BLOG
Don't unsubscribe from spam!!
Having been around the email and anti-spam industry for a while, I’ve just about seen and heard it all. In fact, sometimes I’ve been around for the beginning of the myth.
One myth that seems to never actually go away is “unsubscribing just confirms you’re a real address and your address will get sold and your spam load will explode.” This is related but orthogonal to “spammers harvest addresses out of unsubscribe forms.” The reality is that both of these things used to be true. Unsubscribing would confirm your email address and increase your spam load. Spammers would harvest addresses out of unsubscribe forms.
But neither of these things have really been true for the last decade.
I have had clients over the years that are spammers. Some of the are names that you probably would recognize. Some of them are companies we could probably all agree are spammers. Some of them are buying addresses from companies that are spammers. Some of them are companies that have a good mailing program here and then hire snowshoers over there. Sometimes they come to me claiming to be real mailers “with minor delivery problems.” Sometimes they come to me saying that a blocklist has recommended they talk to me about repairing their processes. Sometimes they even actually want to fix things. Sometimes they’re just looking to say that I’ve given them a clean bill of health (which is not something I do).
What that means is that I have lots of addresses on lots of spammer lists. Not just the ones they’ve found, but ones I’ve used to test their systems. I use tagged or disposable addresses for everything. Some of my disposable accounts are only marginally connected to me as I want to see what senders really do for their subscribers rather than what they want me to think they do. The ones I add to their system I use to test their subscription process as well as their unsubscription process.
I have never encountered a situation where unsubscribing one of those addresses caused a “multiplication” (to quote one anti-spammer) of my spam load.
I’ve had cases where my clients have ignored unsubscribes. I’ve had cases where my clients have decided years later to add me to their list again. I’ve had cases where they’ve been bought out and my address has been reactivated by the new owners. I’ve had cases where months or even years of 5xx responses was ignored. I’ve seen just about every bad bit of behavior on behalf of spammers. But I’ve never actually had unsubscribing increase my spam load.
It doesn’t matter how often people demonstrate unsubscribing doesn’t result in more spam in the current email ecosystem. (Ken Magill 2013, NYTimes 2011, dayah.com 2009). It doesn’t matter that many mailers treat “this is spam” button hits the same way they handle unsubscribe requests. The myth still persists.
I’ve not seen that either and it’s good that you make that point. But what I have seen several times is an ‘unsubscribe’ link that linked to the same payload as all the other links in the email. Could have been Canadian Pharmacy stuff. Could have been malware via some exploit kit.
I’m not tracking this kind of spam and it may be a small minority. It was always the kind of email that you and me would recognize as spam from a few miles away. Not everyone is like you. Or me.
When a computer magazine asked me some readers’ questions about spam earlier this year, one of them was about unsubscribe links and whether they were safe. Somewhat reluctantly, because of what you had written before, I felt obliged to say: in case of doubt, don’t click. That is, if it isn’t something you think you ever subscribed to, it’s best to report it as spam. Even though in the vast majority of cases, the unsubscribe button is harmless.
+1, Martijn. What you say is especially true in the past couple of years because the types of user accounts that are targets for phishers have expanded greatly. I have seen phishes aimed at user accounts with large software firms such as Microsoft or Adobe, at user accounts with medium-sized companies that never would have attracted a phish two years ago, etc. If you did not expect the email (and even, in some cases, if you did), it can be dangerous to open a URL. 🙁
I don’t say this to disagree with Laura. Her point that few spammers are using unsubscribe processes to validate email addresses any more is spot on, at least in my experience. If you receive unsolicited bulk email from a legitimate ESP or know, legitimate company’s own IPs, unsubscribing is rarely dangerous.
But while most readers of this blog are capable of telling who really sent an email to them and whether a link is legitimate or dodgy, most users are not. So my feeling is that “Don’t unsubscribe from email that you did not ask to receive” is still good advice. It can protect an average user from malware or a phish that the user can’t easily distinguish from legitimate email from their bank, etc.
I’m not saying the advice is bad: I’m saying the reasons are untrue. There’s a difference between saying “you shouldn’t do this” and “you shouldn’t do this because all these things will happen to you.” If the things that “will happen” aren’t actually true, it makes everything else you say suspicious.
The problem is the reasons, not the directive.
We agree on that. We also agree on good advise for the bad reasons being counter-productive in the long run.
Interestingly, Brian Krebs said something similar at the end of a very relevant blog post today.
[…] Laura Atkins (2013, November 18), Don’t unsubscribe from spam!!. Retrieved from http://blog.wordtothewise.com/2013/11/dont-unsubscribe-from-spam/. […]
Brian Krebs seems to disagree.
[q]Avoid clicking unsubscribe links in the junk emails; for the really spammy stuff, this could get you in trouble (unless it’s an email list you signed up for previously, and then you really should unsubscribe).[/q]
http://krebsonsecurity.com/2013/11/dont-like-spam-complain-about-it/
I’m not sure Brian and I are disagreeing. There are links in really spammy stuff that could get you in trouble. What I’m saying is a lot of what anti-spammers describe as “trouble” is no longer true. That doesn’t mean you should click links just that those who tell people not to do it, need to actually join the 21st century and stop relying on 15 year old examples.