Al has another post about another company sending mail to a customer that gave an email address that didn’t belong to them. The person receiving the misdirected email has no effective way to make it stop, and is getting more and more frustrated with the ongoing spam. (Consumerist article)
A couple weeks ago I wrote a post about handling abuse complaints. As a bit of a throwaway I mentioned that new companies don’t always think about how their service can be abused before releasing it on the unsuspecting internet.
Today’s blog post by Margot Romary at the Return Path In the Know blog reminds me that it’s not always new companies that don’t think about abuse potential before launching services.
One of the things that never ceases to amaze me about phishers is how incredibly creative they can be in writing text that encourages recipients to open their emails.
There have been two separate incident recently that inspired me to talk about phishing.
The first was watching viruses propagate through my local neighborhood mailing list. I live in Silicon Valley and we do have an email list for neighbors to talk, plan and generally share information. Last week one of the neighbors got infected with a virus, and their address started posting links to more viruses to the list. Over the weekend I watched half a dozen neighbors get infected and post more viruses to the list.
The second is the dozens of messages I’ve been receiving telling me there are naked photos of me on the Internet. They have a couple different forms. Some pretend to be concerned friends worried that my private photos have leaked. Others threaten legal action or that the police are investigating me. Still others tell me I’ve ruined a friendship by sharing these photos.
None of those things are true, of course. They’re all trying to get me to open a file and infect my machine with some virus or another.
The question of putting unsub links on transactional messages came up on multiple lists recently. As with any question that has to do with email and controlling it, there were a lot of different opinions.
A number of people believed that transactional mail should never, ever have an unsubscribe. Their argument was that transactional mail is too valuable to allow recipients to unsubscribe from it.
Other people argued that the recipient should always be able to stop mail and that an unsub link was important, even in transactional mail.
A third group pointed out that under CASL transactional mail to Canadian residents may have to have an unsub link, even if the sender doesn’t want to add one in.
As with most questions, I don’t think there is necessarily a single answer for every mailer or sender.
There are absolutely cases where transactional messages should have an unsubscribe. Twitter notifications and Facebook notifications are just some of the examples of mail a lot of people just want to stop.
But should companies allow recipients to unsubscribe from receipts? Some people feel very, very strongly that recipients should never be allowed to unsubscribe from receipts.
The problem with that stance is it ignores the fact that people don’t always correctly type their email addresses and end up giving the address of another person as part of a purchase. Al found a report at the Consumerist where someone is getting flooded with receipts for Nook books she’s never purchased.
This isn’t the first time this has happened, not by a long shot. In fact, in the past year I negotiated a Spamhaus delisting for a very large company that wasn’t confirming email addresses of their customers. This company sells a service that sends email alerts triggered when certain actions happen. Because they were not confirming their customer’s email addresses, they ended up sending alerts to spamtraps. The alerts triggered a SBL listing.
I don’t think that the Nook owner or the alert purchaser are actually malicious or that they purposely gave the wrong email address to their vendors. But it happens, and it happens not infrequently.
What do I recommend?
Transactional mail that is only ever a single event and where that address is not associated with an account don’t need to have an unsubscribe link. If it’s a one-time email, then it’s OK to not have an opt-out link. It’s OK to have an opt-out link, but not necessary.
Transactional mail that’s associated with some sort of account should have a process in place to make sure that mail is going to the right person and if it’s not, that the wrong person can make the mis-directed mail stop. There are multiple ways to do this. One is to confirm the email address associated with the account during the account creation process. Or you can allow anyone receiving the mail to click on a link and opt-out of receiving mail.
Whatever it is, it needs to be effective and protect everyone involved. Requiring the victim recipient to hand over a bunch of personal information, like Virgin Mobile does, helps no one. Continuing to send purchase receipts to an unrelated third party is poor business practice, particularly when you’ve been informed that this is the wrong person.