Strategies to prevent email scanners from activating "unsubscribe" links

I'd like to provide a single-click "Unsubscribe" link in the footer of the emails my service sends.

Obviously, many spam scanners will scan emails, and will follow any links found in the emails to scan their contents for malware. A workaround I have used so far:

  • If the "Unsubscribe" page is requested via HTTP GET, it renders a simple confirmation form and a bit of JS that submits the form on page load
  • If the "Unsubscribe" page is requested via HTTP POST then we unsubscribe the user

This way, the user will usually only need a single click on the form and they will get a "You have been unsubscribed" message. If they have JS disabled, they can still manually submit the confirmation form.

Now the problem is, some scanners like Office365's ATP will open the pages, and execute JS inside them. By executing JS they submit the form and cause the user to be auto-unsubscribed.

I've considered adding checks to the auto-submit JS logic:

  • don't auto-submit for specific user agents
  • don't auto-submit for specific client IP ranges
  • trigger the auto-submit on mouse move event

But these all seem like brittle methods, hacks at best, that are bound to break as email scanners change their tactics.

I'm sure this problem has bitten many people before me. Are there known reasonable workarounds, aside from just giving up the single-click functionality?

PS. I have added support for RFC 8058 but users are still going to click links in the footer.

Pēteris Caune asked Dec 11 '19 08:12

1 Answer

This is a topic of ongoing debate at M³AAWG (The Messaging, Malware, and Mobile Anti-Abuse Working Group). It's a mess and there are no easy solutions. It sounds like you're doing everything right, but some anti-spam systems are a little too aggressive.

The big issue is that anything you can do can also be done by an abusive marketer or spammer.

The best proposal I've heard is just to put a timer on the action. Add a captcha for users that unsubscribe within 5 minutes of delivery and remove the captcha afterwards. (Do not implement this for your RFC 8058 List-Unsubscribe-Post link.)

My next favorite proposal is to add a canary link to the message. This should be invisible to human readers. If it is followed, it reverts recent click activity from that IP and bans the IP from action triggers for a time.

I like your ideas too, just make sure that if Javascript is disabled, the user can still unsubscribe after a confirmation button click.

There's a part of me (warning, I'm an anti-spam researcher) that wants these false positives. Hopefully that will teach my peers that they're doing such a bad job and that these escalations will keep coming to them. From your perspective, you get to pass the buck (though you will lose a few subscribers in the process).

Spam detection systems must be careful to avoid subscription management links (at least until the bad guys start disguising their payloads as unsubscribe links).

Adam Katz answered Oct 20 '22 17:10
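The following is an added, stand-alone sketch (not code from the question's author or the answerer) that puts the question's GET-renders-form / POST-unsubscribes split together with the two proposals in the answer: a captcha on unsubscribes that arrive within five minutes of delivery, and an invisible canary link whose hit reverts recent clicks from that IP and blocks it from triggering actions for a while. It uses only the Python standard library. Everything concrete is assumed: the HMAC-signed token that carries the user id, the delivery timestamp and the link kind, the `/unsubscribe` and `/unsubscribe/one-click` paths, the in-memory state, and the window lengths. The RFC 8058 one-click endpoint is kept separate and never gated, as the answer advises; the body it checks, `List-Unsubscribe=One-Click`, is the one the RFC specifies.

```python
import base64
import hashlib
import hmac
import json

# Constructed values; a real deployment keeps the secret outside the code.
SECRET = b"constructed-example-secret"
GRACE_SECONDS = 300        # captcha window after delivery (the answer's five minutes)
REVERT_WINDOW = 3600       # how far back a canary hit undoes clicks from that IP
BAN_SECONDS = 3600         # how long a canary hit blocks action triggers from that IP
MAC_LEN = 16
ONE_CLICK_BODY = "List-Unsubscribe=One-Click"   # RFC 8058 POST body

FORM_HTML = '<form method="post"><button>Confirm unsubscribe</button></form>{js}'
AUTO_SUBMIT_JS = "<script>document.forms[0].submit()</script>"


def make_token(user_id, sent_at, kind="unsub"):
    """Sign (user, delivery time, link kind) so the URL cannot be forged or altered."""
    payload = json.dumps({"u": user_id, "t": sent_at, "k": kind},
                         separators=(",", ":")).encode()
    mac = hmac.new(SECRET, payload, hashlib.sha256).digest()[:MAC_LEN]
    return base64.urlsafe_b64encode(payload + mac).decode().rstrip("=")


def parse_token(token):
    """Return the signed claims, or None if the token does not verify."""
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except (ValueError, TypeError):
        return None
    if len(raw) <= MAC_LEN:
        return None
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()[:MAC_LEN]
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(payload)


class UnsubscribeService:
    """In-memory stand-in for the real subscriber store (assumed, for illustration)."""

    def __init__(self):
        self.unsubscribed = set()
        self.clicks = []         # (client_ip, user_id, timestamp) of completed unsubscribes
        self.banned_until = {}   # client_ip -> unix time until which actions are refused

    def _is_banned(self, ip, now):
        return self.banned_until.get(ip, 0) > now

    def handle(self, method, path, token, client_ip, now, body="", captcha_ok=False):
        """Return (http_status, outcome_label, html) for one request."""
        claims = parse_token(token)
        if claims is None:
            return 400, "bad_token", ""
        user_id = claims["u"]

        # Canary: invisible to humans, so any hit is an automated fetch. Undo what
        # that IP did recently and stop it from triggering actions for a while.
        if claims["k"] == "canary":
            reverted = self._revert_clicks(client_ip, now)
            self.banned_until[client_ip] = now + BAN_SECONDS
            return 204, "reverted:%d" % reverted, ""

        if path == "/unsubscribe/one-click":
            # RFC 8058 List-Unsubscribe-Post: the mail client POSTs this exact body
            # on the user's behalf, so this endpoint gets no timer and no captcha.
            if method == "POST" and body == ONE_CLICK_BODY:
                return self._unsubscribe(user_id, client_ip, now)
            return 400, "bad_one_click", ""

        if method == "GET":
            # Confirmation form; the auto-submit script is withheld from banned IPs.
            js = "" if self._is_banned(client_ip, now) else AUTO_SUBMIT_JS
            return 200, "form", FORM_HTML.format(js=js)
        if method != "POST":
            return 405, "method_not_allowed", ""
        if self._is_banned(client_ip, now):
            return 403, "banned", ""
        if now - claims["t"] < GRACE_SECONDS and not captcha_ok:
            # Too soon after delivery to trust a click blindly: ask for a captcha.
            return 200, "captcha_required", "<p>Please solve the captcha to confirm.</p>"
        return self._unsubscribe(user_id, client_ip, now)

    def _unsubscribe(self, user_id, client_ip, now):
        self.unsubscribed.add(user_id)
        self.clicks.append((client_ip, user_id, now))
        return 200, "unsubscribed", "<p>You have been unsubscribed.</p>"

    def _revert_clicks(self, client_ip, now):
        """Re-subscribe users whose unsubscribe came from this IP within REVERT_WINDOW."""
        count = 0
        for ip, user_id, ts in self.clicks:
            if ip == client_ip and now - ts < REVERT_WINDOW and user_id in self.unsubscribed:
                self.unsubscribed.discard(user_id)
                count += 1
        return count
```

Two caveats worth keeping in mind when adapting this: the revert step keys on client IP, and many organizations sit behind a shared egress address, so a canary hit from a scanner can undo a genuine unsubscribe from a colleague on the same NAT; log every reversal and consider notifying the affected subscriber rather than silently re-subscribing them. The captcha window also counts from the timestamp signed into the link, so the mail's queueing delay is included in the five minutes; measure your real delivery latency before choosing the window.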