Category Archives: spam

Another Year, Another Look Back

Nearing the end of the second year of the pandemic, it’s time for our annual look back on the year in email. As with the year before, many of us spent the year under at least partial lockdown. The businesses that could, continued to engage in email marketing. The ones that couldn’t…, well, the ones that couldn’t went out of business. A few companies stopped sending emails at the beginning of the situation back in 2020, only to discover that this wasn’t the right approach. When those companies started sending again, they found their deliverability had slipped (see Coming Back After Quarantine for more on this).

Looking back on this year’s mailings, one thing is readily apparent: email marketers have gotten far better at their jobs. There were far fewer mail merge and dynamic content errors this year. We’re also seeing a shift to simpler designs based on what works in email rather than what a graphic artist thinks is a good-looking composition. This is a double-edged sword, however. While it led to fewer mistakes, it also led to an increase in fairly uninteresting email designs. Most of the mailings we received this year followed the same header, hero image, text, and footer block format that you’ll find in every email template. It’s a good format, but when you see it too often your brain stops registering both the design and the content, and that’s never a good thing.

We’ll start with the gaffe heard round the world.

Testing… 1…2…3…

On June 17th of last year, all 44 million subscribers to HBOMax’s mailing list received the message shown above. People immediately started posting to Twitter about it. HBOMax went on Twitter to explain that it was an intern who made the mistake, promising to help the intern through it. This led to even more posts, with people defending the intern and admitting to some terrible mistakes of their own that they made while working as an intern. In one case, a person tweeted:

Proving things can always get worse.

They call me Hell. They call me Stacey.

Over the past few years, I’ve received many emails that began:

“Dear [first name]”

That has mostly gone away. Marketers now know that an attempt to be personal that fails has exactly the opposite effect. I also saw far fewer typos, which is probably a side effect of the improvements in spelling and grammar features and apps such as Grammarly.1

Now that marketers have learned the dangers of empty fields in their mail merges, some have made sure that there is always a first name to refer to in the subscriber data. This can also come at a cost. In this example, somewhere along the line, someone in the office decided that my first name was Greg (it’s not). This might be even worse than a dangling comma or a placeholder. At least there’s no confusion over whether or not the email is intended for me. Maybe there’s some guy named Greg out there wondering why he hasn’t heard from them.

Sometimes an ampersand remains an ampersand

Mojang, the creators of Minecraft, have been owned by Microsoft since 2014. You’d think with a company like that behind them, you wouldn’t see these kinds of simple coding errors in the emails, and yet, here we are. “'” is a standard way to add an apostrophe in HTML, but I can’t see anyone doing that in email. More likely, the coding information got screwed up. Either way, a test send would have caught the problem.

Ma, fetch me the magnifying Glass!

I talked about this last year, but every year there are always a few people who haven’t learned that not everyone reads their emails on a desktop monitor. In fact, less than 20% of email is opened on the desktop now!2 Some graphic artists still like to design their emails like they’re pages from a magazine. Most email marketers have learned to either use media queries to make their mailings responsive or, at the very least, mobile friendly. Yet, there are a few who haven’t received the memo. It’s probably not coincidental that these examples come from sources with smaller email lists. Five years ago, this wasn’t at all uncommon, but the fact is almost everyone is reading email on their phones these days, and this type of email design is a relic of the past.

Hey! Who turned out the lights?

In 2020, there was a lot of chatter in the email marketing community about “dark mode.” A feature of many mobile devices, dark mode inverts the display, making the background black and the lettering white. This works well in most cases, but marketers who like to use unusual background and type colors could find their results turn into something strange if they’re not careful. The biggest problems occur with images, and specifically with PNG logos. Dark mode can’t invert a black logo with a transparent background, so the result is a black logo on a black background. Not exactly eye-catching.

Unsubscribe? Good luck!

One thing you never want to see when you click unsubscribe is a placeholder. This is from a Klaviyo service, but I doubt that ESP is entirely responsible; more likely, someone was trying to set up their own unsubscribe page and did a poor job of it.

By far the worst offender when it comes to emails is Warby Parker. Clicking on their unsubscribe button, I received this notice:

On my laptop, this was showing up as DNS not found. On my desktop, I received the warning above. As you might imagine, Warby Parker’s emails now go to my spam folder.

Click to go…Oops!

Some years, we received dozens of emails with broken or missing links. I was expecting dozens of these around the holidays—a prime time for this sort of thing when companies go into panic mode making sure their mailings get out on time—but this year there was far less of it than in the past. Of course, the thing to do is exactly what New York Magazine’s The Strategist newsletter did here, although few senders get this creative with their mistake.

You Already Said That

Forgetting a link is embarrassing, but how about sending out an email you already sent? I know that sometimes marketers will do this on purpose, but that’s clearly not what Skyword’s CEO Andrew Wheeler had in mind with his Content & Context newsletter. He admits it in the green subhead and the “Oops, wrong newsletter” in the subject line. Fortunately, the marketing team was on the ball, and it only took a couple hours to straighten everything out.

Unclear on the Concept

There will always be spam, and if you want to see bad email formatting and grammar mistakes, you’ll find there’s no shortage of them in your spam folder. My personal favorite is when the spammer decides to send their email as a graphic (sometimes base64 encoded as well). This does get past the filter more often, and the spammers probably consider this a win, but while that email might just reach the inbox, they’ve lost the war. Any links they included are lost. By far the worst example of this I received was one that asked the recipient to cut and paste a long code number in order to deposit money into a bitcoin account. They didn’t stop to consider that you can’t cut and copy a number from a graphic (go ahead and insert your favorite Jean Luc Picard facepalm gif here).

And while we’re on the subject of spam, this one is one of my favorites:

It’s just ordinary spam, but I like the way it pretends to be about helping you avoid being a victim. Isn’t being a victim what spam is all about? It’s a bit like the used car dealer that calls himself “Honest Abe.”

That’s it for this year. If nothing else, this year’s mailings showed more people paying attention to the little things, or, at least, the use of templates has reduced the errors.

Go to Goolara website

1. I’d include autocorrect here, but that feature, while good at correcting typos, sometimes leaves things unintelligible. I’d include a link here to the Damn You Autocorrect website, but it’s definitely NSFW.

2. This statistic is taken from SuperOffice’s article on the topic. Naturally, there are some discrepancies between various sources as to the actual number, but most agree that mobile device email viewing now far outstrips desktop viewing.

© Goolara, LLC, 2022. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Goolara, LLC and the Goolara Blog with appropriate and specific directions (i.e., links) to the original content.

A couple years ago, as a gift to our readers for the holidays, we offered The Email Game, a simple luck-based game that also served as an instructional tool for learning what to do, and what not to do when sending out your mailings. This year we’re back with a game we call Spam Attacks, based on the subscription bomb attacks that plagued ESPs everywhere in late 2016. The game is a dice and board game similar to Backgammon where each player moves from opposite points on the board and landing on an opponent’s piece will send it back to the beginning (or, in this case, into the Blacklist area). Unlike the previous game, you can win this game with strategy, although a certain amount of chance will still keep things exciting. Enjoy, and Happy Holidays!

Email Gameboard
Pieces:

Playing pieces

How to Play:

Before you begin: Print out the game board and playing pieces (envelopes and bombs). Cut out the six playing pieces separately. You will also need a standard, six-sided die.

Number of players: Two. Each player has three pieces. The players are designated as the Email Marketer and the Spam Attacker. The Email Marketer uses the three envelope pieces. These are referred to as emails. The Spam Attacker uses the bomb pieces. These are referred to as spam attacks.

Object: For the Email Marketer, it is to get at least one of their emails delivered before all three are blacklisted. An email is considered delivered when it successfully moves off the playing board. For the Spam Attacker, it is to get all three of the Email Marketer’s emails blacklisted before they can be delivered. The Spam Attacker causes an email to be blacklisted by landing on the square occupied by an email. That email is then sent to the bottom of the blacklist (the square labeled “Blacklisted!”). The Email Marketer must restart the journey for that piece from that point. The first player to achieve their objective wins the game.

Rules:

The Email Marketer begins their journey around the game board by placing a piece on the square in the upper left corner of the board (labeled with a ►). They then move their pieces clockwise around the board to the finish line. The Spam Attacker starts by placing a piece in the square in the lower left corner (labeled with a star) and initially moving counterclockwise. The spam player pieces cannot leave the board once they are in play, nor can they enter the blacklist area. If a spam attack piece reaches either end of the playing area, it continues its journey back in the opposite direction. The Email Marketer may only move forward in a counterclockwise direction. They do not need an exact count to leave the playing area. The Spam Attacker can move in either direction, so it’s possible for the Spam Attacker to double back and tag a piece they have already passed.

Each player can decide at what point they wish to add each piece to the playing field. If they have more than one piece in play, they can choose which piece they want to move next. They can only move one piece with each die toss, but they must move one of their pieces with each toss.

Safety Zones: There are three Safety Zones on the board (labeled with the Goolara rings). The Spam Attacker cannot land on these squares. The Spam Attacker must jump over them in their move counts. The Email Marketer can land on these squares, and can keep a piece on one of these squares as long as they want. Two emails cannot occupy the same Safety Zone. If an envelope lands on a Safety Zone that is already occupied, the second piece must move to the next square after the Safety Zone. The Email Marketer can, however, create a temporary Safety Zone by placing two pieces in the same square (see Special Cases).

Winning the game: The Email Marketer wins the game when at least one of their pieces moves off the board. The Spam Attacker wins if they get all three of the Email Marketer’s pieces in the blacklist area.

Special Cases: If the only move an Email Marketer can make causes that piece to land on a Spam Attacker’s piece, the Email Marketer cannot move and loses that turn. If the Email Marketer has two pieces on the same square, that square becomes a safety zone as long as two pieces of email occupy it, and the Spam Attacker cannot land on it.

Variation: The game can be played with four players: Three Email Marketers and one Spam Attacker. Each player must move on their turn, so the Safety Zones offer limited protection. Play continues until one of the Email Marketers has successfully moved their piece off the board. The first player to do so wins the game. The Spam Attacker wins if they manage to get all three players in the blacklist area.



Special kudos to Sabine Kroschel of Pixaline for her lovely background image.

The Year in Email: A Look Back At 2016

By all accounts, 2016 was an extraordinarily eventful year. It saw the deaths of Fidel Castro, Muhammad Ali, David Bowie, Leonard Cohen, Carrie Fisher, George Michael, Leon Russell, Debbie Reynolds, Gene Wilder, and a whole host of others. Politically, it was the year of Brexit and a presidential election that caused the New York Times to take a hard look at their polling methodology. In sports, it was the year that the Chicago Cubs, after 108 years of losing, finally won a world series in a final game that played out like a movie script.

It was an eventful year in email too, but not necessarily in a good way. Some might argue that email—or, at least, email that wasn’t meant to be seen by the general public—helped lose the election for Hillary Clinton. August saw an organized subscription bomb attack of suspicious origin that temporarily landed several respectable news organizations on spam lists and caused Spamhaus to update their opt-in verification recommendations. In one respect, 2016 was better than previous years. We saw fewer of the kind of clumsy design errors that we’ve seen in the past. Most of the really terrible errors came from sources that were questionable to begin with.

The Importance of Testing Across Platforms

It should go without saying that whenever you send out a message you should test it. If you are using Goolara Symphonie, or another ESP that has a preview feature built in, I’d start there. If you want to be extra careful, you can also send test mailings to several different addresses, or use the email previews available from Litmus and Email on Acid. Sometimes, a message looks fine in one email reader, but not so good in another. Here are some examples.

Aw Gee-Mail

misaligned images

If you’re going to have a problem displaying your email design in one provider, the provider should never be Gmail. After all, it is the most popular email reader out there, and it doesn’t cost anything to get an address, so what’s the problem? The folks at Orchard apparently didn’t learn this lesson, though. This particular email looked fine everywhere else, including the always problematic Live Mail, but completely fell apart in Gmail.

Dynamic Content Mishap

Bad dynamic content

One time when you absolutely must test before sending is when you are using mail merge or dynamic content.1 The example above is an actual email, sent to us with the subject line: “Your email.” A blank space between “Hello” and the comma would have been better than this. Well constructed dynamic content instructions would have prevented this from happening.

Hide and Seek

images covering type

A picture’s worth a thousand words, but this email is pushing it. At first glance, it looks like Wired expects these images to do all the work, but look closely at the right edge of the top photo, just below the horizon. There’s a series of small dots there. A closer investigation reveals that those dots are the text hidden under each photo. This particular problem occurs in Microsoft’s recently abandoned Live Mail, and if Live Mail was the only email reader that had trouble with this mailing, I probably wouldn’t bother mentioning it. But Thunderbird also has trouble with the file, pushing the text and social links out to the right of the main table. Live Mail, at least, brings the text and social links back into the area where they belong, but then plops the photo down on top of everything. This wouldn’t matter if Wired bothered to provide meaningful alt tags, but the alt tags read: “Image for story 1,” “Image for story 2,” etc. Not exactly helpful.

A close inspection of the source code reveals the problem. Whoever put this email together did go to the trouble of using tables, but then they inserted divs into the mix. The code is also littered with ids and class tags that have no corresponding style instructions. It’s worth noting that all of the other mailings from the magazine look fine, and the ones for subscription offers include highly descriptive alt tags.

Honestly Missing Logo

Missing logo

That “Honest Mail Email Marketing” logo, looks suspiciously like nothing at all. A quick check of the HTML code reveals the problem:

<img src="" alt="Honest Mail Email Marketing Logo" width="160" height="50" border="0" style="width:160px; height:50px;" />

They remembered to include the height, width, and border information. They even added alt text. There’s only one thing missing: the actual source location for the image. Honestly, one test preview would have revealed this problem. There’s no excuse for it.

Code Fails

Some problems are simply the result of bad HTML. Sometimes it’s an out-and-out typo, but sometimes the problem is something subtle like including the DOCTYPE and HTML tags when you paste the email into the ESP app. Test previews and test send should catch most of these problems.

It’s Important, Procrustes

Bad image sizing

This email from Keurig suffers from a few problems. The image of the people chatting over coffee and the “Shop Today” button are obviously stretched. The designer put the correct size information in the properties for each of these images, but they forgot to add !important, so the sizing information was overridden in favor of the master table, stretching the images to match the master table’s 100% width requirement.

Knowing When to Link

button design

Having linking buttons is always a good idea, but knowing where to put the link is important. In this example from Camper, only the words “Women,” “Men,” and “Kids” are links. Since this text is placed in its own table, and that table has a bordered cell, it would make more sense to add the link to either the table or the cell. As it stands now, clicking anywhere inside the black border does nothing unless you click directly on the words. It’s a minor thing, but one worth remembering. Judging from the number of div tags in this email, I suspect that the author of this email is new to the form.

Button, Button, Who’s Got the Button?

fake button

Providing buttons that link to web content is never a bad idea. What is a bad idea is providing a button that is not a button at all. This email from Template Monster makes that mistake. Clicking on “Learn Now” simply brings up the image. To make matters worse, they’ve given it a blue border, further enforcing the perception that this is a link and not just an image.

Oops, I Did It Again!

Not to rag on Template Monster, but they don’t seem to have anyone checking the email before they send it. Here is the top of one of their emails:

Missing code

And here is the code for the logo at the top:

<a href="#" style="border:none;" target="_blank"><img alt="TemplateMonster" border="0" height="40"…

Look at the href at the beginning of the line of code. This should link to their website, but it doesn’t. The pound sign (#) is a placeholder that indicates that although there is a link, it’s not going anywhere. Hover over it and it appears active, but clicking on it accomplishes nothing.

A little further down the page in the same email we get this:

Typo

The text in the orange button reads “Download You Gift.” I confess, I am always typing “you” instead of “your” so I can relate to this one, but a second pair of qualified eyes would have caught this immediately.

In the same email, every headline and image has a different link, even when they go to the same place. The headline about 20 free writing tools goes to the same page as the image next to it. I’m going to give them the benefit of the doubt on that one, and say that they did this to find out whether the images or the headlines are responsible for the most clickthroughs, but in the long run, isn’t that less important than the fact that they did click through?
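The markup defects described above (the empty src on the Honest Mail logo, the href="#" on the TemplateMonster logo, and the placeholder alt text in the Wired mailing) can all be caught mechanically before a send. The following pre-send check is an added example, not code from Goolara or any ESP; the rule names, the lint_email function, and the example.com URLs in the constructed sample are assumptions.

```python
"""Pre-send lint for HTML email: flags broken images and dead links."""
import re
from html.parser import HTMLParser

# href values that render as a link but go nowhere.
PLACEHOLDER_HREFS = {"", "#"}

# Alt text that names a slot instead of describing the picture,
# e.g. "Image for story 1".
GENERIC_ALT = re.compile(
    r"^(image|img|photo|picture)(\s+for\s+\w+)?(\s*\d+)?$", re.IGNORECASE
)


class EmailLint(HTMLParser):
    """Collects (line, rule, detail) findings while parsing the message body."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def _report(self, rule, detail):
        line, _col = self.getpos()  # position of the tag being handled
        self.findings.append((line, rule, detail))

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases names; an attribute without a value maps to None.
        attr = dict(attrs)
        if tag == "img":
            self._check_img(attr)
        elif tag == "a" and "href" in attr:
            href = (attr["href"] or "").strip()
            if href in PLACEHOLDER_HREFS:
                self._report("a-placeholder-href", f"href={href!r} goes nowhere")

    def _check_img(self, attr):
        src = (attr.get("src") or "").strip()
        if not src:
            self._report("img-empty-src", "img has no source location")
        alt = attr.get("alt")
        if alt is None:
            # alt="" is left alone: it is the usual marking for decorative images.
            self._report("img-missing-alt", f"no alt attribute on {src or 'image'}")
        elif GENERIC_ALT.match(alt.strip()):
            self._report("img-generic-alt", f"alt={alt!r} describes nothing")


def lint_email(html):
    """Return sorted (line, rule, detail) tuples for one HTML message body."""
    parser = EmailLint()
    parser.feed(html)
    parser.close()
    return sorted(parser.findings)


# Constructed sample. Line 2 is the Honest Mail tag quoted on the page;
# the other rows and every example.com URL are made up for illustration.
SAMPLE = """\
<table>
<tr><td><img src="" alt="Honest Mail Email Marketing Logo" width="160" height="50" border="0" style="width:160px; height:50px;" /></td></tr>
<tr><td><a href="#" target="_blank"><img src="https://example.com/logo.png" alt="Example Shop"></a></td></tr>
<tr><td><img src="https://example.com/story1.jpg" alt="Image for story 1"></td></tr>
<tr><td><img src="https://example.com/hero.jpg"></td></tr>
<tr><td><a href="https://example.com/sale"><img src="https://example.com/sale.jpg" alt="Winter sale: 20% off boots"></a></td></tr>
</table>
"""

if __name__ == "__main__":
    for line, rule, detail in lint_email(SAMPLE):
        print(f"line {line}: {rule}: {detail}")
```

Run it against the final rendered HTML of a mailing, after mail merge and dynamic content have been applied, so that empty merge fields in src or href attributes are caught as well.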

That’s Code for …Code!

badly coded spam

I love it when spammers screw up. This was already obviously a spam message without having to even open it, but upon opening you’re presented with the HTML code for the message. When putting together a mailing in your ESP’s visual editor, always make sure you are in the right tab (usually marked HTML) before pasting HTML code. Otherwise this might happen to you. Of course, any decent email marketer would have previewed the mailing, but these people tend to work fast. I’m surprised this doesn’t happen more often, actually.

Shopping Links

Sometimes there’s nothing wrong with an email, until you click on one of the links. Then you suddenly find yourself staring at a page that has nothing to do with anything. Retail stores appear to be the worst offenders, which is odd since so much of their business is contingent on people getting to the right page and ordering the product they want.

I Know It’s Here Somewhere

missing products

Fab has, in the past, shown products in their mailings that aren’t on the landing page. In most cases, the products shown are available, but buried on the second or third page of the sale listings. That’s fine. Lots of companies do this, so the public is used to it. But in the email shown above, the “Cosmo Complete Set” and Captain America print don’t even show up in any of the lists. Clicking on them takes you to a sale page, but neither product is on any of the sales pages. If you want to buy either of these items, you’ll need to enter them as search queries on the web site.

Now Go and Find Me

not on site

Normally, Bed, Bath & Beyond is one of the better companies when it comes to email marketing. They always provide meaningful alt tags, their design is easy to read on both a desktop computer and a mobile phone, and their links, in most cases, go directly to the products shown. Here is one of their rare missteps. Clicking on this product does not take you to the product, or even anywhere near the product. A clue lies in the button labeled “Find a Store”—only it’s not a button. Clicking anywhere in the image will take you to BB&B’s Find a Store page. I suppose they justify this by pointing out that the product isn’t available online, but that’s no reason that this couldn’t be included on a page with more information on the product.

Alt, Right?

I bring it up every year, but every year there are plenty of examples of companies forgetting to add alt information to the img tags. While it’s true that services such as Gmail and the iPhone display images as the default, some people still prefer to keep the images turned off. Alt tags not only impart information on what they are missing, they also can provide incentive to display images as well. Here’s an example from Warby Parker that demonstrates the worst case scenario:

no alt tags

Now here’s a company that knows how to do it right, Bed, Bath & Beyond:

Good alt tags

Quite a difference. Perhaps the guys at Warby Parker assume that people will always want to display their images, a questionable assumption.

Unsubscribe Catastrophes

Unsubscribing should never be a hassle. Nobody is happy when a recipient unsubscribes, but it’s better than having that person mark your mailings as spam because they can’t figure out how else to get you to stop sending them things. Some marketers go to extraordinary lengths to make unsubscribing difficult, treading very close to the legal requirements of CAN-SPAM. A few cross over to the dark side. Here are this year’s worst offenders.

Unsubscribe? fUGGedaboutit!

No unsub link

CAN-SPAM has a few hard and fast rules. One of them is that you have to have an unsubscribe link. You also have to have a physical address. This email has neither. The supposed unsubscribe link takes you to the home page for the company. Not surprisingly, this email is not from an official UGG site at all, but a spammer that is trying to make their site look as legitimate as possible.

Email Purgatory

Missing unsub link

Unlike the previous email, this one is from a legitimate company (T-Mobile). This part of the email—which is commented in the HTML as “legal footer”—contains the physical address, privacy policy information, links to their various plan options, and instructions for how to ensure that email from them does not wind up in the spam folder. What it doesn’t include, however, is an unsubscribe link—an unequivocal violation of CAN-SPAM.

Go Ahead and Try to Unsubscribe! I Dare You!

bad unsub link

When it comes to anti-spam laws, the USA is about the most lax, but they still require two things: A physical address and an unsubscribe link. So when I get an email like this, it makes my blood boil. Here’s what you get when you click the unsubscribe link:

unsub fail

As one might imagine, this one went straight to the spam folder.

Crouching Promo and Hidden Unsub

unsub in image off

A nearly as devious method of hiding the unsubscribe was used by Lids, a company that specializes in sports caps. Here’s the bottom of their email with the images turned off:

You can see there’s a physical address, but where’s the unsubscribe link? Now here’s the same section of the email with the images displayed:

unsub in image on

Ah, there it is! They’ve made unsubscribe part of an image. To make matters worse, they used an image map to separate the various categories shown. I’m not sure what the thinking was here. Attempts to reach them went unanswered. Just to add insult to injury, I never signed up for this email; it was someone entering the wrong address either accidentally or on purpose.

Sure, There’s an Unsub. It’s Just Not Yours.

Another highly questionable approach to handling unsubscribes came from, of all companies, Salesforce:

Salesforce CAN-SPAM violation

I’ve blurred the names to save some embarrassment, but I can verify that the author of this email comes from Salesforce, promoting a webinar Salesforce has co-sponsored. Yes, there’s an unsubscribe link, but only in the forwarded content. Presumably that will only work for the original recipient, not for the person to whom the email was forwarded. This means that Salesforce, the largest SaaS-based, customer relationship management (CRM) provider on the planet, a company with its own email marketing solution, just sent me a promotional email without an unsubscribe link. It is a tactic worthy of a Viagra spammer. It doesn’t help that there’s a typo in the very first sentence. I dearly hope the author of this email is new to Salesforce.

Subject Line Fun

The subject line is the most important part of your mailing. If a subject line doesn’t provoke the recipient to open the email, then all your hard work providing good content and responsive design is for naught. Here are a few subject lines that either failed miserably or worked brilliantly, or, in the case of the first example, simply overdid things.

Hello, It’s Me Again

Too many emails

Some email marketing experts are big fans of the practice of sending high quantities of email to your recipient list. It is a topic hotly discussed on email marketing forums, and each side can back up their position with plenty of facts and figures. But even the most ardent fan of high-volume sending would agree that Travelocity is pushing it here, sending an email every hour or so from two in the morning to five. It doesn’t help that all of these were sent at times when no others were sending out email, leading to all four messages being bunched together. Perhaps that was the idea, to create a sort of billboard for Travelocity residing in the inbox.

Did I mention…?

same email

It’s not unusual for companies to offer multiple newsletters. Nor is it unusual to send these newsletters out on the same day. What is unusual is the use of exactly the same subject line and content on both mailings, right down to the “You are subscribed to PCMag Tech Deals as…” at the bottom of each page. Given that a normal announcement from PCMag reads “You are subscribed to PCMag Announcements as…” and is usually some sort of deal on a PCMag subscription, I’d chalk this one up to either a mistake or laziness.

I’m Either a Realtor or a Marketer

email goof

Even we email marketers make boneheaded mistakes. To their credit, the folks at EEC caught this and quickly followed up with an apology.

A Special Odaer, Ordrre, Ordeorr…Oh Forget It!

typo in subject line

“Order” is a hard word to screw up, but whoever put this email together seems to have had a terrible time with it. They misspelled it in the subject line, and then again in the content.

Okay, I’m not REALLY Out of the Office

Out of Office trick subject line

I think I know what Sephora was trying to do here. This was an attempt to equate being out of the office with their summertime contest. Sending a fake out-of-office autoreply isn’t the worst misuse of a subject line, but it’s pretty sneaky and isn’t likely to endear you to anyone.

You know nothing, Jon Snow.

Game of Thrones subject line

As a fan of Game of Thrones, I enjoyed the use of GoT references in the subject line and “friendly” from, but I’m not sure that a company that specializes in predictive marketing is the right place for this approach. This link leads to a series of videos in which they try to show the marketing lessons available in the HBO series. That is more a testament to the ability of the human brain to find patterns where none exist than any marketing subplots lurking in George R.R. Martin’s on-going saga. This kind of subject is better served on a site such as ThinkGeek, which specializes in products attached to all aspects of geekdom, from TV shows to computer games. For them, even this is acceptable:

Konami Code subject line

This is a combination of keystrokes known as the Konami Code, a cheat that gives gamers additional powers while playing. If you’re in the real estate business, this probably isn’t a good subject line, but it works quite well for a company whose primary audience resembles the cast from The Big Bang Theory.

Location, Location, Location!

Deliverability fail

Sometimes, a subject line by itself isn’t anything special, but where you find it makes all the difference. I found this one in my spam folder. I could say “Physician heal thyself,” but this just demonstrates what a complicated subject deliverability is.

That’s it for this year! We can’t wait to see what 2017 will bring. We predict more email address providers will follow Gmail’s lead in allowing CSS in email. On one hand, this means we can get more creative in our email designs, but on the other hand, it means more places for things to go wrong. If there is a moral to this blog post, it should be obvious by now: test, test, test. For more on the subject of how to deal with email mistakes, check out our white paper on the subject: Oops! – Handling and resolving email marketing mistakes.



1. If you’re not using dynamic content, you’re missing a real opportunity to improve your email engagement results. Jordie van Rijn explains how and why in his article, Making the most out of Dynamic Email Marketing. For more on Goolara Symphonie’s powerful dynamic content, visit our dynamic content page.

CAPTCHA and Release

captchas drive me crazy
[Note: This is the second in a two-part series on subscription bombing and how to defuse it. Last time, we looked at the techniques used to create recent attacks. This time we look at the technique Spamhaus recommends as the best way to avoid ending up the victim of a subscription bombing: the CAPTCHA.]

As we discussed in our last blog article, the best way to prevent subscription attacks, according to spam listing companies such as Spamhaus, is to use a verification test in your email signup form. The best known of these, and the one that Spamhaus recommends by name, is the CAPTCHA. CAPTCHAs can be a pain in the neck sometimes, and when they are not easy to solve they can cause people to just give up trying and leave your site. But newsletter signups that don’t require CAPTCHAs are just what subscription bombers look for. If you find yourself on the receiving end of one of these attacks, you’ll have a lot more work to do to recover your reputation score, and will, after that, have to use a CAPTCHA anyway. Having accepted, however unhappily, that CAPTCHAs are a necessity, we’ll look at different CAPTCHA technologies that are available today.

The best known form of CAPTCHA is the reCAPTCHA, version 1, which consists of a small box displaying two distorted words (usually consisting of one real word and one that is gibberish). You are asked to enter the words you see, and if your answers are incorrect, you are presented with two new words and asked to try again.

sample captcha

ReCAPTCHA was developed by a group of computer scientists at Carnegie Mellon University who recognized that CAPTCHA technology offered a great crowd-sourced way to achieve better OCR. If the OCR software couldn’t identify a word, sometimes humans could, which meant you could feed words to people that computers couldn’t recognize. That’s why in 2009, the ReCAPTCHA technology was acquired by Google for their Books project, and was used by the New York Times to digitize their archives. This seemed like a good way to block fake signups, but they didn’t factor in either advances in OCR software, or the low costs of doing business in third world countries.

Capturing CAPTCHAs

Almost as soon as they appeared, people started working on ways to crack the CAPTCHA codes. One company we found in India offers workers around 90¢ an hour to solve as many CAPTCHA codes as humanly possible. Those who can’t do it quickly or who make too many mistakes are kicked off the service. This is a time-consuming way to crack CAPTCHA codes, but by offering wages far below anything most people could live on, the authors presumably make it worth the effort. Just to pour salt in the wound, anyone interested in doing this thankless work is expected to pay a fee to join.

Meanwhile, OCR software kept getting better, so it wasn’t long before someone had the bright idea of creating a bot that used OCR to identify the words in a CAPTCHA. It doesn’t always get it right. In fact, it often gets it wrong, but it doesn’t matter. Unlike a human, who is going to give up in frustration after a few tries, a bot can keep trying and trying until it gets it right. Since their advent, bots have become a major problem for word identification types of verification. To counter this, word-based CAPTCHAs became more distorted and harder to decipher for humans and bots alike. We’ve all seen the results of this battle over decipherability. We’ve all encountered CAPTCHAs so hard to identify that it takes us a few tries to get them right, and we all have better things to do with our time than enter meaningless words in an attempt to receive more email.

captcha collection

An assortment of actual CAPTCHAs collected from various sites.

To solve this problem, a new kind of ReCAPTCHA was created that relies on the natural differences between software and the human brain. This made it easier for humans to recognize the words, while keeping it hard for the bots to do the same. In recent variations, a reCAPTCHA might ask users to identify images instead of scrambled type, relying on human intuition to solve. Take this example:

image captcha

At the top of the CAPTCHA we are presented with an image (in this case, a cat) and asked to find all the images with matching content. This is a mixed bag. It will certainly block bots from finding a solution, but it also presents us with instructions that those of us who skew towards the Asperger’s end of the spectrum and tend to take things too literally might also find perplexing. The picture at the top is an adult gray tabby, but the pictures below are all of kittens and only two are gray tabbies. We realize most people won’t get this granular with the data, and that’s what Google is counting on. The top picture is a cat, so humans will click on all the pictures of the same animal, even when every other aspect of the picture is different.

I’m Not a Robot

No Captcha

Two years ago, Google introduced a version of the ReCAPTCHA they call a “No CAPTCHA reCAPTCHA.” With this type of CAPTCHA, there’s no need to try and decipher heavily distorted words, or squint to make out blurry photographs of street numbers, or identify various animals. You check the box labeled “I’m not a robot” and you’re done. The No CAPTCHA reCAPTCHA uses Google’s JavaScript API and a form, and appears, for now at least, to be an excellent choice for verification. Spamhaus likes it, and it produces the least amount of hassle in the signup process.
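The checkbox only protects a signup form if the server checks the token the widget adds to the POST. Below is an added example (not from the original article or Goolara's code) of that server-side check against Google's siteverify endpoint; the hostname `news.example.com`, the function names and the offline stand-in `fake_siteverify` are assumptions made for illustration.

```python
import json
import urllib.parse
import urllib.request

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"


def _post_form(url, fields, timeout=5):
    """POST form fields and return the decoded JSON reply."""
    data = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(url, data=data, timeout=timeout) as resp:
        return json.loads(resp.read().decode())


def verify_signup_token(form, secret, expected_hostname, post=_post_form):
    """Return (ok, reason) for a signup POST carrying a reCAPTCHA token.

    `form` is the parsed form body; the widget adds the
    `g-recaptcha-response` field once the visitor passes the check.
    """
    token = (form.get("g-recaptcha-response") or "").strip()
    if not token:
        # A POST sent straight to the form handler never ran the widget.
        return False, "missing-token"
    try:
        reply = post(SITEVERIFY_URL, {"secret": secret, "response": token})
    except (OSError, ValueError):
        # Fail closed: an unverifiable signup is not added to the list.
        return False, "verification-unavailable"
    if not reply.get("success"):
        codes = reply.get("error-codes") or ["rejected"]
        return False, ",".join(codes)
    if reply.get("hostname") != expected_hostname:
        # The token was issued for a different site than this form.
        return False, "hostname-mismatch"
    return True, "ok"


# Constructed stand-in for Google's endpoint so the example runs offline.
def fake_siteverify(url, fields):
    if fields["response"] == "constructed-good-token":
        return {"success": True, "hostname": "news.example.com"}
    return {"success": False, "error-codes": ["invalid-input-response"]}
```

In production, leave `post` at its default and pass the secret key issued for your site; only add the address to the list when the first element of the result is `True`.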

Gamifying the Process

A variation on the CAPTCHA that is designed to alleviate the annoyance of typing in meaningless words is the addition of gaming elements to the verification process. With this technique, you are asked to complete some simple task to verify that you are a human being. The task is always simple and resembles a children’s game in its approach. You might, for example, be asked to “put the carrots in the shopping cart.” The picture will show an image of an empty shopping cart with images of various groceries floating next to it. By clicking and dragging the image of the carrots to the image of the shopping cart, you verify that you are a human.

gamify

gamify2

These gamified verification techniques are effective approaches to the problem, although we haven’t seen that many instances of their use. They appear to be acceptable to Spamhaus as well. According to them, “…any mechanism that successfully keeps bots from abusing signup forms is good and absolutely necessary nowadays. Captcha is currently the best mechanism, and whatever the captcha test does (task, game, whatever) is also fine as long as bots can not easily defeat it.”

Alternatives to CAPTCHA

CAPTCHA is, by no means, the only way to verify a signup. Programmers continue to invent new ways to foil the bad guys. A couple alternatives are the Honeypot and the Social signup. Before choosing either of these, you should note that Spamhaus prefers a CAPTCHA verification that requires the user to perform a task. That’s not to say these are not effective in blocking bots, only that implementing them might not help you get off the SBL. As of right now, a CAPTCHA-type mechanism is the safest way to go.

Honeypot Verification

One of the earliest attempts to simplify the process of signing up and restrict it to real people is the use of a honeypot. The idea is simple: A form is hidden in the HTML for a page, but it isn’t visible on the page, so no human visitor to the site should ever know about it. Since bots don’t visit pages this way, but, instead, look at each page’s code for forms, they will see the form and attempt to fill it out, thus identifying them as bots and not humans. It is a wickedly clever technique for fooling the bots, although, as we’ve already discussed, bots have gotten much more sophisticated over the years and are seldom fooled by this technique anymore. It can also cause problems with browsers that have CSS turned off, and with ones such as Safari that autofill forms. It is still in use, but is often combined with a more interactive signup.
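An added example (not code from the original article) of the server side of a honeypot, written so that a tripped decoy sends the signup to a CAPTCHA instead of dropping it, since autofill and CSS-off browsers can fill the hidden field as noted above. The field name `company_url`, the markup and the sample request bodies are constructed for illustration.

```python
from urllib.parse import parse_qs

DECOY = "company_url"  # hypothetical decoy field name

# Constructed signup form: the decoy is moved off-screen, skipped by the
# tab order and marked autocomplete="off" to reduce autofill hits.
FORM_HTML = """
<form method="post" action="/subscribe">
  <input type="email" name="email" required>
  <div style="position:absolute; left:-9999px" aria-hidden="true">
    <input type="text" name="company_url" tabindex="-1" autocomplete="off">
  </div>
  <button type="submit">Subscribe</button>
</form>
"""


def triage_signup(raw_body):
    """Classify a urlencoded signup POST as reject, challenge or continue."""
    # keep_blank_values=True matters: without it an empty decoy vanishes
    # from the result and looks the same as a decoy that was never sent.
    fields = parse_qs(raw_body, keep_blank_values=True)
    email = fields.get("email", [""])[0].strip()
    if not email:
        return "reject"
    if DECOY not in fields:
        # Browsers submit empty text inputs, so a body without the decoy
        # was not produced by submitting the rendered form.
        return "challenge"
    if fields[DECOY][0].strip():
        # Filled decoy: a bot, or a human whose browser autofilled it.
        return "challenge"
    # Empty decoy is only the absence of a signal, not proof of a human.
    return "continue"


# Constructed request bodies.
SAMPLES = [
    "email=reader%40example.com&company_url=",
    "email=bot%40example.com&company_url=http%3A%2F%2Fspam.example",
    "email=script%40example.com",
    "company_url=",
]


def triage_all(bodies=SAMPLES):
    return [triage_signup(b) for b in bodies]
```

A `challenge` verdict is where the interactive step goes, which matches the combined approach described above.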

The Social Approach

facebook signup

As social sites become more and more important to people’s daily lives, we’ve seen a corresponding growth in sites that require social signups. Instead of entering words or playing games, you are offered a button that says “Sign Up With Facebook.” This approach lays everything on the line, but it also stands a significantly higher chance of losing the audience. Several studies have shown that people just don’t like using their Facebook accounts for promotional purposes, still preferring email as the main source for sales announcements. We don’t recommend using this approach except for those rare cases where your Facebook profile is your main sales mechanism.

At this time, we recommend the “No CAPTCHA reCAPTCHA” for your verification purposes. It satisfies Spamhaus’s requirements, and it makes the signup process as easy as possible for your subscribers. Of course, if history is any indication (and it usually is), it’s just a matter of time before this approach is compromised, and we’ll have to find a new way to verify newsletter signups. It is important to remember that nothing in the field of email marketing remains static. There’s no set-it-and-forget-it solution. You’ll still want to keep track of your email data to see if there are any anomalies occurring.
