My favorite is my alma mater, the University of Washington. They break their communications into categories, and opting out of everything opts out of each category at the backend. For years, I've opted out of "everything" every few months, because any time they add a category, they default me into it and I get an email.
I unsubscribe from mailing lists 20x more often than I knowingly subscribe to them.
It should be illegal to sign someone up to a mailing list without explicit consent. If I create an account with my email, or provide it as a part of a checkout process, you should not have the ability to sign me up to a mailing list without me explicitly opting in via a dedicated checkbox or button (and it should initialize as un-checked of course).
Breaking the mailing lists into 30 different categories is w/e, but auto opting people in to new categories should also be illegal. Such a scummy dark pattern.
I used to run a mailing list for my blog. I've gotten some pretty hostile responses to people who were adamant they never subscribed to my mailing list.
I have no idea how this happened; I just coded a simple form with a basic Turing test ("please enter the number 9 here" works well enough for small sites). Did they forget they subscribed? Did someone else use their email? Did someone typo the email address? Bots? No way for me to know.
Just assume every form on the Internet is being constantly filled with leaked or stolen data.
I am pretty sure they (the pissed off recipients) have never even visited your site. Their emails had been submitted by persistent fraud groups hammering every possible input 24/7 for their scam and spam ops. I observe such behavior on our apps and sites, even those that you would assume no one is even aware of.
Cloudflare’s Turnstile will help you block 90% of such threats, and the final solution is to double-confirm the subscription - this way you can be pretty sure subscribers are there willingly and have not been put in by crooks.
Nowadays, I would even ditch the email input and force “Subscribe with Google/Apple/xyz” via OAuth to completely mitigate this broken unauthorized newsletter subscription flow.
This is why double opt-in is best practice. They enter their email address, and you send them an email with a link they have to click to confirm sign-up. It makes it impossible for somebody to sign somebody else up.
Even with the best of intentions, somebody with the email address jim@example.com might inadvertently enter kim@example.com. You don’t want to lose Jim and you don’t want to spam Kim. So the outcome of entering an email address in a form should always be “now check your email to confirm”.
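The double opt-in flow the two comments above describe, as an added example (not code from anyone in the thread): the form submit only produces a signed, expiring confirmation token that goes out by mail; the address is added to the list only when that token comes back intact. The secret, TTL and the in-memory sets are constructed for the demo.

```python
import base64
import binascii
import hashlib
import hmac
import time
from typing import Optional

SECRET = b"demo-secret-change-me"   # constructed; load from a secret store in practice
TOKEN_TTL = 24 * 3600               # confirmation links stop working after one day

PENDING_MAIL = []        # stand-in for the outbound mailer: (address, confirm URL)
SUBSCRIBERS = set()      # the actual list; nothing lands here without a valid token


def _sign(payload: bytes) -> str:
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest()


def make_confirm_token(email: str, now: Optional[int] = None) -> str:
    """Opaque token for the 'now check your email' link: address + expiry, HMAC-signed."""
    exp = (now if now is not None else int(time.time())) + TOKEN_TTL
    payload = f"{email.strip().lower()}|{exp}".encode()
    body = base64.urlsafe_b64encode(payload).decode().rstrip("=")
    return f"{body}.{_sign(payload)}"


def verify_confirm_token(token: str, now: Optional[int] = None) -> Optional[str]:
    """Returns the confirmed address, or None if the token is malformed, forged or expired."""
    try:
        body, sig = token.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
    except (ValueError, binascii.Error):
        return None
    if not hmac.compare_digest(_sign(payload), sig):
        return None                      # tampered address or expiry
    email, exp = payload.decode().rsplit("|", 1)
    if (now if now is not None else int(time.time())) > int(exp):
        return None                      # stale link: Kim's inbox should not confirm Jim's typo a month later
    return email


def request_subscription(email: str, now: Optional[int] = None) -> str:
    """Step 1: the form was submitted. Queue a confirmation mail; touch the list not at all."""
    token = make_confirm_token(email, now)
    PENDING_MAIL.append((email, f"https://example.com/confirm?t={token}"))  # hypothetical URL
    return token


def confirm_subscription(token: str, now: Optional[int] = None) -> bool:
    """Step 2: the link in the mail was followed. Only a valid token adds the address."""
    email = verify_confirm_token(token, now)
    if email is None:
        return False
    SUBSCRIBERS.add(email)
    return True
```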
Report them to spamhaus and get their mail servers added to spam blacklists. It's a great source of motivation for negligent mailers to get their **** together.
My general approach is: if I recognize that it is something I signed up for, I usually use the unsubscribe link (either in the email client or the email footer). If I get another email from them after about a week, I mark that as spam.
Same idea with text messages. If I know why I’m getting it, I use the “reply STOP” feature.
If I don’t recognize the sender of an email or text, I mark it as spam or junk. Apple Messages has a nice “delete and report as junk” feature for unwanted text messages.
Agreed. Gmail has a handy "block and report as spam", but if there's an "unsubscribe" link it will often ask if you are SURE you don't want to just unsubscribe.
A nice feature because I've seen all too many times over the decades people report spam on messages from lists I'm quite confident they signed up for.
If only "delete and report as spam" actually worked. For years I've gotten spam text messages and the report as spam doesn't seem to work. Maybe it's different with other carriers.
> A good rule of thumb is knowing that no legitimate business will request your username and password after clicking their email’s unsubscription button.
Just FAANG and fintech.
Pretty lousy rule of thumb.
I've seen legitimate businesses outside those areas use that as a dark pattern. Basically you go to unsubscribe from the mailing list and they throw another hurdle at you, hoping you'll give up.
The one-click policy is actually about sending the list-unsubscribe header so the email client can render an opt-out button.
An unsubscribe link in the body of an email can have a confirm step.
In fact if you are serving a B2B audience it is essential that you do, since an increasing number of security services like Barracuda, Fortra, etc. auto-click every link in the email body to check for phishing. If you have one-click unsubscribe links in your email body, those people will be constantly unsubscribed without their knowledge.
To stay CAN-SPAM compliant, the sender MUST NOT require anything else but an email and a single visit to a webpage. A confirmation page is OK but requiring an auth or any other information or steps is simply illegal.
As a rule of thumb, one-click List-Unsubscribe with List-Unsubscribe-Post headers and a plain opt-out page (with confirmation if you risk such security solutions clicking on them, applicable only in B2B as you say) for the unsubscribe link in the email body.
These links should ideally be personalized (i.e. encode recipient’s email/account ID) so the opt-out page would not even require users to put their emails.
And please keep List-Unsubscribe via mailto as well, some clients may not support HTTPS POST.
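The header layout recommended in the comments above, as an added example (not code from anyone in the thread): a personalised token in both a mailto and an HTTPS List-Unsubscribe URI, a List-Unsubscribe-Post header so mail clients can POST a one-click opt-out (RFC 8058), and an opt-out endpoint where a plain GET from the footer link only shows a confirm page, so a link scanner that follows it changes nothing. The host, secret, list name and the `confirm=1` form body are assumptions.

```python
import base64
import hashlib
import hmac
from email.message import EmailMessage

SECRET = b"demo-secret-change-me"    # constructed; load from a secret store in practice
BASE = "https://news.example.com"    # hypothetical opt-out host
LIST = "weekly"
UNSUBSCRIBED = set()                 # stand-in for the suppression list


def unsub_token(recipient: str) -> str:
    """Opaque per-recipient token, so the opt-out page never has to ask for an address."""
    body = base64.urlsafe_b64encode(f"{LIST}:{recipient}".encode()).decode().rstrip("=")
    return body + "." + hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()[:32]


def parse_unsub_token(token: str):
    """Returns (list, recipient) or None when the signature does not match."""
    body, _, sig = token.partition(".")
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()[:32]
    if not hmac.compare_digest(expected, sig):
        return None
    lst, _, rcpt = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)).decode().partition(":")
    return lst, rcpt


def build_message(recipient: str) -> EmailMessage:
    msg = EmailMessage()
    msg["From"] = "newsletter@news.example.com"
    msg["To"] = recipient
    msg["Subject"] = "Weekly digest"
    tok = unsub_token(recipient)
    # RFC 2369: offer mailto as well as HTTPS, for clients that cannot POST.
    msg["List-Unsubscribe"] = f"<mailto:unsub@news.example.com?subject={tok}>, <{BASE}/u/{tok}>"
    # RFC 8058: the client may POST exactly this body to the HTTPS URI for one-click opt-out.
    msg["List-Unsubscribe-Post"] = "List-Unsubscribe=One-Click"
    # The footer link is the same URI, reached by GET, which only renders a confirm page.
    msg.set_content(f"(digest body)\n\nUnsubscribe: {BASE}/u/{tok}\n")
    return msg


def handle_request(method: str, path: str, body: str = ""):
    """Minimal opt-out endpoint. Returns (HTTP status, what happened)."""
    if not path.startswith("/u/"):
        return 404, "not-found"
    parsed = parse_unsub_token(path[3:])
    if parsed is None:
        return 400, "bad-token"
    if method == "POST" and body in ("List-Unsubscribe=One-Click", "confirm=1"):
        UNSUBSCRIBED.add(parsed)          # mail-client button, or the button on the confirm page
        return 200, "unsubscribed"
    if method == "GET":
        return 200, "confirm-page"        # footer click or security scanner: show a button, change nothing
    return 405, "method-not-allowed"
```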
One of the B2B newsletters I used to help manage costs $25k per year to subscribe to. When email security systems started auto-clicking, we fielded a bunch of angry phone calls before we figured it out.
I know there’s a vocal contingent here on HN that hates all email, but the reality is that email is heavily used for things that people want.
I just learned about the list-unsubscribe header in this article. Is this what allows Gmail to provide its own "Unsubscribe" button on certain emails next to the Subject line?? I've seen this button on certain emails and never knew how they decide when to implement it, or what it does.
That’s indeed what it is. It sends an automatic email to the List-Unsubscribe address, which if implemented correctly per the spec/regulations, authorises an immediate unsubscribe. More secure too because your email address is confirmed by SPF/DKIM. Nobody else with a copy of the email can unsubscribe you via List-Unsubscribe, like how just anyone can click the unsubscribe footer link if you forward it.
This is less true than it used to be. Email inbox providers return a hard bounce if the email does not exist. Most load images by default, which returns a positive signal.
Same thing with SMS: if the number can’t receive SMS, the system returns an error.
If you’re not sure, using the client-provided unsubscribe link (usually up near the “from” address or subject line) is better than the one in the footer. Inbox providers like Gmail, Microsoft, Yahoo etc log these clicks and use them to adjust their filters.
FWIW I use unsubscribe all the time and it’s quite effective, I don’t get the sort of garbage you describe. The only unwanted emails I get are after signing up for a new service and they start sending me marketing emails (which I almost certainly didn’t consent to so I’d say that’s spam, but at least I know where it’s from and these are the ones I unsubscribe from).
Edit: maybe it’s just that gmail spam filters work well?
Using "unsubscribe" on real businesses is perfectly fine, even if they added you to their mailing list using some sort of dark pattern. It almost always works and rarely has negative effects.
Using it on "enlarge your penis now" type spam isn't, to say nothing of outright phishing of course.
The format of "unsubscribe" links has gotten more elaborate over the years. I used to write shell scripts using wget to unsubscribe vast numbers of randomly generated "email addresses". That's typically not reasonable to do these days because either the unsubscribe links are obviously broken or the format of the GET or POST is not clear.
Email aliases are the only real protection I've ever found.
Fastmail offers almost unlimited aliases, and throwaway addresses.
Others are starting to do it.
I doubt gmail will ever offer aliases or similar protections.
It's sad because all the new "private emails" like Tuta only offer a very limited number of aliases. Legit throwaway addresses offer a good compromise between privacy and security.
> try to count how many times you clicked “Delete” on junk or unwanted inbox messages
I don't understand that sentence in the article though. I click on "report spam" every time because that's what it is, even if it's a legitimate business that I used in the past. They use dark patterns to make you subscribe, but it's not honest, therefore -> spam.
“Spam” as a neologism doesn’t have a widely agreed upon shared definition. The most apt would seem to be “email I don’t want”. But that’s not too helpful when third party gatekeepers are trying to mass assign status to an email. The same email could be unwanted by one person and very gratefully received by the next.
This type of pattern is very easy to scrub if you had a list of email addresses.
I have anecdotal evidence inside my own inbox that this behavior is happening. You aren’t buying security from anything but the lazy and ignorant spammers.
I don't use email anymore, but the last few years I did was only possible because I owned a domain name and had a catch-all set up.
You can then immediately isolate any bad actors, and don't have to rely upon a `+` sign (easily filtered) to "differentiate" email addresses. More-commonly-used logins can then be preliminarily filtered to separate internal email accounts (e.g. known-junk can be sent to rarely-accessed account; family contacts can be sent to notifications).
Can't you use youraddress.servicename@gmail.com? I thought gmail strips whatever comes after the dot. (I don't have a google account, so I could be wrong or maybe it was a different character, but I remember reading about it a couple times on here.)
You can have aliases on Gmail if you use Google Workspace (for custom domains), but there's a limit and no support for wildcards. Wish they had those, because then it's very easy to find out who sold your data.
Fastmail adds a header to every email with any sort of unsubscribe link. I send those to their own folder (except ones I add to contacts). My main inbox is basically 100% things I expect to see there at this point. I view the mailing list stuff less regularly and unsubscribe anything I don’t want there. If it keeps coming (or if the unsubscribe process requires more faff than doing it through my mail client) I delete it and mark as spam. In 30 years I don’t think I’ve ever felt more in control of my email.
I've always felt this way, any indication that you are there and receiving the email is just a system somewhere along the line opting you into something else. My general rule for some time now is to report it as spam, and block the domain. Never respond, never acknowledge. Same with telephones, if I don't recognize the number I just don't answer.
DNSFilter estimates that 1 in every 644 email unsubscribe links is liable to send a user to possibly malicious sites. And while that might seem like a low percentage at first glance, try to count how many times you clicked “Delete” on junk or unwanted inbox messages in the last week alone.
Not many, these days. Google does a good job of separating out the actual spam. The vast majority doesn't even go to the spam folder; they just delete it. Dunno what criteria they use but I'd bet most of it is really really obviously bad.
I see some legal commercial email, and if I did in fact do some kind of business with them, I hit unsubscribe and they stop. No harm, no foul.
I see some legal commercial email in my spam folder. I never want it, but I unsubscribe, and again, no harm no foul. My spam folder is down to about one per day. (Plus untold thousands that I never see at all.)
It's surely not perfect and perhaps once or twice a year something genuinely dangerous gets into my inbox. Given the wild wild West that email was until recently I take that calmly. Email was rapidly approaching unusable a decade ago.
Just another reason to report literally anything from a business that you don't desire as spam. Auto-checking that "send me spam emails" box should hurt their spam score enough to make them stop doing it.
smtp has no unsubscribe primitive. it's not part of the protocol. every unsubscribe feature is layered on top by clients, usually based on list-unsubscribe headers or heuristics. that means spammers can inject fake ones that look legitimate. consistency in client behavior makes this worse. once the format is known, it's easy to spoof. clients auto-surface these links assuming good intent, but the underlying transport has no way to verify any of it
https://www.valimail.com/blog/one-click-unsubscribe/
When I see them spamming me from a dedicated email address I don't even click unsubscribe anymore.
I.e., they didn't know if the spam ever reached an actual inbox until you followed the unsubscribe link.
...why?
I would guess that that's pretty rare, as not many people know about this trick.
It's easy to generate random new @duck.com aliases for the primary.
I have a browser plugin (mobile and desktop) that recognizes email form fields and offers to generate a new random @duck.com alias for the field.
When an alias starts to receive spam, I disable it.
It ignores periods so you could also use your.address@gmail.com or y.ouraddress@gmail.com or whatever.
Some sites block plus addressing but that's what I use a lot of the time.
Gmail ignores dot characters. y.o.u.r.e.m.a.i.l@gmail.com is equivalent to youremail@gmail.com
yourname+servicename@gmail.com
From my experience, many (bad) websites consider "+" an invalid character and prevent you from using the address in this form.
Smart spammers can just strip the service name since it works the same for all Gmail users.
Really need dedicated addresses like Fastmail's Masked Addresses.
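The Gmail equivalences discussed above (dots ignored, `+tag` stripped), used from the list operator's side as an added example (not code from anyone in the thread): canonicalising addresses lets a signup form spot a burst of "different" addresses that all deliver to one Gmail inbox, and the plus tag, where present, records which service an alias was handed to. Non-Gmail domains are left untouched because dots and tags are not guaranteed to be equivalent there; the sample signups are constructed.

```python
from collections import Counter
from typing import Dict, List, Optional

GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_mailbox(address: str) -> str:
    """Collapse the spellings that reach the same Gmail inbox into one key.

    Only Gmail is normalised: it ignores dots in the local part and everything
    from '+' onwards. Other domains are returned as-is (lower-cased) because
    they may treat dots as significant and may not support subaddressing.
    """
    local, _, domain = address.strip().lower().rpartition("@")
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def plus_tag(address: str) -> Optional[str]:
    """The 'servicename' in yourname+servicename@..., or None if there is no tag."""
    local, _, _ = address.strip().rpartition("@")
    _, plus, tag = local.partition("+")
    return tag if plus else None


def flag_mailbox_bursts(signups: List[str], threshold: int = 3) -> Dict[str, int]:
    """Canonical mailboxes that appear at least `threshold` times in a signup batch."""
    counts = Counter(canonical_mailbox(a) for a in signups)
    return {mailbox: n for mailbox, n in counts.items() if n >= threshold}


# Constructed signup batch: three variants of one Gmail inbox plus two unrelated addresses.
SAMPLE_SIGNUPS = [
    "yourname+promo1@gmail.com",
    "your.name+promo2@gmail.com",
    "Y.O.U.R.name@googlemail.com",
    "alice@example.org",
    "bob+news@example.org",
]
```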
"DNSFilter estimates that 1 in every 644 email unsubscribe links is liable to send a user to possibly malicious sites."
/s