Can you trust a major corporation to keep your e-mail address out of spammers' hands
after you fill out the company's unsubscribe form?
Not always, according to a service that tracks what happens when addresses are submitted
to unsubscribe mechanisms on the Web.
I wrote last week that
a service called Lashback LLC
some 170,000 different "remove me" procedures that it's found on the Internet.
This small antispam firm says it's already caught some big fish in its net.
Riches from Nigeria
Brandon Phillips, the president and CEO of Lashback, says one of the worst
unsubscribe problems he's seen relates to the site of Gevalia Kaffe, a
subsidiary of Kraft Foods.
According to an "unsubscribe
abuse report" posted at the Lashback site, the service unsubscribed from
Gevalia's gourmet-coffee promotions using a unique, never-before-seen e-mail
address on Oct. 25, 2005. In the overwhelming majority of the thousands of unsub
forms Lashback has tested, the request works and no more e-mail is received.
On Jan. 20, 2006, however, Lashback began receiving spam messages to its virgin
address. The first one came from "Barrister Mark":
"I am MARK EDMUND (Esq.) a Solicitor. I am the Personal Attorney to Mr.
Fredrick Lauderdale, a national of your country, who is an oil merchant in
Nigeria. On the 21st of April 2001, my client, his wife and their two
children were involved in a car accident along Sagbama Express Road Balyasa
State, here in Nigeria. All occupants of the vehicle unfortunately lost
their lives. Since then I have made several inquiries to locate any of my
clients extended relatives, this has proving unsuccessful."
The message went on to offer the recipient -- which was just a made-up e-mail address,
as you recall --
a share of the estate, worth "USD$12 MILLION." For some reason, the attorney proposed to keep 60 percent
for himself, assigning only 40 percent for the next of kin and the payment of taxes.
Some steep attorney's fees they have in Nigeria.
This message is obviously fraudulent, and the other messages that arrived
weren't much better. Lashback's test e-mail address has received more than two
dozen spam messages since the problem began, according to documentation Phillips
A spokesman for Kraft Foods, Larry Baumann, told me in a telephone interview,
"Gevalia and Kraft have a zero-tolerance policy for spam. We have very strict
policies in place, both internally and with our vendors, that govern our e-mail
communications with consumers.
"We have a password-protected, secure site where we post our suppression list,"
Baumann continued. "That list is updated daily, and our affiliates are required
to upload the file."
How Unsub Addresses Get to Spammers
When Lashback finds an unsubscribe mechanism that results in the submitted
e-mail addresses receiving spam, is it because the operators of the unsub forms
sold the addresses to spammers? Not necessarily.
There's no way to say for sure what happened in Gevalia's case. But one clue can
be found at the bottom of one promotional message for the company's products:
"This message was sent to you by a trusted affiliate."
Many companies pay commissions on sales made by affiliates who send promotions
to their various e-mail lists. Under the CAN-SPAM Act, which went into effect in
the U.S. in January 2004, companies that promote their products via bulk e-mail
must honor unsubscribe requests. These companies are also required to make every
subsidiary or agent stop sending e-mail to the people who said, "Remove me."
Many corporations, therefore, maintain lists of e-mail addresses that have
requested cancellation. If these lists are provided to affiliates so they can
remove the names from their e-mailings, it takes only one dishonest affiliate
to sell the entire list to spammers.
E-mail addresses of these so-called suppression lists could be very attractive
to spam marketers. When an address is submitted to an untrustworthy unsubscribe
form, it proves that:
The e-mail address is valid;
• 2. Someone reads e-mails sent to that address; and
The recipient is comfortable enough with the Internet to correctly enter data
into a Web form.
These are the minimum qualifications needed to place an order for something that
spammers might want to advertise.
Keeping Suppression Lists Private
This kind of problem with unsubscribe lists is exactly why the U.S. Federal
recommended in 2004 that Congress not create a "do-not-email"
registry. Unfortunately, the fact that the suppression lists required by the
CAN-SPAM Act get into the hands of spammers is just one of the negative
side-effects of that poorly drafted legislation.
In a telephone interview, Lashback's Phillips says companies that provide
suppression lists to affiliates should, at a minimum, seed the lists with
unique, "decoy" addresses so privacy violators can be identified.
Although this could get a dishonest affiliate banned, it wouldn't help the
people whose addresses were turned over to spammers. A better solution, Phillips
says, is for companies to contract with go-between services that can "scrub" the
lists of affiliates. That way, the addresses on the unsubscribe list never get
into outsiders' hands. The leading third-party scrubbing service is
of e-mail service provider Skylist.
Despite the bad apples, Lashback's methodical testing of unsubscribe mechanisms
shows that about 92.5 percent of them are trustworthy and don't lead to more
To find out whether a particular unsub form can be trusted or not, enter the
domain name of the particular site into Lashback's free lookup form:
If a newsletter comes from a legitimate publisher, you should always use its
unsubscribe mechanism. But you should never enter an address into unsub forms
that are friendly to spammers.
Fortunately, with Lashback's new lookup tool, it's now easy to tell the