Down in the trenches, as it were, I see a lot of miscommunication and misdirection on the subject of confirmed opt-in/double opt-in. Here are some quick notes, thoughts spurred by recent discussion on various forums I participate in.

Confirmed opt-in and double opt-in both mean the following and only the following: A potential recipient submits an email address at a web page. This triggers a confirmation request email. No further emails are sent to the end recipient until and unless they take positive action to confirm the subscription in response to this confirmation request email. That means the person who received the confirmation message has to click on a link (or respond to a token, but I prefer the link method) to confirm the subscription. If they didn’t do that, then you don’t consider them opt-in, and you don’t email them further.

Sometimes you have people doing the right thing but in the worst possible way: don’t be like Goofus and pound on unconfirmed recipients over and over and over, unless you like poor deliverability. A second confirmation request might be reasonable, but anything more and you’re guaranteeing spam complaints against you. It defeats the whole purpose (improved deliverability) of doing the right thing.

If somebody uses the term confirmed opt-in to mean filling out a web form and receiving an email saying “Your subscription is confirmed. If this is incorrect, click here,” then they are mistaken. This isn’t confirmed opt-in or double opt-in. It’s a signup form with a welcome message. The welcome message lets the recipient opt out if necessary, and that’s great, but it’s not confirming anything as far as the opt-in police (ISPs, blacklists, etc.) are concerned. I see a lot of confusion surrounding this and it’s important to remember the following: it’s not confirmed opt-in or double opt-in unless the recipient has to take that active step of clicking on a YES link or taking some other YES-affirming action.

Confirmed opt-in doesn’t make it okay to buy/sell lists. If somebody offers to sell you a “guaranteed double opt-in list that they’ve been compiling for years and it’s super awesome and you’ll get great response!!!”, run for the hills. There’s no way that people on this list know about you or expect to get your email. It might be totally legal, but it’ll put you on the fast track to getting blocked by all the large ISPs. (And the list seller is probably lying about it being double opt-in, anyway.) (Looking for legit ways to build your list? Here’s a previous article on the topic.) And if you’re taking your confirmed opt-in list and selling it, everybody buying it is a sucker. All of those people are going to start sending to that list, diluting its value, driving high spam complaints, and regardless of how clear the opt-in was, people who send to it are going to get blocked.

I spend lots of time working with clients undoing damage from co-reg lists, append lists, etc., because somebody told the client (before I was involved) that this list is guaranteed opt-in and it’ll have a great match rate, everybody wants to hear from you, and it’ll drive great response. So the client signs on the dotted line, some append list does a poor opt-out introduction email, then passes over any addresses that don’t opt out, and you never hear from them again. And then the client struggles with deliverability starting about a week later, and lasting for months. They end up pulling me into the loop (because, of course, I’m awesome!) to figure out what went wrong, and fixing the problem inevitably boils down to jettisoning these non-direct-opt-in list segments. Save your money and avoid this in the first place.

There are best practices you can and should apply to confirmation emails just like you would for any other email you send.

  • HTML tends to work better (drive a higher confirmation completion rate) than text. My tests have always confirmed this. Maybe it won’t work for you so test it if you’re concerned that this won’t be the case.

  • Branding is important. Make sure people know that the message is from you. From line, subject line, and header in the email should all refer to the sender. A logo is an excellent idea, but also make sure the email degrades gracefully if images are blocked by the recipient.

  • The opt-in process should be nothing more than a simple, easy-to-click hyperlink. Nothing fancy, no captchas, no enter a code, etc. (But make sure that link can’t be spoofed to opt in a different recipient: the address being confirmed has to be bound to the link itself, not carried in a parameter anyone can edit.)

  • Include clear wording that says what the person is signing up for, how often you’re going to send them emails, and how they can unsubscribe from the list if/when they change their mind.

  • Include information about the source of the opt-in request. The IP address from which the web form was submitted, and the date/time (with time zone), are necessary bits of data to include. (You’re tracking this already, right? If not, uh oh.) What this does is allow people who get forged subscription requests to hunt down the source ISP on their own and leave you alone. Anti-spam groups really like this step.

  • Short and sweet is the key. If it takes a three-page email to explain why people want to opt in or how to confirm, then you’re doing something wrong. Recipients’ eyes will glaze over and your confirmation rate will suffer. You should be able to fit the key messages of why to opt in, how to opt in, and anything else you want to convey, in just a few inches of email.
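As an added example (not code from Al Iverson’s post), here is one way to implement two of the points above together: a confirmation link that can’t be spoofed to opt in a different address, and a confirmation message that carries the source IP and timestamp of the request. The address, signup IP and issue time are bound into one HMAC-signed token, so the confirming click proves possession of the mail sent to that address and a forged or edited link is rejected. The secret, TTL, hostname and function names are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Assumed server-side secret; a real deployment loads it from a secret store.
SECRET = b"example-confirmation-secret-replace-me"
TOKEN_TTL = 7 * 24 * 3600               # confirmation links stop working after a week
SIG_LEN = hashlib.sha256().digest_size  # 32-byte MAC appended to the payload


def _sign(payload: bytes) -> bytes:
    return hmac.new(SECRET, payload, hashlib.sha256).digest()


def make_confirm_token(email: str, source_ip: str, issued_at: int) -> str:
    """Bind address, signup IP and time into one signed, URL-safe token.

    Because the address sits inside the signed payload, a link received
    by one person cannot be turned into a confirmation for someone else.
    """
    payload = json.dumps(
        {"e": email.strip().lower(), "ip": source_ip, "t": issued_at},
        separators=(",", ":"), sort_keys=True,
    ).encode()
    raw = payload + _sign(payload)
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def parse_confirm_token(token: str, now: int):
    """Return the signed payload (dict) if authentic and unexpired, else None."""
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except ValueError:
        return None
    if len(raw) <= SIG_LEN:
        return None
    payload, sig = raw[:-SIG_LEN], raw[-SIG_LEN:]
    # Constant-time compare: a forger learns nothing from response timing.
    if not hmac.compare_digest(_sign(payload), sig):
        return None
    try:
        data = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(data, dict) or not {"e", "ip", "t"} <= data.keys():
        return None
    if not isinstance(data["t"], int):
        return None
    # Reject stale links and links from the future (clock skew allowance: 5 min).
    if now - data["t"] > TOKEN_TTL or data["t"] > now + 300:
        return None
    return data


def forge_other_address(token: str, old_email: str, new_email: str) -> str:
    """What an attacker would try: edit the address but keep the original MAC.
    parse_confirm_token() must reject the result."""
    raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    payload, sig = raw[:-SIG_LEN], raw[-SIG_LEN:]
    forged = payload.replace(old_email.encode(), new_email.encode()) + sig
    return base64.urlsafe_b64encode(forged).rstrip(b"=").decode()


def confirmation_message(email: str, source_ip: str, issued_at: int,
                         base_url: str = "https://lists.example.com/confirm") -> str:
    """Plain-text confirmation request carrying the signed link plus the
    source IP and UTC timestamp, so a forged-signup victim can trace it."""
    when = datetime.fromtimestamp(issued_at, tz=timezone.utc)
    token = make_confirm_token(email, source_ip, issued_at)
    return (
        f"Someone asked to subscribe {email} to Example Newsletter.\n"
        f"Request received from IP {source_ip} on "
        f"{when.strftime('%Y-%m-%d %H:%M:%S %Z')}.\n"
        f"To confirm, click: {base_url}?t={token}\n"
        "If you did not request this, do nothing; no further mail will be sent."
    )
```

On the click handler, call parse_confirm_token() with the current time and subscribe only the address found inside the returned payload, never an address taken from another query parameter or from the logged-in session.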

You will find that none of this is a 100% guarantee against blacklisting. Sadly, you’ll find people who will attack you for doing COI/DOI just because they don’t like you, or they don’t like that somebody forged their address, or that your email contains HTML. Ignore them and do the right thing regardless. Why? Because the smart anti-spam folks who control the keys to the inbox at the large ISPs have significantly fewer issues with folks who run confirmed opt-in/double opt-in. If you do it and stick to it, you’ll get blocked much less often and have a strong message to convey to any anti-spam group or ISP who takes issue with you.

And finally, DON’T LIE! If I had a nickel for every time somebody lied to me about a list being confirmed opt-in, I’d be a rich man. How stupid do you think ISPs are? They can instantly tell when you’re hitting spamtraps, when too many of your mail attempts bounce, and when your mail generates too many complaints. Just because some ISPs provide data on this back to you doesn’t mean it’ll help you evade their filters and processes. Trust me, I’ve met most of these ISP guys, and they’re smarter than both me and you.

Read More… (From Al Iverson’s Spam Resource)

I don’t know what’s going on, but every so often I get an email message in Microsoft Entourage that doesn’t have any message body, even though the person who sent it insists that they included a message. via Ask Dave Taylor!
Read More… (From Email Spam News)

A new round of greeting-card spam that draws users to visit attack sites relies on a sophisticated multipronged, multiexploit attack to infect machines.
Read More… (From Spam News)

Some security vendors report a dramatic drop in pump-and-dump volumes, but others disagree.
Read More… (From Spam News)

30 Jun
Bits and pieces #2

Spam continues to evolve in interesting directions. Here’s a quick roundup of some recent developments.
Read More… (From Spamnation)

Two men were convicted in Arizona on charges of money laundering and transportation of obscene materials, in connection with running a pornographic spamming business.
Read More… (From Spam News)

Cruise.com has until the end of the week to decide whether to collect $330,000 in damages for being called a “spammer” by Mark Mumma, or seek a new trial.
Read More… (From Spam News)

A new type of image spam found this week is able to bypass many filters by presenting a message as wallpaper within an e-mail.
Read More… (From Spam News)

The US Department of Justice has warned email users against fraudulent email that pretends to be from the Department, but actually contains a Trojan downloader buried in a Word document.
Read More… (From Spam News)

OK, here’s one for the books. Spammer Bill Stanley created businesses called DefamationAction.com and ComplaintRemover.com which are, and I’m not making this up, “reputation services” dedicated to helping clients clear their good names by removing defamatory information about them from the internet.

Well, it ended about as well as you would expect. Stanley’s methods apparently consist of putting up defamatory web pages about, and making death threats to, web sites that won’t remove material his clients object to. For example, he sent this message to RipOffReport’s owner, Ed Magedson:

This letter is being sent to you in the name of more than 500 businesses. No matter where you go, we will cause you a problem. Your life is in danger until you comply with our demands. This is your last warning. …

Stanley has also targeted Magedson’s lawyers and business providers.

On May 11, an Arizona judge issued a restraining order against Stanley and others in the reputation services business. Needless to say, Stanley ignored the restraining order, leading to more unpleasantness in court on June 21.

For the full story, including much longer excerpts from Stanley’s death threats, visit c|net article Police Blotter: Dark side of ‘reputation defending’ service.
Read More… (From The Spam Diaries)

The war between spam gangs continues, as the Mpack trojan attempts to remove rival rootkits from computers it infects, and the authors of the Storm worm respond with counterattacks against servers used to configure Mpack.
Read More… (From Spam News)

Web-based attack poses as greeting card, tries three exploits (June 28, 2007): A new round of greeting-card spam that draws users to visit attack sites relies on a sophisticated multipronged, multiexploit … via Computerworld
Read More… (From Email Spam News)

My original plan when doing the series on sender authentication (which is not yet finished) was to write a series of uninterrupted posts. I didn’t want to break my momentum by diverting to another topic.

However, as serendipity would have it, the start of my series coincided exactly with the start of a new spam outbreak. I’ve been wanting to comment on it but at the same time wanted to maintain my discipline by staying on topic. My desires to do both were contradictory, and ultimately, my desire to comment on the latest spam outbreak has won out.

On our networks, we are seeing more traffic in the past three weeks than we have ever seen in the history of our network. And, it’s not by a small margin, it’s by a very large margin. In fact, Wednesday, June 27, we saw twice as many messages as the daily average for April and May. I’ve been commenting to others around the office that we are blocking more spam per day than McDonald’s sells hamburgers.

I don’t know what’s behind this latest outbreak. Perhaps Robert Soloway sold his zombie network to spammers who have woken up his sleeping giant; perhaps the virus outbreak we saw a couple of months ago was lying in stasis, just waiting to rear its ugly head. In any event, the spam breakout to the upside (which started in June) is definitely outside of the statistical parameters of standard deviation and we are, indeed, in a new blizzard of spam.

This reminds me of last year when we saw the same thing… at around the same time.


Read More… (From Terry Zink’s Anti-spam Blog)

‘Talktech Telemedia expects gains of 300% in next 5 trading sessions!’. MX Lab has intercepted the first stock spam messages on Wednesday that don’t have content or images attached to the email but instead a full PDF of the German Stock Insider.
Read More… (From Email Spam News)

Pesky phishers impersonate keepers of Justice

The US Department of Justice has issued a warning to the public urging them not to respond to a bogus email that purports to be from the DoJ.
Read More… (From The Register - Security: Spam)

Pesky phishers impersonate keepers of Justice

The US Department of Justice has issued a warning to the public urging them not to respond to a bogus email that purports to be from the DoJ.
Read More… (From The War on Spam)

Got an email last night that tugged at my worthy-cause heartstrings. But I don’t know if this is legitimate because it came to me through an unsolicited email (some might call it spam); it sounds too real to be … via ALLIED by Jeneane Sessum
Read More… (From Email Spam News)
