[mailop] Legit-looking mail to the wrong address with no unsubscribe

[Chris Adams via mailop]

What do you do when legitimate mail (lately, DoorDash order info and
Delta Airlines tickets) is sent to the wrong address?  These types of
messages rarely have an unsubscribe method.  I get a ton of crap to a
Gmail address that I really only use for Google-related stuff (not as a
general email box), so I know instantly that this is not to me.

Why do vendors think they don't need an unsubscribe in this type of
mail?  Just because their customers are dumb and don't know their own
email address doesn't mean they should continue sending personal
information about them to other people.
-- 
Chris Adams 
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Legit-looking mail to the wrong address with no unsubscribe

[Christine Borgia via mailop]

Because it's not a subscription. The person is entering the email address
where they want their order info to go, and they are entering your email.
The onus is on that person and not the vendor.

On Thu, Aug 24, 2023 at 8:16 AM Chris Adams via mailop 
wrote:

> What do you do when legitimate mail (lately, DoorDash order info and
> Delta Airlines tickets) is sent to the wrong address?  These types of
> messages rarely have an unsubscribe method.  I get a ton of crap to a
> Gmail address that I really only use for Google-related stuff (not as a
> general email box), so I know instantly that this is not to me.
>
> Why do vendors think they don't need an unsubscribe in this type of
> mail?  Just because their customers are dumb and don't know their own
> email address doesn't mean they should continue sending personal
> information about them to other people.
> --
> Chris Adams 
> ___
> mailop mailing list
> mailop@mailop.org
> https://list.mailop.org/listinfo/mailop
>
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Legit-looking mail to the wrong address with no unsubscribe

[Raymond Dijkxhoorn via mailop]

Hello Christine,

Because it's not a subscription. The person is entering the email 
address where they want their order info to go, and
they are entering your email. The onus is on that person and not the 
vendor


Not sure if i agree with that statement. In the majority of cases they 
auto add you to their mailinglist. As i pointed out with doordash also 
before on this list.


Account creations from airlines should already have a COI to begin with 
when siging up for an account.


COI should be pretty much standard to avoid tickets beeing sent out to 
the wrong person...


Just my 2 cents.

Bye, Raymond
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Legit-looking mail to the wrong address with no unsubscribe

[Christine Borgia via mailop]

> Account creations from airlines should already have a COI to begin with
when siging up for an account.

If there is an account creation involved, I agree with you. Same with
auto-subscribing for marketing. I'm speaking only with regards to
transactional messages being sent when someone enters their email address.

On Thu, Aug 24, 2023 at 8:26 AM Raymond Dijkxhoorn 
wrote:

> Hello Christine,
>
> > Because it's not a subscription. The person is entering the email
> > address where they want their order info to go, and
> > they are entering your email. The onus is on that person and not the
> > vendor
>
> Not sure if i agree with that statement. In the majority of cases they
> auto add you to their mailinglist. As i pointed out with doordash also
> before on this list.
>
> Account creations from airlines should already have a COI to begin with
> when siging up for an account.
>
> COI should be pretty much standard to avoid tickets beeing sent out to
> the wrong person...
>
> Just my 2 cents.
>
> Bye, Raymond
>
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Legit-looking mail to the wrong address with no unsubscribe

[Chris Adams via mailop]

Once upon a time, Christine Borgia  said:
> Because it's not a subscription. The person is entering the email address
> where they want their order info to go, and they are entering your email.
> The onus is on that person and not the vendor.

That's a very vendor-centric look at it.  When I get order confirmation,
a your order is being prepped, your order has been picked up, your order
has been delivered emails, what is that but not a subscription to a
series of events that I did not request?  The sender does in fact bear
responsibility - they are the one sending the messages and the only one
that can make them stop.

A few vendors manage to put a "this is not me" link in messages (which
is functionally an unsubscribe, even if you don't want to call it that).

-- 
Chris Adams 
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Legit-looking mail to the wrong address with no unsubscribe

[Mike Hillyer via mailop]

Adding an unsub link for truly transactional mail can result is missed messages 
later on, which is why there's usually not an unsub link.

You get a doordash status message, you decide you don't need them, you 
unsubscribe. A couple of months later you need to reset your password and now 
you never get the reset link because you unsubscribed from transactional 
messages? Sure, we can get infinitely granular or always exempt password 
resets, but it becomes a slippery slope that results in a lot of engineering 
hours.

And as I said at the start of this message, I am only applying this logic to 
truly transactional messages, which in my mind are those triggered by a user 
action and those in the chain of events triggered by a user action. If someone 
at the vendor has to click Send, it's not a transactional message.

Mike

-Original Message-
From: mailop  On Behalf Of Chris Adams via mailop
Sent: Thursday, August 24, 2023 8:13 AM
To: mailop@mailop.org
Subject: [mailop] Legit-looking mail to the wrong address with no unsubscribe

What do you do when legitimate mail (lately, DoorDash order info and Delta 
Airlines tickets) is sent to the wrong address?  These types of messages rarely 
have an unsubscribe method.  I get a ton of crap to a Gmail address that I 
really only use for Google-related stuff (not as a general email box), so I 
know instantly that this is not to me.

Why do vendors think they don't need an unsubscribe in this type of mail?  Just 
because their customers are dumb and don't know their own email address doesn't 
mean they should continue sending personal information about them to other 
people.
--
Chris Adams 
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Legit-looking mail to the wrong address with no unsubscribe

[Paul Menzel via mailop]

Dear Chris,


Am 24.08.23 um 14:12 schrieb Chris Adams via mailop:

What do you do when legitimate mail (lately, DoorDash order info and
Delta Airlines tickets) is sent to the wrong address?  These types of
messages rarely have an unsubscribe method.  I get a ton of crap to a
Gmail address that I really only use for Google-related stuff (not as a
general email box), so I know instantly that this is not to me.

Why do vendors think they don't need an unsubscribe in this type of
mail?  Just because their customers are dumb and don't know their own
email address doesn't mean they should continue sending personal
information about them to other people.


I guess it’s ignorance, and that nobody complains to them. Depending on 
your jurisdiction you can report this case to the “data privacy office”, 
and you can contact the data protection officer of the offending company.


(You could also try to reset the password, often sent to the registered 
email address.)



Kind regards,

Paul
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Legit-looking mail to the wrong address with no unsubscribe

[Mike Hillyer via mailop]

One more note: in my opinion transactional messages should never come from a 
noreply@ but instead should route to customer support, so that cases of 
mistaken identity can be resolved by replying and letting them you that the 
messages are not reaching their intended recipient.

-Original Message-
From: mailop  On Behalf Of Mike Hillyer via mailop
Sent: Thursday, August 24, 2023 9:03 AM
To: Chris Adams ; mailop@mailop.org
Subject: Re: [mailop] Legit-looking mail to the wrong address with no 
unsubscribe

Adding an unsub link for truly transactional mail can result is missed messages 
later on, which is why there's usually not an unsub link.

You get a doordash status message, you decide you don't need them, you 
unsubscribe. A couple of months later you need to reset your password and now 
you never get the reset link because you unsubscribed from transactional 
messages? Sure, we can get infinitely granular or always exempt password 
resets, but it becomes a slippery slope that results in a lot of engineering 
hours.

And as I said at the start of this message, I am only applying this logic to 
truly transactional messages, which in my mind are those triggered by a user 
action and those in the chain of events triggered by a user action. If someone 
at the vendor has to click Send, it's not a transactional message.

Mike

-Original Message-
From: mailop  On Behalf Of Chris Adams via mailop
Sent: Thursday, August 24, 2023 8:13 AM
To: mailop@mailop.org
Subject: [mailop] Legit-looking mail to the wrong address with no unsubscribe

What do you do when legitimate mail (lately, DoorDash order info and Delta 
Airlines tickets) is sent to the wrong address?  These types of messages rarely 
have an unsubscribe method.  I get a ton of crap to a Gmail address that I 
really only use for Google-related stuff (not as a general email box), so I 
know instantly that this is not to me.

Why do vendors think they don't need an unsubscribe in this type of mail?  Just 
because their customers are dumb and don't know their own email address doesn't 
mean they should continue sending personal information about them to other 
people.
--
Chris Adams 
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Legit-looking mail to the wrong address with no unsubscribe

[Chris Adams via mailop]

Once upon a time, Mike Hillyer  said:
> You get a doordash status message, you decide you don't need them, you 
> unsubscribe. A couple of months later you need to reset your password and now 
> you never get the reset link because you unsubscribed from transactional 
> messages? Sure, we can get infinitely granular or always exempt password 
> resets, but it becomes a slippery slope that results in a lot of engineering 
> hours.

Not spamming people does sometimes require more work.  And I believe
this kind of stuff is exactly the definition of spam: UCE.  There is no
doubt that it is unsolicited, no doubt that it is commercial.  Why
should it get a pass?  "Because it's hard" is no more of an excuse for
this than any other type of spam.

So yeah, password resets and/or email resets could still go (although
still a "not me" link should at least signal somebody that "something is
wrong"), but everything else should follow at minimum an opt-out system,
if not opt-in.

-- 
Chris Adams 
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Legit-looking mail to the wrong address with no unsubscribe

[Chris Adams via mailop]

Once upon a time, Paul Menzel  said:
> I guess it’s ignorance, and that nobody complains to them. Depending
> on your jurisdiction you can report this case to the “data privacy
> office”, and you can contact the data protection officer of the
> offending company.

I hadn't thought about trying that route... but it's also like telling
people they can track down spammers IMHO.  It shouldn't be acceptable
behavior.

> (You could also try to reset the password, often sent to the
> registered email address.)

So for a few of these, I've considered that... but also think that in
some jurisdictions someone could then try to come after me for accessing
an account that wasn't mine.  In the Delta Airlines case this week,
there isn't even an account; it's a case of an employee getting a ticket
for a family member and sending ticket messages (so I'm getting the
family member messages - no Delta account to log in to).

-- 
Chris Adams 
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Legit-looking mail to the wrong address with no unsubscribe

[Mike Hillyer via mailop]

Because 99.9% of the time it is solicited, outside of the scenario you are 
dealing with, someone engaged in an action with the vendor systems which is 
triggering a notification to the user of the status of their action, and on top 
of that a remote MTA is accepting that message as going to a real address. 
Granted in this case there's clearly no COI, but the vendor is operating under 
the reasonable assumption that they are not sending an unsolicited message. So 
no, I'm not saying they get a pass because it's hard, they get a pass because 
they are operating in good faith and the message is not in fact unsolicited 
since it's triggered by a user action.

That said, this is getting circular, we both agree that people should be able 
to indicate this is not the right recipients, either by reply or other 
mechanism, and that to me is the best practice that needs to be emphasized to 
transactional senders.

Mike

-Original Message-
From: mailop  On Behalf Of Chris Adams via mailop
Sent: Thursday, August 24, 2023 9:26 AM
To: mailop@mailop.org
Subject: Re: [mailop] Legit-looking mail to the wrong address with no 
unsubscribe

Once upon a time, Mike Hillyer  said:
> You get a doordash status message, you decide you don't need them, you 
> unsubscribe. A couple of months later you need to reset your password and now 
> you never get the reset link because you unsubscribed from transactional 
> messages? Sure, we can get infinitely granular or always exempt password 
> resets, but it becomes a slippery slope that results in a lot of engineering 
> hours.

Not spamming people does sometimes require more work.  And I believe this kind 
of stuff is exactly the definition of spam: UCE.  There is no doubt that it is 
unsolicited, no doubt that it is commercial.  Why should it get a pass?  
"Because it's hard" is no more of an excuse for this than any other type of 
spam.

So yeah, password resets and/or email resets could still go (although still a 
"not me" link should at least signal somebody that "something is wrong"), but 
everything else should follow at minimum an opt-out system, if not opt-in.

--
Chris Adams 
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Legit-looking mail to the wrong address with no unsubscribe

[John Levine via mailop]

It appears that Chris Adams via mailop  said:
>What do you do when legitimate mail (lately, DoorDash order info and
>Delta Airlines tickets) is sent to the wrong address? 

My Gmail account gets a lot of mail for people who imagine that my
account is their account. They have names similar to mine
and forget that their addresses include a number.

>Why do vendors think they don't need an unsubscribe in this type of
>mail? 

I can see why there's no unsub for transactions but particularly for
high value stuff like plane tickets and bank statements and a doctor's
hospital shift schedule (yes really), it would make sense to have a
button for "this mail is for someone else."

Mostly I just mark it as spam, and say yes if it asks if I also want
to unsubscribe as it does about half the time. One particularly
persistent guy gave me control of his Amazon account, which I
closed since I had no way (nor much inclination) to give it back.
I resisted the urge to send him a sexy parlor maild outfit first.

R's,
John
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Legit-looking mail to the wrong address with no unsubscribe

[Jaroslaw Rafa via mailop]

Dnia 24.08.2023 o godz. 07:12:52 Chris Adams via mailop pisze:
> What do you do when legitimate mail (lately, DoorDash order info and
> Delta Airlines tickets) is sent to the wrong address?  These types of
> messages rarely have an unsubscribe method.  I get a ton of crap to a
> Gmail address that I really only use for Google-related stuff (not as a
> general email box), so I know instantly that this is not to me.
> 
> Why do vendors think they don't need an unsubscribe in this type of
> mail?  Just because their customers are dumb and don't know their own
> email address doesn't mean they should continue sending personal
> information about them to other people.

I see no good solution to this.

When these mails are sent to an address registered with an account eg. in an
online shop, this is certainly an error on the side of the sender, because
account creation should always involve confirmation of the email that was
given by the user.

But what about one-time actions, when someone is doing a purchase in an
online shop *without* creating an account and just enters wrong email
address? Ask yourself: as a user doing such purchase, would you really want
to go through email verification process for every one-time action? To
receive first an email requesting you to confirm your address, only to next
receive another email from them with the actual information? That seems
over-engineered...

And the email verification actually doesn't fully solve the problem in that
case: if the user enters the wrong email, a wrong person (like you) will
still receive an unwanted message, only instead of an order confirmation or
similar, it will be a message asking to confirm your email by clicking on a
link. It makes any difference only in terms of data protection - ie. the data
belonging to the actual customer is not revealed to a third party - but it
makes no difference with regard to getting unwanted mail.

I think one has to live with that. The only thing we can do is to set up an
individual, per-user filter that will put all messages from services you
don't use to spam. I guess most people use only a handful of online
services and they know and recognize emails from them. So if you get
anything you don't recognize, set up a filter to put further mails from them
to spam. Of course, this needs constant updating; but for example if you
never shop at Amazon, and you receive any order confirmation from them, you
set up a filter that puts all further mail from Amazon to spam. Amazon
shouldn't bother you anymore. Then, if you receive another mail from a
service you don't even know about, you set up a filter to put all mail from
them to spam. And so on...

If you later happen to make a purchase at one of these services, and you are
expecting an email from them, the case is simple: you don't get an email you
are expecting, so you look for it in the spam folder.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Legit-looking mail to the wrong address with no unsubscribe

[Jay R. Ashworth via mailop]

Oh dear ghod yes.  

I want to line everyone who's ever recommended noreply@ up against the wall and

[ At this point in the broadcast, Jay thought better of saying what he wanted 
to 
do in a posting to a public mailing list, but trust me, it was going to be very 
satisfying to hear about, for everyone who's ever wanted to reply to such a 
message. 

And could not. ]

Cheers,
-- jra

- Original Message -
> From: "Mike Hillyer via mailop" 
> To: "Mike Hillyer" , "Chris Adams" , 
> mailop@mailop.org
> Sent: Thursday, August 24, 2023 9:23:40 AM
> Subject: Re: [mailop] Legit-looking mail to the wrong address with no 
> unsubscribe

> One more note: in my opinion transactional messages should never come from a
> noreply@ but instead should route to customer support, so that cases of
> mistaken identity can be resolved by replying and letting them you that the
> messages are not reaching their intended recipient.
> 
> -Original Message-
> From: mailop  On Behalf Of Mike Hillyer via mailop
> Sent: Thursday, August 24, 2023 9:03 AM
> To: Chris Adams ; mailop@mailop.org
> Subject: Re: [mailop] Legit-looking mail to the wrong address with no
> unsubscribe
> 
> Adding an unsub link for truly transactional mail can result is missed 
> messages
> later on, which is why there's usually not an unsub link.
> 
> You get a doordash status message, you decide you don't need them, you
> unsubscribe. A couple of months later you need to reset your password and now
> you never get the reset link because you unsubscribed from transactional
> messages? Sure, we can get infinitely granular or always exempt password
> resets, but it becomes a slippery slope that results in a lot of engineering
> hours.
> 
> And as I said at the start of this message, I am only applying this logic to
> truly transactional messages, which in my mind are those triggered by a user
> action and those in the chain of events triggered by a user action. If someone
> at the vendor has to click Send, it's not a transactional message.
> 
> Mike
> 
> -Original Message-----
> From: mailop  On Behalf Of Chris Adams via mailop
> Sent: Thursday, August 24, 2023 8:13 AM
> To: mailop@mailop.org
> Subject: [mailop] Legit-looking mail to the wrong address with no unsubscribe
> 
> What do you do when legitimate mail (lately, DoorDash order info and Delta
> Airlines tickets) is sent to the wrong address?  These types of messages 
> rarely
> have an unsubscribe method.  I get a ton of crap to a Gmail address that I
> really only use for Google-related stuff (not as a general email box), so I
> know instantly that this is not to me.
> 
> Why do vendors think they don't need an unsubscribe in this type of mail?  
> Just
> because their customers are dumb and don't know their own email address 
> doesn't
> mean they should continue sending personal information about them to other
> people.
> --
> Chris Adams 
> ___
> mailop mailing list
> mailop@mailop.org
> https://list.mailop.org/listinfo/mailop
> ___
> mailop mailing list
> mailop@mailop.org
> https://list.mailop.org/listinfo/mailop
> ___
> mailop mailing list
> mailop@mailop.org
> https://list.mailop.org/listinfo/mailop

-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth & Associates   http://www.bcp38.info  2000 Land Rover DII
St Petersburg FL USA  BCP38: Ask For It By Name!   +1 727 647 1274
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Legit-looking mail to the wrong address with no unsubscribe

[Anne Mitchell via mailop]

> On Aug 24, 2023, at 6:12 AM, Chris Adams via mailop  wrote:
> 
> What do you do when legitimate mail (lately, DoorDash order info and
> Delta Airlines tickets) is sent to the wrong address?  These types of
> messages rarely have an unsubscribe method.  I get a ton of crap to a
> Gmail address that I really only use for Google-related stuff (not as a
> general email box), so I know instantly that this is not to me.
> 
> Why do vendors think they don't need an unsubscribe in this type of
> mail?  Just because their customers are dumb and don't know their own
> email address doesn't mean they should continue sending personal
> information about them to other people.
> -- 

Well, and also *confirming* the email address to start with.  Because not doing 
so, (oh gosh *especially* for delivery services!) can lead to very bad 
outcomes, and even liability for the sender!  Here are two real examples 
(pasting them in but link at bottom to full article):

Mary and WeedWhackers
Mary placed an order with her local dispensary, we’ll call them WeedWhackers. 
When the order was ready, the online order tracking and notification service 
that WeedWhackers uses, GetNoticed, sent an email notification to Mary that her 
order at the dispensary was ready for pickup. Only that notification didn’t go 
to Mary. It went to someone else, a total stranger named John, because Mary had 
mistyped her email address, and neither WeedWhackers nor GetNoticed had 
bothered to confirm Mary’s email address. Within 5 minutes of receiving one of 
the misdirected emails, using just the information available in that 
notification, John knew where Mary lived, her date of birth, that she ran away 
from home at 17, where she gets her taxes done, where she works, what her 
position is at her job, and that she’s a pot smoker.

Mary’s position at her job is one where she is responsible for interacting with 
customers, and handling a lot of cash. John also knew the frequency with which 
Mary was picking up pot from WeedWhackers. In any situation where John does 
something bad to Mary with this information, whether it’s going to her place of 
work and harassing her, attempting to blackmail her with the information he 
has, or possibly even assaulting her, both WeedWhackers and GetNoticed would be 
named as defendants in any lawsuit that Mary brought, as their actions were 
directly responsible for that information falling into John’s hands. Because 
the generally accepted best practice in email handling is to confirm an email 
address, Mary would have a good chance of prevailing in her lawsuit against 
both WeedWhackers and GetNoticed.

Amber and QVC
Amber orders a lot of stuff from QVC. We mean a lot of stuff. Amber gets 3 to 4 
orders a week from QVC. And QVC emails Amber confirmation notices of each of 
her orders. And QVC’s delivery carrier, Hermes, emails Amber notices of 
upcoming deliveries, and also notices of completed deliveries.

The only problem is that Amber is not receiving these email notices, because 
she mistyped her email address; in fact Jason is receiving these notices. These 
notices include her full address, and even the description and value of the 
items that Amber has ordered from QVC. Because Amber orders a lot of makeup and 
skin care items, Jason infers that she is a youngish, single woman. And because 
he has her full name and address, he finds her Facebook profile, which confirms 
it. When Jason goes to Amber’s house to break in and rob her (not to mention 
possibly to do physical harm to Amber) he knows exactly what high-value items 
to look for.

Amber should readily win a lawsuit against both QVC and Hermes, especially 
because, in the actual situation, both QVC and Hermes were repeatedly put on 
notice that they were sending the emails to the wrong person, and yet Amber’s 
misdirected emails continued to flow to Jason.

-

Full article at 
https://www.isipp.com/blog/the-hidden-legal-dangers-in-not-confirming-email-addresses/

Anne

--- 
Anne P. Mitchell
Attorney at Law
Email Law & Policy Attorney
CEO Institute for Social Internet Public Policy (ISIPP)
Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal email marketing law)
Author: The Email Deliverability Handbook
Board of Directors, Denver Internet Exchange
Dean Emeritus, Cyberlaw & Cybersecurity, Lincoln Law School
Prof. Emeritus, Lincoln Law School
Chair Emeritus, Asilomar Microcomputer Workshop
Counsel Emeritus, eMail Abuse Prevention System (MAPS)




___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Legit-looking mail to the wrong address with no unsubscribe

[Michael Grant via mailop]

> (You could also try to reset the password, often sent to the registered
> email address.)

I have this issue with my gmail account.  I get literally a TON of
crap for other people who think they have my gmail account.
Unfortunately putting the mail in spam and telling gmail to block it
but it does absolutely no good.  Mail continues to come and straight
into my inbox in many if not most cases.

Some repeat offenders are that I can't rid myself of:

  CVS - a pharmacy in the US.  They have an unsub link but it's blocked
  outside the USA!

  Safeway

  Lifeline&ACP

  Mediacom mobile phone, I keep getting account notifications that
  someone's bill is about to be cut off for non payment because they
  never get notifications to log in and pay.

  Spectrum, same as above, presuably a different customer.

  Boost Mobile, again, same as above.

  Honda of New Rochelle - unsubscribed multiple times, mail put into
  spam, it keeps coming right back into my inbox.  Someone has a Honda
  in my email.

  BMW of Fort Myers - same, unsubed, keeps coming.

  classmates.com, apparently no way to get off their list ever.

  New Row Dental Practice in the UK.  They use some dental email spam
  engine named 'soegateway.com'.

In one email I was getting from Sirus XM, I esclated it by phone
through their abuse department.  Their customer service refused to
talk to me as I wasn't their actual customer.  After more than a year
and multiple phone calls, they finally started doing double-optin.

In another case, a paper letter was sent in the mail to Cornell
University.  The IT director personally responded to me, appoligized,
and it took another several weeks to fully extricate my email from
their system.  I have no idea if they managed to get their unsub
working.

In yet another case, Sprint, the now merged phone company with
T-Mobile, I was getting someone else's bill.  I just so happened to be
friends with someone who worked in their security department and he
walked my unsub request to the head of security there.

In a very similar case, I did the same thing with Discover, the credit
card company in the US.

I have in some cases done a password reset and removed my email or set
it to something like noreply@wherever.  Unfortunately in some cases,
they ask things like date of birth or social security number.

To all of you out there creating these mailers:

1) always do double-option to verify the email address of clients you
intend on sending account related stuff like statements or anything
sensitive. 

2) always provide a working unsub or not-me link, and

3) it does absolutely no good to put some ridiculous legal directive
in an email.  Your system sends me email at your peril, I will do
whatever I want with it.

Michael Grant


signature.asc
Description: PGP signature
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Legit-looking mail to the wrong address with no unsubscribe

[Chris Woods via mailop]

On Thu, 24 Aug 2023 at 18:43, Michael Grant via mailop 
wrote:

> > (You could also try to reset the password, often sent to the registered
> > email address.)
>
> I have this issue with my gmail account.  I get literally a TON of
> crap for other people who think they have my gmail account.
> Unfortunately putting the mail in spam and telling gmail to block it
> but it does absolutely no good.  Mail continues to come and straight
> into my inbox in many if not most cases.
>

I'm another person who experiences this almost daily. As I'm sometimes
feeling altruistic, I'll at least reach out to the companies - where
there's a means of contact. The most clueful vendors and service providers
have some automated- or semi-automated mechanism for the recipient to
indicate that they were not expecting this email, either a link or a valid
reply-to. It infuriates me when vendors send emails, sometimes with the
hashed from address for bounce detection, but provide no valid reply-to
address or other contact mechanism.

Every ESP which facilitates this sort of bad practice should be forced to
walk over hot coals during their lunchbreak. It also annoys me when this
sort of failure mode isn't anticipated - or accommodated - whenever you
contact a sender or corporation through social media channels, and they
simply have no means to deal with your email address being incorrectly
applied to someone else's account. Prime example: my email address is on
someone else's XBL account and has been for about 8 years now, Microsoft
have flatly refused to remove it. I do so look forward to periodically
receiving their XBL and NBA2K subscription renewals.

I also get the usual list of junkmail, mis-addressed emails, in some cases
valid emails intended for professionals who share a name but omitted their
initial or a trailing number - and thanks to GMail's interpretation of any
version of your username with dots, I get emails to 'first.last' as well as
the 'firstlast' version. Takes a while to explain to people sometimes.

Occasionally if I'm really bored, or it's something important like a debt
being chased, criminal records check, job application reference, flight
check-ins or something professional (medical records, patient discussion
and procedure-related paperwork were commonplace for a while) I'll try to
contact the sender. Other times, I'll have a bit of fun with it... The
depth of profiling of other people you could theoretically do from the
emails I've had over the years can be quite surprising. Some companies
really need an explainer on the Swiss Cheese model, in terms of what
they're willing to blast into the ether cleartext.

Mantra: always provide a valid reply-to method on emails which preferably
directs to a customer service team capable of resolving the problem. It can
sometimes come in very useful.
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Legit-looking mail to the wrong address with no unsubscribe

[postfix--- via mailop]

On 2023-08-24 09:40, Mike Hillyer via mailop wrote:

Because 99.9% of the time it is solicited


really? think again, and also the definition of transactional email.  
Here is an example from OpenTable whatever that belongs to the 
Booking.com horror show.


some restaurant now *require* (as in: you won't even get in) a booking 
via OpenTable.  OpenTable *requires* users to create an account and to 
enter email and mobile number, along with a credit card.


There is a small checkbox saying "do send text messages." OpenTables 
ignores it -- see further below.


Immediately after the reservation is made, I log into "my" OpenTable 
account and have more than a dozen unwanted subscriptions, which I have 
all to uncheck and unsubscribe.  I do a thorough round of whatever 
options I have to mute the account to my liking, and not to the noisy 
smart marketers liking.


I receive a first email, confirming the reservation.  Fine, it is 
transactional and I want it.  However, that email is bugged.  It is a 
principle of mine not to load bugged GIFs etc. - no need for them to 
know if I am still at home, or already in the destination country where 
the booked restaurant is located, or at work wasting employer's 
bandwidth and time.  I also do not click on anything in those email.  I 
placed my reservation and the only reason I would have to click a link 
is to cancel it.


In the week between that wanted transactional mail and me entering the 
restaurant follow three (!) additional emails and a text message (while 
roaming! and after I clearly expressed "no text messages" on their 
form).  All just "reminders" asking to confirm, which happen to have 
additional sales propositions. Totally unwanted:  I manage my own 
calendar, I do not need an annoying third party sending me reminders, 
nor do I need to add their stuff to my calendar.  And asking to 
re-confirm a reservation is a big waste of my time.  Maybe they should 
ask me every five minutes if I have changed my mind /s ???


Cringe factor:  2 minutes after I am seated at the restaurant my mobile 
buzzes.  Email.  Subject: "you are now seated at the restaurant."  WTF???


Lucky me, I have a throwaway domain for  all of these people who think 
they can consume my time; I create disposable aliases for them; I route 
the aliases to the important mailbox when I expect something important 
from them; and I send them to /dev/null when they deserve so.  It is a 
bit more difficult to do with mobile phone numbers, and I will gladly 
join any class action claiming roaming fees.  The real class action 
should be about them stealing user's time.


Needless to say:  I will avoid restaurants using OpenTable, whether 
while visiting destinations or at home.  If they cannot choose a service 
provider that is respectful of my choices, they do not deserve my business.


AND: no, except maybe the first email, none of their communications were 
solicited.  It is unsolicited tacked on to what may be lazily / lousily 
argued is solicited.  Solicited should be (a) limited strictly to what 
user has asked for; b) predictible; and (c) allow for the user's 
granular preference.


On the other end of the spectrum: Amazon stopped about two years ago 
sending an email at the time of package delivery. It sends plenty of 
irrelevant emails from order placed to order shipped, but the only 
relevant piece of information it does not email.  I recall an option to 
get that information in their app or by text message.  Not interested 
having Amazon's app tracking me; not interested to have Amazon's stuff 
pushed via app or via text message; and last but not least not 
interested for them to match with other lists over phone number that is 
less easily changed than email alias.


Yuv


___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Legit-looking mail to the wrong address with no unsubscribe

[Jarland Donnell via mailop]

I usually reply and ask them to cancel the order/reservation. Maybe next 
time the person won't be so careless writing down their email.


On 2023-08-24 07:12, Chris Adams via mailop wrote:


What do you do when legitimate mail (lately, DoorDash order info and
Delta Airlines tickets) is sent to the wrong address?  These types of
messages rarely have an unsubscribe method.  I get a ton of crap to a
Gmail address that I really only use for Google-related stuff (not as a
general email box), so I know instantly that this is not to me.

Why do vendors think they don't need an unsubscribe in this type of
mail?  Just because their customers are dumb and don't know their own
email address doesn't mean they should continue sending personal
information about them to other people.___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Legit-looking mail to the wrong address with no unsubscribe

[Hal Murray via mailop]

> To receive first an email requesting you to confirm your address, only to
> next receive another email from them with the actual information? That seems
> over-engineered...

How often is it only one message?  I typically get 3, often 4 sometimes even 5:
  we got your order
  we shipped it
  it was delivered
  how did you like it?
  please please please give us a good rating

They are often full of bloat, pages of HTML only
and lots of crappy advertising.

Even if there was an unsubscribe/error link, it would be hard to find.

How many people are selling make-more-money by sending lots of bloated email?


> Mantra: always provide a valid reply-to method on emails which preferably
> directs to a customer service team capable of resolving the problem. It can
> sometimes come in very useful. 

I wonder how often that type of address would get added to a spammer's list?


-- 
These are my opinions.  I hate spam.



___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Legit-looking mail to the wrong address with no unsubscribe

[David Conrad via mailop]

If the address isn’t a “no-reply@“, I generally do the same, but more and more 
I’m getting “this message is sent from an unmonitored email address, please do 
not reply”.

The worst so far is Royal Bank of Canada.  One of their customers used my gmail 
address and I’ve been getting all sorts of private information about them like 
low balance alerts with the exact amount in their bank account, etc.

I’ve tried contacting their security dept., their customer service dept., and 
even @rbc or equivalent in various social media (which I detest) saying 
“please, for the love of all gods, STOP.”  Once, via twitter, an RBC person 
gave me a number to call and through various hoops and literally _hours_ of 
sitting on hold, explaining the situation, jumping through stupid automated 
phone trees, etc., I finally spoke to a person who said they’d discuss it _with 
the customer_ during an appointment I knew the customer was having with them 
because I received the reminder notices.  That was about a year and a half ago.

Yet the email keeps coming.

It boggles my mind.

Regards,
-drc

> On Aug 24, 2023, at 3:59 PM, Jarland Donnell via mailop  
> wrote:
> 
> I usually reply and ask them to cancel the order/reservation. Maybe next time 
> the person won't be so careless writing down their email.
> 
> 
> 
> On 2023-08-24 07:12, Chris Adams via mailop wrote:
> 
>> What do you do when legitimate mail (lately, DoorDash order info and
>> Delta Airlines tickets) is sent to the wrong address?  These types of
>> messages rarely have an unsubscribe method.  I get a ton of crap to a
>> Gmail address that I really only use for Google-related stuff (not as a
>> general email box), so I know instantly that this is not to me.
>> 
>> Why do vendors think they don't need an unsubscribe in this type of
>> mail?  Just because their customers are dumb and don't know their own
>> email address doesn't mean they should continue sending personal
>> information about them to other people.
> 
> ___
> mailop mailing list
> mailop@mailop.org
> https://list.mailop.org/listinfo/mailop



signature.asc
Description: Message signed with OpenPGP
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Legit-looking mail to the wrong address with no unsubscribe

[Michael Rathbun via mailop]

On Thu, 24 Aug 2023 11:30:19 -0600, Anne Mitchell via mailop
 wrote:

>Well, and also *confirming* the email address to start with.

Let's think about Heather, a mother of three in eastern Kansas, who signed up
a while ago for real estate topics, presumably at a co-reg site of some sort.

Cometh now some e-penders, who have the co-reg database with ALL of the
personal information that Heather gave the site, but somehow managed to
associate my email address with that specific datawad:  Now I get all of the
stuff that the e-penders' customers have in store for Heather, about real
estate and many unrelated topics.  To prove their bona fides, they often
include personal detail morsels from that datawad.

As a result, over the years, I have Heather's full name, date of birth,
physical address, driver license facsimile, photographs of her home and her
family's two vehicles, the names and ages of her children, and the names and
locations of the schools they attend.

"Heather", like "Nadine", is not her real name, for obvious reasons.

>Because not doing so, (oh gosh *especially* for delivery services!) can lead 
>to very bad outcomes, and even liability for the sender!

Imagine that.  There are times when my opposition to the death penalty suffers
challenges.

At least I get to cancel healthcare service accounts, Amazon accounts,
insurance policies, and for others, to change their forgotten password to
%Disabled0.   Then trash all of the desperate password recovery emails; I
couldn't wise up the victim no matter how intense my desire might be, since
for their privacy all personal details have been elided.  

Just like CitiBank sending me ALL account update mails for a certain MD Rahman
somewhere in New York.  FOR YEARS.  And refusing to do ANYTHING about 
that -- I can't validate myself as the account holder, so it is utterly
impossible to change the contact email address.  Call back when I have MD
Rahman's DOB and SSAN, thanks for being a loyal Citi customer.  ("But... but I
can tell you the current balance on the accouts, and the last five deposits
and withdrawals to each of them (his financial situation has improved -- he
now has balances north of $40K, when he used to get lots of overdraft 
notices -- Yay, MD!), and the name of the person MD talked to the last time he
visited his local branch!")

mdr
-- 
The hits just keep on coming for poor "Nadine". See the sad tale 
of email lists gone horribly wrong at 
F - IWAA #2157 GEVNP

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Legit-looking mail to the wrong address with no unsubscribe

[Sean Kamath via mailop]

> On Aug 24, 2023, at 05:12, Chris Adams via mailop  wrote:
> 
> What do you do when legitimate mail is sent to the wrong address? 

Various things:

* If it’s a valid reply-to, I reply and say “wrong person”.
* I try and find a way to contact the intended recipient.
* I try and contact the source of the email to say “wrong person” (support, 
other contact method)
* I reset the password and close the account.

One time I was added to a school community distribution list.  I started 
replying to it. :-). No, I would not be bringing cookies to the next park 
outing.

I’ve looked up recipients on random sites (like LinkedIn) and contacted them 
there.

Pepperfry is the only place I got really annoyed at, so I just forwarded them 
all the wrong emails to their support@ email address.  Took ‘em about a month, 
but they stopped.

I don’t see why confirmed opt-in is so hard: Click a button on a web page that 
opens a mailto: with content of a key.  If the key is valid (and maybe from the 
email address entered) you’re done.

Sean
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Legit-looking mail to the wrong address with no unsubscribe

[Carsten Schiefner via mailop]

David & all -

the EU's GDPR wrt. Information Security and PII Protection luckily hands 
a quite sharp sword to consumers: the fines for offenders are, well..., 
"fine".


If the real recipient of RBC's communication you are getting instead of 
her or him would be domiciled in EU territories (-> French overseas 
departments!) and would file a complaint with the appropriate DPA, RBC 
better sets aside a bit of money already. Even more so as they have been 
flagged multiple times already, in this instance by you, David.


Cheers,

-C.

On 25.08.2023 03:20, David Conrad via mailop wrote:
If the address isn’t a “no-reply@“, I generally do the same, but more 
and more I’m getting “this message is sent from an unmonitored email 
address, please do not reply”.


The worst so far is Royal Bank of Canada.  One of their customers used 
my gmail address and I’ve been getting all sorts of private information 
about them like low balance alerts with the exact amount in their bank 
account, etc.


I’ve tried contacting their security dept., their customer service 
dept., and even @rbc or equivalent in various social media (which I 
detest) saying “please, for the love of all gods, STOP.”  Once, via 
twitter, an RBC person gave me a number to call and through various 
hoops and literally _hours_ of sitting on hold, explaining the 
situation, jumping through stupid automated phone trees, etc., I finally 
spoke to a person who said they’d discuss it _with the customer_ during 
an appointment I knew the customer was having with them because I 
received the reminder notices.  That was about a year and a half ago.


Yet the email keeps coming.

It boggles my mind.

Regards,
-drc

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Legit-looking mail to the wrong address with no unsubscribe

[Brotman, Alex via mailop]

Are you suggesting that an unsub results in a suppression?  That hardly seems 
ideal.  That seems to suggest I sign up for a brand's email list.  Order some 
stuff, get receipt.  Later unsub.  Later buy again, but get no receipt?  
(Presuming it comes from the same ESP)

--
Alex Brotman
Sr. Engineer, Anti-Abuse & Messaging Policy
Comcast

From: mailop  on behalf of Mike Hillyer via mailop 

Sent: Thursday, August 24, 2023 9:02:54 AM
To: Chris Adams ; mailop@mailop.org 
Subject: [EXTERNAL] Re: [mailop] Legit-looking mail to the wrong address with 
no unsubscribe

Adding an unsub link for truly transactional mail can result is missed messages 
later on, which is why there's usually not an unsub link.

You get a doordash status message, you decide you don't need them, you 
unsubscribe. A couple of months later you need to reset your password and now 
you never get the reset link because you unsubscribed from transactional 
messages? Sure, we can get infinitely granular or always exempt password 
resets, but it becomes a slippery slope that results in a lot of engineering 
hours.

And as I said at the start of this message, I am only applying this logic to 
truly transactional messages, which in my mind are those triggered by a user 
action and those in the chain of events triggered by a user action. If someone 
at the vendor has to click Send, it's not a transactional message.

Mike

-Original Message-
From: mailop  On Behalf Of Chris Adams via mailop
Sent: Thursday, August 24, 2023 8:13 AM
To: mailop@mailop.org
Subject: [mailop] Legit-looking mail to the wrong address with no unsubscribe

What do you do when legitimate mail (lately, DoorDash order info and Delta 
Airlines tickets) is sent to the wrong address?  These types of messages rarely 
have an unsubscribe method.  I get a ton of crap to a Gmail address that I 
really only use for Google-related stuff (not as a general email box), so I 
know instantly that this is not to me.

Why do vendors think they don't need an unsubscribe in this type of mail?  Just 
because their customers are dumb and don't know their own email address doesn't 
mean they should continue sending personal information about them to other 
people.
--
Chris Adams 
___
mailop mailing list
mailop@mailop.org
https://urldefense.com/v3/__https://list.mailop.org/listinfo/mailop__;!!CQl3mcHX2A!BxL4AAMeuI77MjnKmDvzGueA1MkfZJasfvzFGPo9ayh5VvBAoi50rFGSoeTMZWIUtvT5DeOKkgz5h6-paKI$
___
mailop mailing list
mailop@mailop.org
https://urldefense.com/v3/__https://list.mailop.org/listinfo/mailop__;!!CQl3mcHX2A!BxL4AAMeuI77MjnKmDvzGueA1MkfZJasfvzFGPo9ayh5VvBAoi50rFGSoeTMZWIUtvT5DeOKkgz5h6-paKI$
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Legit-looking mail to the wrong address with no unsubscribe

[David Conrad via mailop]

Carsten,

Even if the RBC customer were in the EU, I think the challenge would be that he 
(safe guess given the email address chosen) wouldn’t know and/or be bothered to 
file a complaint. Whoever he is, he provided an email address years ago and 
hasn’t noticed he’s never received anything at that address (including 
statement notifications, low balance alerts, appointment reminders, etc.).  If 
RBC can be trusted (doubtful, but…), he also chose not to change it when he was 
informed it was wrong at the RBC branch he made an appointment to go to a year 
and a half ago. Now if I, as the impacted third party, could file a complaint… 
maybe some sort of UCE-related complaint?  Anyone know if Canada has laws like 
that?

Part of the annoyance is that at least some RBC staff are apparently aware they 
are sending email to the wrong email address yet there doesn’t appear to be a 
way to have that email address deleted from the customer's profile. I’m 
guessing it’s a systemic thing, perhaps the result of social engineering 
attacks. Still insane though…

Regards,
-drc

On Aug 25, 2023, at 4:43 AM, Carsten Schiefner via mailop  
wrote:
> David & all -
> 
> the EU's GDPR wrt. Information Security and PII Protection luckily hands a 
> quite sharp sword to consumers: the fines for offenders are, well..., "fine".
> 
> If the real recipient of RBC's communication you are getting instead of her 
> or him would be domiciled in EU territories (-> French overseas departments!) 
> and would file a complaint with the appropriate DPA, RBC better sets aside a 
> bit of money already. Even more so as they have been flagged multiple times 
> already, in this instance by you, David.
> 
> Cheers,
> 
>   -C.
> 
> On 25.08.2023 03:20, David Conrad via mailop wrote:
>> If the address isn’t a “no-reply@“, I generally do the same, but more and 
>> more I’m getting “this message is sent from an unmonitored email address, 
>> please do not reply”.
>> The worst so far is Royal Bank of Canada.  One of their customers used my 
>> gmail address and I’ve been getting all sorts of private information about 
>> them like low balance alerts with the exact amount in their bank account, 
>> etc.
>> I’ve tried contacting their security dept., their customer service dept., 
>> and even @rbc or equivalent in various social media (which I detest) saying 
>> “please, for the love of all gods, STOP.”  Once, via twitter, an RBC person 
>> gave me a number to call and through various hoops and literally _hours_ of 
>> sitting on hold, explaining the situation, jumping through stupid automated 
>> phone trees, etc., I finally spoke to a person who said they’d discuss it 
>> _with the customer_ during an appointment I knew the customer was having 
>> with them because I received the reminder notices.  That was about a year 
>> and a half ago.
>> Yet the email keeps coming.
>> It boggles my mind.
>> Regards,
>> -drc
> ___
> mailop mailing list
> mailop@mailop.org
> https://list.mailop.org/listinfo/mailop



signature.asc
Description: Message signed with OpenPGP
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Legit-looking mail to the wrong address with no unsubscribe

[Carsten Schiefner via mailop]

Hi David,

On 25.08.2023 13:54, David Conrad wrote:

Even if the RBC customer were in the EU, I think the challenge would be that he 
(safe guess given the email address chosen) wouldn’t know and/or be bothered to 
file a complaint. Whoever he is, he provided an email address years ago and 
hasn’t noticed he’s never received anything at that address (including 
statement notifications, low balance alerts, appointment reminders, etc.).  If 
RBC can be trusted (doubtful, but…), he also chose not to change it when he was 
informed it was wrong at the RBC branch he made an appointment to go to a year 
and a half ago. Now if I, as the impacted third party, could file a complaint… 
maybe some sort of UCE-related complaint?  Anyone know if Canada has laws like 
that?


what you have described is clearly an Information Security Incident. Period.

And it equally clearly affects PII. Period again.

The least RBC could - and SHOULD! - have done within a reasonable time 
frame after your initial report (to double-check on legitimacy, 
authenticy etc. of your claim) is to delete your email address from 
their customer's record.



Part of the annoyance is that at least some RBC staff are apparently aware they 
are sending email to the wrong email address yet there doesn’t appear to be a 
way to have that email address deleted from the customer's profile. I’m 
guessing it’s a systemic thing, perhaps the result of social engineering 
attacks. Still insane though…


That their customer doesn't seem to care and therefore does not attempt 
to rectify the wrong email address on his record at RBC's: that's an 
irritating shame, but somebody else's problem.


But that RBC has failed to delete *YOUR* email address (PII for sure 
according to GDPR) from a totally unrelated customer record for at least 
18 months now and after multiple attemps of yours to get this ironed 
out, makes *YOU* an affected individual, too. Certainly at least 
according to European GDPR.


I have filed an inquiry recently with a company I stopped having 
business with years ago, when they all of a sudden started to send me 
emails again. It was truly remarkable how quickly I received their 
apologies combined with a comprehensive explanation how this had 
happened and what they have done to prevent this from happening again.


Why? Because they knew and probably still know very well what otherwise 
might be at stake for them.


Best,

-C.
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Legit-looking mail to the wrong address with no unsubscribe

[Mike Hillyer via mailop]

Not a suppression, just an unexpected behavior if an unsub means all 
transactional, and I'm not talking about unsub from a list, I was specifically 
addressing unsub links in transactional mail and the potential unintended 
impact.

Mike

From: Brotman, Alex 
Sent: Friday, August 25, 2023 6:50 AM
To: Mike Hillyer ; Chris Adams ; 
mailop@mailop.org
Subject: Re: [mailop] Legit-looking mail to the wrong address with no 
unsubscribe

Are you suggesting that an unsub results in a suppression?  That hardly seems 
ideal.  That seems to suggest I sign up for a brand's email list.  Order some 
stuff, get receipt.  Later unsub.  Later buy again, but get no receipt?  
(Presuming it comes from the same ESP)

--
Alex Brotman
Sr. Engineer, Anti-Abuse & Messaging Policy
Comcast

From: mailop mailto:mailop-boun...@mailop.org>> on 
behalf of Mike Hillyer via mailop mailto:mailop@mailop.org>>
Sent: Thursday, August 24, 2023 9:02:54 AM
To: Chris Adams mailto:c...@cmadams.net>>; 
mailop@mailop.org<mailto:mailop@mailop.org> 
mailto:mailop@mailop.org>>
Subject: [EXTERNAL] Re: [mailop] Legit-looking mail to the wrong address with 
no unsubscribe

Adding an unsub link for truly transactional mail can result is missed messages 
later on, which is why there's usually not an unsub link.

You get a doordash status message, you decide you don't need them, you 
unsubscribe. A couple of months later you need to reset your password and now 
you never get the reset link because you unsubscribed from transactional 
messages? Sure, we can get infinitely granular or always exempt password 
resets, but it becomes a slippery slope that results in a lot of engineering 
hours.

And as I said at the start of this message, I am only applying this logic to 
truly transactional messages, which in my mind are those triggered by a user 
action and those in the chain of events triggered by a user action. If someone 
at the vendor has to click Send, it's not a transactional message.

Mike

-Original Message-
From: mailop mailto:mailop-boun...@mailop.org>> On 
Behalf Of Chris Adams via mailop
Sent: Thursday, August 24, 2023 8:13 AM
To: mailop@mailop.org<mailto:mailop@mailop.org>
Subject: [mailop] Legit-looking mail to the wrong address with no unsubscribe

What do you do when legitimate mail (lately, DoorDash order info and Delta 
Airlines tickets) is sent to the wrong address?  These types of messages rarely 
have an unsubscribe method.  I get a ton of crap to a Gmail address that I 
really only use for Google-related stuff (not as a general email box), so I 
know instantly that this is not to me.

Why do vendors think they don't need an unsubscribe in this type of mail?  Just 
because their customers are dumb and don't know their own email address doesn't 
mean they should continue sending personal information about them to other 
people.
--
Chris Adams mailto:c...@cmadams.net>>
___
mailop mailing list
mailop@mailop.org<mailto:mailop@mailop.org>
https://urldefense.com/v3/__https://list.mailop.org/listinfo/mailop__;!!CQl3mcHX2A!BxL4AAMeuI77MjnKmDvzGueA1MkfZJasfvzFGPo9ayh5VvBAoi50rFGSoeTMZWIUtvT5DeOKkgz5h6-paKI$<https://urldefense.com/v3/__https:/list.mailop.org/listinfo/mailop__;!!CQl3mcHX2A!BxL4AAMeuI77MjnKmDvzGueA1MkfZJasfvzFGPo9ayh5VvBAoi50rFGSoeTMZWIUtvT5DeOKkgz5h6-paKI$>
___
mailop mailing list
mailop@mailop.org<mailto:mailop@mailop.org>
https://urldefense.com/v3/__https://list.mailop.org/listinfo/mailop__;!!CQl3mcHX2A!BxL4AAMeuI77MjnKmDvzGueA1MkfZJasfvzFGPo9ayh5VvBAoi50rFGSoeTMZWIUtvT5DeOKkgz5h6-paKI$<https://urldefense.com/v3/__https:/list.mailop.org/listinfo/mailop__;!!CQl3mcHX2A!BxL4AAMeuI77MjnKmDvzGueA1MkfZJasfvzFGPo9ayh5VvBAoi50rFGSoeTMZWIUtvT5DeOKkgz5h6-paKI$>
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Legit-looking mail to the wrong address with no unsubscribe

[Chris Adams via mailop]

Once upon a time, Brotman, Alex  said:
> Are you suggesting that an unsub results in a suppression?  That hardly seems 
> ideal.  That seems to suggest I sign up for a brand's email list.  Order some 
> stuff, get receipt.  Later unsub.  Later buy again, but get no receipt?  
> (Presuming it comes from the same ESP)

So even for transactional messages, there's usually an account making
the purchase, or something is being delivered to an address, or the
like.  So a "this is not me" link should be able to note that (a) don't
send more mail about the current transaction to this address and (b)
don't send any mail for future transactions with the same delivery to
the same address without further input.  Future orders that would have
transactional emails blocked should pop up and say "hey, this address is
flagged as NOT YOU, are you sure?".

-- 
Chris Adams 
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Legit-looking mail to the wrong address with no unsubscribe

[Jaroslaw Rafa via mailop]

Dnia 25.08.2023 o godz. 09:48:35 Chris Adams via mailop pisze:
> 
> So even for transactional messages, there's usually an account making
> the purchase, or something is being delivered to an address, or the
> like.  So a "this is not me" link should be able to note that (a) don't
> send more mail about the current transaction to this address and (b)
> don't send any mail for future transactions with the same delivery to
> the same address without further input.  Future orders that would have
> transactional emails blocked should pop up and say "hey, this address is
> flagged as NOT YOU, are you sure?".

This does not solve the problem of one-time purchases WITHOUT an account
(actually may be multiple "one-time" purchases, but without registering an
account at the shop and logging in).

YMMV, but from my experience, I purchased quite a lot of things online
without creating any accounts (and still do).
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Legit-looking mail to the wrong address with no unsubscribe

[Chris Adams via mailop]

Once upon a time, Jaroslaw Rafa  said:
> Dnia 25.08.2023 o godz. 09:48:35 Chris Adams via mailop pisze:
> > 
> > So even for transactional messages, there's usually an account making
> > the purchase, or something is being delivered to an address, or the
> > like.  So a "this is not me" link should be able to note that (a) don't
> > send more mail about the current transaction to this address and (b)
> > don't send any mail for future transactions with the same delivery to
> > the same address without further input.  Future orders that would have
> > transactional emails blocked should pop up and say "hey, this address is
> > flagged as NOT YOU, are you sure?".
> 
> This does not solve the problem of one-time purchases WITHOUT an account
> (actually may be multiple "one-time" purchases, but without registering an
> account at the shop and logging in).

"or something is being delivered to an address"

One of the things that prompted me to send the initial message here is
DoorDash delivering food to the same person.  In that case, it appears
they made an account, but even if they didn't, it's probably going to
the same place.  So "delivery address+email" is a unique identifier.
-- 
Chris Adams 
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Legit-looking mail to the wrong address with no unsubscribe

[postfix--- via mailop]

On 2023-08-25 04:43, Carsten Schiefner via mailop wrote:


the EU's GDPR wrt. Information Security and PII Protection luckily 
hands a quite sharp sword to consumers: the fines for offenders are, 
well..., "fine".


If the real recipient of RBC's communication you are getting instead 
of her or him would be domiciled in EU territories (-> French overseas 
departments!) and would file a complaint with the appropriate DPA, RBC 
better sets aside a bit of money already. Even more so as they have 
been flagged multiple times already, in this instance by you, David.


wishful dreaming!  The sword is not in the hands of consumers, it is in 
the hand of a government agency (DPA?).  The RBC in question is most 
likely the Canadian retail bank.  Experience in Canada is that 
government agencies do not use this kind of sword nearly enough to 
tickle offenders.  What we need is a private cause of action where the 
user (who cares more than the bureaucrat) is handed the sword directly 
and can sue the offender.  There was one intended in Canadian anti-spam 
laws, but it was never activated.


Even with private right of action, there are two users here that are 
harmed: the one whose PII is leaked; and the one on the receiving end of 
the spam.


The one whose PII is leaked has the biggest damage, but they are not 
innocent.  The root cause of the problem is they entered a wrong email 
address.  They did not bother checking that they were not receiving 
expected information.  Not minimizing the damage caused by RBC's 
negligence exposes this user to blame.  Not taking side of the spammer, 
just saying that the assignment of responsibility will be contested; and 
frankly, the careless user entering the wrong email address deserves a 
tap on their fingers too.


The one on the receiving end of the spam has arguably near-zero damage.  
Just hit delete and move on with it, argue the spammer. No, I do not 
condone this.  Everyone who wastes your time should be punished; and you 
should be compensated for the time that is irreparably stolen from you.


What we need is for all of these government agencies to become swords in 
the hand of the user whose time is being stolen; and a compensation 
mechanism that is easy and streamlined to compensate the user for the 
stolen time.


Within the Canadian governance model, instead of having the CRTC 
(Canadian Radio & Telecommunication Commissioner), the Privacy 
Commissioner, and other bureacracies regulating the industry with 
GDPR-like swords that only experts understand, we need to grant the 
Competition Commissioner simple administrative powers to hand small 
fines efficiently; and the Canada Revenue Agency (CRA) the simple 
administrative power to add those fines to a taxpayer's tax bill.


I propose the creation of the Tribunal Against the Bad Business 
Practices and Other Papercuts.  Laughter, laughter!


The newly created Tribunal would be a branch of the Competition 
Tribunal.  The Competition Commissioner would keep updated regulations 
listing those bad business practices.  Any user at the receiving end of 
the business practice will be able to submit a simple web-form with 
details that would be assumed to be true unless rebutted.  The user can 
point finger at any beneficiary of the spam (so if the spam benefits a 
local business with an off-shore spam gun, the local business can be 
taxed for it). After basic automated verification, the Tribunal issues a 
standardized penalty and the tax authority adds it to the tax bill of 
the entity that is benefitting from the conduct, and credit the user's 
tax bill for the same amount less a fee to cover the cost of the 
mechanism.  The entity accused can rebut, but it is up to them to prove 
that they have not wasted the user's time.  General (contractual) terms 
and condition should not be allowed to override the mechanism.


The Competition Tribunal would regulate what are offenses and what is 
the penalty amount.  For example:


- for a text messages that was sent without explicit user consent: $50 
per instance


- for a purely promotional email message: $100 per instance

- for a transactional email that includes promotional messages despite 
the user not wanting to receive promotional messages: $50 per instance


- for a reminder when the user does not want to be reminded: $100 per 
instance


- for bugging the email with trackers when the user does not want to be 
tracked: $500 per instance


- for not listening to the recipient wishes or for repeat offenses on 
the same user: 2x for the first repetition, 3x for the second, and so on 
until 10x.


and so on

When a sender becomes problematic enough that the complaints to the 
Tribunal come from so many recipients in such a short time to raise 
concern, that's when the government bureaucrats could, in theory, start 
to become active.  reality is that the spammers are so much nimbler than 
the bureaucrats, it won't really matter.


now it is me, the wishful dreamer.  unti

Re: [mailop] Legit-looking mail to the wrong address with no unsubscribe

[Jay Hennigan via mailop]

On 8/24/23 05:12, Chris Adams via mailop wrote:

What do you do when legitimate mail (lately, DoorDash order info and
Delta Airlines tickets) is sent to the wrong address?  These types of
messages rarely have an unsubscribe method.  I get a ton of crap to a
Gmail address that I really only use for Google-related stuff (not as a
general email box), so I know instantly that this is not to me.

Why do vendors think they don't need an unsubscribe in this type of
mail?  Just because their customers are dumb and don't know their own
email address doesn't mean they should continue sending personal
information about them to other people.


Subscriptions are for recurring events. A DoorDash order or airline 
ticket is not a recurring event.


It's kind of like the difference between a misaddressed snail-mail 
personal letter and a misaddressed snail-mail magazine.


Now, if DoorDash and Delta capture transactional email addresses and use 
them to spam you back to the stone age (otherwise known as, "Present you 
with offers of other products and services that may be of interest to 
you"), then that's a different story.


--
Jay Hennigan - j...@west.net
Network Engineering - CCIE #7880
503 897-8550 - WB6RDV

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Legit-looking mail to the wrong address with no unsubscribe

[postfix--- via mailop]

On 2023-08-25 15:55, Jay Hennigan via mailop wrote:

Subscriptions are for recurring events
Subscriptions are for monetization. Look at the speeches to investors of 
Marry Barra (GM CEO) and other in the industry that is turning cars into 
cellphones on wheels for hints.  Gyms have discovered it long ago that 
they can oversubscribe and buyers underuse.  Same for Netflix & Co. - 
users either underuse, or overconsume.  In both cases they are paying 
more than what a market without subscription would do.  Car 
manufacturers think they have you captive in your seat and sell 
subscriptions for seat heating (BMW), are trying again to sell 
subscriptions to GPS data (after their yearly SD-card upgrades at cost 
of more than a decent Garmin or Tomtom were tanked by "free" 
GoogleMaps).  In most cases, user is better off without subscriptions.  
If cellular operators were forced to advertise a spot price per minute 
or GB, rational economics predict that the cost of cellular bandwidth 
would be very low most places / times, except where and when there is a 
concentration of users because events.  They prefer you subscribe, and 
their pricing is intentionally set according to the formula: bundle 1: 
$X for 10% less than the data quantity that user in the 70%-quantile 
need; bundle 2: $X+10 for 2*data in bundle1; bundle 3: $X+20 for 
"unlimited" data. Because financial analyst are looking at revenue per 
subscriber per month.  So they blind the public and the regulator with a 
low $X/month offering, but end up with most users paying $X+10 or 
splurging on $X+20.

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Legit-looking mail to the wrong address with no unsubscribe

[John Levine via mailop]

It appears that Carsten Schiefner via mailop  said:
>If the real recipient of RBC's communication you are getting instead of 
>her or him would be domiciled in EU territories (-> French overseas 
>departments!)

Don't hold your breath. RBC is the largest bank in Canada, and has a
substantial US subsidiary and some offshore branches in the Caribbean
but no consumer banking anywhere in France. The closest they get is St
Maarten which is not St Martin.

R's,
John
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Legit-looking mail to the wrong address with no unsubscribe

[Alessandro Vesely via mailop]

On Fri 25/Aug/2023 17:36:06 +0200 Chris Adams via mailop wrote:

Once upon a time, Jaroslaw Rafa  said:

Dnia 25.08.2023 o godz. 09:48:35 Chris Adams via mailop pisze:


So even for transactional messages, there's usually an account making 
the purchase, or something is being delivered to an address, or the 
like.  So a "this is not me" link should be able to note that (a) don't 
send more mail about the current transaction to this address and (b) 
don't send any mail for future transactions with the same delivery to 
the same address without further input.  Future orders that would have 
transactional emails blocked should pop up and say "hey, this address is 
flagged as NOT YOU, are you sure?".


This does not solve the problem of one-time purchases WITHOUT an account 
(actually may be multiple "one-time" purchases, but without registering an 
account at the shop and logging in).


"or something is being delivered to an address"

One of the things that prompted me to send the initial message here is 
DoorDash delivering food to the same person.  In that case, it appears 
they made an account, but even if they didn't, it's probably going to 
the same place.  So "delivery address+email" is a unique identifier.



If you have an unsub button —which some suggest be /always/ set in automated 
mails— you should store unsubbed addresses whether they have an account or not. 
 So Chris' solution is good for all cases.  Re-entering an unsubbed address 
should trigger extra checks, COI or whatever.



Best
Ale
--




___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Legit-looking mail to the wrong address with no unsubscribe

[Gellner, Oliver via mailop]

> On 25.08.2023 at 13:29 Brotman, Alex via mailop wrote:
>
>  Are you suggesting that an unsub results in a suppression?  That hardly 
> seems ideal.  That seems to suggest I sign up for a brand's email list.  
> Order some stuff, get receipt.  Later unsub.  Later buy again, but get no 
> receipt?  (Presuming it comes from the same ESP)

Yes, this is absolutely not ideal, and basically the opposite behavior of what 
is reported in this thread: If you complain once you will not receive any 
messages ever again, not even when you actually requested them yourself.

I’m under the impression Sendgrid operates like this and also another member on 
this list suggested this approach a few days ago: If you report their emails as 
spam, they add your address to a suppression list. If you request password 
reset emails or other transactional messages later on which are sent via 
Sendgrid as well, they are silently discarded.

I’m not sure if anyone is sending opt-in confirmations for transactional 
emails, but if you do then you have to send them again for every new 
transaction and cannot assume that a recipient is not interested in any future 
messages just because he wasn’t interested in one before.

—
BR Oliver




dmTECH GmbH
Am dm-Platz 1, 76227 Karlsruhe * Postfach 10 02 34, 76232 Karlsruhe
Telefon 0721 5592-2500 Telefax 0721 5592-2777
dmt...@dm.de * www.dmTECH.de
GmbH: Sitz Karlsruhe, Registergericht Mannheim, HRB 104927
Geschäftsführer: Christoph Werner, Martin Dallmeier, Roman Melcher

Datenschutzrechtliche Informationen
Wenn Sie mit uns in Kontakt treten, beispielsweise wenn Sie an unser 
ServiceCenter Fragen haben, bei uns einkaufen oder unser dialogicum in 
Karlsruhe besuchen, mit uns in einer geschäftlichen Verbindung stehen oder sich 
bei uns bewerben, verarbeiten wir personenbezogene Daten. Informationen unter 
anderem zu den konkreten Datenverarbeitungen, Löschfristen, Ihren Rechten sowie 
die Kontaktdaten unserer Datenschutzbeauftragten finden Sie 
hier.
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Legit-looking mail to the wrong address with no unsubscribe

[Alessandro Vesely via mailop]

On Fri 25/Aug/2023 23:12:56 +0200 postfix wrote:
users either underuse, or overconsume.  In both cases they are paying more than 
what a market without subscription would do.



Aha, so that's why they tend to give the wrong address...

For comparison, the delivery address is wrong in rare cases, which are solved 
quickly.



Best
Ale
--





___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Legit-looking mail to the wrong address with no unsubscribe

[Slavko via mailop]

Dňa 26. augusta 2023 11:29:34 UTC používateľ Alessandro Vesely via mailop 
 napísal:
>On Fri 25/Aug/2023 23:12:56 +0200 postfix wrote:
>> users either underuse, or overconsume.  In both cases they are paying more 
>> than what a market without subscription would do.
>
>Aha, so that's why they tend to give the wrong address...

Or people simple do not want to share own email, as it is
not related for delivery, but required by the form. Thus
they fill semi random email like string.

This will prevent to receive (and bother with filter/delete)
a) tons of marketing spams and b) tons of real spams after
compromise, etc...

And, from time to time, that random email can be real.

regards


-- 
Slavko
https://www.slavino.sk/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Legit-looking mail to the wrong address with no unsubscribe

[Jaroslaw Rafa via mailop]

Dnia 26.08.2023 o godz. 13:58:21 Slavko via mailop pisze:
> 
> Or people simple do not want to share own email, as it is
> not related for delivery, but required by the form. Thus
> they fill semi random email like string.

In many cases either the correct email address OR a phone number is needed
for delivery.
If you buy anything and choose your order to be delivered to a parcel
machine (you may not know them in the US, but in my country they are
extremely popular as they are super convenient, and it's the preferred
method of delivery for many people), you NEED a way to receive the code that
allows you to pick up the package at the machine. The code comes via email
and via a text message to the specified phone number, so you need at least
one of them.
Even if the delivery comes via a regular courier, providing your email when
placing order is helpful, because 1) usually you get a message with a link
that allows you to track your package on the delivery company's website so
you know when it's about to be delivered; 2) many delivery companies send
you (usually a day before planned delivery) another mail with a link that
allows you to eg. redirect the package to another address if you cannot
pick it up, or change the delivery date.

And because of GDPR (already mentioned in the thread), I actually NEVER see
here the cases when email given for transactional purposes is used to spam
you, unless you actually checked the box saying that you agree to marketing
email when placing your order... Yes, it did happen several years ago, but
now nobody will risk fines for GDPR non-compliance.

They do it a different way. They often offer a discount if you subscribe to
marketing email. Especially cell phone providers and ISPs. It is now almost
a "standard" that with typical contract you pay X per month if you don't
agree to marketing email, and X-5 or X-10 per month if you do.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Legit-looking mail to the wrong address with no unsubscribe

[Jay Hennigan via mailop]

On 8/26/23 06:58, Slavko via mailop wrote:


Or people simple do not want to share own email, as it is
not related for delivery, but required by the form. Thus
they fill semi random email like string.


That's what mailinator is for, or the temporary addresses offered by 
several browser plugins, or if you know they're going to use it to spam 
you, abuse@ their domain. nob...@example.com works as well, and 
1-900-976-1212 for a "required" phone number.


--
Jay Hennigan - j...@west.net
Network Engineering - CCIE #7880
503 897-8550 - WB6RDV

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Legit-looking mail to the wrong address with no unsubscribe

[Ángel via mailop]

On 2023-08-24 at 14:29 -0400, postfix--- via mailop wrote:
> (...)
> Needless to say:  I will avoid restaurants using OpenTable, whether 
> while visiting destinations or at home.  If they cannot choose a
> service provider that is respectful of my choices, they do not
> deserve my business.

Great opportunity lost here to add a tip in the bill, then subtracting
in an itemized way a fee for the text message on roaming, for every
reminder email and for suggesting you're so dumb to need an email
telling you you're seated at the restaurant (maybe that reflects the
average IQ of their patrons?)


Not sure they would take action on clearly viewing the monetary results
of their "awesome system", but it would certainly be a bill that would
do rounds on the internet for years.


Cheers


___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Legit-looking mail to the wrong address with no unsubscribe

[Steve Shipway via mailop]

On Thu, 2023-08-24 at 08:26 -0500, Chris Adams via mailop wrote:

(although still a "not me" link should at least signal somebody that "something 
is

wrong")

Yes, this.  If your service doesn't do a challenge-response verification of 
email address when people sign up, then at least include a "This is not me" 
link in the footer to allow people to stop the messages and highlight something 
is wrong!  Otherwise, you're asking for lost emails at best, and being an 
accessory to harassment at worst.

Steve


--

Steve Shipway | Senior Email Security Administrator
Mobile: +64 21 753 189
Support, Sales & Accounts: NZ 0800 769 769 | AU 1800 476 976
Support, Sales & Accounts International: +64 9 302 0515
SMX Limited: B:HIVE, Smales Farm, Auckland, NZ
Web: 
https://smxemail.com/
[https://smxemail.com/media/rr0ps101/smxlogotext.png]

[https://smxemail.com/media/y1iop0lz/email_twitter.png]
 [https://smxemail.com/media/qs1kg2x3/email_linkedin.png] 


___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop