We all get emails we don’t want, and cleaning them up can be as easy as clicking ‘unsubscribe’ at the bottom of the email.
However, some of those handy little links can cause more trouble than they solve.
You may end up giving the sender a lot of information about you, or even an opportunity to infect you with malware.
Of course, not everyone who sends you mail is a spammer and if you know that a sender is trustworthy it’s safe to unsubscribe.
Unfortunately, phishing attacks rely on the fact that it’s very, very easy to fake who and where an email has come from, so it’s all but impossible to be 100% sure who has sent you an email.
Here are 5 reasons why unsubscribing can be a bad idea, whether you do it by sending a reply email or opening an “unsubscribe” web link:
1. You have confirmed to the sender that your email address is both valid and in active use.
If the sender is unscrupulous then the volume of email you receive will most likely go up, not down. Worse, now that you have validated your address the spammer can sell it to his friends. So you are probably going to hear from them too.
2. By responding to the email, you have positively confirmed that you have opened and read it and may be slightly interested in the subject matter, whether it’s getting money from a foreign prince, a penny stock tip or a diet supplement.
That’s wonderful information for the mailer and his pals.
3. If your response goes back via email – perhaps the process requires you to reply with the words “unsubscribe,” or the unsubscribe link in the message opens up an email window – then not only have you confirmed that your address is active, but your return email will leak information about your email software too.
Emails contain meta information, known as email headers, and you can tell what kind of email software somebody is using (and infer something about their computer) from the contents and arrangement of the headers.
4. If your response opens up a browser window then you’re giving away even more about yourself. By visiting the spammer’s website you’re giving them information about your geographic location (calculated based on your IP address), your computer operating system and your browser.
The sender can also give you a cookie which means that if you visit any other websites they own (perhaps by clicking unsubscribe links in other emails) they’ll be able to identify you personally.
5. The most scary of all: if you visit a website owned by a spammer you’re giving them a chance to install malware on your computer, even if you don’t click anything.
These kinds of attacks, known as drive-by downloads, can be tailored to use exploits the spammer knows you are vulnerable to thanks to the information you’ve shared unwittingly about your operating system and browser.
So how do you avoid unwanted email without unsubscribing?
If the message is unsolicited then mark it as spam.
Marking something as spam not only deletes the message (or puts it into your trash), it also teaches your email software about what you consider spam so that it can better detect and block nefarious messages in the future and adapt as the spammers change their tricks.
This helps not only you but everyone else too.
Image of envelope courtesy of Shutterstock.
58 comments on “5 things you should know about email unsubscribe links before you click”
Excellent advice. However, it should be added that when marking an unsolicited email message some web-based email services (Gmail, for one) offer to unsubscribe your address on your behalf, supposedly securely. Do not take up the offer! You don’t know how this is done. I mean, how can it be secure? When Gmail requests, on my behalf, a spammer “please unsubscribe this email address from your spam lists”, how can I be sure that this is secure? I mean, come on!!!
Just mark it spam (or phishing) and leave it at that.
When Gmail unsubscribes you on your behalf, it’s relying on the List-Unsubscribe header (if present). That’s basically a machine-readable unsubscribe link provided by the sender, which can contain either an email address or a link or both.
#1 and #2 still apply no matter how you unsubscribe, so you’ll still want to reserve it only for cases when you know who the sender really is.
#3, 4, and 5 are mitigated if the request is sent directly from your provider. Your browser or mail software isn’t involved, and you don’t have to worry about leaking your software/os info, or drive-by downloads. However, these are still risks if the auto-unsubscribe is handled by an email client on your own computer, or if it’s handled by presenting a link for you to click on (in which case it’s identical to clicking on a link in the message).
Additionally, the webmail provider can put some logic into deciding whether or not to present the option. Sticking with the example of Gmail, for instance, their help page on the topic says “Gmail won’t display Unsubscribe for lists that are known to be owned by spammers.” A provider could put more thought into it and, for instance, only show the option for senders that they trust to honor the request.
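The List-Unsubscribe handling described in the comment above can be inspected before anyone acts on it. The following is an added example, not code from the article, the commenters or any mail provider: it parses `List-Unsubscribe` (RFC 2369) and the one-click marker `List-Unsubscribe-Post` (RFC 8058) from a constructed message and reports, for each target, whether it is a mail or web target, whether its host matches the From domain, and whether the link embeds the recipient's address. All addresses, domains and the token are constructed placeholders.

```python
import base64
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import unquote, urlsplit

# Constructed sample (not real mail): the web link hides the recipient's
# address as an unpadded URL-safe base64 token, a common tracking pattern.
TOKEN = base64.urlsafe_b64encode(b"alice@example.org").decode().rstrip("=")
SAMPLE = f"""\
From: Example News <news@newsletter.example>
To: alice@example.org
Subject: Weekly update
List-Unsubscribe: <mailto:unsub@newsletter.example?subject=unsubscribe>,
 <https://track.mailer.example/u?id={TOKEN}&c=4471>
List-Unsubscribe-Post: List-Unsubscribe=One-Click

Body text.
"""


def _mentions(uri, address):
    """True if the URI carries the address in plain, percent-encoded or base64 form."""
    if not address:
        return False
    text = unquote(uri)
    if address in text.lower():
        return True
    for token in re.findall(r"[A-Za-z0-9_-]{8,}", text):
        padded = token + "=" * (-len(token) % 4)
        try:
            decoded = base64.urlsafe_b64decode(padded).decode("utf-8", "ignore")
        except ValueError:  # not valid base64 (binascii.Error is a ValueError)
            continue
        if address in decoded.lower():
            return True
    return False


def unsubscribe_targets(raw_message):
    """Describe every target listed in a message's List-Unsubscribe header."""
    msg = message_from_string(raw_message)
    header = msg.get("List-Unsubscribe", "")
    # RFC 2369: a comma-separated list of URIs, each wrapped in angle brackets.
    uris = [u.strip() for u in re.findall(r"<([^>]*)>", header)]
    # RFC 8058: this exact value signals that an HTTPS POST alone unsubscribes.
    post = msg.get("List-Unsubscribe-Post", "").strip().lower()
    one_click = post == "list-unsubscribe=one-click"
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    recipient = parseaddr(msg.get("To", ""))[1].lower()

    results = []
    for uri in uris:
        parts = urlsplit(uri)
        scheme = parts.scheme.lower()
        if scheme == "mailto":
            host = parts.path.rpartition("@")[2].lower()
        else:
            host = (parts.hostname or "").lower()
        same = bool(from_domain) and (
            host == from_domain or host.endswith("." + from_domain)
        )
        results.append({
            "uri": uri,
            "kind": scheme,
            "host": host,
            # A mismatch is not proof of abuse (bulk senders often use a
            # separate sending service), but it is worth a second look.
            "same_domain_as_from": same,
            # Points 1 and 2 of the article: using the link confirms this address.
            "carries_recipient": _mentions(uri, recipient),
            # Only an HTTPS target with the one-click marker can be handled
            # by the provider without the user's own browser or mail client.
            "provider_can_post": scheme == "https" and one_click,
        })
    return results


if __name__ == "__main__":
    for target in unsubscribe_targets(SAMPLE):
        print(target)
```
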
Well I never, I do hope Google read this. I’ve been putting spam in my gmail spam folder for years, but it still keeps coming. Other systems may learn but not it seems Gmail. I still do it, but it is the triumph of hope over experience …
Look up email filters. You can put something in spam by matching a string in the subject/body/email address. It is pretty easy to set it up. Google mail does learn to put spam in your spam folder if it is coming from the same source.
That only filters messages with the same header. Sadly spammers send out junk that is constantly changing so this will not help. The filters were never intended for this purpose so not designed to ‘catch’ spam, so loads will still get through and not be assigned to spam or trash.
just filter mail by word “unsubscribe” and set it to skip inbox. boom.
Spam, phishing, unsubscribe.
I think you are pushing people to mark stuff as SPAM that isn’t necessarily SPAM here. Would it not be best to open a ticket with the company through their website and request an unsubscribe?
Marking emails as SPAM can have an impact on that company’s credibility and cause future email to go directly to SPAM. So in some cases companies are sending perfectly legitimate mailers that users have opted into and are then being penalized for this.
Coming from a customer service background, in my experience I’ve found this impacts badly on users’ ability to then receive customer service emails from the same mail server/company.
In answer to your first question, I present this blog. As it states, if you know who it’s coming from (and you subscribed), then you have a choice of binning it locally (filtering out future mailings) which doesn’t affect anything but your personal inbox, or clicking the unsubscribe link.
However, if you never subscribed to it in the first place, it doesn’t really matter if the sender considers it SPAM or not. It’s unsolicited email, and that’s what spam filters are designed to filter out.
Personally, what I tend to do is send a personal email to a contact at the company that I already have, asking them to unsubscribe me. If I don’t already have a contact at the company, then I question their trustworthiness, as someone at a company with no prior relationship who is sending me an email with an unsubscribe link (as opposed to a direct person-to-person email) is violating a few local unsolicited email laws in the first place — I probably don’t want to receive future emails from such a company.
One other suggestion for companies who are sending out unsolicited or “forgotten prior relationship” emails: only send personal (not listmail) emails from your corporate domain. Set up a secondary domain or contract an Email Service Provider to send out customer service notifications and other not-directly-solicited messages from the company, so that in the chance that some blacklisting service does blacklist these messages, your corporate email service can continue to function while you sort things out.
Spoken like a true spammer.
If the mail is unsolicited and I don’t want it, why should I accept mail from some customer service person? I didn’t ask for it and it is my choice to put it in spam. Don’t try to make people think that they should not spam anything that they want Matt!
Labeling as spam does not always work, especially with Outlook. I tried going direct to my mail server but they have no option for labeling email as spam.
I’m torn on this one. As one who markets via email to consumers, I’d much rather have them unsubscribe and opt-out of communications than mark my email as spam. It hurts my relationship with ESP’s (Email Service Providers) and can blacklist me as a merchant. There is a difference between opting out of subscriptions that people no longer want to receive and actual spam. There isn’t one bucket fits all.
The question one should ask is “was this email sent unsolicited?” If the answer is yes, then it IS spam, and the spammer SHOULD be cut off and flagged as a spammer.
If one doesn’t like that, then one should not send the email. The exception is sending to real customers (i.e. customers with whom you have a prior business relationship).
It’s no different from paper junk mail, except that there’s more of it and it is thus more annoying. Some businesses see spam as “free advertising”. But, there IS a cost, and that cost is goodwill towards non-customers. Most people will put up with a little inconvenience out of politeness. But, give them a lot and they will revolt.
People forget they’ve signed up for things. This is not the fault of the marketing company, or their client. Don’t use the “SPAM” link unless you are very sure you never agreed to receive emails from the company. It certainly should not be the default response for every unwanted email.
I agree with Loretta. I am involved with a non-profit, and people will report one of our family of newsletters as spam. The Web manager of that newsletter will forward the spam notice sent to him, and our protocol is to immediately remove the address from all of our email lists. We don’t want to take the chance of any of our domains being blacklisted. We also have a policy of not signing up anyone unless they themselves signup on one of our Web sites, or use a signup sheet at a conference, etc. So, these are legitimate subscribers who signed up and confirmed their subscriptions, and will report one of our newsletters as spam. Not good.
If you are using a service/website with vulnerabilities (like WordPress), your subscription service can be used by DDoS attackers automatically subscribing an email they are attacking. So people reporting your emails as spam may have been signed up by someone else.
In general I just mark stuff as “Junk” if I no longer wish to receive it. Most of the “unsubscribe” links contain way too much incomprehensible stuff, leading me to believe that I’m giving them way more information than I want to (at best), or I’m clicking on a link that will get me into big trouble (at worst).
Marking stuff as junk that you deliberately opted in to, depending on the mail client or service you use, can get the legitimate sender in trouble, which isn’t fair.
The unsubscribe link has to identify, at a minimum, your email address but will usually do it in the form of a code that identifies who you are to the newsletter service provider so that they can unsubscribe you. Other than that, it will usually also include a code to identify the newsletter and particular issue that caused the unsubscribe. There is nothing harmful about this. In fact, as the link can only be inserted by the newsletter provider themselves, it can only represent information about you that you’ve already given them that is already stored on their systems.
Assuming you are using an email client that is not 10 years old (i.e. it does not allow arbitrary execution of scripts which is most modern clients) there is no way an unsubscribe link can reveal anything new about you or your computer. The web server that processes the link can find out from you anything that any ordinary website can, such as IP address, approx. location and info from cookies previously set by that website when you last visited it (or 3rd party sites if you don’t restrict 3rd party cookies in your browser) but that is no more than any other website can do.
Your solution that marking something as spam will teach one’s email software is wishful thinking. Yes, that’s how things OUGHT to work, but my Microsoft Entourage and my Comcast browser interface do not do this. I have ranted at Comcast and they have some stupid rationale for it not doing this, and forced me to create filters, which is a pain in the ass. So much for logic.
Sounds like a bad spam filter rather than bad advice.
Spammers change the messages they send constantly so creating hard and fast rules to filter emails doesn’t work very well.
Spam filters use techniques like Bayesian Filtering to learn what a given user considers to be spam. You teach them by labelling spam as spam and by correcting it when it labels legitimate emails as spam.
A product like SpamAssassin requires you to train the filter with between 1,000 – 5,000 spam messages and 1,000 – 5,000 legitimate messages.
So you have to put the effort in to teaching it with ~2,000 messages (of course you don’t have to do that all in one go, but to begin with the more you train it the better it gets.)
Having been trained spam filters can make good guesses about whether or not a new email is a spam or not, even if it’s a message it’s not seen before and in my experience they catch a lot more than they don’t.
I use the filter on Yahoo mail, I filter every cuss word known to me and all the sexual come on’s I can think of, then all the Spammer opening lines I can think of. It really cuts down on my junk. The few that get through then go to the unsubscribe folder. All my friends know that when they communicate with me to clean it up as if they are talking to their grand mother or preacher, or I will just never see it.
Don’t you think it’s a bit draconian to mark all unwanted emails as spam, even those that you originally signed up for but are now just tired of? That sends a signal to other servers that the sender is a spammer and can get their emails blocked unnecessarily (and unfairly).
I agree that the fact that an email is unwanted does not, ipso facto, make it spam – neither legally (in most jurisdictions) nor (as you suggest) necessarily morally.
Unsolicited email is almost always unwanted, but not all unwanted email is unsolicited.
So I guess reporting it to your service provider as spam would be unfair, but telling your own server or email client to treat it as spam is surely perfectly OK?
SPAM is “unsolicited email”. “Marketing” email is still unsolicited; aka SPAM.
Strictly speaking, the definition varies by country.
(Also, you aren’t supposed to write “spam” in the context of email all in caps. Hormel Foods doesn’t like it. Legalistically, SPAM should be used to refer unambiguously to the pressed meat “spiced ham” product that comes in those rectangular tins.)
Unsolicited Email is SPAM. Hormel’s Food product is SPAM™.
Old news here… by ten years or so. The CAN-SPAM act was done in 2003. It was known then that even an opt-out could and would be taken advantage of by shady solicitors and phishers/scammers. That the opt-out would not curb spam or data-mining. An opt-in would have been better. But, as usual, law makers are generally incompetent. The act really didn’t do anything to “can” spam.
According to https://www.ftccomplaintassistant.gov/GettingStarted#crnt
“You can forward unwanted email(s) to the FTC at firstname.lastname@example.org.”
I once had a mail browser with a “Bounce” option, which purported to mark a spam email as undeliverable and bounce it back to the sender. I was never convinced that it worked properly. Is there no means of deceiving a spammer into thinking that one’s email address does not exist?
Good advice, but I would add one caveat–if you mark as “spam” an email newsletter that you DID at one subscribe to, but no longer wish to receive, this will often count against the organization sending the email. Our organization sends out emails via an email service, and while we do not spam, and are scrupulous about sending email ONLY to people who have explicitly subscribed to our mailing list, we will get blacklisted if we get too many reports of spamming. So if you know that an email you receive is legitimate, and you have no desire to do damage to that organization, stick with the “unsubscribe” link.
Hello, I don’t totally agree with this post.
Since I “cleverly” use the opt-out links I receive 20 times less spam than before. Unfortunately I regularly fall on the same mass mailing platform.
When I say cleverly is that if the message appears correctly formatted and seems to not be a phishing facade.
But then I probably placed too much confidence in the companies behind these emails, and now rather than clicking on the link I will copy it in a secured browser.
Apparently, we are pretty much at their mercy at the expense of our time (see above). It would be nice to have a “Do not mail list”. I don’t know you? Stay out of my inbox. I stay out of yours, it is not your right or privilege to be in mine. I didn’t loath advertisers until I became convinced that someone would probably pop out of my toilet someday pushing a deal, priding themselves in creating a new sneaky inroad to my privacy in the name of good salesmanship. I find you in my inbox, be guaranteed you are on my “Do not buy list”.
Well, if somebody’s sister in law is making $85/hour from home scratching their ass all day long and they are WILLING to share their secret with a perfect stranger like me -for FREE nonetheless-, I’d be a FOOL *not* to open that email !!! You people just don’t understand.
Those emails are nothing but scams. Hard work and furthering your education is the only way to make decent money, unless you’ve found a way to leech off of the system. Disability seems to be the new welfare in the U.S. now, unfortunately.
I run outlook, but I don’t see a button that says MARK THIS EMAIL AS SPAM, so I can only unsubscribe, or simply delete the email before having a chance to see what it is. I know of some people who send me emails and I don’t like them so before opening their email, I simply ignore them.
Something I don’t get as a marketer is people writing back to me telling me not to send them emails again – there’s an unsubscribe link in every email at the bottom of what is clearly a newsletter. Just hit unsubscribe, people! It’s not so hard. In fact to unsubscribe them, I have to click that link myself.
Also it is not my choice to send them the emails, since my boss insists on subscribing every single person we come in contact with despite my resistance and warnings. I’m just a cog in the machine, not the operator, so quit taking your aggression out on me!
How come I was receiving spam list email after I had unsubscribed and wrote to him an angry, nasty comment as to why I hate his personality? Then I received his emails in my inbox again and they weren’t marked?
I have an older iPad and do not have the “Report as Spam” option. What should I do to report and stop unsolicited emails?
When I click unsubscribe, some sites then ask for my email address… they sent me mail… which I don’t want… why give them my address?
This is most likely due to poorly implemented unsubscribe facility. You should not need to provide your email again to unsubscribe.
Any “business” who sends me junk mail can sure as death and taxes know it’s going into SPAM. I did not ask for advertisements via email. I loathe advertisements / commercials, on TV, Web and Radio as much as I hate terrorists and cancer. Whether or not it hurts a “Business” in the future isn’t my problem whatsoever. Don’t send strangers JUNK MAIL and expect it to not go straight to spam.
I never click an unsubscribe link and always kick the unknown into spam. Most spammers use a rotating address system so you get the same spam from an apparently different source. It might be a pain but just kick it and get on with your day.
I want to know how my work email address -NEVER given to anyone outside the organization – gets spam emails sent to AND they are addressed to ME by name and related somewhat to the position I am in with my company (IT dept). #1 how do they know my name? #2 how do they have spam email related to our IT software or saving money with different servers blah blah blah, but only emails I have ever sent were internally. Is there anyone who can answer that? I find it highly annoying but we do have protection internally that only shows me the incoming emails that have been “caught”. I look them over then delete the notification. How does this still happen in 2017?
I’ll suggest 2 possibilities:
1. Someone you have emailed got hacked and their address book/email history was sold to a spammer.
2. You used the email to register on a site that either sold their data to spammers (technically legitimately or otherwise) or they got hacked and their user database sold.
There may well be other paths, but those are the 2 obvious ones that come to mind.
As an IT guy myself it isn’t very difficult to work out what a company email naming convention is. I have used it myself to contact a CEO about his staff ignoring problems I raise and even worse repairs just being deleted by them. A lot of companies use Surname.email@example.com or the reverse, once you know one email address it is very easy to identify the person or anyone else you want to contact, 2/3 failures then success. As far as I am concerned I know who I have subscribed to and will hit the unsubscribe link, unless it asks for my email address and then I cancel and it gets marked as spam, if the company are sloppy about the link then that is their problem not mine, I don’t know if they are the right company or not, their own link should be enough, bad luck if it isn’t.
It’s already been said to some degree here but I want to reiterate: you have an important responsibility to use report spam accurately. I hate spam as much as the next person but I also have the perspective of someone in IT that has to deal with sending emails and IP reputation/spam complaints, and for a 100% legitimate company that only sends 100% double opt-in newsletters and requested email communication, it is extremely damaging when people send false spam reports. To the point that a company can most definitely go under because of it.
The problem is that real spammers don’t care about IP reputation. They are sending from hacked machines or short-lease servers, perhaps paid for by a stolen credit card, or they just don’t care if most emails don’t get through because of their bad reputation. But legit businesses are completely above board on these items, maintaining 1 (or a few) static IPs, so all spam complaints really count against them. Now a small % of spam complaints is generally allowed without punishment, but we’re talking REALLY small, like tenths of a %. So if I send out 1000 emails in a week and just 3 complain? Already getting blocked. And this affects recipients negatively. How many times have you tried to register with a company you know to be legit, but you never got the email confirmation that you need to complete registration? Dollars to donuts that is because their IP reputation is no good (well, or your spam filter is too aggressive, as most are, by necessity unfortunately) as a result of people falsely sending spam reports.
To help understand the pain that legit mailers go through every day, here’s the kind of spam reports I get regularly:
1. Welcome email when user registered
2. Notification of new content that the user explicitly requested
3. 25 spam complaints all at once from 6 months of a weekly newsletter (that was double opted in to) (yes, that counts as 25 complaints… IMO it shouldn’t but it does)
4. My favourite: password reset request email… from people I know PERSONALLY and KNOW they requested it because they also called me saying they couldn’t get in.
Now some of these can be reasonably explained, mainly because they didn’t see our emails for months as they went to spam, and when they finally see an email they have forgotten who we are. Or we send emails infrequently, with the same effect. Or badly designed mail UIs that place a spam button right next to the delete button (bonus feature: the buttons shift position depending on whether the sender is a paid partner of your ESP, so you click where you expect Delete to be and it is Spam instead). But some people, a lot of the people commenting here judging by the angry, callous attitudes, just don’t care and are quick to shoot first and ask questions later. Again, I get it, I’m sick to death of spam too. But please remember to give real thought before you report spam, and actually THINK about whether you may have requested this email (and yes, that includes things like you registered for a site and they send an annual update or a policy change notice… those are reasonably implied requests… I’m not talking about a weekly special or spam-ish shit like that).
Remember, if email for legit users gets any worse, it is just going to make it harder to do anything for you too… and costs you $ if it means things like companies moving to texting instead of email… which may be even MORE annoying anyway.
I don’t disagree with any of this, other than the “responsibility” part. It is not our responsibility to be accurate in our reporting of spam. It would be nice for you if it were, but I think this falls into the category of “Sorry Dude, not my problem.” Some of us are so overwhelmed by spam that we just want to fight back any way we can, and if people like you get caught in the cross fire, then it sucks for you, but not my problem.
And I am not talking about Viagra ads and Nigerian prince spam – I get 30-50 emails from “legitimate” businesses, probably because I gave my email address for something years ago. But it can severely hamper my productivity just cleaning up this mess every day, and if I am out of the office for a few days, I can barely find legitimate emails for all the junk mail in my inbox.
If they’re from legitimate companies, that you gave your email to (i.e. consented to receive communications from), the correct way to deal with it, is to use the provided “unsubscribe” feature.
Even if you don’t want their email, other people do. Abuse of the “SPAM” link, which is essentially what you’re advocating, harms legitimate businesses, and makes it harder for them to communicate with their customers.
I don’t have any responsibility for random entities sending me ads. I pay for data. They are using it up for free. Nope. If it’s not under my control, I bear zero responsibility. And getting mail sent to me by entities I’ve never heard of isn’t under my control apparently.
You have no idea what you are talking about. I have been putting unwanted, unsolicited emails in my spam folder for years. It has absolutely no effect. Try passing yourself off as an expert on another webpage!
Do spam or unsolicited emails come as information email? Using your wife’s initial and the word ho attached with the username? My husband had bunches of unsolicited emails and also a bunch of confirmation emails. All with his info already listed?
…why not just ‘block sender’
I would love to be able to return to sender the spam from Wal-Mart, Amazon, Loblaws, Pay Pal etc and be able to send them times 1000, so that the crooks sending them out are inundated with their own fake mail.
“Most scary”? I think you mean “scariest”.
I don’t think this article really knows how mass email works. For the most part, emailers don’t want to waste their time and money (it costs mailers money to send out their emails) emailing people on the off chance that one day they might actually make some money back from mailing that person. Mailers don’t share your information with their friends when they see you unsubscribe because…oooooo, look, it’s a real person…however, email lists are sold to mailers on a regular basis so, if your name is on a list, and it is sold as a raw list to a bunch of people, all of those people are going to email you. So, let’s just face it, we all just have to hit the unsubscribe button whenever we aren’t interested in the cool stuff that might be in those emails. And, as long as we have an email address, we’re going to have to continue to hit that unsubscribe button because our email address is probably going to be scraped by one or several people who do this, or your email address is on a list at a place that has been compromised and once that list is out there, it’s out there forever. Really, just hit the unsubscribe because legit mailers DON’T WANT YOU ON THEIR LIST!! Oh, and by the way, did you notice that this site collects your email address too? Watch for an increase in email volume.
To be clear, this site invites you to provide your email address if you wish to receive a newsletter email that tells you when a new story is published. That is the only thing we use those email addresses for.
Fun fact: according to the CAN-SPAM act, any unsolicited emails must have a functional unsubscribe link. If the link doesn’t work, it’s a violation.
Not that spammers care, anyway. 99% of spam these days is at the very least bait-and-switch (ad claims to be from one company, links actually go somewhere else), if not outright scams. They’re untouchable due to how they spoof email addresses and they would be in some serious hot water anyway if actually caught, a CAN-SPAM fine would be peanuts in comparison.