5 things you should know about email unsubscribe links before you click

library
crime | hacking | security

We all get emails we don’t want, and cleaning them up can be as easy as clicking ‘unsubscribe’ at the bottom of the email.

However, some of those handy little links can cause more trouble than they solve.

You may end up giving the sender a lot of information about you, or even an opportunity to infect you with malware.

Of course, not everyone who sends you mail is a spammer and if you know that a sender is trustworthy it’s safe to unsubscribe.

Unfortunately phishing attacks rely on the fact that it’s very, very easy to fake who and where an email has come from so it’s all but impossible to be 100% sure who has sent you an email.

Here are 5 reasons why unsubscribing can be a bad idea, whether you do it by sending a reply email or opening an “unsubscribe” web link:

1. You have confirmed to the sender that your email address is both valid and in active use.

If the sender is unscrupulous then the volume of email you receive will most likely go up, not down. Worse, now that you have validated your address the spammer can sell it to his friends. So you are probably going to hear from them too.

2. By responding to the email, you have positively confirmed that you have opened and read it and may be slightly interested in the subject matter, whether it’s getting money from a foreign prince, a penny stock tip or a diet supplement.

That’s wonderful information for the mailer and his pals.

3. If your response goes back via email – perhaps the process requires you to reply with the words “unsubscribe,” or the unsubscribe link in the message opens up an email window – then not only have you confirmed that your address is active, but your return email will leak information about your email software too.

Emails contain meta information, known as email headers, and you can tell what kind of email software somebody is using (and imply something about their computer) from the contents and arrangement of the headers.

4. If your response opens up a browser window then you’re giving away even more about yourself. By visiting the spammer’s website you’re giving them information about your geographic location (calculated based on your IP address), your computer operating system and your browser.

The sender can also give you a cookie which means that if you visit any other websites they own (perhaps by clicking unsubscribe links in other emails) they’ll be able to identify you personally.

5. The most scary of all: if you visit a website owned by a spammer you’re giving them a chance to install malware on your computer, even if you don’t click anything.

These kind of attacks, known as drive-by downloads, can be tailored to use exploits the spammer knows you are vulnerable to thanks to the information you’ve shared unwittingly about your operating system and browser.

So how do you avoid unwanted email without unsubscribing?

If the message is unsolicited then mark it as spam.

Marking something as spam not only deletes the message (or puts it into your trash) it also teaches your email software about what you consider spam so that it can better detect and block nefarious messages in the future and adapt as the spammers change their tricks.