I can no longer recommend MailChimp

Newsletter firm goes bananas.


Do you have a problem with spam?

I do, but perhaps not the one that you imagine.

You see, the anti-spam system I have in place does do a pretty good job of siphoning away offers to purchase fake doctorates, malware posing as attached invoices, and emails in Cantonese or Russian that are trying to sell me... well, I don't know what they're trying to sell me, as I don't speak those languages.

But what's more difficult to filter out are the legitimate newsletters that bombard my inbox.

Newsletters that I never signed up for.

When you've been doing what I do as long as I have there are inevitably some folks who end up not liking you. Some of them might be online criminals, others may be folks who are upset about something I said on Twitter.

And a small number of these people might think it's worth their effort to sign up my publicly-available email addresses to hundreds, no... thousands of legitimate newsletters and mailing lists that I have no interest in.

I'm not the only one who has suffered from these kinds of "email bomb" attacks - which are the equivalent of a denial-of-service attack on your inbox.

The only saving grace is that the better-managed newsletters ask you to confirm that you really really want to receive emails from them. They do this by sending a single email - normally with a clickable confirmation link - to the email address entered on their subscription form.

If you don't respond to the confirmation email, you don't get any follow-up emails. That's how things are supposed to work. And it's called double opt-in.
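How double opt-in keeps an unconfirmed address off a list, as an added example that is not part of this post: a small Python model in which a sign-up only sends one HMAC-signed, expiring confirmation link, repeat sign-ups of the same address send nothing further, and the address joins the list only when a valid link is used. The key, timestamps and addresses are constructed for the demo.

```python
import hashlib
import hmac

# Constructed demo key; a real deployment loads it from secret storage.
SECRET_KEY = b"demo-secret-key-not-for-production"
TOKEN_TTL = 48 * 3600  # confirmation links stop working after 48 hours


def make_token(address: str, issued_at: int) -> str:
    """HMAC over address and issue time: a link cannot be forged or reused for another address."""
    msg = f"{address.lower()}|{issued_at}".encode()
    mac = hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()
    return f"{issued_at}.{mac}"


def verify_token(address: str, token: str, now: int) -> bool:
    """Accept only an unexpired token whose MAC matches this address (constant-time compare)."""
    try:
        issued_at = int(token.split(".", 1)[0])
    except ValueError:
        return False
    if issued_at > now or now - issued_at > TOKEN_TTL:
        return False
    return hmac.compare_digest(make_token(address, issued_at), token)


class MailingList:
    def __init__(self):
        self.subscribers = set()  # confirmed addresses: the only ones campaigns go to
        self.pending = {}         # address -> issue time of the outstanding confirmation
        self.outbox = []          # (address, token) confirmation emails the system would send

    def signup(self, address: str, now: int) -> None:
        """Step 1: send a single confirmation email; never add the address to the list here."""
        key = address.lower()
        if key in self.subscribers:
            return  # already confirmed; nothing to do
        issued = self.pending.get(key)
        if issued is not None and now - issued <= TOKEN_TTL:
            return  # an unexpired confirmation is already out, so repeat sign-ups send nothing
        self.pending[key] = now
        self.outbox.append((key, make_token(key, now)))

    def confirm(self, address: str, token: str, now: int) -> bool:
        """Step 2: the recipient used the link; subscribe only if the token checks out."""
        key = address.lower()
        if not verify_token(key, token, now):
            return False
        self.pending.pop(key, None)
        self.subscribers.add(key)
        return True
```

Submitting someone else's address hundreds of times therefore produces one confirmation email and zero subscriptions, which is exactly the property single opt-in gives up.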

But when it comes to the benefits of double opt-in, don't just take my word for it.

Here's what MailChimp, a service that I and millions of others around the world use to send out email newsletters, was saying until quite recently:

Double opt in benefits

Double opt-in adds a layer of confirmation to your signup process before adding new subscribed contacts to your list, and it has three main benefits compared to single opt-in.

  • Protection against spambots, email scams, and fake subscribers, which could increase your monthly benefit rates.
  • Assurance of valid email addresses, confirmation that your subscribed contacts want to hear from you, and an archived record of the subscriber's consent.
  • Higher campaign open rates, and lower bounce and unsubscribe rates.

All very sensible. And a good example of why, in the past, I have recommended MailChimp to organisations and individuals wishing to send out legitimate email newsletters.

Only problem is... after years of protecting internet users from unwanted newsletter subscriptions, MailChimp has had a change of heart.

Last week it quietly (I only found out by logging into my account, I never - ironically - received an email advisory from them) revealed that it would be switching its customers' mailing lists to "single opt-in" rather than "double opt-in".


What does that mean? It means that subscribers won't have to confirm that they really really want to receive a newsletter. Which means that any toerag can enter your email address for a newsletter run on MailChimp's systems that you don't want and the onus will be on you to unsubscribe.

And MailChimp has, of course, removed the wording on its website about why double opt-in is a good thing that reduces unwanted emails and means that MailChimp users benefit from lower billing rates.

And how come MailChimp decided to change customers' settings and gave them only until October 31st to choose to stay with double opt-in going forward? Seven days' notice is a ridiculously short amount of time, for a number of reasons - including that many of us already have processes in place that tell subscribers to await a confirmation email, and explain that we require confirmed opt-in to avoid spam sign-ups.

You won't be surprised to hear that many folks were less than impressed with MailChimp's decision.

All of this adds up to one conclusion: MailChimp has gone bananas.

Evidence that MailChimp has simply not thought through this switch to the ghastly single opt-in model becomes ever more clear when you consider that double opt-in is necessary in the European Union as a proof of consent under GDPR and expressly required in Germany.

As MailChimp acknowledges in its latest pronouncement on the issue, it was completely clueless about the implications of what it was doing.

Well, they don't quite say that. But it does appear that they've realised that what they tried to do might have ummm.. some legal implications:

"We made this decision after receiving a lot of feedback from EU customers who told us that single opt-in does not align with their business needs in light of the upcoming GDPR and other local requirements. We heard you, and we’re sorry that we caused confusion. Customers located in the EU will receive an email from us today to let them know how we’ve changed the plan."

"Please know we are committed to helping our customers get ready for the GDPR. Double opt-in provides additional proof of consent, and we suggest you continue using double opt-in if your business will be subject to the GDPR."

(By the way MailChimp, I still haven't received the first email - let alone the one you promise here)

So, MailChimp is turning around for lists run by European firms at least - we'll stay as double opt-in by default.

Not that this necessarily avoids the GDPR issue however. As Marcus Bointon explained on Twitter:

That means that American businesses using MailChimp, for instance, need double opt-in if they wish to send newsletters to European citizens. Back to the drawing board MailChimp!

And you know what? MailChimp hasn't resolved my problem just by not switching my mailing list to single opt-in. Most MailChimp mailing lists are being switched to single opt-in, which means they will be used for email bombs, and their owners will end up paying MailChimp more money each month for all of those extra unapproved subscribers.

I complained publicly and privately, and was disappointed with MailChimp's response.

As someone who has used and recommended MailChimp for *years* I feel massively let down by them.

Changing the settings for my own mailing list (which of course, I did) isn't actually a solution. Sure, it stops toerags using my newsletter as an email bomb but it doesn't stop many more MailChimp-run mailing lists switching to a system that will increase the amount of unwanted emails flying around the internet.

I can no longer recommend MailChimp. And with no other options available to me, and a company that seems unprepared to listen to its aggrieved users, the only thing I can do is switch mailing list provider and close my account.

They've got a few weeks to see the light and then I'll be off.

To hear more about the MailChimp debacle, be sure to check out this edition of the "Smashing Security" podcast:


22 Responses

  1. Chiny

    October 31, 2017 at 7:45 pm #

    Ah, that explains why I have started getting extra spam. I've looked at the headers and can see
    several MailChimp X-headers. Tricky to filter on those headers, if real mailing lists still use MailChimp.

    I did try:
    X-Report-Abuse: Please report abuse for this campaign here: http://www.mailchimp.com/abuse/abuse.phtml?u=etcetc
    but that URL was useless; surprise, surprise.

  2. Andy

    October 31, 2017 at 8:40 pm #

    They also have a pretty bad security problem at the moment with accounts getting hacked and used to send phishing emails. They're refusing to acknowledge or address the issue.

  3. Marcus

    October 31, 2017 at 10:56 pm #

    The way to solve this is to set up a filter that bounces all that junk from Mailchimp right onto their CEO's inbox. I guarantee all mailing lists will default back to double opt-in within a day or two.

  4. Dave Lane (@lightweight)

    November 1, 2017 at 1:15 am #

    We've moved to Mautic. It's open source, so you can either use a commercially hosted version at mautic.net, or if you prefer (we do) host your own. Here's how we do it: oer.nz/mautichowto

  5. SG

    November 1, 2017 at 2:17 am #

    Thanks for this interesting post.
    I moved away from MailChimp a while ago when they discontinued their transactional email service (Mandrill) and added it as a MailChimp add-on.
    I didn't like it so I looked around and have been using Sendy since then. It's a self-hosted newsletter app based on Amazon SES; it's been great so far.
    Maybe it'll suit you

  6. David L

    November 1, 2017 at 9:56 am #

    How to reach financial ruin in one easy step...
    Cause harm to your user base! It's a sinking ship; their desperate move cries "Money Troubles" and most people will flee the "Sinking Ship".

    Many of these tech start-ups try to grow way too fast, lack the proper management skills, and experience, hence, failure after the investment capital is gone.

    • eric in reply to David L.

      November 1, 2017 at 6:29 pm #

      Puzzling thing here is that prior to this Mailchimp were the poster-children for sensible growth.

  7. Mailchimp CS/L

    November 1, 2017 at 9:58 am #

    Actually, GDPR applies to any company that handles data regarding persons who are in the European Union, regardless of citizenship, regardless of where the company is incorporated, etc.

    Please don't spread fake news.

    See article 3 below:

    Article 3

    Territorial scope

    1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
    2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
    (a)
    the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
    (b)
    the monitoring of their behaviour as far as their behaviour takes place within the Union.
    3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

    • eric in reply to Mailchimp CS/L.

      November 1, 2017 at 6:32 pm #

      Bointon's tweet says this: " #GDPR applies to subscriber location, not account owners"

      Which appears to be consistent with what you're saying.

  8. Stuart Rock

    November 1, 2017 at 9:59 am #

    Very interesting article, Graham. Thank you.

    Of course it begs the simple question: which mailing list provider will you be moving to?

    • Graham Cluley in reply to Stuart Rock.

      November 2, 2017 at 12:28 pm #

      Well, if you sign-up for my newsletter you'll find out soon enough. ;)

      But bear in mind that my requirements may be quite different from those of a business regularly using email to keep in touch with its customers. It's not going to be a "one size fits all" solution would be my guess.

  9. KL

    November 1, 2017 at 2:41 pm #

    Let's sign up mailchimp for some newsletters!

  10. Jason

    November 1, 2017 at 3:15 pm #

    I switched over to AWeber a few months ago from MC and seeing this just solidifies why I won't go back. Plus I like the one-on-one attention I get from AWeber's support reps.

    Drew on the AWeber team is super helpful. If anyone else is looking to switch I would definitely recommend working with him!
    https://www.aweber.com/drew.htm?id=475441

  11. The Shark

    November 2, 2017 at 2:28 am #

    Mail Chimp bros are the most self righteous dudes in Atlanta.

  12. Andy

    November 2, 2017 at 10:54 am #

    Hi Graham,

    Mail Chimp sent our company a notification of the change and then they back-pedalled a couple of days later with this…
    ————

    Last week, we sent you an email announcing that MailChimp is adding single opt-in as an option and making it the default setting in new and existing lists.

    However, because your primary contact address is in the EU, your existing forms will remain double opt-in. You can change your lists to single opt-in on the Signup Preferences page at any time. After November 3, you'll also be able to make that change in each list's settings.

    We made this decision after receiving a lot of feedback from EU customers who told us that single opt-in does not align with their business needs in light of the upcoming GDPR and other local requirements. We heard you, and we’re sorry that we caused confusion.

    Please know that we’re committed to helping our customers get ready for the GDPR. Double opt-in provides additional proof of consent, and we suggest you continue using double opt-in if your business will be subject to the GDPR.

    For more information on why MailChimp is making changes to our opt-in choices, read our blog post.

    Please reply to this email if you have any questions.

    • Graham Cluley in reply to Andy.

      November 2, 2017 at 12:26 pm #

      That is, sadly, evidence of another fail by MailChimp.

      GDPR cares little about where your company is based in the world, but rather where your users/customers are located

      In this case, the relevant information will be where email subscribers are located – not where companies creating MailChimp accounts are located.

      This is likely to bite both MailChimp and MailChimp customers in the bottom (as well as us poor email users, of course)

      • James Manfield in reply to Graham Cluley.

        November 4, 2017 at 2:55 pm #

        But how enforceable is GDPR, really, against companies with no nexus in the EU other than having customers there?

  13. Antoine

    November 2, 2017 at 12:28 pm #

    That's a great article, and a shame for MailChimp. I'm in Canada, so I use Cyberimpact, which is built to follow the C-28 law (Anti-Spam Legislation). I don't know if it follows the GDPR exactly, but it probably does a good part of that.

  14. Tony Sagar

    November 6, 2017 at 3:30 am #

    Don’t be fooled this is a rant masquerading as a legitimate article.

    I have no problem with MailChimp's new policy. As long as every single email has an opt-out for the end user, it takes no more than a few seconds.

    Let me give you a perfect example, and this has nothing to do with MailChimp. Many times I've made purchases from many websites but have not signed up for their newsletter or flyers. Just by the simple fact of making a purchase, I get these promotional flyers. I have the option to opt out at any time. I'm not offended… since I already showed interest in that particular company or product, it's legitimate that I might be interested in additional offers or information despite the fact I did not opt in.

    What really offends me is any spam email where I do not have this opt out feature.

    • Graham Cluley in reply to Tony Sagar.

      November 6, 2017 at 3:19 pm #

      You've clearly never been mail-bombed.

      What you describe doesn't scale to the scenario I describe: when you've suddenly been added to 10,000+ mailing lists which only had single opt-in.

    • Matt King in reply to Tony Sagar.

      November 7, 2017 at 9:12 am #

      The problem with this is that a lot of spam emails use the unsubscribe option to confirm that your email is in fact legit and active. Your email is now more valuable and added to even more lists.

  15. Beth

    November 9, 2017 at 1:24 pm #

    Double opt-in isn't a requirement but automatically updating everyone's preferences to single opt-in doesn't seem fair. We've informed all our current and new clients of the double opt-in options and give them the choice of what they want to do – though we do highly recommend it as best practice at mmunic mail. An extra level of consent is recorded and it ensures the data going into the lists is good quality. I wonder if they'll release further reasoning for this decision?
