One of the tenets of software QA is “Assume users are malicious”. That’s also one of the tenets of security engineering, but in a completely different way.

A security engineer treats users as malicious, as the users he or she is most concerned about are crackers trying to compromise their system, so they really are malicious. A QA engineer knows that if you have enough users in the field, making enough different mistakes or trying to do enough unusual things, they’ll find all the buggy little corners of your application eventually – and crash it or corrupt data more reliably than a genuinely malicious user.

As a QA engineer it’s easier to personify the forces of chaos you’re defending against as a single evil weasel than a million random monkeys.

In the bulk email world the main points where you interact with your users are signup, confirmation, unsubscription and click-throughs. Always think about what the evil weasel will do at that point.

Signup

• The weasel will enter an invalid email address – check it at signup time
• The weasel will enter a valid email address that belongs to someone else – there are many ways to defend against that, none of them clearly the best
• The weasel will enter leading or trailing spaces – strip ‘em off
• The weasel will enter non-ASCII characters in their name – and that’s OK unless it breaks your data handling
• The weasel will enter non-ASCII characters in their email address – and that’s probably not OK, not yet, anyway
• If you treat a character as “magic” anywhere in your data flow (whether that be a quote, a comma, tab or even a newline) your weasel will sneak it in to their data somewhere – always sanitize your inputs as soon as possible
• If you rely on client-side validation to ensure clean data, your weasel will turn off javascript – always validate server-side, even if you’re validating client-side
• The weasel will sign up multiple times, in different places – yet they don’t really want multiple emails
• The weasel has a million email addresses, and will sign them all up if you send him a million tchotchkes to do that – don’t incentivize that sort of behaviour
• The weasel has, inexplicably, a thousand friends and will sign them all up if you send him a thousand tchotchkes to do so – which could conceivably be what you want, but be very, very sure before incentivizing for it
• The weasel surely has the email addresses of 100,000 strangers who he’ll tell you are his friends – be very careful about offering incentives for signups, as the weasel will happily have you send 99,999 pieces of unwanted spam so that he gets his nickel for the one recipient who buys from you

Confirmation

• The weasel will run antivirus software that automatically prefetches everything in the email – either have your “yes I want to subscribe” link go to a page that requires additional action, or have a “hidden” link in the email that invalidates the opt-in link if it’s followed
• The weasel will visit the confirmation link multiple times, and will complain if it welcomes them to the list each time – consider “You’re already subscribed to…” type language, if they’re already subscribed
• The weasel will edit the URL the opt-in link goes to, changing the email address embedded in it – so make sure that it’s an opaque token or cryptographically signed
• If the opt-in link contains the number 10237, the weasel will also go to the same URL with the number 10236 or 10238 – make sure that they can’t affect other peoples signups that way
• The weasel will sign up for your list, then unsubscribe, then six months later find the old confirmation email and click on the opt-in link – make sure that doesn’t work, instead routing them to a signup page, perhaps

Unsubscription

• Your weasel doesn’t know their email address – make sure they don’t need to know it to unsubscribe
• Your weasel does know other peoples email addresses – make sure they need to know more than that to unsubscribe other people
• The weasel will run antivirus software that prefetches URLs in the email – so either require them to hit a button on the destination webpage or have a “hidden” link in the email that invalidates the opt-out link if it’s followed
• The weasel will hit the “this is spam” link to unsubscribe – make sure that doing that does suppress mail to them
• The weasel will appear almost intentionally stupid in their inability to navigate the complexities of your unsubscription mechanism – make sure that they can contact a human, and that that human has the power to suppress mail to them
• The weasel will share the email you send them with other people, who’ll then click on the unsubscription link – give them the email address on the unsubscription page, so they’re less likely to inadvertently unsubscribe the original weasel

Click-throughs

• The weasel won’t remember their username or password – so don’t make them log in to see the content you link to from the email
• The weasel will forward your email on to other people – so make sure the other people can’t see any of the weasel’s PII or spend the weasel’s money without more authentication
• The weasel will click on the links in the email repeatedly – so make sure that’s OK
• The weasel will suddenly find email you sent them three years ago, and expect the links to still work
• The weasel will try to copy and paste URLs from the text part of your email – so try and keep them under 70 characters or so

There are countless other things the evil weasel and the random monkeys will do to throw a spanner into your systems. Bear them in mind when you’re putting infrastructure, or a campaign, or policies together.

The other problem is that typos happen by real people signing up for mail they want. Because MAPS is using typo domains to drive listings, they’re going to see a lot of mail from companies that are doing single opt-in. I realize that there are problems with single opt-in mail, but the problems depends on a lot of factors. Not all single opt-in lists are full of traps and spam and bad data.

In fact, one ESP has a customer with a list of more than 50 million single opt-in email addresses. This sender mails extremely heavily, and yet sees little to no blocking by public or private blocklists.

Trend/MAPS policy is singling out senders that are sending mail people signed up to receive. We know for sure that hard core spammers spend a lot of time and money to identify spamtraps. The typo traps that Trend/MAPS use are pretty easy to find and I have no doubt that the real, problematic spammers are pulling traps out of their lists. Legitimate senders, particularly the ESPs, aren’t going to do that. As one ESP rep commented on yesterday’s post:

I work for an ESP and we don’t suppress domains like this, based on the theory that if a client is hitting spamtraps, we want to know so we can sanction or terminate them. But if Trend are acting in bad faith here, I guess my best bet is just to suppress any domain of theirs I can find (and it took about 30 seconds to find 2700 of them).   Another Anon

That’s a sentiment I heard over and over again from companies listed by Trend/MAPS. The companies are happy to force their customers to clean up their acts.  They want reports of bad behaviour by customers, but Trend/MAPS policy of forcing confirmations is taking a sledgehammer to kill a fly.

I think we have a reputation of being a bit harsh on customers, and we’re honestly a little proud of that. But I’m most proud of the fact that we are always fair and honest, even with the bad people.

We tell people what they need to change. The bad people who won’t take our advice are easy to kick out after that.

In this particular situation, we don’t have any advice to give. We don’t have a way to tell people “go do this.” Because it would be a lie. “Go remove inactives” won’t help. “Go re-confirm inactives” won’t help. Even “Go use double opt-in” won’t help if MAPS is clicking and opening everything.

And because MAPS is who they are, we can’t provide a lot of detail to customers, either.  An ESP Executive

COI is a tool. It is occasionally a good tool for keeping lists clean. But I’ve worked with dozens of senders over the year that aren’t using COI and are still keeping their lists clean because they have other processes in place to do so.

For some the only acceptable permission is round trip confirmation, also known as confirmed opt-in or double opt-in.

For others making a purchase constitutes permission to send mail.

For still others checking or unchecking a box on a signup page is sufficient permission.

I don’t think there is a global, over arching, single form of permission. I think context and agreement matters. I think permission is really about both sides of the transaction knowing what the transaction is. Double opt-in, single opt-in, check the box to opt-out area all valid ways to collect permission. Dishonest marketers can, and do, use all of these ways to collect email addresses.

But while dishonest marketers may adhere to all of the letters of the best practice recommendations, they purposely make the wording and explanation of check boxes and what happens when confusing. I do believe some people make the choices deliberately confusing to increase the number of addresses that have opted in. Does everyone? Of course not. But there are certainly marketers who deliberately set out to make their opt-ins as confusing as possible.

This is why I think permission is meaningless without the context of the transaction. What did the address collector tell the recipient would happen with their email address? What did the address giver understand would happen with their email address? Do these two things match? If the two perceptions agree then I am satisfied there is permission. If the expectations don’t match, then I’m not sure there is permission involved.

What are your thoughts on permission?

I got email today to an old work email address of mine from Strongmail. To be fair it was a technically correct email. Everything one would expect from a company handling large volumes of emails.  It’s clear that time and energy was put into the technical setup of the send. If only they had put even half that effort into deciding who to send the email to. Sadly, they didn’t.

My first thought, upon receiving the mail, was that some new, eager employee bought a very old and crufty list somewhere. Because Strongmail has a reputation for being responsible mailers, I sent them a copy of the email to abuse@. I figured they’d want to know that they had a new sales / marketing person who was doing some bad stuff.

I know how frustrating handling abuse@ can be, so I try to be short and sweet in my complaints. For this one, I simply said, “Someone at Strongmail has appended, harvested or otherwise acquired an old email address of mine. This has been added to your mailing list and I’m now receiving spam from you. ”

They respond with an email that starts with:

“Thank you for your thoughtful response to our opt-in request. On occasion, we provide members of our database with the opportunity to opt-in to receive email marketing communications from us.”

Wait. What? Members of our database? How did this address get into your database?

“I can’t be sure from our records but it looks like someone from StrongMail reached out to you several years ago.  It’s helpful that you let us know to unsubscribe you.  Thank you again.”

There you have it. According to the person answering email at abuse@ Strongmail they sent me a message because they had sent mail to me in the past. Is that really what you did? Send mail to very old email addresses because someone, at some point in the past, sent mail to that address? And you don’t know when, don’t know where the address came from, don’t know how it was acquired, but decided to reach out to me?

How many bad practices can you mix into a single send, Strongmail? Sending mail to addresses where you don’t know how you got them? Sending mail to addresses that you got at least 6 years ago? Sending mail to addresses that were never opted-in to any of your mail? And when people point out, gently and subtly, that maybe this is a bad idea, you just add them to your global suppression list?

Oh. Wait. I know what you’re going to tell me. All of your bad practices don’t count because this was an ‘opt-in’ request. People who didn’t want the mail didn’t have to do anything, therefore there is no reason not to spam them! They ignore it and they are dropped from your list. Except it doesn’t work that way. Double opt-in requests to someone has asked to be subscribed or is an active customer or prospect is one thing. Requests sent to addresses of unknown provenance are still spam.

Just for the record, I have a good idea of where they got my address. Many years ago Strongmail approached Word to the Wise to explore a potential partnership. We would work with and through Strongmail to provide delivery consulting and best practices advice for their customers. As part of this process we did exchange business cards with a number of Strongmail employees. I suspect those cards were left in a desk when the employees moved on. Whoever got that desk, or cleaned it out, found  those cards and added them to the ‘member database.’

But wait! It gets even better. Strongmail was sending me this mail, so that they could get permission to send me email about Email and Social Media Marketing Best Practices. I’m almost tempted to sign up to provide me unending blog fodder for my new series entitled “Don’t do this!”

This particular blog has been around for a long time, probably close to 10 years. It allows anyone to join and create their own blogs and comment with registered users. As part of their new mailing list, they added everyone who has ever registered to their mailing list. They did not send a “we have a new list, want to join it?” email, they added every registered user to the list and said “you can opt out if you want.”

This is such a bad idea. My own account was used once, to make one comment, back in 2005. Yes, 2005. It’s been almost 5 years since I last logged into the site. Sure, I have email addresses that go back that far, but not everyone does. That list is going to be full of problems: dead addresses, spamtraps, duplicates, unengaged and uninterested.

Seriously, they’re adding people who’ve not logged into their site in 5 years to a mailing list. How can this NOT go horribly wrong?

My initial thought was this was going to blow up in a week. I’m now guessing they’ll start seeing delivery problems a lot sooner than that.

Activist groups are attractive targets for forged signups. Think about it, when people get deeply involved in arguments on the internet, they often look for ways to harass the person on the other end of the disagreement. They will often signup the people they’re disagreeing with for mailing lists. When the disagreements are political, the logical target is a group on the other side of the political divide.

People also sign up spamtraps and bad addresses as a way to cause problems or harass the political group itself. Often this results in the activist group getting blocked. This never ends well, as instead of fixing the problem, the group goes yelling about how their voice is being silenced and their politics are being censored!!

No, they’re not being silenced, they’re running an open mailing list and a lot of people are on it who never asked to be on it. They’re complaining and the mail is getting blocked.

With that as background, I noticed one of the major political blogs announced their brand new mailing list today. Based on their announcement it seemed they that they may have talked to someone who knew about managing a mailing list.

Email activism is a key weapon in a modern activist organization’s arsenal, yet [website] has never jumped in. It was less a matter of will, and more a lack of resources and expertise. Managing a big email list is surprisingly complex, and we’ve been too small and overworked to do something we should’ve done a long time ago.

As a matter of professional curiosity, I signed up. What’s their signup like? Are they following best practices?

Sadly. No.

Their signup form asks for a first name, an email address and a zip code. Fill in the information and hit “submit.” The landing page says “Thanks for signing up” but provides none of the data that any delivery expert recommends. They mention nothing about frequency. They mention nothing about what they’re going to do with my email address.

They do send a welcome message almost immediately. It’s a bit bare bones:

Thanks for joining the [website] email action list!

If you would like to tell a friend to join, just point them to the following URL:

http://campaigns.example.com/signup_page/Signup1

Thanks again,
[signoff]
Founder, [website]

This should, at a minimum, have information about my signup and the chance to opt-out if there was an error. Comply with CAN SPAM, while not required as they are a political group, is such a minor thing they should be doing so. And, of course, this site is a big enough target, that I think they should be confirming every subscription. That will reduce the complaints from the targets of harassment and prevent people who don’t like them from being able to harm their delivery.

It’s funny, I found this thread by searching for alternate means to contact Yahoo FBL. This is because I desperately need to communicate with them and their ‘normal channel’ has been literaly as effective as a shout down a wishing well. [...]

I’ve signed up for all the various FBL’s with the major providers and we’re tracking reputation nicely as we warm up the sending IP’s with about 75K mails a day over the last month. Yahoo! of course is 35%+ of that mail. However they’re blocking the heck out of my mails from time to time. For the last few days one of my sending IP’s is almost completely blocked while the other three are not. This causes horrible delays. I think that the longer expected mail is delayed the more likelihood it has of being marked as spam or ignored.

There are a couple suggestions I have for people in Jon’s position.

1. IP address warmup can take from 6 – 8 weeks, particularly at Yahoo. Given the current situation with bots, IP addresses that have never sent mail to the major ISPs don’t start out with a neutral reptuation, they actually start out with a negative reputation. In 99 out of 100 times, the IP address that has never sent mail is an infected machine sending spam. Real IP addresses will send mail consistently over the long term, but it can take time to establish a reputation with the ISP.  While it’s not really what anyone wants to hear, senders need to be patient during the warm up process. If it’s possible, starting with low sending volumes (under 5000 emails per ISP per day) and increasing the amount slowly seems to help minimize the temporary failures.
2. Confirmation emails can be problematic, depending on how the email addresses are being collected. If there are too many fake or incorrect subscriptions coming in through a subscription form,  then you will see excessive complaints that may damage the reputation of the sending IP.  Likewise, if the subscription page does not correctly set the expectations of the recipient, the sender may see a high number of complaints. Subscription problems can be managed if you understand what the complaints are about, but you need to do some research to determine that.
3. Confirm that your technology is sending mail in a way that the recipient ISP likes. For Yahoo, this means limiting the number of connections and the number of emails per connection. One of my clients was having difficulty with Yahoo delivery and we resolved the problem by throttling their server to 2 connections at a time and 4 emails per connection. Yahoo will throttle senders that try more than 5 emails in a single connection, and this is simple to fix.
4. Read the bounce messages. Yahoo has rolled out an extensive Postmaster Site in the last few months, which includes a lot of information about bounces and improving delivery. If none of the FAQ questions answer your question, there is also the Yahoo Delivery Support Form.

One important thing to remember, when reaching out to any ISP for help with a delivery issue is that the contact is extremely unlikely to result in the ISP letting all your mail in. As I tell my clients all the time, there is no place in the spam filtering for “this is a good guy” or “this persons mail should be exempt from all our checks.” Senders can troubleshoot 95% of issues themselves. However, in those relatively rare cases where the sender can’t fix the issue, generally the only the the ISPs can do is answer questions. They can’t provide solutions, just more places to look for troubleshooting.

In one venue, the conversation centered around how small a portion of deliverability the initial subscription process affects. Sure, sending unwanted, unexpected email can and does cause reputation problems, but merely using COI as a subscription methodolgy doesn’t automatically give a sender a good reputation or good delivery. Senders using COI as a subscription practice need to also need to send relevant and engaging mail that their recipients expect to receive. They need to handle their bounces well and purge or re-engage inactive subscribers. They need to keep their complaints low and their responses high.

How you manage subscriptions is only one factor in reputation schemes, and even if the subscription method is COI other factors can negate any bonus involved.

The second conversation involved Ken challenging me on the comment I left on his quiz yesterday. I said COI wasn’t foolproof and he challenged me to explain how. I did, and he’ll be following up next week.

The email blogs have been discussing the question for a few weeks now, since one ClickZ columnist decided to stir controversy by claiming that “it is impossible to grow a list using double opt-in.” The original column inspired many other people to comment on the issue.

This is really a tempest in a teapot. There are situations where no address should be added to a mailing list without some sort of confirmation or verification step. Senders must protect themselves from bad subscription requests and double opt-in is one way to do this. Likewise, there are situations where a single opt-in with good list management will create a very clean list. Double opt-in isn’t necessary to stop spam.

Senders who think that they can’t grow their list with double opt-in are already behind the 8-ball in terms of list management. Yes, lists will grow slower. In the present environment, many users are very used to submitting a registration to a web page and then looking in their mailbox for an email to complete the process. No longer is “double opt-in” a foreign concept. Social networking sites, web forums and mailing lists commonly use double opt-in.

The challenge is for marketers to construct a signup process that is engaging enough to convince users to check their mailbox and click on the link. Senders with good marketing strategy will be able to do this, when it’s necessary.

Not every mailing list has to be double opt-in, but every engaging list could be without decreasing the number of subscribers.