
Strategies to prevent email scanners from activating "unsubscribe" links


I'd like to provide a single-click "Unsubscribe" link in the footer of the emails my service sends.

Obviously, many spam scanners will scan emails, and will follow any links found in the emails to scan their contents for malware. A workaround I have used so far:

  • If the "Unsubscribe" page is requested via HTTP GET, it renders a simple confirmation form and a bit of JS that submits the form on page load
  • If the "Unsubscribe" page is requested via HTTP POST then we unsubscribe the user

This way, the user will usually only need a single click on the form and they will get a "You have been unsubscribed" message. If they have JS disabled, they can still manually submit the confirmation form.

Now the problem is, some scanners like Office365's ATP will open the pages, and execute JS inside them. By executing JS they submit the form and cause the user to be auto-unsubscribed.

I've considered adding checks to the auto-submit JS logic:

  • don't auto-submit for specific user agents
  • don't auto-submit for specific client IP ranges
  • trigger the auto-submit on mouse move event

But these all seem like brittle methods, hacks at best, that are bound to break as email scanners change their tactics.

I'm sure this problem has bit many people before me. Are there known reasonable workarounds, aside from just giving up the single-click functionality?

PS. I have added support for RFC 8058 but users are still going to click links in the footer.


Solution

  • This is a topic of ongoing debate at M³AAWG (The Messaging, Malware, and Mobile Anti-Abuse Working Group). It's a mess and there are no easy solutions. It sounds like you're doing everything right, but some anti-spam systems are a little too aggressive.

    The big issue is that anything you can do can also be done by an abusive marketer or spammer.

    The best proposal I've heard is just to put a timer on the action. Add a captcha for users that unsubscribe within 5 minutes of delivery and remove the captcha afterwards. (Do not implement this for your RFC 8058 List-Unsubscribe-Post link.)

    My next favorite proposal is to add a canary link to the message. This should be invisible to human readers. If it is followed, it reverts recent click activity from that IP and bans the IP from action triggers for a time.

    I like your ideas too, just make sure that if Javascript is disabled, the user can still unsubscribe after a confirmation button click.


    There's a part of me (warning, I'm an anti-spam researcher) that wants these false positives. Hopefully that will teach my peers that they're doing such a bad job and that these escalations will keep coming to them. From your perspective, you get to pass the buck (though you will lose a few subscribers in the process).

    Spam detection systems must be careful to avoid subscription management links (at least until the bad guys start disguising their payloads as unsubscribe links).
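The following is an added example, not code from the question or the answer. It sketches, with the Python standard library only, the question's two-step flow (GET renders a confirmation form that auto-submits, POST performs the unsubscribe) together with the answer's two proposals: the five-minute timer that demands a CAPTCHA for early clicks, and the invisible canary link that reverts a scanner's recent clicks and bans its IP. The RFC 8058 one-click endpoint is deliberately left ungated, as the answer advises. The route names, the HMAC token format that binds the subscriber to the delivery time, the `captcha=solved` stand-in for a real CAPTCHA verifier, the in-memory state and the time windows are all assumptions made for the example.

```python
import hashlib
import hmac
import html
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

# Assumed values for this example; a real deployment loads the key from a secret store.
SECRET_KEY = b"example-key-not-for-production"
GRACE_SECONDS = 5 * 60        # footer unsubscribes this soon after delivery need a CAPTCHA
REVERT_WINDOW_SECONDS = 3600  # a canary hit undoes that IP's unsubscribes from the last hour
BAN_SECONDS = 24 * 3600       # and blocks further action triggers from that IP for a day

# The GET response: a real form for no-JS users, auto-submitted when JS runs.
CONFIRM_PAGE = """<form method="post" action="{action}">
<button type="submit">Confirm unsubscribe</button>
</form>
<script>document.forms[0].submit();</script>"""


def make_token(user_id: str, sent_at: int, secret: bytes = SECRET_KEY) -> str:
    """Bind subscriber and delivery time into a token nobody can forge or re-time.
    user_id must not contain '.', which separates the fields."""
    payload = f"{user_id}.{sent_at}"
    mac = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()[:32]
    return f"{payload}.{mac}"


def parse_token(token: str, secret: bytes = SECRET_KEY):
    """Return (user_id, sent_at) for a genuine token, None for anything else."""
    try:
        user_id, sent_at_str, mac = token.split(".")
        sent_at = int(sent_at_str)
    except ValueError:
        return None
    expected = hmac.new(secret, f"{user_id}.{sent_at}".encode(),
                        hashlib.sha256).hexdigest()[:32]
    if not hmac.compare_digest(mac, expected):
        return None
    return user_id, sent_at


class FakeClock:
    """Settable clock so the timer logic can be exercised without sleeping."""
    def __init__(self, t: float):
        self.t = t

    def __call__(self) -> float:
        return self.t


@dataclass
class UnsubscribeService:
    """In-memory stand-in for the database a real mailing service would use."""
    clock: Callable[[], float] = time.time
    unsubscribed: Set[str] = field(default_factory=set)
    clicks_by_ip: Dict[str, List[Tuple[float, str]]] = field(default_factory=dict)
    banned_until: Dict[str, float] = field(default_factory=dict)

    def links_for(self, user_id: str, sent_at: int) -> Dict[str, str]:
        """Footer link, RFC 8058 List-Unsubscribe-Post target and hidden canary for one message."""
        t = make_token(user_id, sent_at)
        return {"unsubscribe": f"/unsubscribe/{t}",
                "one_click": f"/one-click/{t}",
                "canary": f"/canary/{t}"}

    def handle(self, method: str, path: str, client_ip: str, form=None) -> Tuple[int, str]:
        """Minimal router returning (status, body), as a framework view would."""
        form = form or {}
        now = self.clock()
        route, _, token = path.lstrip("/").partition("/")
        parsed = parse_token(token)
        if parsed is None:
            return 404, "unknown link"
        user_id, sent_at = parsed
        if route == "canary" and method == "GET":
            return self._trip_canary(client_ip, now)
        if self.banned_until.get(client_ip, 0) > now:
            return 403, "ignored"  # this IP tripped the canary: no more state changes
        if route == "unsubscribe" and method == "GET":
            return 200, CONFIRM_PAGE.format(action=html.escape(path, quote=True))
        if route == "unsubscribe" and method == "POST":
            # The timer: a POST within GRACE_SECONDS of delivery is very likely a
            # scanner, so demand a CAPTCHA. "solved" stands in for a real verifier call.
            if now - sent_at < GRACE_SECONDS and form.get("captcha") != "solved":
                return 200, "captcha required"
            return self._unsubscribe(user_id, client_ip, now)
        if route == "one-click" and method == "POST":
            # RFC 8058 one-click: mail systems POST this body; never gate it behind the timer.
            if form.get("List-Unsubscribe") != "One-Click":
                return 400, "bad one-click request"
            return self._unsubscribe(user_id, client_ip, now)
        return 405, "method not allowed"

    def _unsubscribe(self, user_id: str, ip: str, now: float) -> Tuple[int, str]:
        self.unsubscribed.add(user_id)
        self.clicks_by_ip.setdefault(ip, []).append((now, user_id))
        return 200, "You have been unsubscribed"

    def _trip_canary(self, ip: str, now: float) -> Tuple[int, str]:
        """Humans never see the canary, so whoever follows it is a scanner: undo its
        recent unsubscribes and ignore its clicks for BAN_SECONDS."""
        recent = [u for ts, u in self.clicks_by_ip.pop(ip, [])
                  if now - ts < REVERT_WINDOW_SECONDS]
        self.unsubscribed.difference_update(recent)
        self.banned_until[ip] = now + BAN_SECONDS
        return 204, ""
```

Two caveats a practitioner should keep in mind. Both the revert and the ban key on the client IP, so a scanner that shares a NAT address with real readers would also undo their genuine unsubscribes for that window; the answer's proposal trades that risk for catching scanners. And the order in which a scanner follows links does not matter here: if it hits the canary before the footer link it is simply banned, if after, its click is reverted. The HMAC-signed token also closes a separate gap the question's design leaves open: without it, anyone who can guess a subscriber identifier could unsubscribe that person with a single POST.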