acdha · 8 years ago
The HN title is misleading - it wasn’t a bug report but the Yubikey 4 replacement. The process by which it happened seems understandable: they used their existing store to process replacements (you got a coupon code for the same model as your old key) and notified all past customers when a major new standard shipped.

They should have handled that better and made it clearer under which conditions you’d get email but it’s way down the list of annoying corporate email practices.

AdmiralAsshat · 8 years ago
I've experienced similar issues with sites where someone else used my e-mail address to sign up for something, I purposefully did not follow the authorization URL, and the companies have flatly refused to delete my fraudulent accounts or remove me from their mailing lists.

One in particular tried to tell me to reset the password on the account so that I could sign in and opt-out of the mailing lists. I refused, saying that doing so would be acknowledging the account as mine and putting the onus on me to manage something I never signed up for. They refused to budge, despite numerous escalations.

I swear I feel more like Hank Hill every day.

tgsovlerkhgsel · 8 years ago
If you are using a major e-mail provider, try to mark their spam as spam server-side.

For senders trusted by your mail provider, this may trigger feedback loops (automatically informing the sender that their e-mail is unwanted, and usually requiring them to act on that).

If e-mail deliverability providers (MailChimp etc.) are involved, they usually try to either educate or fire customers who misbehave, since they don't want to get their servers blacklisted entirely.

In general, marking as spam should increase the probability that future e-mails from this company (or, if they're smart to separate it, at least their marketing spam) will be correctly delivered to the spam folder or outright rejected at delivery.

mikeash · 8 years ago
I apparently have a somewhat common name, and so my Gmail account first.last@gmail.com gets a fair amount of misdirected email due to idiots with a similar address. (As best I can tell, most of them have something like first.last42@gmail.com and forget the number.)

Good companies will require verification before sending anything else. Those I can ignore and they’ll go away. For the others, I make a good faith effort to unsubscribe, but a small one. They get about ten seconds for me to find the unsubscribe link, otherwise they get reported as spam. I’ve had some which won’t let me unsubscribe unless I log in to the corresponding account, which of course I can’t do.

Just remember that this stuff is spam. You’re not abusing a tool to your advantage, you’re using it the way it’s supposed to be used. Spam doesn’t have to be knockoff viagra or whatever.

inferiorhuman · 8 years ago
> If e-mail deliverability providers (MailChimp etc.) are involved, they usually try to either educate or fire customers who misbehave, since they don't want to get their servers blacklisted entirely.

Since "My experience with Mailchimp was decidedly not like that" seems to be attracting downvotes, I'll expand on that. Mailchimp is opt out. So when I found myself on the receiving end of some local dog boutique's spam (I don't have any pets, dogs or otherwise) list that was being serviced by Mailchimp I got to go through the tedious process of opting out.

Getting off of the spam list required tracking down contact info on LinkedIn and spamming the spammers. As long as companies like Mailchimp provide opt-out instead of opt-in services, it is Mailchimp and their brethren that are the bad actors. Mailchimp and Marketo have earned a spot on my smtpd_sender_restrictions blacklist.

inferiorhuman · 8 years ago
> If e-mail deliverability providers (MailChimp etc.) are involved, they usually try to either educate or fire customers who misbehave, since they don't want to get their servers blacklisted entirely.

My experience with Mailchimp was decidedly not like that.

Cacti · 8 years ago
I registered my own domain and switched my email over to a service that lets me generate arbitrary email aliases. When I go to a site or have to otherwise give an email address, I create a new unique alias just for that service. This lets me track where they are leaking my email to, and lets me blackhole the whole site if needed.

It’s great.

icey · 8 years ago
I've been doing a similar thing for years with the gmail feature that lets you add "+anything" to the end of your email address. If someone starts spamming myrealemail+thethingIusedforthatsite@gmail.com, it's easy to create a filter to trash it automatically.

I've tried the catchall method on a domain I control, but got way too much spam from people trying random addresses.

teej · 8 years ago
I’ve done each of these things and they work great.

1. Go up the chain. Email the head of technology and head of marketing for the company. Tell them that what they are doing is unacceptable.

2. Look up the email service provider. Find their abuse address. Bring it up with them directly.

3. Mark as spam. I give companies one chance to get it right after I unsubscribe. If I keep getting emails I start to mark as spam. If I still get emails I escalate to #1 or #2.

godzillabrennus · 8 years ago
Might be worth filing a CAN-SPAM Act report.

thehnguy · 8 years ago
Liked for the last line. Getting old is funny.

jnxx · 8 years ago
> Sadly I have no idea what is a viable alternative to Yubikeys, but at least we're not likely to buy any more any time soon.

Nitrokey: https://www.nitrokey.com/

ilikepi · 8 years ago
Adam Langley did a couple round-ups of various security keys last year. Here are the links to each of their respective HN posts:

* https://news.ycombinator.com/item?id=15042851

* https://news.ycombinator.com/item?id=15429831

ecesena · 8 years ago
My preferred one is Vasco, also working on iOS. I wrote a comparison a while ago:

https://medium.com/@0x0ece/googles-advanced-protection-progr...

On a related note, has anyone already tested a FIDO2 key? I'm looking to buy one, but still can't find any, including developer previews.

Fnoord · 8 years ago
If you got a Ledger Nano you can use that as well in some circumstances. Likely the same counts for other Bitcoin hardware wallets.

Sir_Cmpwn · 8 years ago
Also check out U2F Zero

https://www.u2fzero.com/

ilikepi · 8 years ago
> If you are a registered user of a Yubico website and have supplied your email address, Yubico may occasionally send you an email to tell you about new features, solicit your feedback, or just keep you up to date with what’s going on with Yubico and our products.

If they made the author a "registered user" when he submitted his address to the replacement program, they should make it clear that's what is happening. Or they need to expand their TOS language a bit...

zAy0LfpBZLC8mAC · 8 years ago
You cannot have ToS for a process you establish to correct a failure to perform for existing contracts, in this case for exchanging a defective product (other than what was part of the original contract).

ilikepi · 8 years ago
Are you summarizing particular laws regarding defective product replacement? This is not an area with which I'm really familiar.

The way you phrase it, to me, suggests that it would be impossible (in practical terms) for a company to operate any sort of replacement program via the net, because they'd be required to collect and process personal information digitally, and they would be likely advised to not do so without defining the terms under which that information would be used.

Another comment[1] suggests Yubico implemented this replacement program by issuing coupon codes for their store. The checkout process requires consent to their terms.

[1]: https://news.ycombinator.com/item?id=17059784

xmodem · 8 years ago
Yubico is a Swedish company, so you may want to consider filing a complaint with the Swedish data protection authority: https://www.datainspektionen.se/in-english/contact-us/

hadrien01 · 8 years ago
Isn't that illegal, at least in the EU and Canada?

proactivesvcs · 8 years ago
I believe the e-Privacy directive makes it illegal in the EU: https://en.wikipedia.org/wiki/Privacy_and_Electronic_Communi...

pluma · 8 years ago
I'm fairly confident it will be illegal starting May 25th.

exabrial · 8 years ago
Marketing teams really need to be kept in check. I get it, they're pressed for results with often limited budgets and tools, but there needs to be some basic ethics at every company. To me, this is just as bad as bundling security updates with mandatory new features....

CryoLogic · 8 years ago
Microsoft and a few other companies have done this with the email I used when interviewing :/