Linking identities to email addresses

As I predicted yesterday, a bunch of sites have popped up where you can input email addresses and find out if the address was part of the Ashley Madison hack. My spam trap address isn’t on it, which makes me wonder if unsubscribe data was kept elsewhere or if they just never bothered to save the requests.
One of the things I’m seeing in most articles about the hack is reassurance that Ashley Madison doesn’t verify addresses, so the accounts may not belong to the email address in question. We can’t say that the email address owner is the cheater, because Ashley Madison didn’t care who owned the email address.
The warnings have been published in security blogs.

Ashley Madison didn’t do any kind of email / ownership verification for new accounts.
Provide a fake email to Ashley Madison, get started with all free features immediately.
Yes, the really quick way to build a user base; a minimum of effort needed to get started. Graham Cluley, July 2015 (emphasis original)

The warnings have been published on television news sites.

It’s also important to note that Ashley Madison users aren’t required to verify their email addresses, meaning some found in the dump may have been hijacked by Ashley Madison users seeking to keep their own email addresses off their accounts. ABC News

Even financial reporting sites are mentioning the unverified email addresses.

Several reporters and security researchers have said the data dump appears legitimate, but, to be sure, that doesn’t mean the emails are. AshleyMadison.com doesn’t verify users’ email addresses after they sign up, which means people can make up fake emails or use the addresses of others when creating accounts. Marketwatch

In this case, some email address owners, whether or not they created the account at Ashley Madison, may face repercussions in real life. Folks who are already in rocky relationships now have to explain why their email address shows up in the data dump. Some articles suggest military members may face problems because of their information in the data dump. Had Ashley Madison taken some step, any step, to confirm the addresses belonged to the recipients, that would not be as big a concern. But they chose not to do any email verification. Even worse, people who wanted to clear up the accounts were asked to pay money to remove the account from the database.
Email addresses are becoming more and more important identifiers of our online identity. Almost everything we do online, particularly in terms of commerce, is tied to an email address. Too few companies actually verify that the email address belongs to the person who submitted it. Companies resist verification. They want the easy signup and the fast accumulation of “users.” Verification creates friction. It also creates overhead and process. It leads to unconfirmed email addresses in the database just sitting there doing nothing. Organizations don’t want to verify email addresses because it’s hard to do and relies on the recipient taking some action.
This can lead to problems for the recipients, but it can also lead to problems for the organizations. At least half of my consulting clients come to me with delivery problems that can be traced back to them not doing any address verification. They don’t make sure the address belongs to the person who gave it to them and they get bad data on their lists and then they get blocked or put on the SBL for spamming.
I’m sure someone is going to tell me that there are a half dozen or so “address verification companies” that help with this issue. Except they don’t do anything to address the problem of someone giving an email address that doesn’t belong to them. Nothing any of the verification services do connects the email address to the person who submitted it. They just test to see if an address is deliverable. Many of my clients are using address verification to “clean” their lists and are still seeing SBL listings and other delivery problems.
Failure to verify email addresses leads to problems for the organizations collecting addresses. We’ve now seen it can lead to problems for the people who have their addresses forged. It’s beyond time for organizations to step up and treat address verification, real address verification, as a vital part of their signup process.
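A minimal sketch of the closed-loop confirmation argued for above, as an added example rather than code from the original post: an address stays pending until a signed, expiring, single-use token mailed to that address is returned. The function names, the in-memory stores and the 48-hour window are assumptions for illustration.

```python
import base64, hashlib, hmac, secrets

SECRET = secrets.token_bytes(32)  # signing key; assumed to live in a secret store
TTL = 48 * 3600                   # assumed lifetime of a confirmation link, seconds
pending = {}                      # email -> nonce of the one outstanding token
confirmed = set()                 # addresses whose owner returned the token

def _sig(payload: bytes) -> bytes:
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest().encode()

def signup(email: str, now: float) -> str:
    """Store the address as pending; return the token to mail TO that address."""
    email = email.strip().lower()
    nonce = secrets.token_hex(16)
    pending[email] = nonce        # a newer signup supersedes any older token
    payload = f"{email}|{nonce}|{int(now) + TTL}".encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sig(payload).decode()

def confirm(token: str, now: float) -> bool:
    """Activate the address only if the mailed token comes back intact and in time."""
    body, _, sig = token.rpartition(".")
    try:
        payload = base64.urlsafe_b64decode(body.encode())
        # rsplit from the right: the local part of an address may contain "|"
        email, nonce, expires = payload.decode().rsplit("|", 2)
        expires = int(expires)
    except ValueError:
        return False              # malformed token
    if not hmac.compare_digest(sig.encode(), _sig(payload)):
        return False              # forged or altered token
    if now > expires or pending.get(email) != nonce:
        return False              # expired, replayed or superseded
    del pending[email]
    confirmed.add(email)
    return True

def mailable() -> set:
    """Only confirmed addresses ever reach the mailing list."""
    return set(confirmed)

if __name__ == "__main__":
    t0 = 1_000_000                                # constructed clock value
    token = signup("victim@example.com", t0)      # address typed in by someone else
    print(mailable())                             # still empty: nobody clicked the link
    print(confirm(token, t0 + 60), mailable())    # only the mailbox owner can do this
```

A deliverability check would accept the address in `signup` and stop there; here the address is unusable until whoever controls the mailbox acts on the message.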
 

Related Posts

Data is the key to deliverability

Last week I had the pleasure of speaking to the Sendgrid Customer Advisory Board about email and deliverability. As usually happens when I give talks, I learned a bunch of new things that I’m now integrating into my mental model of email.
One thing that bubbled up to take over a lot of my thought processes is how important data collection and data maintenance is to deliverability. In fact, I’m reaching the conclusion that the vast majority of deliverability problems stem from data issues. How data is collected, how data is managed, how data is maintained all impact how well email is delivered.
Collecting Data
There are many pathways used to collect data for email: online purchases, in-store purchases, signups on websites, registration cards, trade shows, fishbowl drops, purchases, co-reg… the list goes on and on. In today’s world there is a big push to make data collection as frictionless as possible. Making collection processes frictionless (or low friction) often means limiting data checking and correction. In email this can result in mail going to people who never signed up. Filters are actually really good at identifying mail streams going to the wrong people.
The end result of poor data collection processes is poor delivery.
There are lots of ways to collect data that incorporate some level of data checking and verifying the customer’s identity. There are ways to do this without adding any friction, even. About 8 years ago I was working with a major retailer that was dealing with an SBL listing due to bad addresses in their store signup program. What they ended up implementing was tagged coupons emailed to the user. When the user went to the store to redeem the coupons, the email address was confirmed as associated with the account. We took what the customers were doing anyway, and turned it into a way to do closed loop confirmation of their email address.
Managing Data
Data management is a major challenge for lots of senders. Data gets pulled out of the database of record and then put into silos for different marketing efforts. If the data flow isn’t managed well, the different streams can have different bounce or activity data. In a worst case scenario, bad addresses, like spamtraps, can be reactivated and lead to blocking.
This isn’t theoretical. Last year I worked with a major political group that was dealing with an SBL issue directly related to poor data management. Multiple databases were used to store data and there was no central database. Because of this, unsubscribed and inactivated addresses were reactivated. This included a set of data that was inactivated to deal with a previous SBL listing. Eventually, spamtraps were mailed again and they were blocked. Working with the client data team, we clarified and improved the data flow so that inactive addresses could not get accidentally or unknowingly reactivated.
Maintaining Data
A dozen years ago few companies needed to think about any data maintenance processes other than “it bounces and we remove it.” Most mailbox accounts were tied into dialup or broadband accounts. Accounts lasted until the user stopped paying and then mail started bouncing. Additionally, mailbox accounts often had small limits on how much data they could hold. My first ISP account was limited to 10MB, and that included anything I published on my website. I would archive mail monthly to keep mail from bouncing due to a full mailbox.
But that’s not how email works today. Many people have migrated to free webmail providers for email. This means they can create (and abandon) addresses at any time. Free webmail providers have their own rules for bouncing mail, but generally accounts last for months or even years after the user has stopped logging into them. With the advent of multi gigabyte storage limits, accounts almost never fill up.
These days, companies need to address what they’re going to do with data if there’s no interaction with the recipient in a certain time period. Otherwise, bad data just keeps accumulating and lowering deliverability.
Deliverability is all about the data. Good data collection and good data management and good data maintenance results in good email delivery. Doing the wrong thing with data leads to delivery problems.
 
 


Sending mail to the wrong person, part eleventy

Another person has written another blog post talking about their experiences with an email address a lot of people add to mailing lists without actually owning the email address. In this case the address isn’t a person’s name, but is rather just what happens when you type across rows on the keyboard.
These are similar suggestions to those I (and others) have made in the past. It all boils down to allowing people who never signed up for your list, even if someone gave you their email address, to tell you “This isn’t me.” A simple link in the mail, and a process to stop all mail to that address (and confirm it is true if someone tries to give it to you again), will stop a lot of unwanted and unasked for email.


Can you verify email addresses in real time?

In a recent discussion about spamtraps and address lists and data collection a participant commented, “[E]very site should be utilizing a real-time email address hygiene and correction service on the front end.” He went on to explain that real time hygiene prevents undeliverable addresses and spamtraps and all sorts of list problems. I was skeptical to say the least.
Yes, there are APIs that can be queried at some of the larger ISPs to identify if an account name is taken, but this doesn’t mean that there is an associated email address. Yes, senders can do a real time SMTP transaction, but ISPs are quick to block SMTP transactions that quit before DATA.
I decided to check out one service to see how accurate it was. I’m somewhat lucky in that I created a username at Yahoo Groups over a dozen years ago but never activated the associated email address. This means that the account is shown as taken and no one else can register that address at Yahoo. But the address doesn’t accept any mail.
