Confirmed Opt-In Protects Against Spamza and Other Malicious Sites

For many people, the idea that someone would use their signup form to sign up someone else’s email address just makes no sense. Well, you’re right – it doesn’t make sense. But it happens, sometimes on a grand scale

In the many discussions I’ve had about Confirmed Opt-In, and why it’s key for anyone following best email marketing practices, there’s one point I’ve found many people just don’t believe:

When you run your campaigns as single opt-in, you run the risk of people or scripts maliciously signing up other people’s email addresses to your list – meaning you’re spamming them.

Unintentionally, yes, but it’s still spamming, because that person who you’re now emailing never signed himself/herself up to your list.

For many people, the idea that someone would use their signup form to sign up someone else’s email address just makes no sense.

Well, you’re right – it doesn’t make sense.

But it happens, sometimes on a grand scale.

Spamza: How One Site Created A Lot of Spam Problems for Single Opt-In Email Campaigns

Recently, email marketers had a scare thrown into them by the website

Spamza promoted itself as a site that allowed people to “spam their enemies” by entering an email address into a web form.

Spamza then took the email addresses entered and subscribed them to hundreds of email newsletters.


Spamza is no longer online, but you can see a screenshot of their homepage below (click for full-size version).

Spamza Homepage - Click for Full Size

Scary Stuff – If You Run a Single Opt-In List

What if your email newsletter were one of the ones Spamza signed addresses up to?

Well, if you were running your campaign using Confirmed Opt-In, anyone added to the Spamza form would get your confirm email. The owners of those addresses would either delete that individual message or mark it as spam. And that would be the end of it.

If, on the other hand, you were using single opt-in, you’d have quite a problem on your hands.

  • Your list size would be artificially inflated with uninterested subscribers – lowering your click and open rates
  • Your subsequent email newsletters would get more complaints as the owners of the addresses added to your list started marking your messages as spam.
  • You could show up on URL blocklists (based on links that appear in your messages) – meaning future emails with your website in them could be blocked, even if they were sent by other people (like your affiliates) or if they were transactional messages (like payment notifications or responses to customer support tickets).
  • Perhaps worst of all, your target audience could label you as a spammer (which could lead them to persuade others not to do business with you, online or offline).

“Sure – But I Use Single Opt-In, And I Wasn’t Affected. That Stuff Just Won’t Happen To Me.”

I hope not – and I mean that sincerely. I don’t want to see any of that stuff listed above happen to you.

But is hoping that it won’t happen to you really a prudent way to run your business?

Anne Mitchell, founder of email accreditation firm ISIPP, had this to say:

[E]ven if it isn’t Spamza – in fact, even if it isn’t a targeted effort – people enter the wrong email addresses in web sign-up forms all the time. Sometimes it’s by accident (they typo their own email address and the result is someone else’s email address), but often it’s on purpose.

The fact is, malicious subscriptions are quite real, and if you’re not confirming subscribers, your email deliverability could be threatened by a script like Spamza’s.

More Coverage Of Spamza

  1. ZDNet
  2. Word To The Wise

It’s a weird, wild Internet we do business on. Better to protect yourself than to run the risk of some knucklehead taking advantage of your single opt-in signup process.

(If you’re still on the fence about confirming your subscribers, check out these common Confirmed Opt-In Myths.)


  1. Codrut Turcanu

    9/2/2008 4:31 pm

    There’s no doubt about it – double opt-in is not an option.

    I recommend double opt-in with AWEBER to all my clients. Bloggers, marketers and wannabe "work from home for free" opportunity seekers 🙂

  2. Peter Koning

    9/3/2008 12:06 am

    I can’t fathom how any serious business can expect a single optin based email marketing revenue model to survive. I’d like Aweber to create a "badge" (like HackerSafe) that we can put on our optin forms. Some sort of "certified double optin by Aweber" badge.

  3. Jonathan Bloom

    9/3/2008 8:15 am

    Peter, that’s an awesome idea! AWeber, can you put this idea into action?

  4. Chris

    9/3/2008 4:05 pm

    After reading this blog entry, one thought comes to mind… why in the world would AWeber allow *ANY* of their customers to operate a non-COI mailing list? I’m asking an honest question. Doesn’t AWeber bare some degree of responsibility (and liability) for offering a non-COI mailing list option? Please list the "benefits" that an AWeber customer gets by choosing to configure a mailing list that doesn’t have confirmation turned on for web forms. Can you list ANY benefit at all that outweighs the risks that have been outlined in numerous blog posts? Didn’t think so. The fact that AWeber even allows their customers to bypass COI with web based forms is a joke, and I think you guys know it too. So can you please stop preaching about the benefits of COI, and flip the switch once and for all that makes AWeber a 100% COI e-mail service provider?

  5. Carol Bentley

    9/3/2008 4:55 pm

    Yep! Count me in favour of that ‘badge idea’. Aweber has such a good reputation it would be good to demonstrate the ethics we follow by using your services.

  6. Gobala Krishnan

    9/5/2008 1:22 am

    I used to do single optin – more subscribers, better for the ego 🙂

    No anymore though.

  7. Justin Premick

    9/5/2008 9:07 am

    Peter, Jonathan, Carol,

    I agree – that’s a cool idea. Looking into it 🙂

  8. Chris Brisson

    9/5/2008 1:31 pm

    By having this post is actually a bad thing. Now that all aweber users have now heard about it, many will USE it.

    I would recommend taking this post down. It just brings more attention to something that none of us need more of.

    This post may do more wrong than good and in the end what is the main purpose of this post?

    Just my opinion.

  9. Gobala Krishnan

    9/6/2008 10:42 pm

    To Chris – I think having a single-optin helps in some cases and Aweber should allow it.

    I used it mainly to register customers after purchase, and remove them from the non-customer list (automation). The non-customers / subscribers have already double-optin so when they buy I just get a single optin.

    I need to remove as many customers as possible from the non-customer list to ensure I don’t send a promotion / offer to someone who just bought a product a few minutes ago.

    I think Aweber should maintain the single optin feature. Besides if im not mistake the moment an email bounces a few times or is flagged by the user as SPAM, it’s automatically removed from my list.

  10. Derrick

    9/10/2008 1:49 pm

    I agree with Gobala. If you are in direct marketing, you want a completely different followup series going out to customers and you want to remove them from your prospect list.

    In addition, you can’t force your customers to confirm by withholding their product like you can with a freebie.

    You could offer an unadvertised bonus. But there will still be a number of customers who won’t take that extra step.

    I would like to see some kind of API that you could use remotely to MOVE a prospect to a customer list automatically after a sale.

    If they’ve already given you permission to send them email, moving them to a different list would not violate their rights. It would only serve to stop additional email offers for the same product.

  11. Peter Koning

    9/10/2008 3:03 pm

    Re the single optin that’s hanging around, and moving subs from one list to another, I like the API idea. What I suggest is that the option to send an email to be used for this API.

    The my-cust-list would be single optin and ONLY allowed for moving already subscribed COI subs from one list to another.

    I also suggest that single optin ONLY be allowed for this purpose – i.e. to process subscribers who are already COI.

    So single optin forms for new subs could be phased out and aweber would only be allowing COI for ALL lists and all customers. That should improve deliverability for all of us while solving the need for an API – we could simply have an email sent by our order handling scripts to my-cust-list@aweber.

    Maybe some parsing would be needed to pick out the person’s email address, but you have parsers for that.

  12. What to Do About Low Email Delivery Rates

    6/13/2011 9:08 am

    […] Protect Against Malicious Sign Ups […]

  13. Do This! (Not That) For Better Email Delivery

    6/17/2011 8:49 am

    […] the subscriber. But if you don’t have confirmed opt in on, you run the risk of again getting bad email addresses on your list. You’ll also open yourself up to more spam complaints, and subscribers who […]

  14. Jody Heath

    4/23/2013 2:42 am

    Everyone should read Gobala’s post above. I have been wandering how to take my prospects off my presale list (once they join my team) and put them on a more of a maintenance list without requiring another double opt-in. He he explains it. Great post Gobala.

    I wish we could have access to the confirmation links, so when our op-tins can’t find the confirmation email, we could just send them the link. Or better yet, I wish we could be able to manually confirm a subscriber on case by case bases when they authorized us to.