If you’re reading this blog, then you’re probably aware that last week 6.5 million Linkedin passwords were compromised. On Friday the Cloudmark Research team saw a huge increase in user spam reports relating to resetting Linkedin passwords. These were not because spammers were trying to take advantage of the publicity around the Linkedin fail; those emails are stopped by our regular filters and never make it to the users. No, this was a real email from Linkedin telling people whose password had been compromised how to protect their account. Over four percent of the people receiving this email thought it was spam and sent it straight to the bit bucket. If Linkedin sends out 6.5 million emails, then a quarter of a million people are congratulating themselves on avoiding spam, and still have a compromised Linkedin password.
The Linkedin email did all the right things to be regarded as genuine. It was DKIM signed, it addressed the recipient by name, and it did not contain any links, just a request to type a Linkedin URL at the command line. Even so, it was taken for spam. Part of the problem is that people are used to getting email that they don’t want from Linkedin and, rather than unsubscribe, some of them just mark it as spam and hope that it will go away.
We are only taking data from DKIM signed messages here, so this chart does not contain spoofed phishing emails. As you can see, the compromised account email did particularly badly, but Linkedin in general does worse than other social networks. What are they doing wrong?
When you sign up for a Linkedin account, you are not asked what your email notification preferences are. You are just given these defaults without being told:
If you want to turn these off, it isn’t exactly obvious where to go. No, it’s not under Profile or Contacts or In Box or More or even Upgrade Your Account – you have to click on the little arrow next to your name at the top right of the page and go to Settings on the drop-down menu. Good luck finding that before your first cup of coffee.
When you do get an email from Linkedin, it may contain an Unsubscribe link (good) in tiny print at the bottom of the message (bad), it may contain an Adjust your message settings link (OK) in tiny print at the bottom of the message (blah), or it may not contain any opt out link at all (c’mon Linkedin, that’s not good enough). Best practice would be to allow email opt out at sign up time, and to make unsubscribing obvious, consistent and accessible from both emails and the web site.
Linkedin is like the little boy who cried, “Wolf.” By sending too much mail that people are not really interested in, they are getting ignored when they have something important to say.