Do you want an obituary for your email programs very soon?
Many a time, email marketers turn a deaf ear when we ask them to pay greater attention to their email list acquisition processes and practices. In August 2016, many of them ended up paying a hefty price by simply not being able to send any email on their infrastructure. Sadly, many Email Service Providers (ESPs) burned their fingers in the ordeal too.
The sequence started as follows: cyber criminals used bots to perform massive sign-ups through open and poorly secured web signup forms. These addresses got added to the mailing lists of many email marketers, doing the greatest damage to companies that simply accept every address submitted to their subscription form without any form of verification or confirmation. Sadly, the attack was so malicious that even companies following COI (Confirmed Opt-In) were not spared, as the volume of confirmation requests generated was by itself sufficient to damage their sending reputation.
Spamhaus, one of the major blacklist and spam source monitoring agencies, reports: “It is interesting and concerning that the attacks were not all composed of list subscription responses; half consisted of account sign-ups at WordPress sites, so the emails were also seemingly legitimate, as they contained the new account credentials. This means the onus of stopping this kind of attack is not only on ESPs or mailing list owners. It is on everyone that has any sort of web-based signup that results in an email being sent: somebody clearly spent a great deal of time assembling URLs of mailing lists, and of account sign up pages, and has written a script to submit addresses to them at speed. We suspect that this was a test run for a tool that will soon be offered for sale in the ‘Underground Economy’: Mail-bombing as a Service – MaaS.”
In response, Spamhaus started listing all the IPs it presumed to be the major sources of the list bombs, to mitigate the damage. (I am not sure how error-free this approach was, as there could have been many cases of false positives and false negatives too; even we had one of our IP pools listed. Though we got delisted, the time and effort were elaborate and painful.)
ESPs across the world know this is going to be an ongoing challenge and should take the following proactive steps:
1. Educate their customers to ensure that they have fool-proof, secure signup forms. We need to make a CAPTCHA such as Google’s reCAPTCHA mandatory. The smartest marketers will be those who proactively follow COI and maintain a CAPTCHA on their signups.
2. If your company has genuine reasons not to have a CAPTCHA implemented directly in its web forms, keep one ready proactively so that you can “turn it on” as and when required. There will be scenarios where you suspect a malicious attack on your website and your web administrator finds that all your other defenses have failed; at that moment you need to go live with the CAPTCHA immediately. You should not end up developing and integrating one in fire-fighting mode!
3. Continuous monitoring and rectification measures to catch erratic data additions and spikes in auto-scheduled email communications (for instance, a sudden spike in triggered welcome emails on any of the customer lists should call for immediate action).
4. Quality matters, not quantity! It is the biblical rule for your customer acquisition programs. The only way, and the best way, to build quality is to have proper permission from each user on your mailing list.
5. Global ESPs and other stakeholders should collaborate more transparently to gain greater access to alarming data trends and build proactive system measures that keep the spammers at bay. The question is: who will bell the cat?
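Steps 2 and 3 above can be wired together: a sliding-window monitor on the signup endpoint that watches for the sign-up spike a list bomb produces and, the moment it trips, flips the pre-built CAPTCHA on rather than leaving the decision to a fire-fight. The code below is an added illustration written for this post, not code from the author or from Spamhaus; the thresholds, the timestamps and the sample sign-up feed (documentation IP ranges 203.0.113.0/24 and 198.51.100.0/24) are all constructed, and real thresholds should come from your own baseline sign-up rate.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class SignupGuard:
    """Sliding-window monitor for a web signup endpoint (constructed example).

    Two thresholds are checked on every sign-up:
      * total sign-ups in the window (a list-bombing spike), and
      * sign-ups from a single source IP in the window (one scripted client).
    Crossing either one raises an alert and turns the CAPTCHA on.
    The threshold values are placeholders; tune them from your own baseline.
    """
    window_seconds: int = 60
    max_total_per_window: int = 20
    max_per_ip_per_window: int = 3
    events: deque = field(default_factory=deque)   # (timestamp, ip), oldest first
    captcha_required: bool = False

    def _prune(self, now: int) -> None:
        # Drop events that have fallen out of the window.
        while self.events and now - self.events[0][0] > self.window_seconds:
            self.events.popleft()

    def record(self, ts: int, ip: str):
        """Record one sign-up; return an alert reason or None."""
        self._prune(ts)
        self.events.append((ts, ip))
        total = len(self.events)
        per_ip = sum(1 for _, src in self.events if src == ip)
        if per_ip > self.max_per_ip_per_window:
            self.captcha_required = True
            return f"{per_ip} sign-ups from {ip} within {self.window_seconds}s"
        if total > self.max_total_per_window:
            self.captcha_required = True
            return f"{total} sign-ups within {self.window_seconds}s (baseline exceeded)"
        return None

    def needs_captcha(self) -> bool:
        """The form handler asks this before rendering: once tripped, render the CAPTCHA."""
        return self.captcha_required


def build_sample_events():
    """Constructed sample feed: a quiet baseline followed by a scripted burst.
    Timestamps are arbitrary epoch seconds; IPs are from documentation ranges."""
    base = 1_470_000_000
    events = []
    for i in range(5):  # one genuine sign-up every two minutes, distinct sources
        events.append((base + i * 120, f"203.0.113.{10 + i}", f"user{i}@example.com"))
    burst_start = base + 600
    for i in range(30):  # 30 sign-ups in 15 seconds from three scripted sources
        events.append((burst_start + i // 2, f"198.51.100.{i % 3}", f"victim{i}@example.org"))
    return events


def replay(events, guard=None):
    """Feed sign-up events through the guard.
    Returns (alerts, captcha_on) where alerts is a list of (event_index, reason)."""
    guard = guard if guard is not None else SignupGuard()
    alerts = []
    for idx, (ts, ip, _email) in enumerate(events):
        reason = guard.record(ts, ip)
        if reason:
            alerts.append((idx, reason))
    return alerts, guard.needs_captcha()


if __name__ == "__main__":
    alerts, captcha_on = replay(build_sample_events())
    print(f"first alert at event #{alerts[0][0]}: {alerts[0][1]}")
    print(f"captcha enabled: {captcha_on}, total alerts: {len(alerts)}")
```

On the constructed feed the five baseline sign-ups pass silently; the per-IP rule trips on the fourth sign-up from the same scripted source, before the overall count crosses its limit, and from that point the handler serves the CAPTCHA to every request. In production the same per-IP and per-window counters can be kept in a shared store so that every web node sees the same state, and the alert should also reach whoever owns the welcome-email trigger, since that is where the spike shows up next.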
The concluding note from Spamhaus is very factual but alarming too for all stakeholders, especially those who pay less attention to their customer acquisition processes. It reads as follows:
“Internet harassment is not going away. In fact, it is becoming a bigger and bigger problem; the fact that this first wave has died down should not be a reason to become complacent. This situation should be viewed as a call to arms by all senders, ESPs, and any businesses that utilize online sign up methods. They need to neutralise the attack vectors, educate their customers, tighten their policies and ensure they cannot be used as a conduit for personal or corporate harassment or DDoS attacks meant to disrupt online activities.”
If you still believe that Single Opt-In (Unconfirmed Opt-In) is the way to go to acquire new customers, I would strongly recommend following the link to better understand the long-term risks and the legal hazards that will welcome your email programs, and mind you, in the near future.