How Not to Unsubscribe

Is it safe to use an 'unsubscribe' link to stop getting e-mail from a particular sender? Or will clicking the link just get you more spam? Datamation's Executive Tech columnist has some surprising answers.

One firm's executives have studied this question extensively — and the answer they found is very likely to surprise you.

To Unsubscribe Or Not To Unsubscribe

I've often decried as an urban myth the idea that clicking an unsubscribe link would get you more spam. For example, I wrote this on March 21, 2003: "Legitimate e-mail newsletters do honor unsubscribe requests, but most spammers don't honor them or use them in any manner, if their unsubscribe links even work."

My reporting on this subject was based on controlled studies of spam, such as an April 2002 report by International Netforce. This intergovernmental group is a joint effort of several U.S. states, the Federal Trade Commission, and four Canadian agencies to sue Internet scammers of all kinds.

The task force tested the unsubscribe mechanisms that were touted in a sample of the 10 million unsolicited e-mail messages that the FTC has amassed in its huge spam database. What did they find? The "vast majority" of the unsubscribe links in these spam messages didn't work in any way, shape or form.

Now I have fresh information on the slimy, deceptive use of unsubscribe links. I've found a small, high-tech firm that's conducted new, in-depth tests. Out of the tens of thousands of messages the researchers examined, a tiny minority of the unsubscribe pages actually are collecting e-mail addresses and then sending spam to the victims they've snared.

Fortunately, you can almost completely avoid such despicable links. Here's how.

A Dime A Day Keeps The Spam Away

Lashback LLC is the name of the firm that's conducting this research. This self-financed startup employs eight people and supports more than 10,000 subscribers. The company sells a service named — what else? — Lashback for $29.95 per year, a little under 10 cents a day.

Lashback Users Click The Button. The company's downloadable software integrates itself into Microsoft's Outlook and Outlook Express e-mail programs. Once the applet is installed, the user sees a Lashback button that promises a safe way to unsubscribe from any e-mail list, whether it's spam or not.

Spam I Am. Clicking the button sends the unwanted message to the user's Spam folder, where it will sooner or later be deleted. (The software can alternately be configured to send such messages directly to the Trash folder.) At the same time, the message is zipped to Lashback headquarters for analysis.

Who's Naughty And Nice. Lashback's computers then invent a new, unique e-mail address and submit it to any "unsubscribe" form that the e-mail may link to. An innocent e-mail response — such as "You are confirmed to be unsubscribed," or no response at all — is considered a good sign. But if anything else is spewed to Lashback's unique address, the site is put on the company's list of "Abused Unsubscribe Links."

Blocking The Spammers. When an unsubscribe mechanism proves to be genuine, Lashback (after a decent interval) submits the user's real e-mail address and the user therefore gets off the list. Fine. If the mechanism was just a way for a spammer to collect e-mail addresses and send more spam, however, Lashback diverts all such messages in the future directly to the user's Spam folder, where the user will probably never have to deal with them again.
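The probe-address test described above can be sketched as follows. This is an added example, not Lashback's code: the address scheme, the secret, the probe.example domain, and the rule that a single confirmation notice counts as innocent are all assumptions made for illustration.

```python
import hashlib
import hmac
import re
from collections import Counter

SECRET = b"constructed-demo-key"   # assumption: secret known only to the tester
PROBE_DOMAIN = "probe.example"     # assumption: domain reserved for probe mail
# Assumption: what counts as an "innocent" confirmation notice.
CONFIRM = re.compile(r"\b(unsubscribed|removed from (our|the) list)\b", re.I)

def probe_address(unsub_url):
    """Unique, unguessable address submitted to exactly one unsubscribe form."""
    tag = hmac.new(SECRET, unsub_url.encode(), hashlib.sha256).hexdigest()[:16]
    return f"u-{tag}@{PROBE_DOMAIN}"

def classify(probed_urls, inbound):
    """Map each probed URL to (verdict, violations) from (recipient, subject) mail."""
    owner = {probe_address(u): u for u in probed_urls}
    confirmed, violations = set(), Counter()
    for rcpt, subject in inbound:
        url = owner.get(rcpt.lower())
        if url is None:
            continue                      # not addressed to a probe
        if CONFIRM.search(subject) and url not in confirmed:
            confirmed.add(url)            # one confirmation notice is innocent
        else:
            violations[url] += 1          # anything else is unsolicited mail
    return {u: ("abused" if violations[u] else "ok", violations[u])
            for u in probed_urls}

# Constructed sample data: two unsubscribe forms and the mail that followed.
PROBED = ["http://news.example/unsub", "http://deals.example/remove"]
INBOUND = [
    (probe_address(PROBED[0]), "You are confirmed to be unsubscribed"),
    (probe_address(PROBED[1]), "You have been removed from our list"),
    (probe_address(PROBED[1]), "Limited offer just for you"),
    (probe_address(PROBED[1]), "Hot stock tip inside"),
    ("someone@elsewhere.example", "Weekly digest"),
]

if __name__ == "__main__":
    for url, (verdict, count) in classify(PROBED, INBOUND).items():
        print(f"{verdict:6} violations={count} {url}")
```

Because each address is handed to only one form, any unsolicited mail that reaches it is attributable to that form, and the running count per link corresponds to a per-link violations figure.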

If It Looks Like Spam... Lashback's method of diverting spam is unique among all the approaches I've seen. Because spammers are constantly changing their "from" address and other identifying characteristics, Lashback doesn't rely solely on these indicators. Instead, the company records the names of Web sites that advertise in messages that have bogus unsubscribe mechanisms. All spam is ultimately trying to sell you something or make you visit some Web site or another. It doesn't take long for Lashback to figure out which sites those are, according to Brandon Phillips, the company's president.

Keep Your Company Off The Abuse List

Recognizing certain Web sites as "sure signs" of spam is an approach that has gigantic implications for both legitimate companies and shady ones.

Are You Sure Your Mechanisms Work? A July 2004 study by Arial Software, an e-mail software publisher, found that an astonishing 51% of e-mail newsletters from otherwise legitimate companies failed to include an unsubscribe link anywhere within their messages. Arial quietly subscribed to newsletters from 1,057 well-known business organizations, including most of the Fortune 500, and then examined the resulting e-mails to reach this depressing conclusion.

Guilt By Association. If your company's Web site is hyperlinked within one of these blue-chip newsletters that doesn't have a working unsubscribe mechanism, future e-mails that also link to you may be filtered out as "spam."

I think the lesson is crystal clear. If you care whether e-mails that mention your company's Web site get delivered, make sure any online publication you're associated with has an unsubscribe link, and one that really works.
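The site-based filtering described under "If It Looks Like Spam..." and the "Guilt By Association" effect can be reproduced in a few lines. This is an added example, not Lashback's implementation: the SiteFilter class, its exact-hostname matching, and the sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def linked_hosts(body):
    """Hostnames of every http(s) link in a message body."""
    hosts = set()
    for url in URL_RE.findall(body):
        try:
            host = urlsplit(url.rstrip(".,;)")).hostname
        except ValueError:          # malformed URL, e.g. a bad IPv6 literal
            continue
        if host:
            hosts.add(host.rstrip("."))
    return hosts

class SiteFilter:
    """Hypothetical filter keyed on advertised sites, not on the From address."""
    def __init__(self):
        self.listed = set()

    def record_bogus(self, body):
        """The message's unsubscribe link proved bogus: list every site it links to."""
        self.listed |= linked_hosts(body)

    def verdict(self, body):
        hits = sorted(h for h in linked_hosts(body) if h in self.listed)
        return ("spam", hits) if hits else ("inbox", [])

# Constructed sample messages.
BOGUS = ("Buy now at http://pills.example/buy, sponsored by "
         "http://www.partner.example/ Unsubscribe: http://pills.example/unsub")
NEW_SENDER = "From a fresh address: visit http://pills.example/offer today."
NEWSLETTER = "Our quarterly results: http://www.partner.example/investors"
UNRELATED = "Meeting notes are at https://intranet.example/notes."

def demo():
    f = SiteFilter()
    f.record_bogus(BOGUS)
    return [f.verdict(m) for m in (NEW_SENDER, NEWSLETTER, UNRELATED)]

if __name__ == "__main__":
    for v in demo():
        print(v)
```

The second verdict is the guilt-by-association case: the partner site did nothing except appear in a message with a bogus unsubscribe link, yet its own newsletter is now diverted.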

How To Avoid Those Bogus Unsubscribe Links

At this writing, Lashback has tested 27,719 separate unsubscribe links that were included in various e-mails the company has processed. The resulting statistics appear prominently on the firm's home page: only 484 (1.7%) are "abused links" that will send you more spam if you enter your e-mail address. Another 2,712 (9.8%) are "dishonored" links, which appear to function but don't actually accomplish anything, good or bad.

Your task as a computer user is to avoid the 1% of unsubscribe links that are in fact operated by spawn of the Devil.

Outing The "Abused Unsubscribe Links" Index

You can steer clear of these sites by using the list of "Abused Unsubscribe Links" that Lashback has built up through its testing methodology. Because this grand experiment has had a lower priority than marketing the company's primary revenue source (its $29.95 service), the abuse list has never before been publicized. There's no link to the list on the company's home page and, according to the search engine, not a single other site on the entire Internet links to it, either. You're reading it here first.

The list resides at On that page, click the "View List" hyperlink and you'll see the entire Hall of Shame.

Lashback CTO Eric Castelli says his company has been monitoring some of the operations on the list since January 2004. A figure entitled "Violations To-Date" is shown for each link. This number represents the sum total of all the unsolicited e-mails that Lashback's unique addresses have received since August after using each site's unsubscribe form.

This payload can be weighty. The top offender on the list has reportedly sent Lashback more than 1,400 messages in August and September alone.

E-mail administrators in legitimate companies should download Lashback's list periodically and then block user access to the unsubscribe forms on the allegedly spam-happy Web pages. Once that blocking policy is in effect, users can follow a very simple set of rules:

Do unsubscribe from any ordinary, authentic e-mail newsletter that you may once have subscribed to but now no longer want;

Don't bother unsubscribing from spam messages, just delete them, because in almost every case the unsub link won't work — there's simply no good way to get off a spam list; and

If you can't tell whether the message in front of you is a respectable e-mail newsletter or spam, go ahead and click its unsub link. Your company's blockade of the 1% that are bogus will protect you from making an error.

I'll have more next week on the entire unsubscribe mess and what Lashback and other companies are doing about it.
