Verifying email addresses

Over at CircleID, Aviram Jenik posts about using email addresses as identification and how that can go horribly wrong if the website does no verification. In his case, the problem is a user who made a purchase using Aviram’s Gmail address, so Aviram now has access to the other user’s personal information. As he explains it:

Most of this misguided email ranges from boring to funny, but today I got a purchase confirmation with the order number, amount and last 4 digits of the CC number. Since I “own” the email that is associated with this account, what prevents me from logging in to this guy’s account (have the e-commerce site send the password to “my” email due to my temporary amnesia) and redirecting the order to another zip code that happens to be my house?

I have recently been going through a very similar situation. It appears that someone in the UK signed up at an address harvesting website with my email address. This Mr. Laura Corbishley gave win4now.co.uk full authority to sell my email address to all and sundry, and they have. Emailinform got my address first and has been sending me email “because [I] opted in at win4now.co.uk.” In the process of trying to track down this spam, I did “recover” my password at win4now.co.uk and took over the account.
I am suspicious of the signup at win4now.co.uk for a couple of reasons.

  1. “Mr.” Laura. Sure, it is possible someone missed a pulldown window. Possible but unlikely.
  2. The postal address is Solihull, Warwickshire. But, according to Royal Mail, Solihull is no longer in Warwickshire for purposes of mail delivery. The correct address is West Midlands. Another possible error, but how many people do not know their snail mail address?
  3. I have never received any mail from win4now.co.uk. I have only received mail from emailinform.

I know this is fairly common: people sign up bad addresses at websites, either maliciously or accidentally. Even more frustrating is the inability to contact a real human at win4now.
I checked out their privacy policy. At the very top of their privacy policy it says:

This Privacy Policy Statement explains the data processing practices of win4now.co.uk. If you have any requests concerning your personal information or any queries with regard to these practices please contact our Privacy Officer by e-mail at privacy@win4now.co.uk) and sent mail to privacy@win4now.co.uk.

Fair enough. I sent email to their Privacy Officer. In the email I explained that one of their users had fraudulently used my email address to sign up and I was now receiving spam. I requested that they remove my email address and notify everyone they had sold my address to that there was no permission attached to that address, and that they should remove it from their lists as well.
Win4now sent me an email back that had the following at the very top:

IMPORTANT NOTE: Please do not respond to this email, it is auto-generated and replies are not monitored.

They provided a short FAQ and no indication that there is any human actually reading the privacy mail. Having an unmonitored privacy address is bad, but the auto-ignore goes out of its way to ignore privacy questions. The text of the message answers some questions, none of which seem to address their privacy policy.

  • Q: I have a problem using my Win4now password
  • Q: I do not want to receive any more new competition emails
  • Q: I would like to update my details
  • Q: I would like to unsubscribe from Win4Now
  • Q: I am having problems viewing the website
  • Q: I would like to know if I am a competition winner

None of those questions relate to privacy. At the bottom of the email there is another address I can send mail to, but at this point it is clear to me that win4now is exhibiting all the signs of spammers and scammers. They are avoiding email to privacy@. They do no form of confirmation, not even a welcome message giving me the chance to inform them this registration is fraudulent. They are selling my address around, but there is no way for me to stop them from doing that. I have gone in and changed the preferences on that account, but given win4now’s sloppy system I do not actually believe that will have an effect.
Thanks to some helpful folks over at a large ISP, I have been contacted by people at emailinform. They have unsubscribed me from their list. They are also looking into the address purchase. I am expecting they will return with some IP address “confirming” that I signed up at win4now and that therefore their mail is not spam.
Let me be clear, an IP address is not consent. It may help jog a memory, or remind a user they did sign up. In this case, however, I can categorically say this was not me as I always use tagged addresses to sign up for mail. Furthermore, I am not a UK resident and am not eligible for any benefits of the signup at win4now or the products being marketed by emailinform.
Both of these situations show how important it is for any group collecting email addresses, for any reason, to incorporate some sort of confirmation into the signup process. While my preference is for positive confirmation (click here if this is you), even the bare minimum of negative confirmation (click here if this is not you) would have made win4now look slightly legitimate. As it is, they do not seem any different from any other spammers collecting email addresses and selling them to all and sundry.
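One way to implement the positive and negative confirmation described above, as an added example that is not code from this post or from any site it names. The in-memory stores, the 48-hour link lifetime and all function names are assumptions; the point is that an unconfirmed address is never mailed, shared or sent a password reset.

```python
import hashlib
import hmac
import secrets
import time

SECRET = secrets.token_bytes(32)   # assumption: per-deployment signing key
TOKEN_TTL = 48 * 3600              # assumption: links expire after 48 hours
pending, confirmed, suppressed = {}, set(), set()   # stand-ins for a database

def _mac(action, email, issued):
    # Bind the token to one action, one address and one issue time.
    msg = f"{action}|{email}|{issued}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def signup(email, now=None):
    """Record an unverified signup; return tokens for the two emailed links."""
    email = email.strip().lower()
    issued = int(time.time() if now is None else now)
    if email in suppressed or email in confirmed:
        return None                # owner said "not me", or nothing to confirm
    pending[email] = issued
    return {a: f"{a}.{issued}.{_mac(a, email, issued)}" for a in ("confirm", "not_me")}

def handle_click(email, token, now=None):
    """Process a click on the 'this is me' or 'this is not me' link."""
    email = email.strip().lower()
    now = time.time() if now is None else now
    try:
        action, issued, mac = token.split(".")
        issued = int(issued)
    except ValueError:
        return "invalid"
    if action not in ("confirm", "not_me") or not hmac.compare_digest(
            mac.encode(), _mac(action, email, issued).encode()):
        return "invalid"           # forged, or issued for another address/action
    if now - issued > TOKEN_TTL or email not in pending:
        return "expired"
    del pending[email]
    (confirmed if action == "confirm" else suppressed).add(email)
    return "confirmed" if action == "confirm" else "suppressed"

def may_use_address(email):
    """Gate for marketing mail, list sharing and password-reset mail."""
    return email.strip().lower() in confirmed
```
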
My specific situation also speaks to the importance of being contactable by people. Do not make it hard for your recipients to contact a person inside your organization. These are your customers; there is no reason to avoid them. The dodging and weaving looks suspiciously like you are a spammer.

Related Posts

Email related laws

I’ve been working on a document discussing laws relevant to email delivery and have found some useful websites about laws in different countries.
US Laws from the FTC website.
European Union Laws from the European Law site.
Two documents on United Kingdom Law from the Information Commissioner’s Office and the Data Protection Laws.
Canadian Laws from the Industry Canada website.
Australian Laws from the Australian Law website.


FBLs, complaints and unsubscribes

On one of my mailing lists there was a long discussion about the Q Interactive survey. Some of the senders on the list were complaining that unless ISPs provide FBLs they should not use complaints to make filtering decisions. The sender perspective is that it isn’t fair for the ISPs to have data and use it without sharing it back so that the senders could remove complainers.
This deeply, deeply misses the point.
The ISPs are in the business of keeping their users happy. Part of that is measuring how users react to mail. This includes providing “report spam” or similar buttons when they control the interface. Some ISPs have chosen to share that data back with senders. Some ISPs have made the choice not to share that information back.
But even the ISPs that share FBL data with senders do not expect that the only thing a sender will do is remove the email address. ISPs expect senders to actually pay attention, to not send mail that their recipients do not want. They expect that ESPs are going to notice that one customer has consistently high complaint rates and actually force their customer to stop sending mail that recipients think is spam.
Senders should keep track of complaint rates. Measure them per send. Do not waste time whining that this ISP or that ISP will not set you up with a FBL. Take the data from those ISPs that do have FBLs and measure it. It is extremely unlikely that a mailing will have grossly different complaint rates between ISPs. You have all the data you need in order to evaluate how your recipients are perceiving your email.
ESPs and senders who think that their only response to FBL complaints should be to remove that email are the ones most likely to have filtering and blocking problems. The ISPs are giving them valuable data that they can use to evaluate how their emails are being received. Instead of being ungrateful, wagging fingers and blaming the ISPs for not giving them the data they want, senders should spend more time focusing on what they can discover from the data that is shared with them.
A FBL email is more than an unsubscribe request. Senders should stop focusing on the unsubscribe portion of the FBL process and focus more on the recipient feedback portion of it. What can you learn about your mail from a FBL?


Predictions for 2008

I did not have a lot of predictions for what will happen with email at the beginning of the year so I did not do a traditional beginning of the year post. Over the last 3 – 4 weeks, though, I have noticed some things that I think show where the industry is going.
Authentication. In January two announcements happened that lead me to believe most legitimate mail will be DK/DKIM signed by the end of the year. AOTA announced that approximately 50% of all email was currently authenticated. They did not separate out SPF/SenderID authentication from DK/DKIM authentication, but this still suggests email authentication is being widely adopted. AOL announced they will be checking DKIM on their inbound mail. I expect more and more email will be DKIM signed in response to this announcement.
Filtering. The end of 2007 marked a steady uptick in mail being filtered or blocked by recipient domains. I expect this trend to continue throughout 2008. Recipient domains are rolling out new technology to measure complaints, evaluate reputation and monitor unwanted email in ways that tease out the bad actors from the good. This means more bad and borderline email will be blocked. Over the short term, I expect to see more good email blocked, too, but expect this will resolve itself by Q2/Q3.
Sender Improvements. As the ISPs get better at filtering, I expect that many borderline senders will discover they cannot continue to have sloppy subscription practices and still get their mail delivered. Improved authentication and better filtering let ISPs pin-point blocks. Instead of having to block by IP or by domain, they can block only some mail from a domain, or only some mail from an IP. There are a number of senders who are sending mail that users do not want mixed with mail that recipients do want. Right now, if there is more mail that recipients want in that mix, then ISPs let the mail through. This will not continue to happen through 2008. Senders will need to send mail users actively want in order to see good delivery.
Less is more. A lot of other email bloggers have talked about this, and I will echo their predictions. Less email is more. Send relevant mail that your customers want. Target, target, target. Good mailers will not send offers to their entire database, instead they will send mail to a select portion of their database.
Feedback loops. Use of feedback loops by recipient domains will continue to grow.
Mobile email. More recipients will be receiving email on mobile devices.
Suggestions for 2008
