Building Trust 7 November 2016

Don’t Be a Tool – Verifying Subscriptions and Honoring Unsubscribes

By Jeff Wilbur, Senior Director, Online Trust

This summer the email marketing industry suffered a setback due to “list bomb” attacks in which thousands of targeted users were unknowingly subscribed to tens of thousands of mailings. In these attacks, ESP infrastructure and highly-reputed brands were used as a means to effectively create a “denial of service” against user inboxes, and email originating from many ESPs and brands was blocked by Spamhaus until the situation was better understood. Could this have been prevented?

Investigation into the list bomb attacks highlighted two key points – the bulk of the subscriptions were automated, and few used “confirmed opt-in” (COI) to verify the subscriptions. This put users on the defensive, forcing them to unsubscribe from each bogus subscription to stop the inbox barrage.

As part of its recently released 3rd annual Email Marketing and Unsubscribe Audit report, OTA looked at the signup and verification practices of the top 200 online retailers. Only 3% of retailers used a CAPTCHA to prevent automated signups and only 6% used COI to confirm subscriptions. While use of such methods does increase signup friction, it also prevents bad actors from using the email marketing infrastructure as an attack tool. OTA encourages marketers to examine their use of CAPTCHA and COI to protect themselves and consumers from attack, and even to offer verbiage on signup pages explaining how these practices help protect all involved.

Other key findings in the report were mixed – on the whole, retailers are honoring unsubscribes faster than ever (86% stopped sending immediately), yet 6% did not stop sending at all (up from 2% last year), violating CAN-SPAM and CASL. Of the ten best practices scored in the Audit, adoption rose for five – use of the unsubscribe header, ability to opt out of all email, use of a confirmation web page, use of a branded unsubscribe page and immediately stopping the subscription. Adoption dropped for the other five criteria – clear and conspicuous presentation of the unsubscribe link, text that is easy to read, use of commonly understood “unsubscribe” language, use of preference centers or opt-down choices during the unsubscribe process and solicitation of customer feedback on why they are unsubscribing. Surprisingly, 6% of retailers either never responded to the subscription or sent a confirmation but then never sent a newsletter or promotion email, thereby wasting the opportunity.

OTA encourages marketers to review the Audit results and take a close look at their own practices in light of the recent list bomb attacks, the practices of other retailers, and shifts in the regulatory environment. By making conscious choices about the entire process – from signup to mailing to unsubscribes – potential attacks and associated disruptions will be reduced and consumers will be better engaged. The resulting benefits are broad, not only to users and your brand, but also to the integrity of the email channel and the resiliency of the internet itself. 

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.
