8 lessons learned from Yahoo's bold move of recycling inactive email addresses

Recycling inactive email addresses was part of a much bigger plan: the Yahoo Mail relaunch

In Marissa Mayer’s portrait published in Business Insider, we learned that putting out a new version of Yahoo Mail was an absolute top priority. The new CEO even personally managed this project. The team working on this went under a lot of pressure. Sources report that what they achieved in a few months used to take them more than a year. You can tell the ex-Google managed closely the Yahoo Mail redesign, simply by looking at it.

Some members of the team were a bit upset with this micro-management: it ended up with the Lead Designer leaving for Google, while the Yahoo Mail Product Manager went to Disney. Marissa wanted to push her project at any price: the timing was more important than anything else.

All this tells a lot about the context in which the decision of recycling email addresses was taken.

Announcing that inactive accounts would be made available to other users was actually an angle to get press coverage and spark the interest of the public for the new Yahoo Mail. It worked quite well, but maybe not in the way Marissa was expecting it to be. Wired and quite a few security experts immediately backfired. Keep on reading to learn why.

Nice email usernames can be a competitive advantage but there are some downsides

Offering more choice is perceived as a plus when compared to other webmail providers. This is how the announcement was marketed: “yourname@yahoo.com Can Be Yours!" This sounds attractive, for sure.

Gmail, for example, doesn’t recycle inactive addresses and news users often have to integrate numbers in their email handle. Security prevails even if this usernames scarcity becomes problematic. So in most cases, offering more choice is relevant.

However, I’m not really sure I would like to get the johnsmith@yahoo.com or any popular similar handle. Everyday, millions of people provide fake email addresses to access a service or download something. Are you sure you want to own one of these “popular” addresses? Quite a few users reported that they eventually shut down their new email address and went back to the old one.

Recycling inactive accounts was also a way to re-engage old Yahoo Email users

Think about it: people who want a convenient username were not the only ones concerned by Yahoo’s announcement. Any person with a Yahoo account has been impacted and the message delivered to them was: “we recently launched a new interface, and by the way, if you don’t login/authenticate, you may lose access to your ID.”

Do you think this is exaggerating? Accessing your email via POP/IMAP isn’t enough - but needs actual authentication via a web platform.

From the marketing side, this seems to be an excellent way to relaunch. However, some security experts criticise this process and denounce a risk shift: “Yahoo transferred the burden of responsibility to the customer by requesting that the person log in to ensure the account remained active.“

Security: when you recycle an email address, it could end up with a creepy user report

Yahoo defines an “inactive address” by looking at the user engagement (recent authentication, email activity, etc). But how about the sender’s perspective? A true inactive email address would be also one that doesn’t receive any email from anyone.

When an email address is recycled, a lot of the senders may not be aware of this change. Newsletters, notifications, or even personal emails can be sent to an absolute stranger. As soon as some inactive addresses were recycled, users reported issues:

"I can gain access to their Pandora (or Facebook) account, but I won’t. I know their name, address and phone number. I know where their child goes to school, I know the last four digits of their social security number. I know they had an eye doctor’s appointment last week and I was just invited to their friend’s wedding," Jenkins said. "The identity theft potential here is kind of crazy."

It is worth mentioning that Microsoft also recycles email addresses. Hotmail has had this policy for years, and they recently extended it to Live ID and Outlook.com. Their terms of services don’t clearly define this policy so they also went under a lot of criticism.

Because it is an ongoing process, there is no massive impact. But this doesn’t mean they don’t face any issues: some users also report problems.

Recycling addresses is counter intuitive for an email service, as it might attract spammers

Webmail and email providers in general always have a big challenge: limit the number of abusers. This is why you have captchas when you create an email account. Think also about Gmail. Remember back in the early days? It was an invite-only service.

One of the reasons was that they we providing much more storage capacity than their competitors: 1Go VS 2-4Mo for the others (because Gmail launched on April 1, people even thought this was a joke!). So they needed time to make sure they would be able to scale out. But this was not the only reason.

In Founders at work, Buchheit, the Gmail architect is interviewed:

Interviewer: What was the idea behind the invitation-only signup?

Buchheit: There were few different factors. (…) it controls some of the abuse, by making it harder for, let’s say a spammer to get 10 million accounts, which would be bad.”

Keeping a clean user base is strategic. From this perspective, the Yahoo move sent an odd message to potential abusers: “get recycled email addresses and you might be able to access some personal data and credentials.”

My guess is even that quite a few “reassigned” addresses could potentially be chased for phishing (name of companies or real people…).

Tough time for the senders: Old email addresses are now more dangerous than ever

Until recently, a “recycled email address” used to designate a special kind of spam trap:

"These types of addresses frequently trap legitimate senders with weak list hygiene and data quality practices. Typically, an ISP could/may turn off an abandoned/inactive email address after x period of inactivity - which produces an ‘unknown user’ bounce code. At some point, the ISP will reactivate/recycle the address, hence converting it to a spamtrap; eventually allowing the ‘trap’ address to receive messages (Source: Return Path).

Today, it also designates an old email address that was reassigned to a new user. You might think this is good news for the senders, but it’s not. The recipient will certainly click the “report as spam” button for all the emails for which he didn’t subscribe himself, which is very bad. This is one of the reasons why Yahoo added a new button: “not my email.”

If senders don’t clean their list for 30 days, they might end up emailing random people

As soon as the criticism bursted, Yahoo reacted: “We will have a 30-day period between deactivation and before we recycle these IDs for new users. During this time, we’ll send bounce-back emails alerting senders that the deactivated account no longer exists.”

This means that cleaning your lists is more important than ever. In fact for the average sender, you should (and must) remove all inactive Yahoo email addresses from all lists. But - if you regularly clean single/confirmed opt-in lists properly built, you should be fine.

Bold business driven moves can end up with the creation a new internet standard

Because this 30-day period didn’t satisfy the security experts, Yahoo worked hard to build a new standard for an email header: Require-Recipient-Valid-Since  (RRVS). It works the following way:

"If you submit a Facebook request to reset your password, for example, Facebook would add the RRVS header to the reset email, and the new header would signal to Yahoo to check the age of the account before delivering the mail. If the values don’t match, the email would bounce."

Of course, if you send these kind of emails (transactional), etc & your list(s) contain Yahoo subscribers„ you should consider using this header.