I want a button that says "ghost this mailing list" when I click it, their mail server gets a standard message like "user no longer exists at this address", or "user reached quota", whatever makes me get pruned from their database instead of having my email address validated and the "last_seen" column updated.
I've done something like this [0], postfix sends a nice rejection message the next time they try to connect. Ironically I've had people email me that rejecting their spam is filling up their inbox with error messages.
Less technical folks would likely complain about it, as it tends to resemble the spam that was sent from their spoofed domain (I.e. “re: fake pills” subject lines as the rejection message hits their inbox).
In my case this isn't it. What happens is during the connection process the server on the other side first announces what email its sending from, at that point my server responds with a reject message and closes the connection. I don't think my server even sees the subject or body. My server doesn't send a email, but instead that email is generated by the sending server to let the user know the message was rejected.
This error message is often delivered to a catchall account, they are often configured with small mailboxes, that box fills up, throws alerts and ticks off a sysadmin somewhere. I only do this in cases where it's easier to SSH into my box and configure it than unsubscribe, and never to random address spam as that is wack-a-mole and futile.
I think the sending servers may also be misconfigured to get around greylisting. As sometimes they will try repeatedly to deliver to me. My server dutifully rejects each attempt and the messages pile up on the other side.
I like your approach and it looks like its usability can be greatly improved by having an admin panel to easily taint a given alias rather than ssh to the mailserver and modify sender_access manually.
are you certain your "mailbox full" automated message hasn't been met with a "your rejected messages are filling my inbox"... that also happens to be an automated message :)
This is pretty much what Apple did with Sign in with Apple. You can sign up with a private relay email and Apple will forward any communications from that company to your real personal email account. If you get annoying emails, you can simply dispose the private relay email and boom they can't communicate with you anymore.
By that logic so can google with gmail: of course they can, but that’s why we have to put some level of basic trust in our email providers. If you don’t want an MITM, you’re basically stuck with PGP or hosting your own email service.
Lavabit used to not be able to do that, and Protonmail can't either still... (To be fair, Lavabit _could have_ made changes so they could do that, but the owner refused when law enforcement asked him to do that fpr Snowden's email, and risked very real threats of jail instead. I don't think Protonmail have been tested lie that yet, but they have at least incorporated outside of US jurisdiction,which changes their risk in some important ways...)
You can kind of do this with Fastmail and Aliases, but it's a more manual process.
You can really easily create aliases for specific sites or just a general spam@ alias on your own domain. Then if it gets abused you can mark all mail directed to that alias to bounce.
I migrated from Gmail to Fastmail 2 years ago, and I agree with this. With Fastmail, I now have the wildcard address for a domain ([a-z0-9]{7}@example.com), whereby I create a new randomly generated email address for each company/site/contact. I set up rules to direct emails sent from expected addresses (sometimes by base domain regex rather than a single address) to whitelist emails to show up in my main Inbox folder. eg. My HackerNews email might be qvae82d@example.com, whitelisted to accept emails from *@ycombinator.com to my main Inbox.
The thing is you don't want to completely blackhole/delete messages received at a valid randomly-generated address, but which were sent by an unexpected sender. For that, I have a separate "Suspicious" child of my main "Inbox". The main exception I've seen that falls under "Suspicious" is that Amazon shares your account's email address with their shippers; so you'll receive a Fedex delivery notification at your Amazon address, which falls under "Suspicious" because the sender address doesn't originate from Amazon.
What I find mildly strange is that, in the 2 years since I've migrated from Gmail to a super-organized and rules-based organization with Fastmail, I have literally not received a single spam email. I credit this to having migrated my GitHub account to use their privacy wrapper, so none of my commits have a personal email attached to them. I thus suspect that most developers who receive spam have had their email crawled from commits to public Git repositories.
Of course, there is a caveat: I do not expect to be able to maintain this kind of scheme into old age. There's no way, at 60-70-80-90 years of age, that I will still be mentally capable of managing a wildcard domain. So while it works for now... at some point I will need to simplify back to a single email address. Sigh... fml in advance. :(
> There's no way, at 60-70-80-90 years of age, that I will still be mentally capable of managing a wildcard domain.
Do you think this will get technically harder and you'll no longer be familiar with the "new" process? Or are you more worried about your mental capabilities in general when you're that age?
Most of us will wind up with some form of mental or physical degradation… that may mean Alzheimer's, or Parkinson's, or psychiatric conditions, or horrific cancer (eg. prostate, breast, uterine, COPD/emphysema, etc.) that weakens us for months or years at end-of-life. The fact is, there are so many things that can go wrong regarding health in one's mid-to-late years, that expecting to manage a complex identity/password system is unrealistic.
I did this a while ago for myself; it looks like the setting can be found here[1], labelled as a checkbox "Keep my email addresses private". Note that (I think, not sure if it gets overridden if you check the box), you also need to set your "user.email" git config to use the noreply email they provide. Personally, I'd never committed to an external 3rd-party repository, and I crushed/re-imported (erasing history) my own repositories using the new noreply email. This is because I know no external users were depending on my old repositories. I suspect that if you've already pushed commits to a 3rd-party repo, it's too late (the email address is part of the commit and cannot be revoked without a history-changing rebase). In my case, I deleted my repos and re-imported, history be damned.
Ah thanks - yeah I've already pushed with my new aliased email for git (I recently switched to Fastmail and set up a less extreme alias configuration :) ).
Could this be automated, e.g. by a browser extension or a small app setting up an alias and an ding a site-specific rule to your FM account? I am thinking about a one-click sort of thing, a DYI alternative to Sign In with Apple.
It unfortunately would probably only do the opposite as this validation occurs during the SMTP transaction when the message is delivered to the server.
Going back after and saying you don't exist is like answering the phone and going "nobody is home".
Edit: I suppose this ghost setting could be used for future delivery attempts though. Perhaps this is what you meant originally.
I work for an email service provider. While we usually get a response from the inbox provider that an inbox does not exist, we totally get async bounces all the time. Some providers accept the mail and realize later that they cannot deliver it.
While true, email accounts can and are deleted or closed. Transient addresses on your own domain are usually the best (so you can nuke them when polluted, hat tip to Apple for pushing blind emails into the mainstream with "Sign in with Apple"), but sending fake bounce backs by sender while binning anything incoming from them is a close second (Gmail and Fastmail both support filtering messages directly to Trash, but no fake bounce back messages; could probably do it with an SMTP proxy, again if you use your own domain).
I have another step between 1 and 2: send a mail to the abuse contact of their AS. You can do it either manually, or with a tool like https://www.spamcop.net/ . Sometimes it works (but rarely).
I am often subscribed to lists I never personally consented to. That can happen for benign reasons such as someone mistaking my email address for theirs, or more nefarious reasons.
For that reason I have no need to be “nice” to entities who send me unsolicited email. I avoid clicking any link on email I didn’t request as - just like answering the phone confirms that a live person is home - clicking “unsubscribe” just means the email address is valid and has a human behind it.
We have to stop pretending like there are humans behind our communication. If I had to guess, 99% of my email volume is generated by a machine of some sort.
reminds me of a time someone with my very uncommon last name and same first initial had signed up for skipthedishes.com with my [first initial] [last name]@gmail.com and started ordering takeout from various places local to them, halfway across the country. the website doesn't send a validation email when creating an account. this went on for months, getting a food order confirmation email with no charges on my credit card. finally I got so annoyed that I reset the password, logged in and found their cell number. I sent a polite text message describing what happened, assured that the website obscured credit card details properly and that they should change the password from [generic password].
Did you ever find out why that person signed up with an email that didn't belong to them? Did they intend to use a real email and for some reason didn't? Or did they want to use a dummy email that they didn't own?
Not exactly what you mentioned, but if you host your own mail server you can use bogofilter-milter.pl[1] when it detects that mail is a spam it rejects it with a configurable message.
I love the idea of the Gmail unsubscribe button, but unfortunately I can't bring myself to use it.
The issue is that there are good-faith and bad-faith unsubscribe links. Clicking the unsubscribe button can thus either have a good outcome (less junk mail) or a bad outcome I ardently want to avoid (letting a spammer know my address is active).
I'm sure Google knows this and does some verification and detection to try to prevent that bad outcome, but as an end user, I don't have much visibility into how well that works. It's a hard problem, but Google is smart, so it's possible they've solved it, but I don't really know whether they actually have.
So in practice, I always read over the email in question carefully to try to judge for myself whether it's safe to click the unsubscribe link at the bottom. It's annoying, but the effort seems worth it.
AFAIK, Gmail doesn’t show it for all senders (2009):
> This only works for some senders right now. We’re actively encouraging senders to support auto-unsubscribe — we think 100% should. We won’t provide the unsubscribe option on messages from spammers: we can’t trust that they’ll actually unsubscribe you, and they might even send you more spam. So you’ll only see the unsubscribe option for senders that we’re pretty sure are not spammers and will actually honor your unsubscribe request.
PSA that there was a sort of "email 2.0" spec called "Internet Mail 2000" (which gives you an idea of how long ago this was, heh) by djb, that would have partly eliminated all this crap. The idea is that you can pay the cost of read receipts (which are kind of a superset of what you are concerned about) to structurally disadvantage spamming so much (by forcing it to tether itself to DNS) that it ceases to be a viable marketing model; spam that is big enough to generate revenue is also either big enough to be caught or spread out enough among new domain registrations that the cost easily swallows the revenue. The struggle is that nobody likes read receipts, so one is stuck trying to define some sort of "halfway between" system to try and invalidate the read receipts, "sometimes you have to store the message until the person wants to read it, but sometimes Gmail will download it before the person reads it, so this signal is unreliable for whether it was actually read."
Isn't that similar to the idea behind hashcash [1]? I don't know -- was hashcash used anywhere? Or were the ideas there leveraged in stuff like DKIM/SPF?
Hashcash is a different idea with the same goal of making certain email behaviors financially infeasible by tying emails to a more limited resource. The limited resource in IM2000 is -- well, that's complicated, I would say internet domains but someone else might say something like network availability. But in Hashcash it is clearly processor cycles.
Hashcash is "used anywhere" in the sense that it's the idea behind bitcoin. There's a duality here where the very introduction of limited scalable resources which makes a cryptocurrency possible, also can be used in a different way to make spam impossible.
In that duality it is actually kind of interesting to think about IM2000. One would imagine a cryptocurrency based on something like "proof of network bandwidth shared" or something, which would be really hard to theoretically formalize. But if you could get a secure definition then that fundamental idea becomes rather explosive. Like I imagine a sort of viral peer-to-peer filesharing network kind of like BitTorrent which would end up as a sort of alternative to the World Wide Web; whereas there are huge clusters of bitcoin miners right now trying to chug out more proofs-of-work, in that situation you would have large numbers of proxy hosts trying to mirror more and more files online.
Right now it would be possible to do some really nasty things to bitcoin by designing software which stores arbitrary files in the spare bits in the ledger. If that software becomes really widespread then inevitably someone uses it to upload MP3s or, worse, illegal pornography and those things get ossified into the Bitcoin ledger and you cannot remove public access to that content without taking down the entire blockchain; probably what happens in practice is that the sharing software itself gets demonized as "only pirates/perverts use that sharing software." But one is immediately confronted with concerns about "hey if I download the blockchain am I technically performing an illegal action" to which the legal answer is probably "yes" at that point. The law doesn't usually care about whether you need sophisticated software to decode that crap.
If you had a cryptocurrency that was based on "I hosted and transmitted data, but I don't know what that data was" then I think you would have a sort of robustness to the network, maybe, where the offending data is not in the ledger. With that said, probably it gets a similar stigma as "only pirates/perverts use that, all the rest of us use the web."
I mean in his defense, DJB has some serious chops that others have lacked, including writing what was at one point the most popular DNS server for anyone who cared about security as well as the first MTA which cared about security while transmitting email, and now two of the more popular stream ciphers, one of which underlies the current fastest secure hash function.
IM2000 probably would have succeeded if it had gotten the attention from him to go past a random idea into a well-specified protocol with a canonical implementation. Standards work is hard!
>or a bad outcome I ardently want to avoid (letting a spammer know my address is active).
Honest question- why does this really matter? Or at least matter to any degree where you would rather have more junk mail than potentially stop spam/undesired emails.
If a spammer sends out 1000 emails and gets 100 bouncebacks.. then they keep on sending to the other 900. You are one of those 900 and you click unsubscribe.. sure, they can detect that your email is active. But are they really going to stop sending to otherwise? It's not like people are constantly changing email addresses these days.. if I were a spammer and I had a valid list, I would basically assume that's a valid email if I don't get a bounceback.
So I just don't get how detecting that someone attempted to unusbscribe is that much of a 'tell'.
A number of years ago there was even a story about someone going undercover at a spamming operation and one key takeaway was that - at least at that place - the boss was very clear internally about actually removing people who tried to unsubscribe.
I cannot vouch for the story but it looked as legit as the average HN story back then so it might be true (or not).
I can believe that- otherwise why would you try to continue to scam/spam someone over email who is clearly trying to unsubscribe.. meaning they realize it's spam/scam.
The goal is to find people who don't know any better..
Last I worked on email delivery, every major email provider but Gmail runs a program for automatically letting emailers know when the spam button is pressed. Gmail is fairly unique in that they require the user to consent to it.
Not to mention the unsubscribe doesn’t make it clear if it’s removing from this list only or it’s indicating to the upstream server the email address forbids contact. I would presume the former, but I would strongly prefer to be able to choose at unsubscribe time, or failing that assume I forbid contact.
I try to do that, but a lot of legitimate services send me mails because someone else trying to sign up with my email and they don't do verification right. Part of the problem is having a very simple Gmail address, but also another part of the problem is that companies think that since someone tried to validate my email as theirs now they can spam it.
Yeah, it drives me insane, once someone used my email to sign-up on eBay and started buying sex toys. Can't believe eBay didn't do email verification. I was at work and started getting emails like congratulations, your dildo is on its way, with pictures.
I got emails about the death of my mother because a guy had my email address printed on his cards by mistake. She was pretty much alive and living with me. It would scare the hell out of me if it happened again now that we are further apart.
That's too bad, as I've found the unsubscribe links generally work and mean that I stop getting emails. It means my spam folder is usually actual spam/phishing emails instead of stuff that I simply find annoying.
Huh, my spam folder is also full of what I consider actual spam, not just phishing and devious stuff. I consider what amounts to the email equivalent of junk mail to be spam.
To rephrase: my spam folder only has stuff that I can't unsubscribe from because it was genuinely unsolicited. I rarely, if ever, get unsolicited marketing because I untick the "send me promo shit" checkboxes. Otherwise, I assume it was my mistake in giving them my email in the first place.
If I get an email from an email I don't want legitimate company, I unsubscribe and never have to worry about getting non-transactional email from them anymore. I _do_ still get transactional emails from them, because I didn't misclassify them as unsolicited.
2) If I did signed up I make the effort of going through their unsubscribe procedure.
3.1) If I still get e-mails after (2), I file a request for my personal data under the GDPR (EU citizen here).
3.2) Once I got that, I use the GDPR to delete all of the data associated with my account / e-mail address.
4) If I still get e-mails after (3), it goes to SPAM.
With step 3, I hope that I can make them notice their bad behaviour. My goal is to drive up the costs of that behaviour (so they get incentivised to change it). Also, I'm generally interested in the personal data that a service has associated with me.
That would be the way to go, indeed. It didn't happen yet. I'm not sure if I'd take it to the privacy authority, since that would involve much more work, I think.
You might be surprised. I worked for an organisation that got ~1000 requests a year up until recently, each request involved going into every system manually, taking screenshots, tagging files etc. Quite often a good few hours per request and on a few memorable occasions, several days work for a single request. It definitely does cost many larger companies, but to varying degrees.
If I get spam mails on lists I never signed up for, I either hunt down the X-Abuse header and report there (if they use a reputable bulk mailing service), otherwise I just paste the entire email on members.spamcop.net
> If they use a reputable bulk mailing service instead of using their first-party domain then they are indistinguishable from a phishing attack.
With most bulk mailing services, the message will come from the "first-party domain". They will have configured that service as a legitimate sender for the domain via SPF/DKIM DNS records.
> With most bulk mailing services, the message will come from the "first-party domain". They will have configured that service as a legitimate sender for the domain via SPF/DKIM DNS records.
It's not just the from:marketing@firstparty.com that I'm talking about. If the unsubscribe link does not also go to firstparty.com, then it's still indistinguishable from phishing.
My naive suggestion. "Hard" unsubscribe button that tosses all future emails from this list in the trash and mails the sender a note that the address has unsubscribed from this list and all future emails will be ignored.
Gmail has over a billion active users. Mailing lists will probably adapt to whatever crumbs Google leaves on the doorstep.
It’s really amusing to me that the top comments on this posts seem to be HN users complaining about spam and if this button is useful or not.
I had to dive into this a bit for something and work and it’s just fascinating how much effort has been spent in trying to combat spam, build a reputation based system for emails etc. And this article does an amazing job of explaining list-unsubscribe...although the RFC is pretty easy to read too!
Pet peeve: unsubscribe links that take me to a page asking for my personal information (usually my email address). I'll usually close those pages and report the email as spam.
If you know my email address, then put a token in the unsubscribe link so you can retrieve my address on your end, rather than making me retype it. If you don't know my email address -- maybe you are sending to a list, not to me -- then I consider you spam because you don't actually have the direct ability to remove me.
This would certainly be convenient, however if your mailing lists contains a lot of old people then they forward your emails to their friends. Their friends who are annoyed by this then unsubscribe the original recipient without noticing that the email was forwarded by their friend.
This is a real problem for us - not a made up scenario. So we remove the auto-filled email on the unsubscribe form.
A way to mitigate this issue is to ask for a confirmation before marking the email address as unsubscribed, showing the retrieved email address in a large font as to prevent someone who received a forwarded email from mistakenly unsubscribing someone else.
I’ll add another pet peeve to the list: unsubscribe links that remove you from only 1 of N number of lists they have. You click unsubscribe but a few days later you’re still getting mail because you got removed from “news” emails but this one is a “promotional” email.
I recently unsubscribed from all but one (the account tips) of the Firefox newsletters, because they were sending too much stuff I wasn't really interested in. The next day I get a new Email from them.
Subject: "Was it something we said? crying emoji".
Body: "If you want to go... we won't stop you. [...]"
Footer: "You're receiving this email because [...] subscribed to Firefox Account Tips.
Yeah, thanks for the ~~tip~~ spam.
Felt like going through one of those dark pattern flows that Spotify or Amazon have when you try to unsubscribe from their paid plans, trying to guilt you into reconsidering.
That's pretty ironic coming from a company whose main value proposition is "we aren't assholes like other tech companies are." That and the annoying crap you have to disable when you install Firefox to get a blank new tab page.
The simplest way is to click the gear on the new tab page and uncheck items you don't want. If you uncheck everything you will still have the gear icon present. If you want to hide that then your are in userChrome.css territory.
The domain would only be relevant if the domain was a specific opt-out domain. If it was just https://company.com/unsubscribe, DNS would only reveal company.com. The path (/unsubscribe) will be encrypted.
Yeah I find it really annoying also. But surprisingly, they don’t do that just to add friction to unsubscribe. There is a real problem that it solves.
Legitimate mailing lists have problems with people forwarding emails, when the recipients of the forwarded emails click the unsubscribe button, they will unsubscribe the original recipient who didn’t want to be unsubscribed.
So why do they forward those emails to someone in the first place? Especially to those who don’t want them? You’re pretty much suggesting that “helping others spamming people isn’t spamming”
Whether or not an individual forwarding an email to another individual is technically "spamming" is moot; most spam is company-to-individual/automated-system-to-individual.
As to why they forward it in the first place: how would I, an individual, know whether or not my mom will want to use the 20% coupon code for a cosmetics store I just received, but don't want to use? I'd ask her. I can ask her via an unsolicited phone call or email. Am I a spammer if I do that?
Similarly, if my mom clicks the "unsubscribe" link on what I forwarded, mistakenly thinking that it was sent to her directly by $costmetics_company, that sucks for me if I ever want to use their coupons.
An even more annoying situation is when someone in charge of procurement for a business forwards a "shipping confirmation" email to an employee as a means of indicating that the employee's requested purchase is on its way. If that employee makes a mistake (e.g. they have a lot of commercial email in their inbox and click the wrong one/are sleepy/whatever) and clicks "unsubscribe" on that shipping confirmation, the procurement person won't get any future confirmations for any orders for anyone.
There are mitigations to this (the shipper could use transactional emails without unsubscribe links, the procurement person could do something less lazy than just forwarding the email wholesale), but in the real world those often don't happen. So autofilled unsubscribe then causes problems for random upstream people, not the forwarded recipient.
That is a problem with the implementation that is simply fixable by removing the unsubscribe headers from the forwarded emails. Or marking unsubscribe links in a way that makes the forwarder remove them automatically.
Someone on the other hand was trying to wave away the whole idea of one-click unsubscribe due to this which seems to me more like lobbying towards adding another step requiring one to put their email in in order to unsubscribe (or put it another way - decreasing the unsubscribes).
So auto filled unsubscribe needs to exist. I never want to go back to the universe where that is not regulated and easy-to-use. Also in the UK there’s still loads of physical paper spam and I would hate if that was also the case for e-mails.
Annoying for sure, but one benefit of this approach is due to forwarding. For the moment, let's assume you have a newsletter you enjoy. If you forward an instance of that newsletter to your friend, and they aren't expecting it, they might hit unsubscribe. With one click, they'll prevent you from receiving future newsletters.
I think the better approach is simply showing the "Intended for johndoe@example.com" next to Unsubscribe, but I could see why they ask for your email.
as per RFC-2369 and use the same mailto link inside the mail body. This is convenient, conventional and solves the problem you describe, while also allowing users to add feedback as they see fit in the body.
I don't see why you have to involve the web at all, but I can tell you that if I have to go through a bunch of bullshit when I want to unsubscribe I'll just mark it as spam instead. However appreciated and anticipated your newsletter is, you have to consider that most newsletter subscriptions are probably either accidental (failed to uncheck some box when signing up for something entirely different) or straight up unsolicited, and people like me will basically purge all their subscriptions without discrimination regularly as the crap builds up.
> I don't see why you have to involve the web at all
Because List-Unsubscribe is very new and not supported by all email clients or ISPs (inbox service providers). Since adoption is so spotty, most ESPs (email service providers) start from a baseline of a web unsubscribe system and (maybe) supplement that with List-Unsubscribe as well.
RFC2369 from 1998 is "very new"? Funny. I guess it's either a matter of perspective.
Adoption of it doesn't matter insofar that you can use the same link in the body as a fallback, which was part of my suggestion.
"ESPs" don't care because cumbersome and convoluted multi-step unsubscribe is a selling point for the majority of people who use such systems. They have moved from simple mail based unsubscribe which was the norm for years.
FWIW, this solution isn't as easy to implement as you'd think. I've seen unsubscribe pages harvested for email addresses when they show the full address and used urls/tokens that weren't sufficiently secure. In the case I'm thinking of, the home-rolled algo that generated the unique links was bugged enough that you could reverse it, and I was surprised that someone actually took the time to do so.
Marriott Bonvoy Assist
@MBonvoyAssist
9 Apr
Replying to
@zachalberico
Sorry for any confusion. Select the box next to each desired communication option or deselect to stop communications
Now I think I understand what they are saying, but it’s not a great explanation either. A new sentence before the ‘or’ would have been helpful.
I run a newsletter where both subscribe and unsubscribe do double-opt-in (i.e., both subscribing and unsubscribing send you an email with a confirmation URL with a token - each newsletter has an unsubscribe link but that link doesn't include the token). Maybe this is a mistake? Is the norm that anyone can unsubscribe anyone else from newsletters?
Use the same link in the body of your mail for your unsubscribe link.
It's convenient, standardized and removes the need for further confirmation because you know who sent the mail.
That said, I don't see what the big deal is. If you forward a newsletter issue in its entirety to someone else, they hate it and feel confused enough about receiving it to click the unsubscribe link, maybe the sender deserves being unsubscribed. The absolute most you should do at this point IMO is to notify them that they were unsubscribed.
That's super presumptive/rude. Also not how interactions between people work, at all. The potential consequences of a mistaken forward-unsubscribe are also often quite large: https://news.ycombinator.com/item?id=23360619
> List-Unsubscribe is not widely enough adopted to be the only means of unsubscription (yet)
I am not suggesting List-Unsubscribe as the only means of unsubscription. Read my post again. It also is widely adopted. gmail.com, Mail (OSX, iOS) and outlook.com together probably represent the majority of clients now and all support List-Unsubscribe.
> That's super presumptive/rude. Also not how interactions between people work, at all. The potential consequences of a mistaken forward-unsubscribe are also often quite large
Maybe my view on the matter is colored by the fact that my friends and family don't send a bunch of useless marketing to me, and I have the decency not to send them any. Still, my suggestion solves the problem if you have it without involving a convoluted process to cancel a subscription. I absolutely could not care less about the dire consequences of not receiving a steady stream of cosmetics coupons, but whatever floats your boat, email-based unsubscribe works.
The term "double-opt-in" is spammer propaganda. It falsely implies that getting your email added to a spammer's mailing list, regardless of how it happened, is "opting in".
That term is super widely used in spam-prevention, commercial email sending, transactional email sending, and inbox provider industries.
You can disagree with the phrasing if you want, but that doesn't make it propaganda--not any more than the Orwellian naming of the "No Child Left Behind" act makes the law itself propaganda.
It absolutely is propaganda. If a single verification of consent is "double opt in", then zero verification must logically be "single opt in". The evil option is reframed as good, and the neutral option is reframed as extra good. Anybody who uses it is either ignorant or a spam sympathizer.
OK, fine, maybe I shouldn't use the term. Pretend I said, "I run a mailing list where I want to make absolutely sure that nobody is receiving mail without their active and informed consent and that nobody is unsubscribed without their active consent either." I think my question still stands?
Multiple times the gmail unsubscribe button has removed me as moderator from mailing lists I moderate!
I tend to use the checkboxes to mark groups of emails as spam, then also chosen "unsubscribe me" without checking where they came from (since I don't want to open them).
When it happens to be spam sent to a mailing list, this feature unsubscribes you from the mailing list. When it's a Google group you moderate, good bye moderator status! Oops! (Filed a bug internally about this, no status updates so far.)
I don't think that's a bug. It sounds like you are asking to be unsubscribed from a mailing list, and they're honoring that request. It's on you to make sure you're doing that for the proper emails.
I'm always fearful of clicking unsubscribe. It's a way of telling the spammer "hey, this email is really used by a real human, spam the hell out of me"
Unsubscribe isn’t for spam. It’s for when your stupid bank sends stupid marketing emails to you, but they’re your bank and you can’t just block them, so you politely ask them to stop. There’s laws (the CAN-SPAM act) that say they have to honor your unsubscribe request and stop sending you non-transactional emails (with a few other exceptions.) Ditto the dealership you bought your car from, that online shop you used that one time, etc.
I typically report companies that violate this (Chase, I’m looking at you with your “transactional” emails that are just thinly veiled ads) to the FCC (there’s an online report form) but I don’t know how much it helps.
You use unsubscribe for anyone with which you have some sort of prior relationship. Anything else is spam, report it and move on.
I have been subscribed to so many marketing "newsletters" without my express consent, either by a deliberately confusing registration processes that successfully tried to sidecar the newsletter upon registration using some combination of checkboxes, or straight up silently added out of nowhere just because we had a business transaction once. This is spam as far as I'm concerned since it's unsolicited marketing, but often still honors List-Unsubscribe standards.
Sometimes it's understandable that someone wants to simply filter these mails as spam than go through whatever convoluted process they have in mind for unsubscribe. It's easier and discourages the practice of signing people up to random newsletters.
Any remotely legitimate mailing list will respect unsubscribe requests, lest they run afoul of the CAN-SPAM act and/or start getting blacklisted.
Years ago I worked at a large email service provider for bulk mailings on behalf of large customers and we took unsubscribes very seriously.
And for the really truly spam/scam emails, the unsub link is the least of your concerns since delivery and tracking pixels confirm the address is real and being used. The true spam usually doesn't even have an unsub link. In those cases mark as spam and hope that your email provider starts flagging them as spam before it ever makes it to your inbox in the future.
I'm an aggressive unsubscriber and 99% of the time it works. Very little junk flows into my inbox these days.
Unless you use an iPhone, then there is no way to shut off images in gmail. Seems a bit strange that they'd not have that feature, when gmail was the first big provider to disable images by default.
That is inaccurate. I have disabled image loading in Gmail and this is reflected in the web interface, the Gmail Android app, the Apple Mail app, and very likely in all other mail clients. Just to be clear, you do not need an iPhone to shut off images in gmail.
I mean in the gmail app for iphone. Gmail images are off when I use a desktop, they're off when I use the andriod app, but I was surprised to see images in email when using the gmail iphone app.
Last time I went searching, I found google documentation that said there are no image options for the iphone app.
The feature is present for some time now on both major platforms, both in the Gmail app and the built-in Mail app, on (some) 3rd party mail clients, and in the web interface.
This is why I usually hit the Report Spam button. Sometimes I'll receive a legit looking email that I plausibly signed up for but don't remember - I could follow the unsubscribe link/hit unsubscribe and be a good citizen, but at that point the safer thing to do is to not interact with the mail and let Gmail know I don't want this anymore.
I'd rather receive the mail and let Gmail put it into a blackhole than try to solve the problem upstream myself and have the small possibility that I either miss a newsletter and get spam anyway, or tip off some system that my email address is "real".
I'm fairly sure that spammers are sending legitimate-lookingailing list type spam to do exactly this. Appear like misdirected mail to catch email addresses.
I don't know about Gmail, but I once accidentally hit unsubscribe on a Yandex mail account I use solely for getting mails from mailing lists and it unsubscribed me immediately, no questions asked, and without any way to undo. I tried removing the sender from the unsubscribed mailing lists, removing and adding the subscription on the mailing list side half a dozen times, but nothing worked.
> If you use Gmail or frequently send mailing list emails
Now that's your problem right there. _Don't_ use Gmail. You're not just giving up your own privacy, you're hurting the privacy of everyone who corresponds with you. There are plenty of non-US free email providers, and many/most of them are at the very least much better than Google in this respect.
Also _use a mail client_, not your browser. Thunderbird, KMail, evolution - even (ugh) Outlook.
This comment isn't constructive or substantively related to the article it's on. But on the subject of privacy:
I'd rather have my data in the hands of Google -- a company with strong compliance and the world's best non-government infosec outfit -- than in the hands of any of the other companies listed.
"Strong compliance" - to what? It strongly complies with the government's expectation of access to all of your data.
"best non-government infosec outfit" - but that outfit is not securing your information _from_ Google, the US government or Google's business parties; it secures it from other individuals and unaffiliated organizations.
I'd rather have my data in Google's hands, where I basically know who can access it and when (US government with a warrant or NSL, Google employee with a specific business need, no foreign governments, no hackers) than in the hands of some company that for all I know exposes their production DB to the public internet with default username and password enabled.
I guess there's always E2E encryption, but I'd like to be able to recover my emails if I lose my password.
We've had "Add List-Unsubscribe Header" on Trello for a long time, but for some reason I had it in my mind that there was a ~60 character limit.
I appreciate the post because after revisiting it, I think that info was gathered from a few-years-old blog discussing a specific limit in (maybe?) Gmail, but it sounds like it can be broken down into multiple lines.
I don't think there are "multiple lines", just that you can have quite large HTTP headers and this one happens to contain a comma followed by a space, which the text view is using to word-wrap.
The worst are emails that require a login or other input information on their unsubscribe page, or ones where the mobile unsubscribe page does not work. I report these as spam just so they are punished for the dark pattern, but I think these might also be violations of the CAN SPAM act.
I try to be reasonable here. If it's something from a business I transacted with in the past or recognize the name, I will unsubscribe. I don't consider it spam. And I don't want to hurt their reputation.
I do keep track of if I already unsubscribed from a related list. Sometimes "unsubscribe from all" is completely ignored. Which really angers me.
If it's a random, clearly bought newsletter list from a related list, it depends on my mood. Likely spam.
Other notorious example: business A founder also founds (unrelated) business B. They just email their entire A client base with zero association to A. Big peeve of mine.
-- Edits (some more ramblings) --
My personal favorite: the "I want to receive marketing email" checkbox that rechecks if you have an unrelated issue with your transaction. Say, invalid CC details.
Still, even with these boxes, I think my standard is just: "I did business with them, I will get at least 1 marketing email. I'm ok with that. I will unsubscribe and not hear from them again." Anything past that is unacceptable.
To be clear: that's not how I think it should be. It's just how businesses, even small, genuine mom and pop shops, have been taught to operate. It's cultural.
It reminds me a lot of tipping in the US. I'm vehemently anti-tipping "culture" because a standard 20% is the opposite of rewarding for performance. But I still tip at a baseline of 18%+.
It's too ingrained. And I'm not going to protest by not tipping and try to change it.
I think we've come too far unless changed by law or restaurant management. Same goes for marketing emails.
I try to be a little more reasonable here. If it's a business that required me to sign up to do business with them and didn't allow me to opt out of their marketing emails then I have no problem whatsoever clicking the Spam button. And, if their marketing emails go to a third party domain -- such as a bulk emailer -- then it goes into the Phishing bucket regardless of whether or not I opted out of their marketing emails.
So much of my “spam” is from services I definitely signed up for because I have a legit use for, Or product I’m glad to pay a fair price for, but they never even asked if I wanted to get emails from them during signup/checkout-the emails just start coming in.
I suspect it's because it works for enough people that it pays off.
Every now and then I forget how annoying it was last time, and I think it would be nice to donate money to some sort of charity, and then they proceed to spam me for the following year. A couple years later I forget about he experience, and the cycle begins again.
I experienced this after donating money and volunteering a few days to support a local public defense charity for people who can’t afford legal representation, but then I started getting emails from other charities. I once decided to let this ride and see how far that email address would go (signed up using a gmail account with a “+charity_name”).
In the span of two years the following happened:
* Original Charity I actually donated money to started emailing me
* then a second local charity I did NOT donate money to
* then I began getting messages from a local political candidate who was friendly with first charity
* soon after that Another local political candidate
* Then a statewide political action committee.
At no point in that original donation flow was I ever even asked “can we email you other communications?” I presume the “we will share your email with anyone we damn well please” was baked into whatever boilerplate privacy policy existed in the background of the site they used to collect and process donation payments. Which is a whole other problem.
Is “getting out of hand” a hyperbolic reaction to how cavalier the use of mailing lists and newsletters have become when people sign up just to use a personal finance app or donate to causes?
I donated $20 to doctors without borders four years ago (a friend wanted that in lieu of bday presents). I've since gotten close to 50 letters from them and other charities. That cost far outweighs the $20 I gave them.
Because people like the GP and the GGP click "Spam" instead of the unsubscribe link/process for these services. (I do the same if I can't unsubscribe easily.) Any service that requires me to login to unsubscribe, rather than provide a tokenized unsubscribe link in the email, can suck it.
I try to be reasonable here. If it's something from a business I transacted with in the past or recognize the name, I will unsubscribe. I don't consider it spam. And I don't want to hurt their reputation.
I'm the same way. Except for two: Staples and eBay.
Staples will send me three e-mails asking me to review a product that I ordered, but that Staples hasn't even shipped to me yet. Spam.
Recently I purchased one item from eBay using the Guest Checkout feature because I don't have an eBay account, and don't want one. Now eBay sends me e-mails all the time. In order to unsubscribe, I'm instructed to sign in to an account I don't have. Spam.
People abusing their existing platforms is a huge problem; the incentives are all wrong.
This is an extremely common annoyance of mine with Kickstarter campaigns. I back a lot of projects, and it's insane how many creators abuse the "project updates" system to promote other projects, often totally unrelated and from totally different creators. They're clearly getting paid for these promotions. I can't just "unsubscribe" from the updates because I do need to be aware of "real" updates that may require my input/action.
And many apps that rely on push-notifications for their core functionality are polluting these streams with ads. Uber basically admits this: they send ride updates by sms because they know people turn off their ad-filled push notifications.
My town is also using its covid-emergency-updates sms system to advertise local composting.
This is becoming an acceptable practice, and it seems impossible to filter the cruft.
I take a very hands on approach with these people.
They get a mail saying one more spam from them and I will ensure I never buy anything they make again, add them to blacklists and tell other people they are spammers.
They tend to go the attack/whine route about being a struggling entrepreneur, and I try to educate. Of the ones who actually engage, about 1/3 seem to come around, which I consider a pretty good rate. (I follow through with the rest. They're just shithead spammers.)
> Other notorious example: business A founder also founds (unrelated) business B.
The worst for me is if you donate to one political campaign, once, you will be on every mailing list for every single candidate in that party for every single election; in every single country, state, county, province, parish, district, or city; forever.
I know that's how politics works today, but, Jesus, the #1 thing making me not want to participate in one of the major parties is this.
> If it's something from a business I transacted with in the past or recognize the name, I will unsubscribe. I don't consider it spam.
I do consider it spam, unless the email is actually about a previous transaction. I don't equate doing a transaction with a business with permission for them to bother me about something unrelated.
> Sometimes "unsubscribe from all" is completely ignored. Which really angers me.
I have a big problem with this and never know what to do.
Person buys my course after following newsletters for a while. All good.
I put them on a followup list that helps guide them through the course and keep them on track. All good.
They get a newsletter they don’t like and unsubscribe.
Now they stop getting followup guidance emails for the course. This is a problem. Almost certain not what they wanted to happen either. But okay I honor it.
A while later I make a huge update to the course or migrate to a new platform. I need to tell every buyer that their account is moving. But some have unsubscribed from all emails.
> Now they stop getting followup guidance emails for the course.
This might be the ex-marketer coming out in me, but surely the course guidance emails could be considered transactional to the service and be honoured by a different opt-in/out policy to the newsletter?
> I need to tell every buyer that their account is moving
Again, this use case isn't marketing, and should very much be allowed as a requirement to keep people informed about the use of their data. In the same way a "change password" email is allowed to be sent.
From the sidelines, I'd think the answer is that your email platform should have that feature, or you should consider using entirely separate flows/tools for transactional emails and marketing emails. Not a lawyer, but AFAIK transactional emails are not subject to Spam rules & don't even need to have an "Unsubscribe" link. Mixing the two is just causing yourself needless pain.
Why would unsubscribing from your newsletter stop them from accessing the content? Is the content only delivered via the newsletter from which they unsubscribed?
Github notifications that you signed up for but now don't want any more aren't spam.
Marking them as spam messes with Github's deliverability to all GMail users and may prevent you from getting notifications in your inbox in the future if you decide to sign up again.
Should I be concerned with how Google treats my signal globally? Honest question. If I were Google I'd recognize that how the email is stopped before getting to a user's inbox probably won't matter to them and factor that into how the unsubscribe and mark as spam buttons work. As a user I expect my treatment of "mark as spam" on a GitHub notification to be more heavily weighted in my personal spam algorithm than the global spam algorithm.
I don't think anyone outside Google knows the exact details, but GMail clearly calculates a global reputation score for each sender that is influenced by what percentage of recipients mark its messages as spam. Then there's some additional weighting on top of that based on your personal actions.
Additionally most reputable email senders have a "feedback loop" set up with Google, Hotmail, and Yahoo where clicking that Report Spam button actually passes your email address back to the sender's email system. For example if you click Report Spam on one of our email newsletters in GMail, we will flag your record in our database and not send you any more messages even if you specifically sign up for a newsletter in the future. (Please don't test this.)
When you ark it as spam it helps train google's spam fighting that mail like that is spam.
Now if it's unsolicited stuff -- SPAM -- no problem. But if it's a list you once signed up for and now no longer want, you're telling google -- for everyone -- that mail like that is spam. Even people who signed up for it (like you did) and still want it. That's unfair to the company and unfair to all those other people too.
But someone randomly blasting you with crap as is the usual case (and I includes that company you once did business with and who signed you up without your permission): that's what the spam button is for.
Personal preference, but I feel like unsubscribing or hitting spam is you sending your sentiment back to the sender in two different ways.
If you unsubscribe you're saying that you're no longer interested in the list, you see the merit but don't want to receive it any more for whatever reason.
If you hit spam you're saying this email should never have come to me, or I don't want to expend the effort to stop it from coming to me.
If the sender makes unsubscribing as easy as hitting spam (by making sure the Gmail unsub button works for example) then they make it more likely for their recipients to send the appropriate feedback - ie not hit the spam button.
Spam doesn't remove you from the senders email list.
While many senders will remove people who hit spam on their emails but not all do it. After a while, emails could be getting past the spam filter again.
Unsubscribing is usually more effective at stopping unwanted emails from any semi legitimate company as they are required by law to honor it.
If you want double protection, you can always do both.
Especially since in many instances, you don't actually want a dialogue with the spammer. I don't want to 'unsubscribe' myself given that I didn't 'subscribe' myself in the first place. Also, why would I let the spammer know that I read the email and my email is active?
In this case, you're doing the right thing: you didn't ask for it, it's spam. Presumably, you classifying it as spam helps the spam filter learn and apply that knowledge to others' inboxes, too.
They still come to me when I hit spam, and the unsubscribe button doesn't always work either. I still find myself using the distributors unsubscribe button most of the time.
For the mailing list owner, that's a risk that comes with sending out spam. If I have no prior relationship with a company, then I have no reason not to mark an email as spam. If I have a prior relationship with a company, but they are sending out unrequested emails, then I should mark it as spam. For example, if an email address is provided for package delivery updates, but is then used for unrequested periodic advertisements, that is spam.
In that case, I do have an obligation to unsubscribe rather than reporting the email as spam. I view the "report spam" button as a form of punishment, meant to disincentivize bad behavior. Misuse of email addresses should come with the risk of having all emails marked as spam. Losing interest in a mailing list that previously interested me is an expected result over time, and would not be appropriate to report as spam.
Yes, but GP was asking about consequences of clicking the spam button vs just unsubscribing. Sure if you start getting unsolicited emails, by all means click that Spam button. However, if you're just tired of getting delivery updates just unsubscribe.
I generally click "unsubscribe" in the email, then if I have to do more than click a big, obvious confirmation button on that page I close the tab and flag it as spam.
Fun fact: at least in the US, the CAN-SPAM law is actually pretty specific about how unsubscribe pages work. If it requires more than typing your email address and clicking a button then it is probably not compliant.
Why are they even allowed to make you type your email address? I used different email addresses for everything I sign up for so I have to go back to the email to see what I used. Very inconvenient.
This is why I'm glad I use an email service with a personalized spam filter. Gmail's spam filter too heavily assumes one person's spam is everyone's spam.
Whereas mine is pretty reliably never sending false positives to my spam folder. Fastmail wins again.
> exponentially worse than the physical mail system used to be
Really? Ignoring the "Spam" folder (which I never check), I get way less junk email than snail mail. And the snail mail is reliably 95% unsolicited garbage.
To be fair, Fastmail lets you set rules to route stuff to Junk, whereas USPS actively facilitates routing garbage to your mailbox [0].
You must be older because I've found my parents get a lot of junk mail. My wife and I get very little junk mail though we also rarely provide our physical address.
I get tons of email, a lot of it being spam. I've had my email address for well over a decade.
This. We order lots of stuff online, and I'd guess our info has been resold to 3rd parties many times. I provide a PO box whenever possible, but if something is being shipped...
What about a mailing list you signed up for and enjoyed at first, but lost interest after one year? Was that email always spam? Is it spam now?
Not all messages that get put into the spam folder are actually spam. There’s a wide variety of emails that aren’t spam, but also aren’t necessarily wanted anymore either. Those are the ones this article is focusing on. Make it easy for your readers to unsubscribe so they don’t call you spam.
here's the deal. if I give you an email for a transaction, that doesn't mean I want your future marketing. That is spam and that is how I mark it. If you want to keep sending me marketing, then ask permission.
I just mark as spam. Too many unsubscribe links want me to type in my email address, ain't nobody got time for that.
If it's a newsletter I actually signed up for, I respect that and will unsubscribe, but the majority is unsolicited spam where a company feels is OK because I happened to have bought a product they can now email me 8 times a day.
At work we have about 200K mailing list we target after some segmentation is done,so it's about a few thousand people for any give campaign. We had some settings wrong,which meant thst no reply wasn't enabled.People would rather respond to an email and ask to unsubscribe or rant about it but rarely click unsubscribe button.
> People would rather respond to an email and ask to unsubscribe or rant about it but rarely click unsubscribe button
It's a bit ironic to complain about getting unwanted emails from a bunch of users when they're literally just replies to unwanted emails that you sent them
[0]https://blog.tinned-software.net/permanently-reject-a-specif...
Wow
Less technical folks would likely complain about it, as it tends to resemble the spam that was sent from their spoofed domain (I.e. “re: fake pills” subject lines as the rejection message hits their inbox).
This error message is often delivered to a catchall account, they are often configured with small mailboxes, that box fills up, throws alerts and ticks off a sysadmin somewhere. I only do this in cases where it's easier to SSH into my box and configure it than unsubscribe, and never to random address spam as that is wack-a-mole and futile.
I think the sending servers may also be misconfigured to get around greylisting. As sometimes they will try repeatedly to deliver to me. My server dutifully rejects each attempt and the messages pile up on the other side.
https://en.wikipedia.org/wiki/Lavabit
You can really easily create aliases for specific sites or just a general spam@ alias on your own domain. Then if it gets abused you can mark all mail directed to that alias to bounce.
You could later re-enable it if you wanted to.
The thing is you don't want to completely blackhole/delete messages received at a valid randomly-generated address, but which were sent by an unexpected sender. For that, I have a separate "Suspicious" child of my main "Inbox". The main exception I've seen that falls under "Suspicious" is that Amazon shares your account's email address with their shippers; so you'll receive a Fedex delivery notification at your Amazon address, which falls under "Suspicious" because the sender address doesn't originate from Amazon.
What I find mildly strange is that, in the 2 years since I've migrated from Gmail to a super-organized and rules-based organization with Fastmail, I have literally not received a single spam email. I credit this to having migrated my GitHub account to use their privacy wrapper, so none of my commits have a personal email attached to them. I thus suspect that most developers who receive spam have had their email crawled from commits to public Git repositories.
Of course, there is a caveat: I do not expect to be able to maintain this kind of scheme into old age. There's no way, at 60-70-80-90 years of age, that I will still be mentally capable of managing a wildcard domain. So while it works for now... at some point I will need to simplify back to a single email address. Sigh... fml in advance. :(
Do you think this will get technically harder and you'll no longer be familiar with the "new" process? Or are you more worried about your mental capabilities in general when you're that age?
I’ve gotten some spam, but so far it’s only come in to aliases I haven’t made (like info@) which I think I can block in the fastmail settings.
[1] https://help.github.com/en/github/setting-up-and-managing-yo...
Basically, it allows you to create email aliases without having to whitelist.
Setup yourname@yourdomain.com and reject everything else arriving there.
Accept anything at @i.yourdomain.com
I have an inbox, everything yourname@yourdomain.com arrives there.
Then I have an "other" mailbox where all the @i.yourdomain.com emails arrive.
If there is a really annoying website that doesn't respect my wishes I create a filter for the offending email to ban any mail to my spam folder.
Going back after and saying you don't exist is like answering the phone and going "nobody is home".
Edit: I suppose this ghost setting could be used for future delivery attempts though. Perhaps this is what you meant originally.
If I get another message from them, Step 2 is to setup a mail rule to put everything from their company into the Junk folder.
If the sender just added me to their list without consent? Straight to spam.
Delaying step two requires book keeping.
Immediately blocking is low effort with effect.
In few cases, where senders seem to be "proper" companies I do a GDPR request. Sometimes they provide valuable information about address brokers etc.
Translates nicely to interpersonal communication
For that reason I have no need to be “nice” to entities who send me unsolicited email. I avoid clicking any link on email I didn’t request as - just like answering the phone confirms that a live person is home - clicking “unsubscribe” just means the email address is valid and has a human behind it.
We have to stop pretending like there are humans behind our communication. If I had to guess, 99% of my email volume is generated by a machine of some sort.
[1] https://stuff.mit.edu/~jik/software/bogofilter-milter/
The issue is that there are good-faith and bad-faith unsubscribe links. Clicking the unsubscribe button can thus either have a good outcome (less junk mail) or a bad outcome I ardently want to avoid (letting a spammer know my address is active).
I'm sure Google knows this and does some verification and detection to try to prevent that bad outcome, but as an end user, I don't have much visibility into how well that works. It's a hard problem, but Google is smart, so it's possible they've solved it, but I don't really know whether they actually have.
So in practice, I always read over the email in question carefully to try to judge for myself whether it's safe to click the unsubscribe link at the bottom. It's annoying, but the effort seems worth it.
> This only works for some senders right now. We’re actively encouraging senders to support auto-unsubscribe — we think 100% should. We won’t provide the unsubscribe option on messages from spammers: we can’t trust that they’ll actually unsubscribe you, and they might even send you more spam. So you’ll only see the unsubscribe option for senders that we’re pretty sure are not spammers and will actually honor your unsubscribe request.
https://gmail.googleblog.com/2009/07/unsubscribing-made-easy...
[1] https://en.wikipedia.org/wiki/Hashcash
Hashcash is "used anywhere" in the sense that it's the idea behind bitcoin. There's a duality here where the very introduction of limited scalable resources which makes a cryptocurrency possible, also can be used in a different way to make spam impossible.
In that duality it is actually kind of interesting to think about IM2000. One would imagine a cryptocurrency based on something like "proof of network bandwidth shared" or something, which would be really hard to theoretically formalize. But if you could get a secure definition then that fundamental idea becomes rather explosive. Like I imagine a sort of viral peer-to-peer filesharing network kind of like BitTorrent which would end up as a sort of alternative to the World Wide Web; whereas there are huge clusters of bitcoin miners right now trying to chug out more proofs-of-work, in that situation you would have large numbers of proxy hosts trying to mirror more and more files online.
Right now it would be possible to do some really nasty things to bitcoin by designing software which stores arbitrary files in the spare bits in the ledger. If that software becomes really widespread then inevitably someone uses it to upload MP3s or, worse, illegal pornography and those things get ossified into the Bitcoin ledger and you cannot remove public access to that content without taking down the entire blockchain; probably what happens in practice is that the sharing software itself gets demonized as "only pirates/perverts use that sharing software." But one is immediately confronted with concerns about "hey if I download the blockchain am I technically performing an illegal action" to which the legal answer is probably "yes" at that point. The law doesn't usually care about whether you need sophisticated software to decode that crap.
If you had a cryptocurrency that was based on "I hosted and transmitted data, but I don't know what that data was" then I think you would have a sort of robustness to the network, maybe, where the offending data is not in the ledger. With that said, probably it gets a similar stigma as "only pirates/perverts use that, all the rest of us use the web."
Sounds like they were advocating a solution to spam [1]. I wonder why it didn't work...
[1] https://craphound.com/spamsolutions.txt
IM2000 probably would have succeeded if it had gotten the attention from him to go past a random idea into a well-specified protocol with a canonical implementation. Standards work is hard!
Honest question- why does this really matter? Or at least matter to any degree where you would rather have more junk mail than potentially stop spam/undesired emails.
If a spammer sends out 1000 emails and gets 100 bouncebacks.. then they keep on sending to the other 900. You are one of those 900 and you click unsubscribe.. sure, they can detect that your email is active. But are they really going to stop sending to otherwise? It's not like people are constantly changing email addresses these days.. if I were a spammer and I had a valid list, I would basically assume that's a valid email if I don't get a bounceback.
So I just don't get how detecting that someone attempted to unusbscribe is that much of a 'tell'.
I cannot vouch for the story but it looked as legit as the average HN story back then so it might be true (or not).
The goal is to find people who don't know any better..
Wouldn't someone who is like "this is spam, get me off the list" be way LESS likely to be a good scam target?
1) if I never signed up goes immediately to SPAM
2) if I did signed up I make the effort of going through their unsubscribe procedure
3) if I still get emails after (2) goes to SPAM
Profit!
https://www.ftc.gov/tips-advice/business-center/guidance/can...
Each violation of the CAN SPAM act can be met with huuuuuuuuge fines.
If I get an email from an email I don't want legitimate company, I unsubscribe and never have to worry about getting non-transactional email from them anymore. I _do_ still get transactional emails from them, because I didn't misclassify them as unsolicited.
1) If I never signed up goes immediately to SPAM.
2) If I did signed up I make the effort of going through their unsubscribe procedure.
3.1) If I still get e-mails after (2), I file a request for my personal data under the GDPR (EU citizen here).
3.2) Once I got that, I use the GDPR to delete all of the data associated with my account / e-mail address.
4) If I still get e-mails after (3), it goes to SPAM.
With step 3, I hope that I can make them notice their bad behaviour. My goal is to drive up the costs of that behaviour (so they get incentivised to change it). Also, I'm generally interested in the personal data that a service has associated with me.
It costs them nothing to process your request - you're wasting far more of your time crafting the request than of theirs.
Note that I'm also doing this because I'm interested in the data, so its much less waste of time.
* Message body contains "unsubscribe" -> Skip inbox, archive
* Message body contains "webinar" -> Skip inbox, mark as spam
If they use a reputable bulk mailing service instead of using their first-party domain then they are indistinguishable from a phishing attack.
With most bulk mailing services, the message will come from the "first-party domain". They will have configured that service as a legitimate sender for the domain via SPF/DKIM DNS records.
It's not just the from:marketing@firstparty.com that I'm talking about. If the unsubscribe link does not also go to firstparty.com, then it's still indistinguishable from phishing.
Tell that to the links in the email that go to the reputable service's click aggregation service.
Gmail has over a billion active users. Mailing lists will probably adapt to whatever crumbs Google leaves on the doorstep.
I had to dive into this a bit for something and work and it’s just fascinating how much effort has been spent in trying to combat spam, build a reputation based system for emails etc. And this article does an amazing job of explaining list-unsubscribe...although the RFC is pretty easy to read too!
If you know my email address, then put a token in the unsubscribe link so you can retrieve my address on your end, rather than making me retype it. If you don't know my email address -- maybe you are sending to a list, not to me -- then I consider you spam because you don't actually have the direct ability to remove me.
This is a real problem for us - not a made up scenario. So we remove the auto-filled email on the unsubscribe form.
Subject: "Was it something we said? crying emoji". Body: "If you want to go... we won't stop you. [...]" Footer: "You're receiving this email because [...] subscribed to Firefox Account Tips.
Yeah, thanks for the ~~tip~~ spam.
Felt like going through one of those dark pattern flows that Spotify or Amazon have when you try to unsubscribe from their paid plans, trying to guilt you into reconsidering.
(Still better than Google, though.)
Legitimate mailing lists have problems with people forwarding emails, when the recipients of the forwarded emails click the unsubscribe button, they will unsubscribe the original recipient who didn’t want to be unsubscribed.
As to why they forward it in the first place: how would I, an individual, know whether or not my mom will want to use the 20% coupon code for a cosmetics store I just received, but don't want to use? I'd ask her. I can ask her via an unsolicited phone call or email. Am I a spammer if I do that?
Similarly, if my mom clicks the "unsubscribe" link on what I forwarded, mistakenly thinking that it was sent to her directly by $costmetics_company, that sucks for me if I ever want to use their coupons.
An even more annoying situation is when someone in charge of procurement for a business forwards a "shipping confirmation" email to an employee as a means of indicating that the employee's requested purchase is on its way. If that employee makes a mistake (e.g. they have a lot of commercial email in their inbox and click the wrong one/are sleepy/whatever) and clicks "unsubscribe" on that shipping confirmation, the procurement person won't get any future confirmations for any orders for anyone.
There are mitigations to this (the shipper could use transactional emails without unsubscribe links, the procurement person could do something less lazy than just forwarding the email wholesale), but in the real world those often don't happen. So autofilled unsubscribe then causes problems for random upstream people, not the forwarded recipient.
Someone on the other hand was trying to wave away the whole idea of one-click unsubscribe due to this which seems to me more like lobbying towards adding another step requiring one to put their email in in order to unsubscribe (or put it another way - decreasing the unsubscribes).
So auto filled unsubscribe needs to exist. I never want to go back to the universe where that is not regulated and easy-to-use. Also in the UK there’s still loads of physical paper spam and I would hate if that was also the case for e-mails.
I think the better approach is simply showing the "Intended for johndoe@example.com" next to Unsubscribe, but I could see why they ask for your email.
I don't see why you have to involve the web at all, but I can tell you that if I have to go through a bunch of bullshit when I want to unsubscribe I'll just mark it as spam instead. However appreciated and anticipated your newsletter is, you have to consider that most newsletter subscriptions are probably either accidental (failed to uncheck some box when signing up for something entirely different) or straight up unsolicited, and people like me will basically purge all their subscriptions without discrimination regularly as the crap builds up.
Because List-Unsubscribe is very new and not supported by all email clients or ISPs (inbox service providers). Since adoption is so spotty, most ESPs (email service providers) start from a baseline of a web unsubscribe system and (maybe) supplement that with List-Unsubscribe as well.
This situation will likely improve over time.
Adoption of it doesn't matter insofar that you can use the same link in the body as a fallback, which was part of my suggestion.
"ESPs" don't care because cumbersome and convoluted multi-step unsubscribe is a selling point for the majority of people who use such systems. They have moved from simple mail based unsubscribe which was the norm for years.
https://twitter.com/mohd_irteza/status/1227772431605149696?s...
https://twitter.com/zachalberico/status/1247951473876422656?...
It's basically impossible to know if you've done the right thing.
> Sorry for any confusion. Select the box next to each desired communication option or deselect to stop communications.
So... if I uncheck the “unsubscribe” button that stops communications?!?
Yeah - very confusing though.
Marriott Bonvoy Assist @MBonvoyAssist 9 Apr Replying to @zachalberico Sorry for any confusion. Select the box next to each desired communication option or deselect to stop communications
Now I think I understand what they are saying, but it’s not a great explanation either. A new sentence before the ‘or’ would have been helpful.
I run a newsletter where both subscribe and unsubscribe do double-opt-in (i.e., both subscribing and unsubscribing send you an email with a confirmation URL with a token - each newsletter has an unsubscribe link but that link doesn't include the token). Maybe this is a mistake? Is the norm that anyone can unsubscribe anyone else from newsletters?
Just use mailto links in List-Unsubscribe.
Use the same link in the body of your mail for your unsubscribe link.It's convenient, standardized and removes the need for further confirmation because you know who sent the mail.
That said, I don't see what the big deal is. If you forward a newsletter issue in its entirety to someone else, they hate it and feel confused enough about receiving it to click the unsubscribe link, maybe the sender deserves being unsubscribed. The absolute most you should do at this point IMO is to notify them that they were unsubscribed.
> Just use mailto links in List-Unsubscribe.
List-Unsubscribe is not widely enough adopted to be the only means of unsubscription (yet): https://news.ycombinator.com/item?id=23360654
> maybe the sender deserves being unsubscribed
That's super presumptive/rude. Also not how interactions between people work, at all. The potential consequences of a mistaken forward-unsubscribe are also often quite large: https://news.ycombinator.com/item?id=23360619
I am not suggesting List-Unsubscribe as the only means of unsubscription. Read my post again. It also is widely adopted. gmail.com, Mail (OSX, iOS) and outlook.com together probably represent the majority of clients now and all support List-Unsubscribe.
> That's super presumptive/rude. Also not how interactions between people work, at all. The potential consequences of a mistaken forward-unsubscribe are also often quite large
Maybe my view on the matter is colored by the fact that my friends and family don't send a bunch of useless marketing to me, and I have the decency not to send them any. Still, my suggestion solves the problem if you have it without involving a convoluted process to cancel a subscription. I absolutely could not care less about the dire consequences of not receiving a steady stream of cosmetics coupons, but whatever floats your boat, email-based unsubscribe works.
https://www.telemedicus.info/urteile/Wettbewerbsrecht/Werbun...
That term is super widely used in spam-prevention, commercial email sending, transactional email sending, and inbox provider industries.
You can disagree with the phrasing if you want, but that doesn't make it propaganda--not any more than the Orwellian naming of the "No Child Left Behind" act makes the law itself propaganda.
I tend to use the checkboxes to mark groups of emails as spam, then also chosen "unsubscribe me" without checking where they came from (since I don't want to open them).
When it happens to be spam sent to a mailing list, this feature unsubscribes you from the mailing list. When it's a Google group you moderate, good bye moderator status! Oops! (Filed a bug internally about this, no status updates so far.)
> without checking where they came from
I typically report companies that violate this (Chase, I’m looking at you with your “transactional” emails that are just thinly veiled ads) to the FCC (there’s an online report form) but I don’t know how much it helps.
You use unsubscribe for anyone with which you have some sort of prior relationship. Anything else is spam, report it and move on.
Sometimes it's understandable that someone wants to simply filter these mails as spam than go through whatever convoluted process they have in mind for unsubscribe. It's easier and discourages the practice of signing people up to random newsletters.
Years ago I worked at a large email service provider for bulk mailings on behalf of large customers and we took unsubscribes very seriously.
And for the really truly spam/scam emails, the unsub link is the least of your concerns since delivery and tracking pixels confirm the address is real and being used. The true spam usually doesn't even have an unsub link. In those cases mark as spam and hope that your email provider starts flagging them as spam before it ever makes it to your inbox in the future.
I'm an aggressive unsubscriber and 99% of the time it works. Very little junk flows into my inbox these days.
Does it work in Gmail? Since it doesn't load images until I athorize: https://i.imgur.com/RZ93VIU.png
Although note that IIUC the gmail default is now loading remote content. (Although they do load it via a proxy so that your IP isn't shared).
Last time I went searching, I found google documentation that said there are no image options for the iphone app.
I use Thunderbird, which doesn't load that stuff.
I'd rather receive the mail and let Gmail put it into a blackhole than try to solve the problem upstream myself and have the small possibility that I either miss a newsletter and get spam anyway, or tip off some system that my email address is "real".
Unsubscribe is your best bet as honoring opt-outs are protected by the CAN-SPAM act.
https://i.imgur.com/RZ93VIU.png
https://www.ftc.gov/tips-advice/business-center/guidance/can...
There's and RFC for List-Unsubscribe headers.
Now that's your problem right there. _Don't_ use Gmail. You're not just giving up your own privacy, you're hurting the privacy of everyone who corresponds with you. There are plenty of non-US free email providers, and many/most of them are at the very least much better than Google in this respect.
Also _use a mail client_, not your browser. Thunderbird, KMail, evolution - even (ugh) Outlook.
I'd rather have my data in the hands of Google -- a company with strong compliance and the world's best non-government infosec outfit -- than in the hands of any of the other companies listed.
"best non-government infosec outfit" - but that outfit is not securing your information _from_ Google, the US government or Google's business parties; it secures it from other individuals and unaffiliated organizations.
I guess there's always E2E encryption, but I'd like to be able to recover my emails if I lose my password.
I appreciate the post because after revisiting it, I think that info was gathered from a few-years-old blog discussing a specific limit in (maybe?) Gmail, but it sounds like it can be broken down into multiple lines.
See e.g. https://web.archive.org/web/20180605011201/https://www.list-... for a better example.
Gmail needs to handle that in a much better way to ensure they end up in spam for everyone else.
I'm not hitting unsubscribe if I didn't subscribe in the first place because it sends a signal to the sender that I don't want them to get.
I do keep track of if I already unsubscribed from a related list. Sometimes "unsubscribe from all" is completely ignored. Which really angers me.
If it's a random, clearly bought newsletter list from a related list, it depends on my mood. Likely spam.
Other notorious example: business A founder also founds (unrelated) business B. They just email their entire A client base with zero association to A. Big peeve of mine.
-- Edits (some more ramblings) --
My personal favorite: the "I want to receive marketing email" checkbox that rechecks if you have an unrelated issue with your transaction. Say, invalid CC details.
Still, even with these boxes, I think my standard is just: "I did business with them, I will get at least 1 marketing email. I'm ok with that. I will unsubscribe and not hear from them again." Anything past that is unacceptable.
To be clear: that's not how I think it should be. It's just how businesses, even small, genuine mom and pop shops, have been taught to operate. It's cultural. It reminds me a lot of tipping in the US. I'm vehemently anti-tipping "culture" because a standard 20% is the opposite of rewarding for performance. But I still tip at a baseline of 18%+.
It's too ingrained. And I'm not going to protest by not tipping and try to change it.
I think we've come too far unless changed by law or restaurant management. Same goes for marketing emails.
I try to be a little more reasonable here. If it's a business that required me to sign up to do business with them and didn't allow me to opt out of their marketing emails then I have no problem whatsoever clicking the Spam button. And, if their marketing emails go to a third party domain -- such as a bulk emailer -- then it goes into the Phishing bucket regardless of whether or not I opted out of their marketing emails.
What’s the deal with this?
Every now and then I forget how annoying it was last time, and I think it would be nice to donate money to some sort of charity, and then they proceed to spam me for the following year. A couple years later I forget about he experience, and the cycle begins again.
In the span of two years the following happened:
* Original Charity I actually donated money to started emailing me
* then a second local charity I did NOT donate money to
* then I began getting messages from a local political candidate who was friendly with first charity
* soon after that Another local political candidate
* Then a statewide political action committee.
At no point in that original donation flow was I ever even asked “can we email you other communications?” I presume the “we will share your email with anyone we damn well please” was baked into whatever boilerplate privacy policy existed in the background of the site they used to collect and process donation payments. Which is a whole other problem.
Is “getting out of hand” a hyperbolic reaction to how cavalier the use of mailing lists and newsletters have become when people sign up just to use a personal finance app or donate to causes?
If the unsubscribe link goes to a third party site, it's literally indistinguishable from a phishing attempt.
I'm the same way. Except for two: Staples and eBay.
Staples will send me three e-mails asking me to review a product that I ordered, but that Staples hasn't even shipped to me yet. Spam.
Recently I purchased one item from eBay using the Guest Checkout feature because I don't have an eBay account, and don't want one. Now eBay sends me e-mails all the time. In order to unsubscribe, I'm instructed to sign in to an account I don't have. Spam.
This is an extremely common annoyance of mine with Kickstarter campaigns. I back a lot of projects, and it's insane how many creators abuse the "project updates" system to promote other projects, often totally unrelated and from totally different creators. They're clearly getting paid for these promotions. I can't just "unsubscribe" from the updates because I do need to be aware of "real" updates that may require my input/action.
And many apps that rely on push-notifications for their core functionality are polluting these streams with ads. Uber basically admits this: they send ride updates by sms because they know people turn off their ad-filled push notifications.
My town is also using its covid-emergency-updates sms system to advertise local composting.
This is becoming an acceptable practice, and it seems impossible to filter the cruft.
They get a mail saying one more spam from them and I will ensure I never buy anything they make again, add them to blacklists and tell other people they are spammers.
They tend to go the attack/whine route about being a struggling entrepreneur, and I try to educate. Of the ones who actually engage, about 1/3 seem to come around, which I consider a pretty good rate. (I follow through with the rest. They're just shithead spammers.)
The worst for me is if you donate to one political campaign, once, you will be on every mailing list for every single candidate in that party for every single election; in every single country, state, county, province, parish, district, or city; forever.
I know that's how politics works today, but, Jesus, the #1 thing making me not want to participate in one of the major parties is this.
I do consider it spam, unless the email is actually about a previous transaction. I don't equate doing a transaction with a business with permission for them to bother me about something unrelated.
I have a big problem with this and never know what to do.
Person buys my course after following newsletters for a while. All good.
I put them on a followup list that helps guide them through the course and keep them on track. All good.
They get a newsletter they don’t like and unsubscribe.
Now they stop getting followup guidance emails for the course. This is a problem. Almost certain not what they wanted to happen either. But okay I honor it.
A while later I make a huge update to the course or migrate to a new platform. I need to tell every buyer that their account is moving. But some have unsubscribed from all emails.
Do I add them back or not?
This might be the ex-marketer coming out in me, but surely the course guidance emails could be considered transactional to the service and be honoured by a different opt-in/out policy to the newsletter?
> I need to tell every buyer that their account is moving
Again, this use case isn't marketing, and should very much be allowed as a requirement to keep people informed about the use of their data. In the same way a "change password" email is allowed to be sent.
That’s the tricky part that most “ew email is spam” folk forget. The definition of “all” can be super nuanced and most people don’t think about it.
It does. But the user clicked "No I want to unsubscribe all"
- Unsub from this marketing topic.
- Unsub from all marketing mails. You will continue to receive paid course content; to terminate see [account deletion request page].
On the account deletion page, make it clear that they'll lose out on further paid content, don't come back crying, blah blah.
Do you really want to open yourself up to being banned by your new platform, or facing a lawsuit over pennies in revenue?
Imagine being grumpy at a Starbucks barista once and now you can’t get Starbucks again ever anywhere.
Or a better example: You opted out of email now you can’t reset your password. Sorry can’t email you the link.
They unsub'd all meaning "no more emails ever" as you said. How do I tell them the stuff moved if they don't want to be contacted ever again ever?
Marking them as spam messes with Github's deliverability to all GMail users and may prevent you from getting notifications in your inbox in the future if you decide to sign up again.
Additionally most reputable email senders have a "feedback loop" set up with Google, Hotmail, and Yahoo where clicking that Report Spam button actually passes your email address back to the sender's email system. For example if you click Report Spam on one of our email newsletters in GMail, we will flag your record in our database and not send you any more messages even if you specifically sign up for a newsletter in the future. (Please don't test this.)
Now if it's unsolicited stuff -- SPAM -- no problem. But if it's a list you once signed up for and now no longer want, you're telling google -- for everyone -- that mail like that is spam. Even people who signed up for it (like you did) and still want it. That's unfair to the company and unfair to all those other people too.
But someone randomly blasting you with crap as is the usual case (and I includes that company you once did business with and who signed you up without your permission): that's what the spam button is for.
If you unsubscribe you're saying that you're no longer interested in the list, you see the merit but don't want to receive it any more for whatever reason.
If you hit spam you're saying this email should never have come to me, or I don't want to expend the effort to stop it from coming to me.
If the sender makes unsubscribing as easy as hitting spam (by making sure the Gmail unsub button works for example) then they make it more likely for their recipients to send the appropriate feedback - ie not hit the spam button.
If people start unsubscribing by hitting spam, then those users who still want to receive the mailing may have to search for it in their spam boxes.
While many senders will remove people who hit spam on their emails but not all do it. After a while, emails could be getting past the spam filter again.
Unsubscribing is usually more effective at stopping unwanted emails from any semi legitimate company as they are required by law to honor it.
If you want double protection, you can always do both.
Whereas mine is pretty reliably never sending false positives to my spam folder. Fastmail wins again.
The engagement and conversion rate on email is so low that the volume continually increases to convert further.
Really? Ignoring the "Spam" folder (which I never check), I get way less junk email than snail mail. And the snail mail is reliably 95% unsolicited garbage.
To be fair, Fastmail lets you set rules to route stuff to Junk, whereas USPS actively facilitates routing garbage to your mailbox [0].
[0] https://www.usps.com/business/advertise-with-mail.htm
I get tons of email, a lot of it being spam. I've had my email address for well over a decade.
> rarely provide our physical address
This. We order lots of stuff online, and I'd guess our info has been resold to 3rd parties many times. I provide a PO box whenever possible, but if something is being shipped...
Not all messages that get put into the spam folder are actually spam. There’s a wide variety of emails that aren’t spam, but also aren’t necessarily wanted anymore either. Those are the ones this article is focusing on. Make it easy for your readers to unsubscribe so they don’t call you spam.
What it does is show an Unsubscribe button above the email, which loads the unsubscribe URL into a small web panel below it.
You can also contact the company directly and ask to be removed from their list.
Then I started clicking "block this address" from another drop-down - never got any new mail. Much recommended approach.
I think the author missed adding a hyperlink in the summary at "You can check the source of an email to do this - here's a guide on how to do that. "
Occasionally, I'll sign up for something new, and get spam and then I have to do it all over again.
we need Rules on gmail... filters do the labelin work but they dont actually move the mails
is that not what you meant?
If it's a newsletter I actually signed up for, I respect that and will unsubscribe, but the majority is unsolicited spam where a company feels is OK because I happened to have bought a product they can now email me 8 times a day.
It's a bit ironic to complain about getting unwanted emails from a bunch of users when they're literally just replies to unwanted emails that you sent them