That 'Unsubscribe' Button Could Be a Trap, Researchers Warn (msn.com)

Researchers are cautioning users against clicking unsubscribe links embedded in email bodies, citing new data showing such actions can expose recipients to malicious websites and confirm active email addresses to attackers. DNSFilter found that one in every 644 clicks on unsubscribe links leads users to potentially malicious websites.

"You've left the safe, structured environment of your email client and entered the open web," TK Keanini, DNSFilter's chief technology officer, told WSJ. The risks range from confirming to bad actors that an email address belongs to an active user to redirecting victims to fake websites designed to steal login credentials or install malware. Clicking such links "can make you a bigger target in the future," said Michael Bargury, CTO of security company Zenity.

  • by rossdee ( 243626 )

    Don't click on anything
    except the close button
    Oh wait, that might even be a trap

    • My reaction to the story was "Tell us something we didn't know." News is supposed to have some element of novelty in it. You know, novelty as in new.

      However, I think the phishing scams disguised as fake upgrades are more annoying, and probably more dangerous, since the sucker is primed to expect something to get installed. As regards this story I thought there might be an element of novelty in it. Perhaps a new scammer's pitch to enter your credit card number to validate the unsubscribe request? Something a

      • by KGIII ( 973947 )

        Yeah, this isn't anything new. It's a link with a UUID embedded in it and confirms that the email address is a real one and an active one. Unsubscribing using their link is a bad idea and has been a bad idea for *decades*. Just mark it as spam and move on. The potential for the link to contain malware is nothing new.

        I'm not sure that I agree with sending them to the new prison in El Salvador. That place is inhumane. As much as I hate spammers, I do think we need to treat criminals with a degree of humanity.

      • This.

        Spammers have been doing this for, what, at least 25 years now? Because that is how long I've been teaching people to never click any links or unsubscribe buttons in spam messages. Those "unsubscribe" clicks are of course especially valuable to spammers - they not only confirm that your email address is valid and active but that you also actually read the spam you receive. Would you expect them to honor your "unsubscribe" request? The more fool you.
        Other sneaky methods regularly used to identify active

    • Re:So (Score:5, Funny)

      by 93 Escort Wagon ( 326346 ) on Monday June 16, 2025 @04:21PM (#65454083)

      For some reason, your post made me think of the following exchange from The IT Crowd.

      Moss: My mum always says, you should never open the door.
      Jen: What do you mean?
      Moss: An unopened door is a happy door. So we never answer ours when someone knocks.
      Jen: What, so you all just sit there?
      Moss: Yes.
      Jen: So the doorbell goes and you all just sit there until the person goes away?
      Moss: Yes.
      Jen: What if it's important? What if it's good news?
      Moss: This is London, Jen. It's not someone with cake! Unless that cake is made of dog poo and knives!

    • by Kaenneth ( 82978 )

      I noticed that when Formerly-known-as-tweets are embedded on another web site, they put the 'X' logo in the upper right corner now.

      scammers gonna scam.

  • by The-Ixian ( 168184 ) on Monday June 16, 2025 @03:44PM (#65453993)

    But you have now proven the validity of that e-mail address which raises the worth of that address by some degree.

    I have always trained our users to utilize the mail client block filter for spam or other unwanted list subscriptions.

    • by Monoman ( 8745 ) on Monday June 16, 2025 @03:48PM (#65454003) Homepage

      If you put me on your list without asking, why should I trust you to take me off the list?

      Block, always block.

      • Or, if you have the skills, hack the spammer, unsubscribe yourself and burn their digital spamming infrastructure.

      • Exactly.

        If I just did business with a company, and as a result they send me promotional emails, I'll click unsubscribe, because I know why I'm on their list, and that they're likely to actually take me off the list.

        But when spam is from a completely unsolicited source, I do not interact with the email, at all.

        • Only interaction is to tag it as junk mail so it's not cluttering the mailbox. Thunderbird is really good at that. Gmail has that, I'm not sure how good it is. Outlook used to be junk, and probably is still.

          • As you suspected, Outlook's spam detection sucks. It identifies many false positives and false negatives.

            As for GMail, I've never seen another spam filter as good as GMail's. It almost never gets it wrong. Every once in a while, GMail will have a spate of misidentifications for a day or so, and I know they've tweaked the filters, but then it goes back to being about 99% right.

            My one gripe about GMail's spam filter is that it slavishly observes the DMARC and DKIM sender settings. If this test fails, it mark

    • by mysidia ( 191772 )

      There is an even better solution thanks to modern password managers.

      Create a unique email address for each person or company you provide with your email address

      The moment you want to unsubscribe, turn off the destination email address entirely, and all messages will bounce with a 550 error.

      This also helps with annoying data brokers selling lists with your address AND database access to certain tools where you type in a phone number or name and address, and the database spits out what email address

      • Proton Pass to the rescue.

      • I use yopmail.com for a lot of truly throwaway stuff. I bookmark the account in my browser.
        Be aware: the site itself is riddled with ads, which are easily blocked. But the way it works is you don't have to give it any information about yourself, not your name, not your phone number, nor an email. You get a URL to check your inbox, it's all wide open of course, anyone with the URL can read your email. It's good for those sites that insist on an email address to access features. Once you get that first "veri

      • I do this for most stuff. Works pretty well. I also aggressively filter by IP since I run my own mail server. Very little comes thru as a result. As a last defense, I use alpine which is a text only client. Funny, several companies seem to believe their emails are not coming thru. They are, but their "magic pixel" is not being activated.
      • This is what I do, it's a major reason I run my own email server, but thankfully the '+' hack built into many modern MTAs gives you an approximation of the same thing... sort of.

        The problem with that approximation is that you have to either add rules each time you add a new email address to your email service (i.e. "OK, add bypass rule allowing emails to victim+megacorpllc@example.com through") or you can act reactively and add rules to block incoming emails from known spammers ("OK, add block rule for anythin

        • They already do. I live in South America and have my own mail server. I can send mails to anyone without problems, unless these persons/companies choose to let Microsoft or Google manage their mail service. In those cases mail simply disappears in that particular "Bermuda triangle". No word, no error, no notification of any kind, just gone.

          My mail server has a good reputation, according to mxtoolbox [mxtoolbox.com]. But I expect that the mail servers from Google and Microsoft simply do not accept anything from anyone in th

    • The only ones I ever hit unsubscribe on are emails from politicians, and the link never works, just returning an error. Fortunately they excluded themselves from the CAN-SPAM act, so they don't need it to work anyways. You can block them, but they inevitably get a new domain at some point. So you just keep getting emails about them trying to create outrage over some issue you don't care about in some state or city that you've never been to.

    • Not only that, but also...

      Don’t let your email system automatically load external reference links (images, icons, etc.). Auto-loading images validates your email address just by receiving the email and not even reading it. If your email system auto-loads external references, they are fetched using individually crafted URLs sent in the email you receive, and the sender, by checking their own HTML-access logs, knows your email was fetched and is currently active.

  • The unsubscribe button is a trap whose fine print says, 'does not unsubscribe, but takes you to a sponsor site' probably full of spyware cookies, that are difficult to delete.

    So, beware; I just use the Google tool, Report spam/unsubscribe Option.

  • by Revek ( 133289 ) on Monday June 16, 2025 @03:54PM (#65454021)
    That this isn't a common thought. The only thing I thought of when I read that headline was 'No Shit!'.
  • by YuppieScum ( 1096 ) on Monday June 16, 2025 @04:19PM (#65454075) Journal

    This story should be from the "no-shit-sherlock" dept.

  • I once tried the experiment of unsubscribing to every unwanted email. Each time I did so, I got more unwanted email. Eventually it was expanding exponentially and I had to close out that email address.

    From which I concluded that "unsubscribe" really means "please add me as a target of spam".

  • We've already known for decades that the real purpose of the unsubscribe button is to let the spammer know that there's an active user at the end of the line so that they can start sending more spam.

  • DNSFilter found that one in every 644 clicks on unsubscribe links leads users to potentially malicious websites.

    I'm stunned that the percentage is so low!

  • Are you sure it's not 1 in 6.44?

    • Those were the ones that actually installed malware. The other 643 still confirmed that your email address is a live one.

      Most spam is just trying to sell you stuff, not necessarily infect your computer with spyware.

  • This isn't advice for slashdotters, all of you will have your own approaches, many quite sophisticated. But, if you have family or friends who use gmail and want a simple suggestion that they can easily understand and follow, and from which they'll get results that are about as good (and maybe better), tell them to click the "report spam" button instead of using the unsubscribe link. If Google believes the unsubscription flow to be legitimate, gmail will prompt with a popup that asks if they want to unsub

    • Google's vetting of unsubscribe links is woeful. There are *many* true spammers that get through their scrutiny. I advise people never to unsubscribe, even with Google's helpful button. You're still telling the spammer that they have a live email address. (My definition of "true spammer" is someone who sends you email, who has no legitimate reason to know your email.)

  • Don't click on any links within a spam email.

    At best it simply notifies them that the email is live. At worst, who knows?

    If your mail app doesn't support marking these as spam, get a better app.

  • A number of sites have pop-ups to 'get updates', presumably through the browser. (No email entered.)

    I'm curious how this isn't exploited? Where the 'No Thanks' button isn't reversed, or both actually subscribe you?

    I'll often avoid clicking on it altogether if I can...would prefer if there was an 'X' to close the pop-up. But those should be shut down completely by browsers too.

  • What year is it?!

    This "news" has been known for over a decade!

  • I have my e-mail client set to "not load remote content in messages". So they do not even know if I got it. The "load Remote Content" dialogue box appears in almost every e-mail I get. But that's MY choice. :)
  • And you'll be fine. If it's coming from a different domain and you don't trust it, don't click on it.

    • Simpler rule: just don't click that link. Ever.

      If the sender has no reason to know your email address, they are already being dishonest by pretending to know your email address, instead of just generating plausible combinations. Even if the domain name matches, do not click. If you know the company or have an account with them, go to the site directly instead.
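Several posts in this thread point at the same signals: an unsubscribe link with a UUID embedded in it (KGIII), remote images fetched through individually crafted URLs (the "Not only that" post), and the rule above to check whether a link even points at the sender's domain. As an added example that is not part of the thread, this Python script audits a raw message for exactly those signals without touching the network; the sample message, its hostnames and the UUID are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit, parse_qs
# Constructed sample (not from the article): a promotional mail whose tracking
# pixel and unsubscribe link both carry the same per-recipient UUID token.
SAMPLE_EMAIL = """\
From: Deals <deals@shop.example>
Content-Type: text/html; charset=utf-8

<html><body><p>Great offers inside!</p>
<img src="http://track.example.net/o.gif?u=6f1d2c3b-9a8e-4f7d-b1c2-0a9b8c7d6e5f" width="1" height="1">
<a href="http://shop.example/offers">See offers</a>
<a href="http://unsub-svc.example.net/u?id=6f1d2c3b-9a8e-4f7d-b1c2-0a9b8c7d6e5f">Unsubscribe</a>
</body></html>
"""

UUID_RE = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)
HREF_RE = re.compile(r'<a\s[^>]*?href="([^"]+)"', re.I)
IMG_RE = re.compile(r'<img\s[^>]*?src="([^"]+)"', re.I)

def sender_domain(msg):
    """Domain part of the From: address, lower-cased."""
    return parseaddr(msg["From"])[1].rsplit("@", 1)[-1].lower()

def is_offsite(url, domain):
    """True when the URL's host is neither the sender's domain nor a subdomain of it."""
    host = (urlsplit(url).hostname or "").lower()
    return not (host == domain or host.endswith("." + domain))

def has_recipient_token(url):
    """True if the path or any query value carries a UUID-shaped identifier."""
    parts = urlsplit(url)
    candidates = [parts.path] + [v for vs in parse_qs(parts.query).values() for v in vs]
    return any(UUID_RE.search(c) for c in candidates)

def audit(raw):
    """Report which links and images would identify the recipient if clicked or fetched."""
    msg = message_from_string(raw)
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    domain = sender_domain(msg)
    links, images = HREF_RE.findall(body), IMG_RE.findall(body)
    return {
        "sender_domain": domain,
        "offsite_links": [u for u in links if is_offsite(u, domain)],
        "tokenized_links": [u for u in links if has_recipient_token(u)],
        "remote_images": [u for u in images if u.startswith(("http://", "https://"))],
        "tokenized_images": [u for u in images if has_recipient_token(u)],
    }
```

Run `audit(SAMPLE_EMAIL)`: the offers link is on the sender's own domain and carries no token, while both the pixel and the unsubscribe link are off-site and tokenized, which is exactly what turns a click or an auto-loaded image into address confirmation.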

  • IMO, the unsubscribe button is a doorway to get more spam. Though you might cancel the current email subscription, by clicking on unsubscribe, it shows that it is a monitored/active email account. Which means, it is valuable enough to sell or share with other spammers.

  • If I recognize it as something I signed up for, then I will unsubscribe. If not, then delete, report, and/or block.

  • I've run my own email server for better part of 25 years... Mostly because of past professional experience, I didn't want to lose the skill. A couple thoughts:

    - All the links are booby-trapped. Seriously... Just expect it.
    - Create and use "burner" email addresses in /etc/aliases. Create hundreds, if not thousands of them. Think in terms of zeroing in on a date, ala "Billy06162025" so you might have a chance of figuring out who sold you. And Gen X... Definitely use a burner account when you sign up for s

  • ... And wuttthefuk is there to research? This "phenomenon" has been common knowledge for decades, since the 90ies for sure, for anyone dealing with email spam. The mx admins even have a technical term for it: backscatter.

    Isn't it cute when the kids today "discover" the internet? Like calling 2015 "the early days of the web" (no joke). LOL.
