Strategies to prevent email scanners from activating "unsubscribe" links

Asked 11/12, 2019 at 8:40 Answered 29/11, 2023 at 21:3

I'd like to provide a single-click "Unsubscribe" links in the footer of the emails my service sends.

Obviously, many spam scanners will scan emails, and will follow any links found in the emails to scan their contents for malware. A workaround I have used so far:

If the "Unsubscribe" page is requested via HTTP GET, it renders a simple confirmation form and a bit of JS that submits the form on page load
If the "Unsubscribe" page is requested via HTTP POST then we unsubscribe the user

This way, the user will usually only need a single click on the form and they will get a "You have been unsubscribed" message. If they have JS disabled, they can still manually submit the confirmation form.

Now the problem is, some scanners like Office365's ATP will open the pages, and execute JS inside them. By executing JS they submit the form and cause user to be auto-unsubscribed.

I've considered adding checks to the auto-submit JS logic:

don't auto-submit for specific user agents
don't auto-submit for specific client IP ranges
trigger the auto-submit on mouse move event

But these all seem like brittle methods, hacks at best, that are bound to break as email scanners change their tactics.

I'm sure this problem has bit many people before me. Are there known reasonable workarounds, aside from just giving up the single-click functionality?

PS. I have added support for RFC 8058 but users are still going to click links in the footer.

Shied answered 11/12, 2019 at 8:40 Comment(4)

An interesting problem, something that comes to my mind is this new Google's invisible reCAPTCHA v3, normally, it doesn't require any action from the user if it looks ok. – Houppelande 11/12, 2019 at 21:4

@Houppelande could work in the "happy case". If reCAPTCHA check fails (for example, because the page opens inside email client where there is no Google cookie), then it's very annoying for the end user. Also, data goes to Google, so you need to be comfortable with that, mention it in the privacy policy etc. – Outport 12/12, 2019 at 10:10

We have same functionality. But we use Emarsys to create emails sent to users, and in the footer there is a simple link (encoded) that does the job. Now you got me wondering, are my users getting unsubscribed by email scanners? – Christman 16/12, 2019 at 9:2

@Amiga500: I started with a one-click link that included a plain-text address. On a mailshot to 482 people, the link was "clicked" only 6 times, with all clicks within 103 seconds after starting the run. Of the 6 email addresses sent back to me, one was plaintext, one was empty, 4 were garbled. Conclusion: all my unsubscribes were auto-generated (mainly, I think, by Microsoft software). I now ask users to manually enter their address on a form. – Brainwash 24/7, 2023 at 9:52

This is a topic of ongoing debate at M³AAWG (The Messaging, Malware, and Mobile Anti-Abuse Working Group). It's a mess and there are no easy solutions. It sounds like you're doing everything right, but some anti-spam systems are a little too aggressive.

The big issue is that anything you can do can also be done by an abusive marketer or spammer.

The best proposal I've heard is just to put a timer on the action. Add a captcha for users that unsubscribe within 5 minutes of delivery and remove the captcha afterwards. (Do not implement this for your RFC 8058 List-Unsubscribe-Post link.)

My next favorite proposal is to add a canary link to the message. This should be invisible to human readers. If it is followed, it reverts recent click activity from that IP and bans the IP from action triggers for a time.

I like your ideas too, just make sure that if Javascript is disabled, the user can still unsubscribe after a confirmation button click.

There's a part of me (warning, I'm an anti-spam researcher) that wants these false positives. Hopefully that will teach my peers that they're doing such a bad job and that these escalations will keep coming to them. From your perspective, you get to pass the buck (though you will lose a few subscribers in the process).

Spam detection systems must be careful to avoid subscription management links (at least until the bad guys start disguising their payloads as unusbscribe links).

Eichmann answered 17/12, 2019 at 19:42 Comment(2)

Thank you! These are both good ideas I had not thought about. I'll try the timer approach. In my case, the "CAPTCHA" is a simple button in the middle of the screen that just needs to be clicked. For quickly opened unsubscribe links, I won't include JS to auto-click that button. This should get around Office365 ATP at least, which scans links within a minute of sending an email. The canary links would be fair bit harder to implement (undoing actions, tracking banned IPs). Plus there's a risk that spam scanners could flag emails with invisible links as spam / malware. – Outport 18/12, 2019 at 10:51

A timer would have fixed my test case (see comments to the OP's post); all unsubscribes arrived within 2 minutes. But (re)CAPTCHA is a major PITA, particularly for users who don't understand US idioms and don't appreciate squinting at tiny non-descript images (what is a 'sidewalk'? What colour is a taxi? etc). And it's no longer one-click. I just ask users to enter their address on a form now. – Brainwash 24/7, 2023 at 10:1

I just ran into this very issue as well. One approach I'm going to try is to add a checkbox to the email and only perform link action if that checkbox is checked. Another option would be to useragent (https://www.npmjs.com/package/express-useragent) and build the logic of blocking certain requests based on the information it provides.

Windham answered 29/11, 2023 at 21:3 Comment(1)

Security crawlers already forge real userAgent strings, so that won't work. For the checkbox, how do you see that getting implemented without JS? As an HTML form? I'm pretty sure that'll get trapped as phishing more often than you'd like. – Eichmann 9/1, 2024 at 20:55

Recommended topics

Hot tags