
SANS ISC: Email unsubscribe by reply vs clicking on link standard ? SANS ISC InfoSec Forums

Email unsubscribe by reply vs clicking on link standard ?
I get a number of emails at work each day for IT services. These are the ones that are most likely valid emails from vendors reaching out to try and get new business (unsolicited, but at least not spam/malware/etc...).
Almost NONE of them have the old method of reply with "unsubscribe" in the title/body (at least not advertised as a method to unsubscribe), but require me to click on a link to unsubscribe. What happened to that old industry standard AND is that something that SANS and other security organizations should consider pushing harder on the "industry" to readopt to help companies as well as private individuals have a safer method of getting rid of unwanted emails (to try and teach users not to click on the reply to unsubscribe links)?
Sorry if this topic has been covered recently. I searched but did not find it. Hoping that maybe this topic would be able to drive an improvement. I know technical people probably know better, but if we don't push for best practices who will?

Easy. A lot of mass mailers are done through web frontends or even an application that the user runs on their desktop. Long gone are the days of someone doing mass BCC or mail batching. The unsubscribe link is an easy way to mark a user as unsubscribed in their database. Replying is a completely manual process that would be impossible to track properly for the sender. And with more and more reputable mass mailers under more and more scrutiny (as they should be), they want a more guaranteed way to solve issues of "but I unsubscribed!" "No you didn't." or a way to check for valid subscriptions in the first place.
Darron Wyke

19 Posts
I agree it should be easy. What I was hoping for was a statement and some agreement from SANS staff that it should be a priority and industry standard that everyone pushed for to make it happen.
Anonymous

I don't think it's quite enough to unsubscribe an email by reply. Normally there is an option you need to follow. Simply click the unsubscribe option by clicking a link. That would be good enough I think.
RafealHenco

12 Posts
Rafeal, you seem to be missing the point. If I (or more importantly normal computer users who may know little about security) are clicking on links to unsubscribe, there is a good chance that they will eventually click on a link to malware, virus software, ransomware etc...
If the person who is sending the emails allows for the older method (of replying to the email with the word unsubscribe in the subject line of the email), then it is safer for the user AND the sender should still be able to process the unsubscribe automatically assuming their software supports that method. Clicking on links CAN BE dangerous, reply to an email with unsubscribe is generally safe. It would seem to me that SANS and the IT software industry in general would be promoting this (and putting pressure on email senders to support this method of unsubscribing).

Yes, I got it. I didn't even think about this. However, your point is good though. On the other hand, there is a big chance of important IDs and passwords being stolen.
RafealHenco

12 Posts
I do not see why replying to the email with unsubscribe would require an ID or password to be used.
It is simply a matter of replying to the unwanted email ... via an email and adding the word
"unsubscribe" in the subject line of replied email. No credentials should be needed at all.

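Automatic handling of subject-line unsubscribe replies, as discussed in the posts above, shown as an added example (not code from any poster or from SANS). The function names, addresses and sample messages are constructed for illustration, and matching only on the Subject header is an assumption.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from typing import Optional

# "unsubscribe" as a whole word anywhere in the subject, any letter case.
UNSUB_RE = re.compile(r"\bunsubscribe\b", re.IGNORECASE)

def unsubscribe_request(raw_message: str) -> Optional[str]:
    """Return the sender address (lower-cased) if this is an unsubscribe reply."""
    # policy.default decodes RFC 2047 encoded-words in header values.
    msg = message_from_string(raw_message, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    if not UNSUB_RE.search(subject):
        return None  # the body is deliberately not parsed or rendered
    # Use only the bare address; the display name is ignored.
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.lower() if "@" in addr else None

def process_inbox(raw_messages, subscribers: set) -> list:
    """Drop every subscriber who replied with 'unsubscribe'; return those removed."""
    removed = []
    for raw in raw_messages:
        addr = unsubscribe_request(raw)
        # From is unauthenticated, so act only on addresses already on the
        # list: a forged reply can at worst remove an existing subscriber.
        if addr and addr in subscribers:
            subscribers.discard(addr)
            removed.append(addr)
    return removed

# Constructed sample replies (not real traffic).
SAMPLES = [
    "From: Pat Doe <Pat.Doe@example.org>\nSubject: RE: unsubscribe\n\n",
    "From: lee@example.net\nSubject: =?utf-8?b?VW5zdWJzY3JpYmU=?= please\n\nstop\n",
    "From: sam@example.com\nSubject: Question about pricing\n\nunsubscribe?\n",
    "From: stranger@example.invalid\nSubject: UNSUBSCRIBE\n\n",
]

if __name__ == "__main__":
    subs = {"pat.doe@example.org", "lee@example.net", "sam@example.com"}
    print("removed:", process_inbox(SAMPLES, subs))
    print("still subscribed:", sorted(subs))
```

The recipient never follows a link in this flow, and the sender's side reads headers only, so nothing in the reply body is fetched or executed.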
