Verifying email addresses

Over at CircleID Aviram Jenik posts about using email addresses as identification and how that can go horribly wrong if the website does no verification. In his case, the problem is a user who has made a purchase using Aviram’s gmail address and Aviram now has access to the other users personal information. As he explains it:

Most of this misguided email ranges from boring to funny, but today I got a purchase confirmation with the order number, amount and last 4 digits of the CC number. Since I “own” the email that is associated with this account, what prevents me from logging in to this guy’s account (have the e-commerce site send the password to “my” email due to my temporary amnesia) and redirecting the order to another zip code that happens to be my house?

I have recently been going through a very similar situation. It appears that someone in the UK signed up at an address harvesting website with my email address. This Mr. Laura Corbishley gave win4now.co.uk full authority to sell my email address to all and sundry, and they have. Emailinform got my address first and has been sending me email “because [I] opted in at win4now.co.uk. In the process of trying to track down this spam, I did “recover” my password at win4now.co.uk and took over the account.
I am suspicious of the signup at win4now.co.uk for a couple reasons.

  1. “Mr.” Laura. Sure, it is possible someone missed a pulldown window. Possible but unlikely.
  2. The postal address is Solihull, Warwickshire. But, according to Royal Mail Solihull is no longer in Warwickshire for purposes of mail delivery. The correct address is West Midlands. Another possible error, but how many people do not know their snail mail address.
  3. I have never received any mail from win4now.co.uk. I have only received mail from emailinform.

I know this is fairly common, people sign up bad addresses at website, either maliciously or accidentally. Even more frustrating is the inability to contact a real human at win4now.
I checked out their privacy policy. At the very top of their privacy policy it says:

This Privacy Policy Statement explains the data processing practices of win4now.co.uk. If you have any requests concerning your personal information or any queries with regard to these practices please contact our Privacy Officer by e-mail at privacy@win4now.co.uk) and sent mail to privacy@win4now.co.uk.

Fair enough. I sent email to their Privacy Officer. In the email I explained that one of their users had fraudulently used my email address to signup and I was now receiving spam. I requested that they remove my email address and notify everyone that they had sold my address to that there was no permission with that address and to remove it from their list as well.
Win4now sent me an email back that had the following at the very top:

IMPORTANT NOTE: Please do not respond to this email, it is auto-generated and replies are not monitored.

They provided a short FAQ and no indication that there is any human actually reading the privacy mail. Having an unmonitored privacy address is bad, but the auto-ignore goes out of its way to ignore privacy questions. The text of the message answers some questions, none of which seem to address their privacy policy.

  • Q: I have a problem using my Win4now password
  • Q: I do not want to receive any more new competition emails
  • Q: I would like to update my details
  • Q: I would like to unsubscribe from Win4Now
  • Q: I am having problems viewing the website
  • Q: I would like to know if I am a competition winner

None of those questions relate to privacy. At the bottom of the email there is another address I can send mail to, but at this point it is clear to me that win4now is exhibiting all the signs of spammers and scammers. They are avoiding email to privacy@, they do no form of confirmation not even a welcome message giving me the chance to inform them this registration is fraudulent, they are selling my address around but there is no way for me to stop them from doing that. I have gone in and changed the preferences on that account, but given win4now’s sloppy system I do not actually believe that will have an effect.
Thanks to some helpful folks over at a large ISP, I have been contacted by people at emailinform. They have unsubscribed me from their list. They are also looking into the address purchase. I am expecting they will return with some IP address “confirming” that I signed up at win4now and that therefore their mail is not spam.
Let me be clear, an IP address is not consent. It may help jog a memory, or remind a user they did sign up. In this case, however, I can categorically say this was not me as I always use tagged addresses to sign up for mail. Furthermore, I am not a UK resident and am not eligible for any benefits of the signup at win4now or the products being marketed by emailinform.
Both of these situations speak to the importance of any group collecting email addresses, for any reason, to incorporate some sort of confirmation into the signup process. While my preference is for positive confirmation (click here if this is you), even the bare minimum of negative confirmation (click here if this is not you) would have made win4now look slightly legitimate. As it is, they do not seem any different from any other spammers collecting email addresses and selling them to all and sundry.
My specific situation also speaks to the importance of being contactable by people. Do not make it hard for your recipients to contact a person inside your organization. These are your customers there is no reason to avoid them. The dodging and weaving looks suspiciously like you are a spammer.

Recent comments
Disposable or Temporary Addresses

Related Posts

Botnets

Terry Zink has been posting articles about botnets as traced by Hotmail. I do not often talk about botnets as they are outside my area of expertise. They are not something I deal with, as no one who uses botnets is welcome as a client here.
My clients and I, however, do have to deal with the fallout from botnets.  Because of botnets, receiver ISPs are extremely suspicious of mail from any IP address that they have not seen mail from previously. Mail from new IPs is, more often than not, a newly infected Windows machine. This results in mail from new IPs not starting with a reputation of zero but starting with a negative reputation.
Botnets are another example of spammers making it more difficult for mailers with permission to use email.

Read More

That's spammer speak

I’ve been hearing stories from other deliverability consultants and some ISP reps about what people are telling them. Some of them are jaw dropping examples of senders who are indistinguishable from spammers. Some of them are just examples of sender ignorance.
“We’re blocked at ISP-A, so we’re just going to stop mailing all our recipients at ISP-A.” Pure spammer speak. The speaker sees no value in any individual recipient, so instead of actually figuring out what about their mail is causing problems, they are going to drop 30% of their list. We talk a lot on this blog about relevancy and user experience. If a sender does not care about their email enough to invest a small amount of time into fixing a problem, then why should recipients care about the mail they are sending?
A better solution then just throwing away 30% of a list is to determine the underlying reasons for  delivery issues, and actually make adjustments to  address collection processes and  user experience. Build a sustainable, long term email marketing program that builds a loyal customer base.
“We have a new system to unsubscribe people immediately, but are concerned about implementing it due to database shrink.” First off, the law says that senders must stop mailing people that ask. Secondly, if people do not want email, they are not going to be an overall asset. They are likely to never purchase from the email, and they are very likely to hit the ‘this is spam’ button and lower the overall delivery rate of a list.
Let people unsubscribe. Users who do not want email from a sender are cruft. They lower the ROI for a list, they lower aggregate performance. Senders should not want unwilling or unhappy recipients on their list.
“We found out a lot of our addresses are at non-existent domains, so we want to correct the typos.” “Correcting” email addresses is an exercise in trying to read recipients minds. I seems intuitive that someone who typed yahooooo.com meant yahoo.com, or that hotmial.com meant hotmail.com, but there is no way to know for sure. There is also the possibility that the user is deliberately mistyping addresses to avoid getting mail from the sender. It could be that the user who mistyped their domain also mistyped their username. In any case, “fixing” the domain could result in a sender sending spam.
Data hygiene is critical, and any sender should be monitoring and checking the information input into their subscription forms. There are even services which offer real time monitoring of the data that is being entered into webforms. Once the data is in the database, though, senders should not arbitrarily change it.

Read More

Predictions for 2008

I did not have a lot of predictions for what will happen with email at the beginning of the year so I did not do a traditional beginning of the year post. Over the last 3 – 4 weeks, though, I have noticed some things that I think show where the industry is going.
Authentication. In January two announcements happened that lead me to believe most legitimate mail will be DK/DKIM signed by the end of the year. AOTA announced that approximately 50% of all email was currently authenticated. They did not separate out SPF/SenderID authentication from DK/DKIM authentication, but this still suggests email authentication is being widely adopted. AOL announced they will be checking DKIM on their inbound mail. I expect more and more email will be DKIM signed in response to this announcement.
Filtering. The end of 2007 marked a steady uptick in mail being filtered or blocked by recipient domains. I expect this trend to continue throughout 2008. Recipient domains are rolling out new technology to measure complaints, evaluate reputation and monitor unwanted email in ways that tease out the bad actors from the good. This means more bad and borderline email will be blocked. Over the short term, I expect to see more good email blocked, too, but expect this will resolve itself by Q2/Q3.
Sender Improvements. As the ISPs get better at filtering, I expect that many borderline senders will discover they cannot continue to have sloppy subscription practices and still get their mail delivered. Improved authentication and better filtering let ISPs pin-point blocks. Instead of having to block by IP or by domain, they can block only some mail from a domain, or only some mail from an IP. There are a number of senders who are sending mail that users do not want mixed with mail that recipients do want. Right now, if there is more mail that recipients want in that mix, then ISPs let the mail through. This will not continue to happen through 2008. Senders will need to send mail users actively want in order to see good delivery.
Less is more. A lot of other email bloggers have talked about this, and I will echo their predictions. Less email is more. Send relevant mail that your customers want. Target, target, target. Good mailers will not send offers to their entire database, instead they will send mail to a select portion of their database.
Feedback loops. Use of feedback loops by recipient domains will continue to grow.
Mobile email. More recipients will be receiving email on mobile devices.
Suggestions for 2008

Read More