Download the authoritative guide: Cloud Computing 2018: Using the Cloud to Transform Your BusinessCan you trust a major corporation to keep your e-mail address out of spammers' hands after you fill out the company's unsubscribe form?
Not always, according to a service that tracks what happens when addresses are submitted to unsubscribe mechanisms on the Web.
I wrote last week that a service called Lashback LLC has tested some 170,000 different "remove me" procedures that it's found on the Internet. This small antispam firm says it's already caught some big fish in its net.
Riches from Nigeria
According to an "unsubscribe abuse report" posted at the Lashback site, the service unsubscribed from Gevalia's gourmet-coffee promotions using a unique, never-before-seen e-mail address on Oct. 25, 2005. In the overwhelming majority of the thousands of unsub forms Lashback has tested, the request works and no more e-mail is received.
On Jan. 20, 2006, however, Lashback began receiving spam messages to its virgin address. The first one came from "Barrister Mark":
"I am MARK EDMUND (Esq.) a Solicitor. I am the Personal Attorney to Mr. Fredrick Lauderdale, a national of your country, who is an oil merchant in Nigeria. On the 21st of April 2001, my client, his wife and their two children were involved in a car accident along Sagbama Express Road Balyasa State, here in Nigeria. All occupants of the vehicle unfortunately lost their lives. Since then I have made several inquiries to locate any of my clients extended relatives, this has proving unsuccessful."
The message went on to offer the recipient -- which was just a made-up e-mail address, as you recall -- a share of the estate, worth "USD$12 MILLION." For some reason, the attorney proposed to keep 60 percent for himself, assigning only 40 percent for the next of kin and the payment of taxes. Some steep attorney's fees they have in Nigeria.
This message is obviously fraudulent, and the other messages that arrived weren't much better. Lashback's test e-mail address has received more than two dozen spam messages since the problem began, according to documentation Phillips sent me.
A spokesman for Kraft Foods, Larry Baumann, told me in a telephone interview, "Gevalia and Kraft have a zero-tolerance policy for spam. We have very strict policies in place, both internally and with our vendors, that govern our e-mail communications with consumers.
"We have a password-protected, secure site where we post our suppression list," Baumann continued. "That list is updated daily, and our affiliates are required to upload the file."
How Unsub Addresses Get to Spammers
When Lashback finds an unsubscribe mechanism that results in the submitted e-mail addresses receiving spam, is it because the operators of the unsub forms sold the addresses to spammers? Not necessarily.
There's no way to say for sure what happened in Gevalia's case. But one clue can be found at the bottom of one promotional message for the company's products: "This message was sent to you by a trusted affiliate."
Many companies pay commissions on sales made by affiliates who send promotions to their various e-mail lists. Under the CAN-SPAM Act, which went into effect in the U.S. in January 2004, companies that promote their products via bulk e-mail must honor unsubscribe requests. These companies are also required to make every subsidiary or agent stop sending e-mail to the people who said, "Remove me."
Many corporations, therefore, maintain lists of e-mail addresses that have requested cancellation. If these lists are provided to affiliates so they can remove the names from their e-mailings, it takes only one dishonest affiliate to sell the entire list to spammers.
E-mail addresses of these so-called suppression lists could be very attractive to spam marketers. When an address is submitted to an untrustworthy unsubscribe form, it proves that:
• 1. The e-mail address is valid;
• 2. Someone reads e-mails sent to that address; and
• 3. The recipient is comfortable enough with the Internet to correctly enter data into a Web form.
These are the minimum qualifications needed to place an order for something that spammers might want to advertise.
Keeping Suppression Lists Private
This kind of problem with unsubscribe lists is exactly why the U.S. Federal Trade Commission recommended in 2004 that Congress not create a "do-not-email" registry. Unfortunately, the fact that the suppression lists required by the CAN-SPAM Act get into the hands of spammers is just one of the negative side-effects of that poorly drafted legislation.
In a telephone interview, Lashback's Phillips says companies that provide suppression lists to affiliates should, at a minimum, seed the lists with unique, "decoy" addresses so privacy violators can be identified.
Although this could get a dishonest affiliate banned, it wouldn't help the people whose addresses were turned over to spammers. A better solution, Phillips says, is for companies to contract with go-between services that can "scrub" the lists of affiliates. That way, the addresses on the unsubscribe list never get into outsiders' hands. The leading third-party scrubbing service is UnsubCentral, an offshoot of e-mail service provider Skylist.
Despite the bad apples, Lashback's methodical testing of unsubscribe mechanisms shows that about 92.5 percent of them are trustworthy and don't lead to more spam.
To find out whether a particular unsub form can be trusted or not, enter the domain name of the particular site into Lashback's free lookup form:
If a newsletter comes from a legitimate publisher, you should always use its unsubscribe mechanism. But you should never enter an address into unsub forms that are friendly to spammers.
Fortunately, with Lashback's new lookup tool, it's now easy to tell the difference.