Confirmation Fails

Yesterday I talked about registration confirmations. Today I’m going to talk about a couple recent experiences with websites and their registration failures.
The first experience was with Yelp. One of my readers decided I needed a Yelp account and created one using my laura-questions email address. Yelp understands that people will be jerks and so sent me an email to confirm the account.

Hi Laura,
Thanks for joining Yelp.
To protect your privacy, please confirm your email address by clicking here:
https://www.yelp.com/ce?[REDACTED]
We look forward to seeing you on Yelp.
— The Yelp Team
If you did not sign up for Yelp someone probably mis-typed their email address so just ignore this message.

I’m pretty sure it wasn’t a typo, but in the grand scheme of things if I don’t have to unsubscribe, I’m pretty happy. I continued to be happy with Yelp, until about a week later. At that point I started getting Yelp newsletters to laura-questions. It seems that “ignoring the message” doesn’t mean they won’t contact me, just that I don’t have access to the fake account that someone set up for me. Even worse, the unsubscribe link didn’t work because the account had not been confirmed.
Yelp doesn’t accept email, so eventually I had to open a case with their legal department to get them to stop sending me newsletters that I hadn’t asked for, nor confirmed. They seem to have fixed the problem at this point.
I understand this is a fairly rare situation, but there are a lot of things that Yelp could do to improve the experience of people who have fake accounts created by harassers.
Obviously, Yelp could trivially fix the problem by not sending newsletters to any unconfirmed address. But a lot of marketers will tell you that recipients are lazy and they won’t confirm but they will happily receive email. In some cases, the marketers even have data that shows definite revenue from mail sent to unconfirmed addresses. Not ever mailing those addresses seems to be a bad idea. At the same time, marketing to those addresses also seems like a poor idea.
There are some things I would suggest to clients so they can respect recipients who don’t confirm without losing revenue from recipients who don’t confirm but do want the email.

  1. Limit what users can do on the website before they confirm their email address. Facebook, for instance, does not allow installation of games or internal messaging until an account is confirmed. This stops users from giving fake addresses but actually using the services provided by a website.
  2. Set up a limited marketing campaign to unconfirmed addresses. Instead of just adding those users to the normal marketing stream, send a confirmation reminder or two. Ideally these would be a small version of the newsletter: “Here’s what you missed by not confirming your address. Confirm your address by <DATE> in order to get our newsletter and all the benefits of your account.”
  3. Use website data to determine engagement. If someone creates an account, never confirms and never logs in, then it’s very likely this is a fake account and they shouldn’t be mailed at all.
  4. Make it easy to unsubscribe from mail, particularly when the address is unconfirmed. Even folks who run spamtraps will sometimes give senders the benefit of the doubt and try to unsubscribe. If that unsubscribe doesn’t take or is hard, that may result in a blocklisting.
  5. Have a link in the confirmation message that allows the recipient to say “this registration is fraudulent, don’t ever email me again.”

The second situation is with the New York Times. Apparently, I created an account on the NYTimes.com website at some point. A few weeks ago I got an email from them.

Dear NYTimes.com Registered User,
You previously registered your e-mail address on NYTimes.com. Our records indicate that
you did not confirm your email address.
Please note we have confirmed your email address so that you can now receive important
e-mail notifications and updates from NYTimes.com. To start getting all of the news you
want delivered right to your in-box, simply select your free newsletters now:

I know this is an account I created because it came to a tagged address. What I don’t know is how long ago I created the account. I have no trace of mail to that address from the NY Times in my mailbox which has archives back to mid-2010. That means the registration is at least 36 months old. With no communication from the NY Times in that 36 months, I bet that mailing had some pretty bad delivery.
Clearly, confirming addresses for your recipients is a very bad idea. However, there are things the NY Times could have done better.

  1. Instead of sending me an email saying they were confirming my address, they could have sent me an email asking me to confirm my address.
  2. Limit the addresses emailed for confirmation to those accounts that are currently active. Not only do I not remember signing up, I don’t have any trace of the login data for my account. That means I’ve not logged into NYTimes.com with that account. Using website data is a great way to interact with users outside of email. The NY Times could identify active users who’ve not confirmed and send them confirmation emails.
  3. Limit the website functionality for NY Times for users who’ve not confirmed. The NY Times has been desperate to find some way to monetize their website, and that means they are doing a lot with interstitial ads and restricting article reads. They have the ability to stop users from logging in if the email addresses are not confirmed. That wouldn’t affect people like me who create an account and then forget they have it and never use it. What it would do is convince people who were actively logging into the NY Times to confirm. No confirmation, no logins at the paper, no commenting on articles, no access to archives, whatever the NY Times wants to restrict from non-registered and non-confirmed users.
  4. Allow an opt-out! The message was tagged as a “service message.” The footer said I could unsubscribe from promotional emails, but did not allow me to opt-out from more service messages. This is a bad idea, particularly when the NY Times is confirming my address for me.
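
The suggestions in both lists above come down to one mailing decision per account. The Python sketch below is an added illustration, not code from Yelp, the NY Times or the original post; the record fields, the 30-day reminder window and the result strings are assumptions.

```python
import hmac
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

MAX_REMINDERS = 2                     # "a confirmation reminder or two"
REMINDER_WINDOW = timedelta(days=30)  # assumed cut-off, not from the post

@dataclass
class Account:                        # hypothetical record layout
    email: str
    created: date
    confirm_token: str                # sent only in the confirmation email
    confirmed: bool = False
    last_login: Optional[date] = None
    reminders_sent: int = 0
    suppressed: bool = False          # unsubscribed or reported as fraudulent

def confirm(account: Account, token: str) -> bool:
    """The only path to confirmed=True is the recipient presenting the token."""
    ok = hmac.compare_digest(account.confirm_token, token)
    if ok:
        account.confirmed = True
    return ok

def suppress(account: Account) -> None:
    """Handler for the unsubscribe and 'this registration is fraudulent' links.
    It needs no login and no confirmed address, and it is permanent."""
    account.suppressed = True

def mail_decision(account: Account, today: date) -> str:
    """What may be sent after the initial confirmation request has gone out."""
    if account.suppressed:
        return "none"
    if account.confirmed:
        return "newsletter"
    if account.last_login is None:
        return "none"                 # never confirmed, never logged in: likely fake
    if account.reminders_sent >= MAX_REMINDERS:
        return "none"
    if today - account.created > REMINDER_WINDOW:
        return "none"
    return "confirmation_reminder"
```

The sender never sets `confirmed` on the recipient's behalf, and `suppress` is checked before anything else, so an unsubscribe from an unconfirmed address still takes effect.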

Confirming registrations at websites is a good step for many commercial sites. It gives so many benefits to both the recipient and the website. But confirmations can be handled poorly, as the above two examples show. In both cases there were simple, small things the companies could have done that would have changed their spam to legitimate email.
