Linking identities to email addresses

As I predicted yesterday, a bunch of sites have popped up where you can input email addresses and find out if the address was part of the Ashley Madison hack. My spam trap address isn’t on it, which makes me wonder if unsubscribe data was kept elsewhere or if they just never bothered to save the requests.
One of the things I’m seeing in most articles about the hack is reassurance that Ashley Madison doesn’t verify addresses, so the accounts may not belong to the email address in question. We can’t say that the email address owner is the cheater, because Ashley Madison didn’t care who owned the email address.
The warnings have been published in security blogs.

Ashley Madison didn’t do any kind of email / ownership verification for new accounts.
Provide a fake email to Ashley Madison, get started with all free features immediately.
Yes, the really quick way to build a user base; a minimum of effort needed to get started. Graham Cluley, July 2015 (emphasis original)

The warnings have been published on television news sites.

It’s also important to note that Ashley Madison users aren’t required to verify their email addresses, meaning some found in the dump may have been hijacked by Ashley Madison users seeking to keep their own email addresses off their accounts. ABC News

Even financial reporting sites are mentioning the unverified email addresses.

Several reporters and security researchers have said the data dump appears legitimate, but, to be sure, that doesn’t mean the emails are. AshleyMadison.com doesn’t verify users’ email addresses after they sign up, which means people can make up fake emails or use the addresses of others when creating accounts. Marketwatch

In this case, some email address owners, whether or not they created the account at Ashley Madison, may face repercussions in real life: folks who are already in rocky relationships now have to explain why their email address shows up in the data dump. Some articles suggest military members may face problems because their information is in the data dump. Had Ashley Madison taken some step, any step, to confirm the addresses belonged to the people signing up, that would not be as big a concern. But they chose not to do any email verification. Even worse, people who wanted to clear up the accounts were asked to pay money to remove the account from the database.
Email addresses are becoming more and more important identifiers of our online identity. Almost everything we do online, particularly in terms of commerce, is tied to an email address. Too few companies actually verify that the email address belongs to the person who submitted it. Companies resist verification. They want the easy signup and the fast accumulation of “users.” Verification creates friction. It also creates overhead and process. It leads to unconfirmed email addresses in the database just sitting there doing nothing. Organizations don’t want to verify email addresses because it’s hard to do and relies on the recipient taking some action.
This can lead to problems for the recipients, but it can also lead to problems for the organizations. At least half of my consulting clients come to me with delivery problems that can be traced back to them not doing any address verification. They don’t make sure the address belongs to the person who gave it to them, they get bad data on their lists, and then they get blocked or put on the SBL (the Spamhaus Block List) for spamming.
I’m sure someone is going to tell me that there are a half dozen or so “address verification companies” that help with this issue. Except they don’t do anything to address the problem of someone giving an email address that doesn’t belong to them. Nothing any of the verification services do connects the email address to the person who submitted it. They just test to see if an address is deliverable. Many of my clients are using address verification to “clean” their lists and are still seeing SBL listings and other delivery problems.
Failure to verify email addresses leads to problems for the organizations collecting addresses. We’ve now seen it can lead to problems for the people who have their addresses forged. It’s beyond time for organizations to step up and treat address verification, real address verification, as a vital part of their signup process.
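One way to implement the ownership check the post is asking for: a confirmed opt-in flow in which a submitted address is held as unconfirmed and becomes mailable only after a time-limited, HMAC-signed link sent to that mailbox is clicked. This is an added example, not code from the original post; the signing key, the one-day TTL, the SignupStore class and the injectable clock are assumptions made for the illustration.

```python
import hashlib
import hmac

# Constructed key for this example; a real deployment loads it from a secrets store.
SECRET_KEY = b"example-signing-key-not-for-production"
TOKEN_TTL = 24 * 3600  # a confirmation link is honoured for one day


def make_token(email: str, issued_at: int) -> str:
    """Return 'issued_at.mac'; the MAC binds address and time to the key, so a link minted for one address cannot confirm another."""
    msg = f"{email.lower()}|{issued_at}".encode()
    return f"{issued_at}." + hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def check_token(email: str, token: str, now: int, ttl: int = TOKEN_TTL) -> bool:
    """True only if the token was minted for this address and has not expired."""
    try:
        issued_at = int(token.split(".", 1)[0])
    except ValueError:
        return False
    if issued_at > now or now - issued_at > ttl:
        return False
    # Constant-time comparison so the MAC cannot be guessed byte by byte.
    return hmac.compare_digest(make_token(email, issued_at), token)


class SignupStore:
    """Confirmed opt-in: an address is mailable only after its owner clicked."""

    def __init__(self, clock):
        self.clock = clock      # injectable time source returning seconds
        self.pending = {}       # email -> issued_at of the outstanding link
        self.confirmed = set()

    def signup(self, email: str) -> str:
        """Record the address as unconfirmed; return the token for the confirmation mail, which only the mailbox owner can read."""
        email = email.lower()
        self.pending[email] = self.clock()
        return make_token(email, self.pending[email])

    def confirm(self, email: str, token: str) -> bool:
        """Called when the link is clicked; until this succeeds the address is never mailed."""
        email = email.lower()
        if email not in self.pending or not check_token(email, token, self.clock()):
            return False
        del self.pending[email]
        self.confirmed.add(email)
        return True

    def can_mail(self, email: str) -> bool:
        return email.lower() in self.confirmed
```

A deliverability-only check (the model the post criticises) would stop at `signup`; the `confirm` step is what ties the address to the person who can actually read that mailbox.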

Related Posts

Email verification services

Just yesterday a group of delivery folks were discussing email verification services over IRC. We were talking about the pros and cons, when we’d suggest using them, when we wouldn’t, which ones we’ve worked with and what our experiences have been. I’ve been contemplating writing up some of my thoughts about verification services but it’s a post I wanted to spend some time on to really address the good parts and the bad parts of verification services.
Today, Spamhaus beat me to the punch and posted a long article on how they view email verification services. (I know that some Spamhaus folks are part of that IRC channel, but I don’t think anyone was around for the discussion we had yesterday.)
It’s well worth a read for anyone who wants some insight into how email verification is viewed by Spamhaus. Their viewpoints are pretty consistent with what I’ve heard from various ISP representatives as well.
In terms of my own thoughts on verification services, I think it’s important to remember that the bulk of the verification services only verify that an address is deliverable. The services do not verify that the address belongs to the person who input it into a form. The services do not verify that an address matches a purchased profile. The services do not verify that the recipient wants email from the senders.
Some of the services claim they remove spamtraps, but their knowledge of spamtraps is limited. Yes, stick around this industry long enough and you’ll identify different spamtraps, and even spamtrap domains. I could probably rattle off a few dozen traps if pressed, but that’s not going to be enough to protect any sender from significant problems.
Some services can be used for real time verification, and that is a place where I think verification can be useful. But I also know there are a number of creative ways to do verification that also check things like permission and data validity.
From an ESP perspective, verification services remove bounces. This means that ESPs have less data to apply to compliance decisions. Bounce rate, particularly for new lists, tells the ESP a lot about the health of the mailing list. Without that, they are mostly relying on complaint data to determine if a customer is following the AUP.
Spamhaus talks about what practices verification services should adopt in order to be above board. They mention actions like clearly identifying their IPs and domains, not switching IPs to avoid blocks and not using dozens or hundreds of IPs. I fully support these recommendations.
Email verification services do provide some benefit to some senders. I can’t help feeling, though, that their main benefit is simply lowering bounce rates and not actually improving the quality of their customers’ signup processes.


Email verification – what are we verifying

One of the ongoing discussions in the email space is the one about address verification. Multiple companies have sprung up to do “real time” email address verification. They ensure that addresses collected at the point of sale are valid.
But what does valid mean? In most of these contexts, valid means that the addresses don’t bounce and aren’t spam traps. And that is one part of validating email addresses.
That isn’t the only part, though. In my opinion, an even more important thing to validate is that the email address belongs to the person giving it to you. The Consumerist has had an ongoing series of articles discussing people getting mis-directed email from various companies.
Today the culprit is AT&T, who are sending a lot of personal information to an email address of someone totally unconnected to that account. There are a lot of big problems with this, and it’s not just in the realm of email delivery.
The biggest problem, as I see it, is that AT&T is exposing personally identifiable information (PII) to third parties. What’s even worse, though, is that AT&T has no process in place for the recipient to correct the issue. Even when notified of the problem, support can’t do anything to fix the problem.


Opt-in Reconfirmation in the Wild

What’s an opt-in reconfirmation email? It’s also called, as fellow blogger Al Iverson mentioned lately, a re-engagement email or a permission pass email.
Al links to DJ Waldow’s write up on Shop.org’s recent re-engagement strategy, and today I see that Janine Popick, CEO of VerticalResponse, is talking about Coach’s turn at culling their list through this process. What’s interesting here is that, according to Janine, Coach didn’t target this reconfirmation email only at recipients who never open or click. She says she does both, regularly, and received this email message anyway. Another friend of mine, who is also a Coach subscriber, reports to me that she receives regular emails from them (most recently just about ten days ago), but that she did not receive this reconfirmation email message.
