That 'unsubscribe' button may be a scam
67 comments
June 15, 2025
wilkystyle
Exact same scenario with my alma mater, the University of Virginia. I finally just added them to spam and blocked the mailing list address.
gammarator
For UW specifically, it is possible that this can be explained by incompetence rather than malice.
Jaygles
I unsubscribe from mailing lists 20x more often than I knowingly subscribe to them.
It should be illegal to sign someone up to a mailing list without explicit consent. If I create an account with my email, or provide it as a part of a checkout process, you should not have the ability to sign me up to a mailing list without me explicitly opting in via a dedicated checkbox or button (and it should initialize as un-checked of course).
Breaking the mailing lists into 30 different categories is w/e, but auto opting people in to new categories should also be illegal. Such a scummy dark pattern
arp242
I used to run a mailing list for my blog. I've gotten some pretty hostile responses from people who were adamant they never subscribed to my mailing list.
I have no idea how this happened; I just coded a simple form with a basic Turing test ("please enter the number 9 here" works well enough for small sites). Did they forget they subscribed? Did someone else use their email? Did someone typo the email address? Bots? No way for me to know.
Ciunkos
Just assume every form on the Internet is being constantly filled with leaked or stolen data.
I am pretty sure they (the pissed off recipients) have never even visited your site. Their emails had been submitted by persistent fraud groups hammering every possible input 24/7 for their scam and spam ops. I observe such behavior on our apps and sites, even those that you would assume no one is even aware of.
Cloudflare’s Turnstile will help you block 90% of such threats, and the final solution is to double-confirm the subscription - this way you can be pretty sure subscribers are there willingly and have not been put in by crooks.
Nowadays, I would even ditch the email input and force “Subscribe with Google/Apple/xyz” via OAuth to completely mitigate this broken unauthorized newsletter subscription flow.
JimDabell
This is why double opt-in is best practice. They enter their email address, and you send them an email with a link they have to click to confirm sign-up. It makes it impossible for somebody to sign somebody else up.
Even with the best of intentions, somebody with the email address jim@example.com might inadvertently enter kim@example.com. You don’t want to lose Jim and you don’t want to spam Kim. So the outcome of entering an email address in a form should always be “now check your email to confirm”.
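The double opt-in flow this comment describes, as an added example that is not from the thread or any project it mentions: the form handler stores nothing and only produces a signed, time-limited confirmation link; an address enters the list solely when the confirm handler sees a valid signature. `CONFIRM_URL` and `SECRET` are placeholders, and the in-memory `confirmed` set stands in for a real subscriber store.

```python
"""Double opt-in with a stateless HMAC-signed confirmation link (illustrative)."""
import base64
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Assumption: these come from deployment config; the values here are placeholders.
SECRET = b"placeholder-secret-replace-in-deployment"
CONFIRM_URL = "https://news.example.com/confirm"  # hypothetical endpoint
TOKEN_TTL = 24 * 3600  # a confirmation link is good for one day

# Only addresses that completed the email round trip end up here.
confirmed: set = set()


def _sign(email: str, issued_at: int) -> str:
    """Bind the address to the issue time so neither can be swapped later."""
    msg = f"{email.lower()}|{issued_at}".encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")


def request_subscription(email: str, now: Optional[float] = None) -> str:
    """Form handler: records nothing, returns the link to send to the address."""
    issued_at = int(time.time() if now is None else now)
    params = {"e": email, "t": issued_at, "s": _sign(email, issued_at)}
    return CONFIRM_URL + "?" + urlencode(params)


def handle_confirm(url: str, now: Optional[float] = None) -> bool:
    """Confirm handler: subscribe only if signature and age check out."""
    q = parse_qs(urlparse(url).query)
    try:
        email, issued_at, sig = q["e"][0], int(q["t"][0]), q["s"][0]
    except (KeyError, ValueError, IndexError):
        return False
    current = int(time.time() if now is None else now)
    if not 0 <= current - issued_at <= TOKEN_TTL:
        return False  # expired, or a timestamp from the future
    if not hmac.compare_digest(_sign(email, issued_at), sig):
        return False  # address or timestamp was altered
    confirmed.add(email.lower())
    return True


if __name__ == "__main__":
    link = request_subscription("jim@example.com")
    print("mail this to jim:", link)
    print("confirmed after click:", handle_confirm(link), sorted(confirmed))
```

Because the token covers the address, a link mailed to Jim cannot be edited to confirm Kim; because it is stateless, the form endpoint cannot be used to fill a database with unconfirmed addresses.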
anonym29
Report them to spamhaus and get their mail servers added to spam blacklists. It's a great source of motivation for negligent mailers to get their **** together.
dpkirchner
They do the same thing with physical mail, sending out difficult to recycle slick mailers. I doubt they care at all.
snowwrestler
My general approach is: if I recognize that it is something I signed up for, I usually use the unsubscribe link (either in the email client or the email footer). If I get another email from them after about a week, I mark that as spam.
Same idea with text messages. If I know why I’m getting it, I use the “reply STOP” feature.
If I don’t recognize the sender of an email or text, I mark it as spam or junk. Apple Messages has a nice “delete and report as junk” feature for unwanted text messages.
linsomniac
Agreed. Gmail has a handy "block and report as spam", but if there's an "unsubscribe" link it will often ask if you are SURE you don't want to just unsubscribe.
A nice feature because I've seen all too many times over the decades people report spam on messages from lists I'm quite confident they signed up for.
venusenvy47
Gmail has at least two options to choose from: "Report as spam" and "Report as phishing". I sometimes can't decide which to use.
ndsipa_pomu
Phishing emails are pretending to be someone else (e.g. PayPal, DHL etc) to get you to put in your account details.
Molitor5901
If only "delete and report as spam" actually worked. For years I've gotten spam text messages and the report as spam doesn't seem to work. Maybe it's different with other carriers.
saintfire
> A good rule of thumb is knowing that no legitimate business will request your username and password after clicking their email’s unsubscription button.
Just FAANG and fintech. Pretty lousy rule of thumb.
athenot
I've seen legitimate businesses outside those areas use that as a dark pattern. Basically you go to unsubscribe from the mailing list and they throw another hurdle at you, hoping you'll give up.
w3ll_w3ll_w3ll
But this is against the "One click unsubscribe" policy that many mail providers have implemented, so they risk being labeled SPAM anyway.
snowwrestler
The one-click policy is actually about sending the list-unsubscribe header so the email client can render an opt-out button.
An unsubscribe link in the body of an email can have a confirm step.
In fact if you are serving a B2B audience it is essential that you do, since an increasing number of security services like Barracuda, Fortra, etc. auto-click every link in the email body to check for phishing. If you have one-click unsubscribe links in your email body, those people will be constantly unsubscribed without their knowledge.
RandomBacon
That's because anything other than "one click unsubscribe" violates the U.S. CAN-SPAM Act.
bapak
Mark as spam it is then.
When I see them spamming me from a dedicated email address I don't even click unsubscribe anymore.
CoastalCoder
I always assumed that the unsubscribe link in email/SMS spam was part of the scam.
I.e., they didn't know if the spam ever reached an actual inbox until you followed the unsubscribe link.
snowwrestler
This is less true than it used to be. Email inbox providers return a hard bounce if the email does not exist. Most load images by default, which returns a positive signal.
Same thing with SMS: if the number can’t receive SMS, the system returns an error.
If you’re not sure, using the client-provided unsubscribe link (usually up near the “from” address or subject line) is better than the one in the footer. Inbox providers like Gmail, Microsoft, Yahoo etc log these clicks and use them to adjust their filters.
hyperjeff
first thing i do on any email setup is turn off autoloading images to kill that positive signal. just doing this has cut down spam considerably.
grugagag
Yes. Once you hit unsubscribe you signal you care about that mailbox. At that point they start autosubscribing a lot of garbage to you.
williamdclt
FWIW I use unsubscribe all the time and it’s quite effective, I don’t get the sort of garbage you describe. The only unwanted emails I get are after signing up for a new service and they start sending me marketing emails (which I almost certainly didn’t consent to so I’d say that’s spam, but at least I know where it’s from and these are the ones I unsubscribe from)
Edit: maybe it’s just that gmail spam filters work well?
arp242
Using "unsubscribe" on real businesses is perfectly fine, even if they added you to their mailing list using some sort of dark pattern. It almost always works and rarely has negative effects.
Using it on "enlarge your penis now" type spam isn't, to say nothing of outright phishing of course.
bediger4000
The format of "unsubscribe" links has gotten more elaborate over the years. I used to write shell scripts using wget to unsubscribe vast numbers of randomly generated "email addresses". That's typically not reasonable to do these days because either the unsubscribe links are obviously broken or the format of the GET or POST is not clear.
BobaFloutist
> I used to write shell scripts using wget to unsubscribe vast numbers of randomly generated "email addresses".
...why?
hereme888
email aliases are the only real protection I've ever found. Fastmail offers almost unlimited aliases, and throwaway addresses. Others are starting to do it.
I doubt gmail will ever offer aliases or similar protections.
Disposal8433
It's sad because all the new "private emails" like Tuta only offer a very limited number of aliases. Legit throwaway addresses offer a good compromise between privacy and security.
> try to count how many times you clicked “Delete” on junk or unwanted inbox messages
I don't understand that sentence in the article though. I click on "report spam" every time because that's what it is, even if it's a legitimate business that I used in the past. They use dark patterns to make you subscribe, but it's not honest, therefore -> spam.
knorthfield
“Spam” as a neologism doesn’t have a widely agreed upon shared definition. The most apt would seem to be “email I don’t want”. But that’s not too helpful when third party gatekeepers are trying to mass assign status to an email. The same email could be unwanted by one person and very gratefully received by the next.
Rygian
My standard definition is "email from a sender not in my whitelist"
hiatus
Tuta lets you use a catchall. The alias limitation only applies if you want to send mail as the alias.
ryoshu
Gmail has aliases that have a + in them, e.g. foo@gmail.com -> foo+bar@gmail.com. I use them for subscriptions: foo+substack@gmail.com, etc.
Rygian
So if you provide address+suffix@gmail.com, the spammers know that address@gmail.com is a legit address.
danaris
Yes, but only if they're bothering to do that level of checking.
I would guess that that's pretty rare, as not many people know about this trick.
bitmasher9
This type of pattern is very easy to scrub if you had a list of email addresses.
I have anecdotal evidence inside my own inbox that this behavior is happening. You aren’t buying security from anything but the lazy and ignorant spammers.
AznHisoka
Agreed. This tactic is so overused that spammers have caught on for quite a while
ProllyInfamous
I don't use email anymore, but the last few years I did was only possible because I owned a domain name and had a catch-all set up.
You can then immediately isolate any bad actors, and don't have to rely upon a `+` sign (easily filtered) to "differentiate" email addresses. More-commonly-used logins can then be preliminarily filtered to separate internal email accounts (e.g. known-junk can be sent to rarely-accessed account; family contacts can be sent to notifications).
cobbzilla
I primarily use a @duck.com alias that forwards to my gmail account.
It's easy to generate random new @duck.com aliases for the primary.
I have a browser plugin (mobile and desktop) that recognizes email form fields and offers to generate a new random @duck.com alias for the field.
When an alias starts to receive spam, I disable it.
nahkoots
Can't you use youraddress.servicename@gmail.com? I thought gmail strips whatever comes after the dot. (I don't have a google account, so I could be wrong or maybe it was a different character, but I remember reading about it a couple times on here.)
eldridgea
I believe it strips everything after a "+" so you can use youraddress+servicename@gmail.com.
It ignores periods so you could also use your.address@gmail.com or y.ouraddress@gmail.com or whatever.
Some sites block plus addressing but that's what I use a lot of the time.
jussaying2
You're thinking of the + character. youremail+servicename@gmail.com will still be delivered to you.
Gmail ignores dot characters. y.o.u.r.e.m.a.i.l@gmail.com is equivalent to youremail@gmail.com
2bluesc
I think you mean
yourname+servicename@gmail.com
From my experience, many (bad) websites consider "+" an invalid character and prevent you from using the address in this form.
Smart spammers can just strip the service name since it works the same for all Gmail users.
Really need dedicated addresses like Fastmail's Masked Addresses.
edwardbernays
It's "+". The dot is, in fact, transparent.
GrooveSAN
After the +, not the dot
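To make the sub-thread above concrete, here is an added example (not from any commenter or provider) of the two conventions being discussed: a `+tag` after the local part and, for Gmail-style domains, dots that are ignored. `canonical` shows the address a mail system actually delivers to, which is why the tag offers no isolation once it is stripped; `route_by_tag` shows the mailbox-owner use the thread mentions, filing mail by the service the alias was given to and spotting which one leaked it. The `DOT_INSENSITIVE` set is an assumption limited to the Gmail domains the commenters name.

```python
"""Alias tags and canonical addresses for plus/dot conventions (illustrative)."""
from typing import Dict, Optional, Tuple

# Assumption: only these domains ignore dots in the local part.
# Plus-tags are treated as a subaddress everywhere.
DOT_INSENSITIVE = {"gmail.com", "googlemail.com"}


def split_alias(address: str) -> Tuple[str, Optional[str], str]:
    """Return (base local part, tag or None, domain), all lower-cased."""
    local, sep, domain = address.strip().lower().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    base, _, tag = local.partition("+")
    return base, (tag or None), domain


def canonical(address: str) -> str:
    """The mailbox the address really reaches: tag dropped, dots dropped
    only where the provider ignores them."""
    base, _tag, domain = split_alias(address)
    if domain in DOT_INSENSITIVE:
        base = base.replace(".", "")
    return f"{base}@{domain}"


def route_by_tag(address: str, folders: Dict[str, str], default: str = "INBOX") -> str:
    """Mailbox-side filter: file mail by the service the alias was handed to.
    A tag that shows up from an unexpected sender tells you who shared it."""
    _base, tag, _domain = split_alias(address)
    return folders.get(tag, default)


if __name__ == "__main__":
    for a in ("Y.o.u.r.Email+substack@gmail.com", "j.im+shop@example.com"):
        print(a, "->", canonical(a), "| tag:", split_alias(a)[1])
```

The two functions make the trade-off on the page explicit: the tag is excellent for sorting and for attributing a leak, and worthless as a separate identity, because `canonical` is a one-liner for anyone holding the list.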
rockbruno
You can have aliases on Gmail if you use Google Workspace (for custom domains), but there's a limit and no support for wildcards. Wish they had those, because then it's very easy to find out who sold your data
thom
Fastmail adds a header to every email with any sort of unsubscribe link. I send those to their own folder (except ones I add to contacts). My main inbox is basically 100% things I expect to see there at this point. I view the mailing list stuff less regularly and unsubscribe anything I don’t want there. If it keeps coming (or if the unsubscribe process requires more faff than doing it through my mail client) I delete it and mark as spam. In 30 years I don’t think I’ve ever felt more in control of my email.
Molitor5901
I've always felt this way, any indication that you are there and receiving the email is just a system somewhere along the line opting you into something else. My general rule for some time now is to report it as spam, and block the domain. Never respond, never acknowledge. Same with telephones, if I don't recognize the number I just don't answer.
jfengel
> DNSFilter estimates that 1 in every 644 email unsubscribe links is liable to send a user to possibly malicious sites. And while that might seem like a low percentage at first glance, try to count how many times you clicked “Delete” on junk or unwanted inbox messages in the last week alone.
Not many, these days. Google does a good job of separating out the actual spam. The vast majority doesn't even go to the spam folder; they just delete it. Dunno what criteria they use but I'd bet most of it is really really obviously bad.
I see some legal commercial email, and if I did in fact do some kind of business with them, I hit unsubscribe and they stop. No harm, no foul.
I see some legal commercial email in my spam folder. I never want it, but I unsubscribe, and again, no harm no foul. My spam folder is down to about one per day. (Plus untold thousands that I never see at all.)
It's surely not perfect and perhaps once or twice a year something genuinely dangerous gets into my inbox. Given the wild wild West that email was until recently I take that calmly. Email was rapidly approaching unusable a decade ago.
Groxx
Just another reason to report literally anything from a business that you don't desire as spam. Auto-checking that "send me spam emails" box should hurt their spam score enough to make them stop doing it.
b0a04gl
smtp has no unsubscribe primitive. it's not part of the protocol. every unsubscribe feature is layered on top by clients, usually based on list-unsubscribe headers or heuristics. that means spammers can inject fake ones that look legitimate. consistency in client behavior makes this worse. once the format is known, it's easy to spoof. clients auto-surface these links assuming good intent, but the underlying transport has no way to verify any of it
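Several comments above (snowwrestler on the `List-Unsubscribe` header versus footer links, thom on filtering by that header, and this one on clients surfacing whatever the header says) describe the same inbox-side situation. The added example below, written for this thread and not taken from any mail client or provider, parses a message's `List-Unsubscribe` (RFC 2369) and `List-Unsubscribe-Post` (RFC 8058 one-click) headers and reports whether the header target sits under the sender's domain and whether footer links point elsewhere. Both messages are constructed samples; the check does not verify DKIM, which a real client would also require before honouring one-click.

```python
"""Inbox-side triage of unsubscribe mechanisms in a raw message (illustrative)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample: header and footer both under the sender's domain, one-click present.
LEGIT = """From: Weekly Digest <digest@news.example.com>
To: jim@example.org
Subject: This week
List-Unsubscribe: <mailto:unsub@news.example.com?subject=unsubscribe>, <https://news.example.com/u/abc123>
List-Unsubscribe-Post: List-Unsubscribe=One-Click

Read the digest. To stop these mails: https://news.example.com/u/abc123
"""

# Constructed sample: header points at a third-party host, footer at yet another.
SUSPECT = """From: Prize Desk <prize@lottery.example.net>
To: jim@example.org
Subject: You won
List-Unsubscribe: <https://tracker.example-cdn.xyz/o?u=jim>

Unsubscribe here: https://login.example-bank.test/verify
"""


def _host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def _under(host: str, domain: str) -> bool:
    return bool(domain) and (host == domain or host.endswith("." + domain))


def classify_unsubscribe(raw: str) -> dict:
    """Summarise what the transport lets a client actually rely on."""
    msg = message_from_string(raw)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    targets = re.findall(r"<([^>]+)>", msg.get("List-Unsubscribe", ""))
    https = [t for t in targets if t.lower().startswith("https://")]
    mailto = [t for t in targets if t.lower().startswith("mailto:")]
    post = msg.get("List-Unsubscribe-Post", "").strip().lower()
    one_click = post == "list-unsubscribe=one-click" and bool(https)
    header_hosts = {_host(u) for u in https}
    header_aligned = bool(header_hosts) and all(_under(h, sender_domain) for h in header_hosts)
    body_hosts = {_host(u) for u in URL_RE.findall(msg.get_payload())}
    body_off_domain = sorted(h for h in body_hosts if not _under(h, sender_domain))
    if one_click and header_aligned:
        verdict = "use the mail client's unsubscribe control"
    elif mailto and not https:
        verdict = "mailto-only header: client unsubscribe is fine, footer link is not vouched for"
    else:
        verdict = "no trustworthy unsubscribe signal; report as spam rather than click"
    return {
        "sender_domain": sender_domain,
        "one_click": one_click,
        "header_aligned": header_aligned,
        "mailto_targets": mailto,
        "body_off_domain": body_off_domain,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("suspect", SUSPECT)):
        print(name, classify_unsubscribe(raw))
```

The one-click mechanism is a POST the client sends itself, which is also why the B2B concern raised earlier applies to footer links rather than to the header: link scanners that fetch URLs do not issue that POST.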
xnx
"!" key to report spam in GMail. Even faster than an unsubscribe link.
Chalbroth
I always consider the unsubscribe button to be a trap when it is not accessible through Tor.
boothby
My favorite is my alma mater, the University of Washington. They break their communications into categories, and opting out of everything opts out of each category at the backend. For years, I've opted out of "everything" every few months, because any time they add a category, they default me into it and I get an email.