
Email spam is about to get way worse, and you can blame MailChimp


Graham Cluley is an award-winning security blogger, researcher, podcaster, and public speaker. He has been a well-known figure in the computer security industry since the early 1990s when he worked as a programmer, writing the first ever version of Dr Solomon’s Anti-Virus Toolkit for Windows.

Do you have a problem with spam?

I do, but perhaps not the one that you imagine.

You see, the anti-spam system I have in place does do a pretty good job of siphoning away offers to purchase fake doctorates, malware posing as attached invoices, and emails in Cantonese or Russian that are trying to sell me… well, I don’t know what they’re trying to sell me, as I don’t speak those languages.

But what’s more difficult to filter out are the legitimate newsletters that bombard my inbox.

Newsletters that I never signed up for.

When you’ve been doing what I do as long as I have there are inevitably some folks who end up not liking you. Some of them might be online criminals, others may be folks who are upset about something I said on Twitter.

And a small number of these people might think it’s worth their effort to sign up my publicly-available email addresses to hundreds, no… thousands of legitimate newsletters and mailing lists that I have no interest in.

I’m not the only one who has suffered from these kinds of “email bomb” attacks – which are the equivalent of a denial-of-service attack on your inbox.

The only saving grace is that the better-managed newsletters ask you to confirm that you really really want to receive emails from them. They do this by sending a single email – normally with a clickable confirmation link – to the email address entered on their subscription form.

If you don’t respond to the confirmation email, you don’t get any follow-up emails. That’s how things are supposed to work. And it’s called double opt-in.

But when it comes to the benefits of double opt-in, don’t just take my word for it.

Here’s what MailChimp, a service that I and millions of others around the world use to send out email newsletters, was saying until quite recently:


Double opt-in adds a layer of confirmation to your signup process before adding new subscribed contacts to your list, and it has three main benefits compared to single opt-in.

  • Protection against spambots, email scams, and fake subscribers, which could increase your monthly benefit rates.

  • Assurance of valid email addresses, confirmation that your subscribed contacts want to hear from you, and an archived record of the subscriber’s consent.

  • Higher campaign open rates, and lower bounce and unsubscribe rates.
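To make the mechanism described above concrete (one confirmation email carrying a link, no follow-up mail until it is clicked, and an archived record of consent), here is an added example of a minimal double opt-in list alongside the single opt-in behaviour it is being compared with. It is not MailChimp’s code or the article’s; the signed-token scheme, the 48-hour expiry, the addresses and the IP values are all assumptions constructed for the example.

```python
import hmac, hashlib, secrets, time

SECRET_KEY = secrets.token_bytes(32)  # constructed: the list operator's token-signing key
CONFIRM_TTL = 48 * 3600               # assumed: a confirmation link is valid for 48 hours

class MailingList:
    def __init__(self, double_opt_in=True):
        self.double_opt_in = double_opt_in
        self.pending = {}      # address -> (issue time, signup IP) awaiting confirmation
        self.subscribers = {}  # address -> consent record (the archived proof of consent)
        self.outbox = []       # (recipient, subject) for every message the list "sends"

    def _sign(self, address, issued):
        return hmac.new(SECRET_KEY, f"{address}|{issued}".encode(), hashlib.sha256).hexdigest()

    def request_subscription(self, address, source_ip, now=None):
        """Signup-form handler: anyone can submit any address here."""
        now = now or int(time.time())
        if not self.double_opt_in:  # single opt-in: the form submission alone subscribes
            self.subscribers[address] = {"confirmed_at": None, "signup_ip": source_ip}
            return None
        # Double opt-in: record the request and send exactly one confirmation email.
        self.pending[address] = (now, source_ip)
        self.outbox.append((address, "Please confirm your subscription"))
        return f"{now}:{address}:{self._sign(address, now)}"  # token carried in the link

    def confirm(self, token, now=None):
        """Confirmation-link handler: only a valid, unexpired, outstanding token subscribes."""
        now = now or int(time.time())
        try:
            issued_str, address, sig = token.split(":", 2)
            issued = int(issued_str)
        except ValueError:
            return False
        if not hmac.compare_digest(sig.encode(), self._sign(address, issued).encode()):
            return False  # forged or tampered link
        if address not in self.pending or now - issued > CONFIRM_TTL:
            return False  # no outstanding request, already used, or expired
        _, source_ip = self.pending.pop(address)
        self.subscribers[address] = {"requested_at": issued, "confirmed_at": now, "signup_ip": source_ip}
        return True

    def send_campaign(self, subject):  # newsletter content goes to confirmed subscribers only
        for address in self.subscribers:
            self.outbox.append((address, subject))
        return len(self.subscribers)

def unwanted_messages(double_opt_in, victim="victim@example.org", campaigns=3):
    """Messages reaching an address that a third party submitted and nobody ever confirmed."""
    lst = MailingList(double_opt_in)
    lst.request_subscription(victim, "198.51.100.7")  # constructed third-party form submission
    for i in range(campaigns):
        lst.send_campaign(f"Newsletter #{i + 1}")
    return sum(1 for recipient, _ in lst.outbox if recipient == victim)
```

With double opt-in the unconfirmed address receives only the single confirmation message, whatever the number of campaigns; with single opt-in it receives every campaign and is billed as a subscriber.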

All very sensible. And a good example of why, in the past, I have recommended MailChimp to organisations and individuals wishing to send out legitimate email newsletters.

Only problem is… after years of protecting internet users from unwanted newsletter subscriptions, MailChimp has had a change of heart.

Last week it quietly (I only found out by logging into my account, I never — ironically — received an email advisory from them) revealed that it would be switching its customers’ mailing lists to “single opt-in” rather than “double opt-in.”


What does that mean? It means that subscribers won’t have to confirm that they really really want to receive a newsletter. Which means that any toerag can enter your email address for a newsletter run on MailChimp’s systems that you don’t want and the onus will be on you to unsubscribe.

And MailChimp has, of course, removed the wording on its website about why double opt-in is a good thing that reduces unwanted emails and means that MailChimp users benefit from lower billing rates.

And why did MailChimp decide to change customers’ settings while giving them only until October 31st to choose to stay with double opt-in going forward? Seven days’ notice is a ridiculously short amount of time, for a number of reasons – including that many of us already have processes in place that tell subscribers to await a confirmation email, and explain that we require confirmed opt-in to avoid spam sign-ups.

You won’t be surprised to hear that many folks were less than impressed with MailChimp’s decision.

All of this adds up to one conclusion: MailChimp has gone bananas.

Evidence that MailChimp has simply not thought through this switch to the ghastly single opt-in model becomes ever more clear when you consider that double opt-in is necessary in the European Union as a proof of consent under GDPR and expressly required in Germany.

As MailChimp acknowledges in its latest pronouncement on the issue, they were completely clueless about the implications of what they were doing.

Well, they don’t quite say that. But it does appear that they’ve realised that what they tried to do might have ummm.. some legal implications:

“We made this decision after receiving a lot of feedback from EU customers who told us that single opt-in does not align with their business needs in light of the upcoming GDPR and other local requirements. We heard you, and we’re sorry that we caused confusion. Customers located in the EU will receive an email from us today to let them know how we’ve changed the plan.”

“Please know we are committed to helping our customers get ready for the GDPR. Double opt-in provides additional proof of consent, and we suggest you continue using double opt-in if your business will be subject to the GDPR.”

(By the way MailChimp, I still haven’t received the first email – let alone the one you promise here)

So, MailChimp is turning around for lists run by European firms at least – we’ll stay as double opt-in by default.

Not that this necessarily avoids the GDPR issue however. As Marcus Bointon explained on Twitter:

Apparently in EU they remain on double opt in.. pic.twitter.com/tXDpmOMe7D

— marcel_lucht 🇪🇺 (@marcel_lucht) October 31, 2017

That means that American businesses using MailChimp, for instance, need double opt-in if they wish to send newsletters to European citizens. Back to the drawing board MailChimp!

And you know what? MailChimp hasn’t resolved my problem just by not switching my mailing list to single opt-in. Most MailChimp mailing lists are being switched to single opt-in, which means they will be used for email bombs, and their owners will end up paying MailChimp more money each month for all of those extra unapproved subscribers.

I complained publicly and privately, and was disappointed with MailChimp’s response.

As someone who has used and recommended MailChimp for *years* I feel massively let down by them.

Changing the settings for my own mailing list (which of course, I did) isn’t actually a solution. Sure, it stops toerags using my newsletter as an email bomb but it doesn’t stop many more MailChimp-run mailing lists switching to a system that will increase the amount of unwanted emails flying around the internet.

I can no longer recommend MailChimp. And with no other options available to me, and a company that seems unprepared to listen to its aggrieved users, the only thing I can do is switch mailing list provider and close my account.

They’ve got a few weeks to see the light and then I’ll be off.

To hear more about the MailChimp debacle, be sure to check out this edition of the “Smashing Security” podcast:
