How To Know When Unsubscribing Isn’t Safe

Published on: January 31, 2006
Last Updated: January 31, 2006

How To Know When Unsubscribing Isn’t Safe

Published on: January 31, 2006
Last Updated: January 31, 2006

E-mail newsletters like mine — the ones that are sent by legitimate publishers, anyway — proudly proclaim, “You can unsubscribe at any time!”

But how do you know that for sure? What if unsubscribing from an e-mail newsletter actually prompted the publisher to sell your e-mail address to spammers, who then sent you more spam?

Now there’s an easy way to know in advance whether it’s safe to subscribe to or unsubscribe from an e-mail list. Best of all, it’s free.

And I’ll bet that the details of some innocent-looking unsubscribe forms that are not safe to use will shock you.

Unsubscribing Used To Be So Easy

Once upon a time, if an unsubscribe form on a Web site existed at all, it was pretty safe to submit your e-mail address to it. Unfortunately, spammers got sneakier and things went downhill from there:

Ah, The Good Old Days

Back in 2002, the U.S. Federal Trade Commission selected, at random, 200 spam messages that contained some kind of “unsubscribe” e-mail address or Web form.

Out of the few such addresses and Web pages that existed at all, the FTC found in a study that the “vast majority” did absolutely nothing.

The opt-out procedures were mentioned in the spam messages solely to make them look legit.

Unsubscribe Forms Start To Get Tricky

Now fast-forward to 2003. A small company named Lashback LLC starts methodically testing every unsubscribe method it can find in e-mail newsletters and Web pages.

To do this, the company’s computers make up never-before-used e-mail addresses and enter them into unsubscribe mechanisms.

If one of these unique addresses begins to receive spam (other than an initial opt-out confirmation), it means the operator of the mechanism is really a spammer or is selling the submitted addresses to spammers.

When I first wrote about this in October 2004, Lashback president and CEO Brandon Phillips told me that only 1.7 percent of the 27,719 unsubscribe mechanisms he’d tested led to spam.

Opt-out Becomes A Profit Center

The latest figures show a sharp increase in “remove me” links that deviously send you more spam.

As of January 2006, 7.5% of the tested unsubscribe mechanisms result in the submitted e-mail addresses receiving spam, according to Phillips.

Many of these sites are undoubtedly selling the names to generate revenue.

Worst of all, some sites that operate “global removal services” actually charge consumers money to be “removed from all spam lists.”

Then they sell the names to spammers! According to Spamhaus.org, a respected antispam service based in the U.K., a few of these services offer their “do-not-email lists” for free, but others charge gullible Internet users $5 to $22.

No one can get your address off spammers’ lists, so don’t fall for this. A list of sites that exhibit this behavior is maintained at Spamhaus’s Spam Unsubscribe Services page.

Lashback — Don’t Unsubscribe Without It

Finally, there is now a way ordinary people — as well as information technology professionals — can determine whether an unsubscribe form is in reality a front for spammers, before entering an e-mail address.

The same procedure that Lashback uses to catch crooked unsubscribe forms can also verify that other opt-out Web pages are free of problems.

Lashback has just made both the “devil” and “angel” lists available to the public for the first time.

The scope of Lashback’s probes is vast, so I believe most unsubscribe mechanisms in the English-speaking world are being tested.

The company currently monitors about 1.3 million different Internet Protocol addresses that send e-mail containing some type of unsubscribe wording, Phillips says.

Those messages, in turn, point to about 170,000 different opt-out mechanisms. Of those, 12,825 (7.54%) show evidence of generating spam to e-mail addresses that are submitted, Phillips calculates.

How To Use Lashback’s Unsubscribe Ratings

Lashback publicly provides two free databases that you can check for what the company calls “suppression list abuse” (turning unsub addresses over to spammers).

The first is a list of IP addresses that have a recent history of sending spam to people who’ve requested, “Remove me.

If you receive something questionable, use your e-mail program to look in the message’s header section for the sender’s IP address (e.g., 255.255.255.255). Then enter this into the box on the following Web page:

www.lashback.com/register/UnsubsafeLookup.aspx

An alternate form of this database is also made available by Lashback for online querying.

This allows IT admins to program their mail servers to check the list in real time before the server accepts e-mail from a particular IP address. For more information, see Lashback’s Unsubscribe Blacklist page.

The second database is a list of Web pages bearing unsubscribe forms that result in spam being sent to addresses that are submitted.

Before you enter your e-mail address into such a form, type the domain name of the page, such as example.com, into the box on this page: www.lashback.com/UnsubsafeSearch.aspx

After you enter a domain name, this page will usually respond that “Lashback has no record of unsubscribe abuse for this domain” (which is good) or “Lashback has recorded abuse for the following unsubscribe mechanisms” (followed by a list of sites where you should never use the “unsubscribe” form).

Lashback returns any domain names that end in the character string you type in.

If you enter example.com, for instance, the form might return reports on www.example.com, server1.example.com, mail.example.com, and other subdomains of the main Web site.

This allows you to catch untrustworthy operators, no matter which subdomain they might host an unsubscribe form on. (There’s no rule that a Web address must begin with www.)

This wild-card matching behavior can produce some provocative results. If you enter apple.com into the lookup box, Lashback reports problems with the domain names rampage.virtual-apple.com and www.ittasteslikeapple.com. 

These sites have absolutely nothing to do with Apple Computer, the maker of the iPod.

Only if you see the exact string apple.com in the results should you suspect a problem with the unsubscribe mechanism at the Apple Computer site.

This free lookup service represents a fantastic benefit to all e-mail users. Lashback, however, only began to offer the free domain-name lookup a couple of days ago.

It’s received absolutely no publicity. As of yesterday, there wasn’t even a link to the lookup form on the company’s home page yet. You’re reading about it here first.

Guess Who’s Letting Their Unsub Addresses Get Out

Lashback makes money by selling “unsubscribe monitoring” to legitimate companies that send e-mail.

For $195.95 per month and up, depending on the number of unsubscribe mechanisms that must be monitored, Lashback regularly tests its clients’ routines and reports to them on any that fail.

This kind of monitoring is more important than ever since the United States’ so-called CAN-SPAM Act in 2004 made it a crime for e-mail senders to ignore opt-out requests.

It appears to me that there are a lot of corporations that could use Lashback’s monitoring efforts.

The testing of unsubscribe mechanisms across the Internet, Phillips says, has revealed that some very big brand names allow e-mail addresses submitted to their unsubscribe forms to get into the hands of spammers.

I’ll report next week on who some of those big companies are.

Stay on top of the latest technology trends — delivered directly to your inbox, free!

Subscription Form Posts

Don't worry, we don't spam

Written by Bobby

Bobby Lawson is a seasoned technology writer with over a decade of experience in the industry. He has written extensively on topics such as cybersecurity, cloud computing, and data analytics. His articles have been featured in several prominent publications, and he is known for his ability to distill complex technical concepts into easily digestible content.