Fake privacy policies

I sign up at a lot of websites and liberally spray email addresses across the net. These signups are on behalf of one customer or another and each webform gets its own tagged and tracked email address. I always have a specific goal with each signup: getting a copy of a customer’s email, checking their signup process, auditing an affiliate on behalf of a customer or identifying where there might be a problem in a process. Because I have specific goals, I am pretty careful with these signups and usually uncheck every “share my email address” box I can find on the forms.
In every case the privacy policies of my clients and the things they tell me are explicit in that addresses will not be shared. It’s all opt-in, and email addresses are not shared without permission. Even in the cases where I am auditing affiliates, my clients assure me that if I follow this exact process my address will not be shared. Or so the affiliates have assured them.
Despite my care and the privacy policies on the websites, these addresses occasionally leak or are sold. This is actually very rare, and most of the websites I test never do anything with my address that I don’t expect. But in a couple cases these email addresses have ended up in the hands of some hard core spammers (hundreds of emails a day) and there was no useful tracking I could do. In other cases the volume has been lower, and I’ve watched the progression of my email addresses being bought and sold with morbid fascination.
Today an address I signed up at a website about a year ago got hit with multiple spams in a short time frame. All came from different IPs in the same /24. All had different domains with no websites. Whois showed all the domains were registered behind a privacy protection service. Interestingly, two of the domains used the same CAN SPAM address. The third had no CAN SPAM address at all. None of these addresses match the data I have on file related to the email signup.
It never ceases to amaze me how dishonest some address collection outfits. Their websites state clearly that addresses will not be bought an sold, and yet the addresses get lots of spam unrelated to the original signup. For those dishonest enough to do this they’ll never get caught unless recipients tags and tracks all their signups. Even worse, unless their partners test their signups or their mailing practices, the partners may end up unwittingly sending spam.

Related Posts

Just Leave Me Alone Already

I tend to avoid online sites that require you to register and provide information including email addresses. In my experiences companies cannot resist sending email and my email load is extremely heavy and I want less email, not more. Sometimes, though, what I need to do requires an online registration and giving an email address to a company I would really prefer not to have it.
Recently, I had to register online with AT&T Wireless. My iPhone was getting repeated text spams and I wanted it to stop. The only way to do this is register online. Registering online required giving them an email address.
The text spam has stopped, but they have been sending me almost daily emails since then. Each email has an opt-out, and I have availed myself of every opportunity to opt-out. Each opt-out link takes me to a different site, a different page, a different process.
In two of the cases, AT&T seems to be violating the new CAN SPAM provisions. For one, I had to tell them what I wanted to opt-out of (email or phone) and then was taken to a page where I had to input my cell number, my email address and request to be removed. In another case,  I was forced to login to my online wireless account and then was able to change preferences. In only one of the 3 opt-outs I have requested, was the opt-out form actually a single click, just requiring my email address.
I am wondering just how many mailing lists AT&T added my address to and how often they will continue sending me mail after their 10 days are up. It is this level of frustration, that mail just keeps coming and coming and coming even after the recipient has repeatedly attempted to opt-out, that causes people to hit the “this is spam” button on mail that the sender thinks is opt-in.
But, really, AT&T, please stop sending me mail that I never asked for, and that I have repeatedly asked you to stop sending me by jumping through your hoops. Oh, and you may consider sharing the opt-out data with all the same internal groups that you shared my email address with initially.

Read More

TWSD: breaking the law

I tell my clients that they should comply with CAN SPAM (physical postal address and unsubscribe option) even if the mail they are sending is technically exempt. The bar for legality is so low, there is no reason not to.
Sure, there is a lot of spam out there that does not comply with CAN SPAM. Everything you see from botnets and proxies is in violation, although many of those mails do actually meet the postal address and unsubscribe requirements.
One of my spams recently caught my eye today with their disclaimer on the bottom: “This email message is CAN SPAM ACT of 2003 Compliant.” The really funny bit is that it does not actually comply with the law. Even better, the address it was sent to is not published anywhere, so the company could also be nailed for a dictionary attack and face enhanced penalties.
It reminds me of the old spams that claimed they complied with S.1618.

Read More

Co-reg

Well over half of the clients who come to me with delivery problems admit at some point that one of the ways they collect subscribers is through co-registration. They typically have widespread delivery problems at the major ISPs as well as SBL listings.
John Levine posted over the weekend about his thoughts on co-reg.

Read More