Graham Cluley is an award-winning security blogger, researcher, podcaster, and public speaker. He has been a well-known figure in the computer security industry since the early 1990s when he worked as a programmer, writing the first ever version of Dr Solomon’s Anti-Virus Toolkit for Windows.
Do you have a problem with spam?
I do, but perhaps not the one that you imagine.
You see, the anti-spam system I have in place does do a pretty good job of siphoning away offers to purchase fake doctorates, malware posing as attached invoices, and emails in Cantonese or Russian that are trying to sell me… well, I don’t know what they’re trying to see me as I don’t speak those languages.
But what’s more difficult to filter out are the legitimate newsletters that bombard my inbox.
Newsletters that I never signed-up for.
When you’ve been doing what I do as long as I have there are inevitably some folks who end up not liking you. Some of them might be online criminals, others may be folks who are upset about something I said on Twitter.
And a small number of these people might think it’s worth their effort to sign up my publicly-available email addresses to hundreds, no… thousands of legitimate newsletters and mailing lists that I have no interest in.
I’m not the only one who has suffered from these kind of “email bomb” attacks – which are the equivalent of a denial-of-service attack on your inbox.
The only saving grace is that the better-managed newsletters ask you to confirm that you really really want to receive emails from them. They do this by sending a single email – normally with a clickable confirmation link – to the email address entered on their subscription form.
If you don’t respond to the confirmation email, you don’t get any follow-up emails. That’s how things are supposed to work. And it’s called double opt-in.
But when it comes to the benefits of double opt-in, don’t just take my word for it.
Here’s what MailChimp, a service that I and millions of others around the world use to send out email newsletters, was saying until quite recently:
Double opt-in adds a layer of confirmation to your signup process before adding new subscribed contacts to your list, and it has three main benefits compared to single opt-in.
Protection against spambots, email scams, and fake subscribers, which could increase your monthly benefit rates.
Assurance of valid email addresses, confirmation that your subscribed contacts want to hear from you, and an archived record of the subscriber’s consent.
Higher campaign open rates, and lower bounce and unsubscribe rates.
All very sensible. And a good example of why, in the past, I have recommended MailChimp to organisations and individuals wishing to send out legitimate email newsletters.
Only problem is… after years of protecting internet users from unwanted newsletter subscriptions, MailChimp has had a change of heart.
Last week it quietly (I only found out by logging into my account, I never — ironically — received an email advisory from them) revealed that it would be switching its customers’ mailing lists to “single opt-in” rather than “double opt-in.”
What does that mean? It means that subscribers won’t have to confirm that they really really want to receive a newsletter. Which means that any toerag can enter your email address for a newsletter run on MailChimp’s systems that you don’t want and the onus will be on you to unsubscribe.
And MailChimp has, of course, removed the wording on its website about why double opt-in is a good thing that reduces unwanted emails and means that MailChimp users benefit from lower billing rates.
And how come MailChimp decided to change customers’ settings, and only gave them until October 31st to choose to stay with double opt-in going forward. Seven days notice is a ridiculously short amount of time, for a number of reasons – including that many of us have already got processes in place that tell subscribers to await a confirmation email, and explain how we require confirmed opt-in to avoid spam sign-ups.
You won’t be surprised to hear that many folks were less than impressed with MailChimp’s decision.
All of this adds up to one conclusion: MailChimp has gone bananas.
Evidence that MailChimp has simply not thought through this switch to the ghastly single opt-in model becomes ever more clear when you consider that double opt-in is necessary in the European Union as a proof of consent under GDPR and expressly required in Germany.
As MailChimp acknowledges in their latest pronouncement on their issue, they were completely clueless about the implications of what they were doing.
Well, they don’t quite say that. But it does appear that they’ve realised that what they tried to do might have ummm.. some legal implications:
“We made this decision after receiving a lot of feedback from EU customers who told us that single opt-in does not align with their business needs in light of the upcoming GDPR and other local requirements. We heard you, and we’re sorry that we caused confusion. Customers located in the EU will receive an email from us today to let them know how we’ve changed the plan.”
“Please know we are committed to helping our customers get ready for the GDPR. Double opt-in provides additional proof of consent, and we suggest you continue using double opt-in if your business will be subject to the GDPR.”
(By the way MailChimp, I still haven’t received the first email – let alone the one you promise here)
So, MailChimp is turning around for lists run by European firms at least – we’ll stay as double opt-in by default.
Not that this necessarily avoids the GDPR issue however. As Marcus Bointon explained on Twitter:
Apparently in EU they remain on double opt in.. pic.twitter.com/tXDpmOMe7D
— marcel_lucht (@marcel_lucht) October 31, 2017
That means that American businesses using MailChimp, for instance, need double opt-in if they wish to send newsletters to European citizens. Back to the drawing board MailChimp!
And you know what? MailChimp hasn’t resolve my problem just by not switching my mailing list to single opt-in. Most MailChimp mailing lists are being switched to single opt-in, which means they will be used for email bombs, and their owners will end up paying MailChimp more money each month for all of those extra unapproved subscribers.
I complained publicly and privately, and was disappointed with MailChimp’s response.
As someone who has used and recommended MailChimp for *years* I feel massively let down by them.
Changing the settings for my own mailing list (which of course, I did) isn’t actually a solution. Sure, it stops toerags using my newsletter as an email bomb but it doesn’t stop many more MailChimp-run mailing lists switching to a system that will increase the amount of unwanted emails flying around the internet.
I can no longer recommend MailChimp. And with no other options available to me, and a company that seems unprepared to listen to its aggrieved users, the only thing I can do is switch mailing list provider and close my account.
They’ve got a few weeks to see the light and then I’ll be off.
To hear more about the MailChimp debacle, be sure to check out this edition of the “Smashing Security” podcast: