Skip to content

AOL users and list confirmations

Someone just signed up for a mailing list on my day job’s web site. Our system uses Mailman, which sends a confirmation email back to the email address given to get confirmation that the address should be added to the mailing list. An AOL user filed a spam complaint about the confirmation message. Now, that is an interesting conundrum. For years, we (the anti-spam community) has been railing that all mailing lists should be confirmed opt-in. An email address should only be added to a mailing list if the email address has been confirmed through some kind of tagged email. This is usually done with a hash of some sort that can only be read by the owner of the email address. This prevents an attack on a victim by signing them up for zillions of lists without their permission.

Of course, now what could happen is the attacker attempts to sign them up for zillions of lists. The victim still gets zillions of messages, but these now are the confirmation messages. The flood of mail will stop very shortly after the attacker’s computer stops generating the requests. The victim will have no choice but to either ignore the list requests, or to file a spam complaint on the requests.

What’s the answer? Do list managers (who are mostly all using confirmed opt-ins for new subscriptions) now need to start using a CAPTCHA to protect themselves from abuse?

In the specific example above, I will chalk up the abuse report I got from AOL as being from an idiot AOL user who did not understand that by submitting their email address they would be getting email from us.