LinkedIn Victims Do Not Connect With Legitimate Notifications

The company sent an important e-mail notification with special coding (DKIM) and addressed the recipient by name. It also didn’t include any links in the actual message.

The company sent an important e-mail notification with special coding (DKIM) and addressed the recipient by name. It also didn’t include any links in the actual message. And yet LinkedIn did not connect with some 250,000 of its users, who flagged the legitimate alert as spam.


Some thought it was a phish scam; others figured it was just another message in a long stream of e-mails from the popular social network for professionals.


The snafu came to light after a Cloudmark blogger discovered a spike last week in LinkedIn traffic hitting spam filters. The San Francisco-based Cloudmark makes anti-spam technology.


“Part of the problem is that people are used to getting email that they don’t want from Linkedin and rather than unsubscribe, some of them just mark it as spam and hope that it will go away,” wrote Andrew Conway.


The e-mails were sent to 6.5 million LinkedIn users whose passwords were compromised during a data breach reported June 6. The batch of SHA-1 hashed and unsalted passwords was posted on a Russian Web site for others to crack.


In his blog post, Conway graphically showed the amount of genuine mail that social network users manually (and incorrectly) report as spam. LinkedIn, in general, performed the worse with about 2 percent of its legit e-mail traffic being blocked. Its e-mail regarding the compromised passwords registered twice the volume of rejects – just over 4 percent.


Some users have reported the password reset notifications were so lacking in detail that they were convinced it was some kind of phish scam, especially coming on the heels of the breach’s reveal. Others said they received the e-mails at their current or past work e-mail address when another address was associated with the account.


Conway believes a significant factor is the difficulty in changing an account’s e-mail notification preferences.


“When you do get an email from Linkedin, it may contain an Unsubscribe link (good) in tiny print at the bottom of the message (bad), it may contain an Adjust your message settings link (OK) in tiny print at the bottom of the message (blah) or it may not contain any opt out link at all (c’mon Linkedin, that’s not good enough),” he wrote. “Best practice would be to allow email opt out at sign-up time, and to make unsubscribing obvious, consistent and accessible both from both emails and Web site.


“LinkedIn is like the little boy who cried, ‘Wolf,’ he continued. “By sending too much mail that people are not really interested in, they are getting ignored when they have something important to say.”

Suggested articles

Discussion

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.