Skip to main content

Email spam is about to get way worse, and you can blame MailChimp

mailchimp double opt in spam mail chim feat
Image used with permission by copyright holder

Graham Cluley is an award-winning security blogger, researcher, podcaster, and public speaker. He has been a well-known figure in the computer security industry since the early 1990s when he worked as a programmer, writing the first ever version of Dr Solomon’s Anti-Virus Toolkit for Windows.

Do you have a problem with spam?

I do, but perhaps not the one that you imagine.

You see, the anti-spam system I have in place does do a pretty good job of siphoning away offers to purchase fake doctorates, malware posing as attached invoices, and emails in Cantonese or Russian that are trying to sell me… well, I don’t know what they’re trying to see me as I don’t speak those languages.

But what’s more difficult to filter out are the legitimate newsletters that bombard my inbox.

Newsletters that I never signed-up for.

When you’ve been doing what I do as long as I have there are inevitably some folks who end up not liking you. Some of them might be online criminals, others may be folks who are upset about something I said on Twitter.

And a small number of these people might think it’s worth their effort to sign up my publicly-available email addresses to hundreds, no… thousands of legitimate newsletters and mailing lists that I have no interest in.

I’m not the only one who has suffered from these kind of “email bomb” attacks – which are the equivalent of a denial-of-service attack on your inbox.

The only saving grace is that the better-managed newsletters ask you to confirm that you really really want to receive emails from them. They do this by sending a single email – normally with a clickable confirmation link – to the email address entered on their subscription form.

If you don’t respond to the confirmation email, you don’t get any follow-up emails. That’s how things are supposed to work. And it’s called double opt-in.

But when it comes to the benefits of double opt-in, don’t just take my word for it.

Here’s what MailChimp, a service that I and millions of others around the world use to send out email newsletters, was saying until quite recently:

MailChimp double-opt in
Image used with permission by copyright holder

Double opt-in adds a layer of confirmation to your signup process before adding new subscribed contacts to your list, and it has three main benefits compared to single opt-in.

  • Protection against spambots, email scams, and fake subscribers, which could increase your monthly benefit rates.

  • Assurance of valid email addresses, confirmation that your subscribed contacts want to hear from you, and an archived record of the subscriber’s consent.

  • Higher campaign open rates, and lower bounce and unsubscribe rates.

All very sensible. And a good example of why, in the past, I have recommended MailChimp to organisations and individuals wishing to send out legitimate email newsletters.

Only problem is… after years of protecting internet users from unwanted newsletter subscriptions, MailChimp has had a change of heart.

Last week it quietly (I only found out by logging into my account, I never — ironically — received an email advisory from them) revealed that it would be switching its customers’ mailing lists to “single opt-in” rather than “double opt-in.”

Image used with permission by copyright holder

What does that mean? It means that subscribers won’t have to confirm that they really really want to receive a newsletter. Which means that any toerag can enter your email address for a newsletter run on MailChimp’s systems that you don’t want and the onus will be on you to unsubscribe.

And MailChimp has, of course, removed the wording on its website about why double opt-in is a good thing that reduces unwanted emails and means that MailChimp users benefit from lower billing rates.

And how come MailChimp decided to change customers’ settings, and only gave them until October 31st to choose to stay with double opt-in going forward. Seven days notice is a ridiculously short amount of time, for a number of reasons – including that many of us have already got processes in place that tell subscribers to await a confirmation email, and explain how we require confirmed opt-in to avoid spam sign-ups.

You won’t be surprised to hear that many folks were less than impressed with MailChimp’s decision.

All of this adds up to one conclusion: MailChimp has gone bananas.

Evidence that MailChimp has simply not thought through this switch to the ghastly single opt-in model becomes ever more clear when you consider that double opt-in is necessary in the European Union as a proof of consent under GDPR and expressly required in Germany.

As MailChimp acknowledges in their latest pronouncement on their issue, they were completely clueless about the implications of what they were doing.

Well, they don’t quite say that. But it does appear that they’ve realised that what they tried to do might have ummm.. some legal implications:

“We made this decision after receiving a lot of feedback from EU customers who told us that single opt-in does not align with their business needs in light of the upcoming GDPR and other local requirements. We heard you, and we’re sorry that we caused confusion. Customers located in the EU will receive an email from us today to let them know how we’ve changed the plan.”

“Please know we are committed to helping our customers get ready for the GDPR. Double opt-in provides additional proof of consent, and we suggest you continue using double opt-in if your business will be subject to the GDPR.”

(By the way MailChimp, I still haven’t received the first email – let alone the one you promise here)

So, MailChimp is turning around for lists run by European firms at least – we’ll stay as double opt-in by default.

Not that this necessarily avoids the GDPR issue however. As Marcus Bointon explained on Twitter:

Apparently in EU they remain on double opt in..

— marcel_lucht (@marcel_lucht) October 31, 2017

That means that American businesses using MailChimp, for instance, need double opt-in if they wish to send newsletters to European citizens. Back to the drawing board MailChimp!

And you know what? MailChimp hasn’t resolve my problem just by not switching my mailing list to single opt-in. Most MailChimp mailing lists are being switched to single opt-in, which means they will be used for email bombs, and their owners will end up paying MailChimp more money each month for all of those extra unapproved subscribers.

I complained publicly and privately, and was disappointed with MailChimp’s response.

As someone who has used and recommended MailChimp for *years* I feel massively let down by them.

Changing the settings for my own mailing list (which of course, I did) isn’t actually a solution. Sure, it stops toerags using my newsletter as an email bomb but it doesn’t stop many more MailChimp-run mailing lists switching to a system that will increase the amount of unwanted emails flying around the internet.

I can no longer recommend MailChimp. And with no other options available to me, and a company that seems unprepared to listen to its aggrieved users, the only thing I can do is switch mailing list provider and close my account.

They’ve got a few weeks to see the light and then I’ll be off.

To hear more about the MailChimp debacle, be sure to check out this edition of the “Smashing Security” podcast:

Subscribe: Apple Podcasts | Google Play | Overcast | Stitcher | RSS for you nerds.

Editors' Recommendations

Graham Cluley
Graham Cluley is an award-winning security blogger, researcher, podcaster, and public speaker. He has been a well-known…
JPEG vs. PNG: When and why to use one format over the other
A person using Adobe Lightroom CC on an iMac.

In digital imaging, two image formats prevail above all else: JPEG (or JPG) and PNG.

At first glance, a single image shown in both formats might seem identical, but if you look closely enough and dig into the data, there is quite a difference between them. One format isn't always better than the other, as each is designed to be used in specific circumstances based on your needs for image quality, file size, and more. Here's what you need to know about both formats to make the most of their strengths and weaknesses.
What is the JPEG format?
Short for Joint Photographic Experts Group -- the team that developed the format -- JPEG has become the standard compressed format in digital photography and online image sharing due to its careful balance of file size and image quality.

Read more
Is there a Walmart Plus free trial? Get a month of free delivery
Walmart logo.

Take a moment and think about how often you shop at your local Walmart. Is it weekly? Daily? If either of those is the case, it might be time to upgrade your shopping experience. The Walmart Plus free trial is your chance to check out what the retail giant has to offer. Walmart Plus is basically Amazon Prime for Walmart. You get free shipping on most orders, early access to deals and new product drops (like PS5 restocks), the best grocery delivery, and more. If Walmart is your go-to option for the best smart home devices or the best tech products in general, you should get a membership. If you want to test out the service, you can sign up for a free trial. We have all the information you need right here.
Is there a Walmart Plus free trial?
There is a Walmart Plus free trial available, and it’s one of the best free trials we’ve seen in terms of how many great features and conveniences you’re able to access. This is really a reflection of how great the Walmart Plus service is, as the Walmart Plus free trial is essentially a 30-day experience of what it would be like to be a paid Walmart Plus subscriber. A Walmart Plus membership can help you save over $1,300 per year, so taking advantage of the 30-day free trial is a great way to get in there and see what those savings will look like. And if grocery delivery is what you're really after, an alternative you might consider is the Instacart free trial -- they have more than one program to try!

As part of a Walmart Plus free trial, you’ll get free shipping with no minimum order, so even small orders will qualify for free shipping. You’ll get fresh groceries and more with no delivery fees, and all at the same low in-store prices Walmart shoppers are used to. Walmart Plus members, and Walmart Plus free trial members, get exclusive access to special promotions and events, as well as a savings of up to 10 cents per gallon on fuel. A new addition to the perks of being a Walmart Plus member is free access to Paramount Plus, a top-notch streaming service with more than 40,000 TV episodes and movies. All of this is accessible for 30 days through a Walmart Plus free trial, and once those 30 days are up, Walmart Plus is just $12.95 per month or $98 annually.

Read more
The 13 best early Black Friday deals you can shop this weekend
Digital Trends Best Black Friday Deals

Even though Black Friday is still a couple of weeks away, we're already starting to see a lot of great deals on several different types of products. So, if you can't wait for the upcoming Black Friday and need to grab a few things now, we've collected some of our favorite deals across products and budget ranges to make your life a little bit easier. Below, you'll find deals on cordless vacuums, laptops, TVs, headphones, and phones, so it's a great collection of stuff that we think you'll find useful and want to grab. That said, if you can't find what you want, be sure to check our main Black Friday deals page for even more great offers.
Wyze Cordless Stick Vacuum -- $98, was $150

While budget cordless vacuum cleaners can sometimes not be that great, we found the Wyze Cordless Stick Vacuum to be surprisingly good for its price point. At just 2.8 pounds of weight, it's light enough that you won't feel like you're doing a workout every time you use it, and it is great for those who might have issues with arm weakness. Just because it's light doesn't mean it's not powerful, though, with two motors providing 24,000 pascals of suction, which is quite a lot at this price. It also has a HEPA filter to keep the air you breathe clean while vacuuming, which is impressive, but sadly, it does have a big downside in that it only lasts for about 50 minutes of vacuuming. That's not necessarily a dealbreaker, and you can buy a backup battery, but it's an important thing to note.

Read more