Evil weasels and random monkeys

I’m doing testing on a new release of Abacus at the moment, so I’m in a software QA (Quality Assurance) frame of mind.
One of the tenets of software QA is “Assume users are malicious”. That’s also one of the tenets of security engineering, but in a completely different way.
A security engineer treats users as malicious, as the users he or she is most concerned about are crackers trying to compromise their system, so they really are malicious. A QA engineer knows that if you have enough users in the field, making enough different mistakes or trying to do enough unusual things, they’ll find all the buggy little corners of your application eventually – and crash it or corrupt data more reliably than a genuinely malicious user.
As a QA engineer it’s easier to personify the forces of chaos you’re defending against as a single evil weasel than a million random monkeys.
In the bulk email world the main points where you interact with your users are signup, confirmation, unsubscription and click-throughs. Always think about what the evil weasel will do at that point.
Signup

  • The weasel will enter an invalid email address – check it at signup time
  • The weasel will enter a valid email address that belongs to someone else – there are many ways to defend against that, none of them clearly the best
  • The weasel will enter leading or trailing spaces – strip ’em off
  • The weasel will enter non-ASCII characters in their name – and that’s OK unless it breaks your data handling
  • The weasel will enter non-ASCII characters in their email address – and that’s probably not OK, not yet, anyway
  • If you treat a character as “magic” anywhere in your data flow (whether that be a quote, a comma, tab or even a newline) your weasel will sneak it in to their data somewhere – always sanitize your inputs as soon as possible
  • If you rely on client-side validation to ensure clean data, your weasel will turn off javascript – always validate server-side, even if you’re validating client-side
  • The weasel will sign up multiple times, in different places – yet they don’t really want multiple emails
  • The weasel has a million email addresses, and will sign them all up if you send him a million tchotchkes to do that – don’t incentivize that sort of behaviour
  • The weasel has, inexplicably, a thousand friends and will sign them all up if you send him a thousand tchotchkes to do so – which could conceivably be what you want, but be very, very sure before incentivizing for it
  • The weasel surely has the email addresses of 100,000 strangers who he’ll tell you are his friends – be very careful about offering incentives for signups, as the weasel will happily have you send 99,999 pieces of unwanted spam so that he gets his nickel for the one recipient who buys from you

Confirmation

  • The weasel will run antivirus software that automatically prefetches everything in the email – either have your “yes I want to subscribe” link go to a page that requires additional action, or have a “hidden” link in the email that invalidates the opt-in link if it’s followed
  • The weasel will visit the confirmation link multiple times, and will complain if it welcomes them to the list each time – consider “You’re already subscribed to…” type language, if they’re already subscribed
  • The weasel will edit the URL the opt-in link goes to, changing the email address embedded in it – so make sure that it’s an opaque token or cryptographically signed
  • If the opt-in link contains the number 10237, the weasel will also go to the same URL with the number 10236 or 10238 – make sure that they can’t affect other peoples signups that way
  • The weasel will sign up for your list, then unsubscribe, then six months later find the old confirmation email and click on the opt-in link – make sure that doesn’t work, instead routing them to a signup page, perhaps

Unsubscription

  • Your weasel doesn’t know their email address – make sure they don’t need to know it to unsubscribe
  • Your weasel does know other peoples email addresses – make sure they need to know more than that to unsubscribe other people
  • The weasel will run antivirus software that prefetches URLs in the email – so either require them to hit a button on the destination webpage or have a “hidden” link in the email that invalidates the opt-out link if it’s followed
  • The weasel will hit the “this is spam” link to unsubscribe – make sure that doing that does suppress mail to them
  • The weasel will appear almost intentionally stupid in their inability to navigate the complexities of your unsubscription mechanism – make sure that they can contact a human, and that that human has the power to suppress mail to them
  • The weasel will share the email you send them with other people, who’ll then click on the unsubscription link – give them the email address on the unsubscription page, so they’re less likely to inadvertently unsubscribe the original weasel

Click-throughs

  • The weasel won’t remember their username or password – so don’t make them log in to see the content you link to from the email
  • The weasel will forward your email on to other people – so make sure the other people can’t see any of the weasel’s PII or spend the weasel’s money without more authentication
  • The weasel will click on the links in the email repeatedly – so make sure that’s OK
  • The weasel will suddenly find email you sent them three years ago, and expect the links to still work
  • The weasel will try to copy and paste URLs from the text part of your email – so try and keep them under 70 characters or so

There are countless other things the evil weasel and the random monkeys will do to throw a spanner into your systems. Bear them in mind when you’re putting infrastructure, or a campaign, or policies together.

Related Posts

Some thoughts on permission

A lot of email marketing best practices center around getting permission to send email to recipients. A lot of anti-spammers argue that the issue is consent not content. Both groups seem to agree that permission is important, but more often than not they disagree about what constitutes permission.
For some the only acceptable permission is round trip confirmation, also known as confirmed opt-in or double opt-in.
For others making a purchase constitutes permission to send mail.
For still others checking or unchecking a box on a signup page is sufficient permission.
I don’t think there is a global, over arching, single form of permission. I think context and agreement matters. I think permission is really about both sides of the transaction knowing what the transaction is. Double opt-in, single opt-in, check the box to opt-out area all valid ways to collect permission. Dishonest marketers can, and do, use all of these ways to collect email addresses.
But while dishonest marketers may adhere to all of the letters of the best practice recommendations, they purposely make the wording and explanation of check boxes and what happens when confusing. I do believe some people make the choices deliberately confusing to increase the number of addresses that have opted in. Does everyone? Of course not. But there are certainly marketers who deliberately set out to make their opt-ins as confusing as possible.
This is why I think permission is meaningless without the context of the transaction. What did the address collector tell the recipient would happen with their email address? What did the address giver understand would happen with their email address? Do these two things match? If the two perceptions agree then I am satisfied there is permission. If the expectations don’t match, then I’m not sure there is permission involved.
What are your thoughts on permission?

Read More

Troubleshooting Yahoo delivery

Last week Jon left a comment on my post Following the Script. He gives a familiar story about how he’s having problems contacting Yahoo.

Read More

The sledgehammer of confirmed opt-in

We focused Monday on Trend/MAPS blocking fully confirmed opt-in (COI) mail, because that is the Gold Standard for opt-in. It is also Trend/MAPS stated policy that all mail should be COI. There are some problems with this approach. The biggest is that Trend/MAPS is confirming some of the email they receive and then listing COI senders.
The other problem is that typos happen by real people signing up for mail they want. Because MAPS is using typo domains to drive listings, they’re going to see a lot of mail from companies that are doing single opt-in. I realize that there are problems with single opt-in mail, but the problems depends on a lot of factors. Not all single opt-in lists are full of traps and spam and bad data.
In fact, one ESP has a customer with a list of more than 50 million single opt-in email addresses. This sender mails extremely heavily, and yet sees little to no blocking by public or private blocklists.
Trend/MAPS policy is singling out senders that are sending mail people signed up to receive. We know for sure that hard core spammers spend a lot of time and money to identify spamtraps. The typo traps that Trend/MAPS use are pretty easy to find and I have no doubt that the real, problematic spammers are pulling traps out of their lists. Legitimate senders, particularly the ESPs, aren’t going to do that. As one ESP rep commented on yesterday’s post:

Read More