Closing the loop
A user here has taken to reporting every email he doesn't want as spam. Some are spam, but most are solicited mailings which he has decided he no longer wants - though not all use a closed loop opt in process, so you can't be completely sure that he really asked for some of them in the first place *.

Therefore, rather than blocking future emails from these senders at source (other users may still want them), we have been using unsubscribe links, where they are available in these alleged spams, to remove our user from these remote mailing lists. For some reason it never occurred to him to try this himself, instead of just dumping vast numbers of solicited messages into spam reporting.

Most of these unsubscribe links contain a unique identifier in the URL which the remote system can use to identify which recipient clicked the opt out link and remove that recipient with no further interaction, and this is as it should be. If you operate a bulk emailing system using a closed loop opt in process, it is only courteous to make it as painless as possible for users to change their minds and opt out.

One click is all it should ever take.

One of these unsubscribe links had no such unique identifier and, when clicked, presented a web page with a field marked "email address", a submit button and words to the effect that the user should enter the email address to be unsubscribed and click submit.

This breaks the one click to opt out rule, but it gets worse. Much, much worse.

Here's what appeared after we clicked the submit button.

Please confirm your mailing list unsubscription


An email message has been sent to the following address:

user[at]example.com

to confirm that address's removal from the following list:

[Name of mailing list]

Upon receiving this message, you will need to follow a confirmation URL, located in the message itself.

This confirmation process, known as double opt-out confirmation, has been put into place to protect the privacy of the owner of this email address.

If you do not receive a confirmation for removal in the next twenty-four hours or you have any other questions regarding this mailing list, please contact the list owner at:

list_owner[at]list.domain


Oh dear.

Double opt-out confirmation?

Let's go over the process again.

  1. Anyone can enter any email address in a web form to sign up to receive mailings, therefore it is necessary to close the loop.
  2. This generally entails sending a one-time "confirmation" email to the address which has been submitted, containing a link which must be clicked to confirm that the owner of the email address really does want to subscribe. Such links should contain sufficient information to identify the subscriber, but should not be guessable as this would enable a third party to simulate confirmation by constructing the confirmation URL manually.
  3. Once this has been done, we know that the people receiving our email broadcasts really have asked for them - and we can prove it.
  4. Each broadcast should contain an opt-out link and this should remove the recipient from the list in a single click. This is done similarly to the confirmation email, in that it contains a unique identifier which cannot be guessed.
  5. There is no need to ask for confirmation on opt-out as we have already established that the party clicking the opt-out link really is the party who opted in in the first place.
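As an added example (not code from the original post or from any mailing system it mentions), here is one way to build the links the five steps above describe, in Python. It assumes an HMAC-SHA256 tag over the subscriber details as the unguessable part; `SECRET_KEY`, `make_token`, `read_token`, `MailingList` and the in-memory member set are hypothetical names chosen for illustration.

```python
import base64, hashlib, hmac, json, secrets

SECRET_KEY = secrets.token_bytes(32)  # assumption: server-side secret, never sent out

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(purpose: str, list_id: str, email: str, key: bytes = SECRET_KEY) -> str:
    # The body identifies the subscriber; the HMAC tag makes the link unguessable.
    body = json.dumps([purpose, list_id, email.lower()]).encode()
    return _b64(body) + "." + _b64(hmac.new(key, body, hashlib.sha256).digest())

def read_token(token: str, purpose: str, key: bytes = SECRET_KEY):
    """Return (list_id, email) for an authentic token of this purpose, else None."""
    try:
        body, tag = (_unb64(part) for part in token.split("."))
    except ValueError:  # wrong number of parts or bad base64
        return None
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        return None
    got_purpose, list_id, email = json.loads(body)
    return (list_id, email) if got_purpose == purpose else None

class MailingList:
    def __init__(self, list_id: str):
        self.list_id, self.members = list_id, set()

    def link_token(self, purpose: str, email: str) -> str:
        # "confirm" goes in the confirmation email (steps 1-2; nothing is stored
        # until it comes back); "unsubscribe" goes in every broadcast (step 4).
        return make_token(purpose, self.list_id, email)

    def _accept(self, token: str, purpose: str):
        parsed = read_token(token, purpose)
        return parsed[1] if parsed and parsed[0] == self.list_id else None

    def confirm(self, token: str) -> bool:
        email = self._accept(token, "confirm")  # step 3: the loop is closed
        if email is not None:
            self.members.add(email)
        return email is not None

    def unsubscribe(self, token: str) -> bool:
        email = self._accept(token, "unsubscribe")  # step 5: one click, no second email
        self.members.discard(email)
        return email is not None
```

These tokens are stateless rather than single-use; a system that wants a strictly one-time confirmation link would also record which tokens have been redeemed.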

You're welcome.


* We are all but certain that he did.

Category: Spam miscellany

Comments :

1. Nathan T. Freeman 09/01/2008 13:13:01
Homepage: http://nathan.lotus911.com


I wonder if said person's title began with "chief" or "vice"?




2. Gregg Eldred 09/01/2008 20:14:01
Homepage: http://www.ns-tech.com/blog/geldred.nsf


I have to admit that reporting solicited mail as spam is not uncommon. When asked "Did you sign up for this?," I usually get "no." Even for messages that I know are reputable mailers.

*sigh*



