Registration is not permission

“But we only mail people who registered at our website! How can they say we’re spamming?”
In those cases where website registration includes notice that the recipient will be added to a list, and / or the recipient receives an email informing them of the type of email they have agreed to receive there is some permission involved. Without any notice, however, there is no permission. Senders must tell the recipient they should expect to receive mail at the time of registration (or shortly thereafter) otherwise there is not even any pretense of opt-in associated with that registration.
Take, for example, a photographers website. The photographer took photos at a friend’s wedding and put them up on a website for the friend and guests to see. Guests were able to purchase photos directly from the site, if they so desired. In order to control access, the photographer required users to register on the site, including an email address.
None of this is bad. It’s all standard and reasonably good practice.
Unfortunately, the photographer seems to have fallen into the fallacy that everyone who registers at a website wants to receive mail from the website as this morning I received mail from “Kate and Al’s Photos <pictage@pictage.example.com>.” It includes this disclaimer on the bottom:

This email was sent by Pictage, Inc. to laura-tagged@mydomain.example.com, a registered user on www.pictage.com or an affiliated partner. If you’d rather not receive future email from Pictage, please click here.

No. No. No. Bad Sender. No Cookie.
I registered because I wanted so see specific photos on your website. Not because I want to receive email from you. I read your privacy policy (http://www.pictage.com/static/about/termsofservice.html) and there was nothing on there about sending mail. You didn’t mail me a welcome message. You didn’t tell me I’d be receiving advertising from you. You simply added me to a mailing list and then, 3 months later, sent me an email. And you didn’t just spam me, but you spammed a bunch of Al’s closest friends (many of whom are also delivery and anti-spam folks and at least one of whom is a spamhaus volunteer).
This is a very bad way to run a mail campaign. There was no information about email in the privacy policy. There wasn’t an opportunity to opt-out at registration. There was no welcome message alerting me to the chance that I’d receive mail from you in the future.
Registration is not an opt-in request and does not confer permission for the sender to add the receiver to a mailing list.
EDIT: Al’s reaction to his name being used in mail he did not authorize

Related Posts

Spam that's not spam

Steve and I were talking this evening and I mentioned to him that I got “a lot of spam that wasn’t really spam. Know what I mean?”
He did. But if I tell that to you, what does it mean to you?
More on this in a couple days, but I’m onsite at a client’s for the next few days so it may take me a plane ride home to put all the thoughts down.

Read More

How reputation and content interact

Recently, one of my clients had a new employee make a mistake and ended up sending newsletters to people in their database that had not subscribed to those particular newsletters. This resulted in their recipients getting 3 extra emails from them. These things happen, people fat-finger database queries or aren’t as careful with segmentation as they should be.
My clients were predictably unhappy about sending mail their users hadn’t signed up for and asked me what to do to fix their reputation. I advised they not do anything other than make sure they don’t do that again. The first send after their screw-up had their standard 100% inbox delivery. The second send had a significant problem with bulk foldering at Hotmail and Yahoo. The third send had their standard 100% inbox delivery.
So what happened on the second send? It appears that on that send they had a link or other content that “filled the bucket.” Generally, their IP reputation is high enough that content isn’t sufficient to send their mail into the bulk folder. However, their reputation dipped based on the mistake last week, and thus the marginal content caused the bulk foldering.
Overall, these are senders with a good reputation. Their screw up wasn’t enough to damage their delivery itself, but may have contributed to all their mail going into the bulk folder the other day. I expect that their reputation will rebound quickly and they will be able to send the same content they did and see it in the inbox.

Read More

Beware: Phishing and Spam in Social Networks

Trend Micro warns us today about how spam and phishing can hit you even in the closed ecosystem of a social networking system such as Facebook. Malware abounds. And in the social network arena, just like anywhere else, “using your account to send spam” is a common thing for the bad guys to want to do.
In Rik Ferguson’s investigation (which I read about on CNet News), he came across a link to a URL that asked for his Facebook credentials, supposedly necessary to allow installation of a specific Facebook application. Once the credentials were handed over, the app immediately spammed all of his Facebook friends, sending them a bogus notification, attempting to draw them into visiting the phishing/malware URL, with (one assumes) the hope of spreading the infection even wider.
He’s a researcher for Trend Micro, so he knows what he’s doing. But for the rest of us, this highlights how necessary it is to be careful with who you give your usernames and passwords to. In my opinion, it’s never safe to take your username and password from one site and hand it over to another site. Some social networking make the problem even worse by blurring the lines between safe and unsafe by asking for usernames and passwords to third party accounts, but you just can never know with 100% certainty which sites are legitimate and which ones aren’t.
— Al Iverson

Read More