Slashdot Mirror
When Does Signing Up Become 'Opting In?'
AmyVernon writes "This piece from RWW got me thinking about whether, when you sign up for access to a site, you're actually signing up to get a slew of email spam from them. The single opt-in is still really popular, which I've noticed because I often check the box indicating I don't want further emails from a company or publisher. I always assume that giving my actual email address means I'm going to get spam-type emails from whomever. It still surprises me that most people don't. But it does raise a good question: Shouldn't you be able to sign up for something without automatically being signed up for a never-ending stream of 'updates?'"
This is very, very slowly getting through to the managers, though.
I had a boss not too long ago who simply assumed that everyone who ever bought a product wants to get our newsletter. I warned him that we might end up on blacklists, he chose to belittle my being a scaredy-cat and ignore me.
Last I heard is that he's fighting a losing uphill battle to get off the various spam blacklists because NONE of his emails get to their recipients anymore, and he noticed that it's not building trust in a company when you have to phone a possible business partner who has a commercial spam filter to tell him that he has to dig through his spam for your mail.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
I worked for a company that had a manager who insisted on sending out a newsletter to everyone in the company customer database. We warned him that was illegal. We warned him that would be spamming.
He refused to listen and ordered the email sent.
The entire company was blocked from sending emails less than 24 hours later.
You should have seen him rant and rave about the importance of getting the emal "fixed." His manager found out about the "newsletter", and fired him on the spot.
I do not fail; I succeed at finding out what does not work.
Sign up using a throwaway account that is name-related to the site you are signing up to. That way you will always know who are the ones that send you spam, or sell your address to spammers.
gmail accounts don't care about dots in your email user name - which makes it easy to tell who leaks your email address to spammers. Eg. sign up to gmail and dickhead@gmail.com - then sign up to slashdot as dick.head@gmail.com. All spam addressed to dick.head@gmail.com came via slashdot. NOTE: slashdot doesn't sell email addresses - but I certainly caught companies doing using this technique.
If you are a business you HAVE to. From the start I made my mailing list completely opt-in. That doesn't stop AOL users from using the spam button instead of the prominent link at the top that gracefully removes them from the list. You can't have customers not receiving order confirmations or order updates or have business email blackholed because some webmail users decide they don't want your mail anymore.
Blame that on all the asshats sending spam who take a link to opt out as a confirmation that your email address is live and proceed to sell it to ten more spam lists. Simple people need simple rules so the rule became to always click the spam button and never any opt out link. To fix this you'd have to fix the email system so we can tell the real opt-ins from the linkbait.
Live today, because you never know what tomorrow brings
There's two different types of spam. One is commercial email that is sent legitimately but which you don't want
I would argue that if they autosubscribed me without asking, or actively ignored the preference I made when I signed up (both of which are illegal in this country) then it is not "sent legitimately". True, they tend not to fake the sender, but they are indistinguishable from spam sent from false identities (at least, not trivially distinguishable), and you therefore can't trust the "unsubscribe" link will actually unsubscribe you rather than harvesting your address (also, would you trust such a link if the sender had previously ignored your preferences anyway?).
In the other hand, in some cases there is a real problem with sending spam. I have in the past dealt with a bank (who I closed my accounts with then they started with this) who took to emailing me with marketing. The emails came from a domain that wasn't identical to their normal domain and instructed me to follow a link to a website which, again, wasn't their normal trading domain. The email told me that I could verify that it was legitimate because it contained some trivial PII (I think it was the first half of my postcode, or something similar... basically something that pretty much anyone could find out). So there are 2 problems here:
1. The bank is teaching people that they can authenticate an email based on some very spoofable details instead of securely signing it using a readily available, standard and widely supported technology such as S/MIME.
2. The bank is teaching their customers that it is ok to follow links in emails to random websites claiming to be their bank but being served from a domain that isn't recognisably the bank's own domain.
Whilst the website in question was purely marketing and didn't ask for any personal details, it strikes me that it was a little too close to what phishing looks like and that teaching the general public that they can expect their bank will communicate in this way is a Bad Thing... A good chunk of the public don't have a good enough grasp of security to consider the difference between this and a phishing mail.
http://blog.nexusuk.org