What I am writing about is theoretical only - it would be illegal in the UK (computer misuse act 1990) and probably illegal in most countries.

I have tested this by simulating unsubscribes to my own newsletters, or accounts with newsletters I have signed up to.

It transpires that it is possible to launch an attack against many newsletter mailing lists to force unsubscribes without the permission of the readers.

Apart from sheer malice, there is potential for companies who play “dirty tricks” to use this exploit to attack their competitors mailing lists.

If you run a mailing list, and your competitor also ran one, ensuring that your readers only get your mailing list in future would increase your click rate and sales conversions directly, while also reducing the same at your competitor.

Methodology:

It is surprisingly easy as it happens.

Many (not all) mailing lists have a simple unsubscribe link in their mailing lists, usually in the form of…

http://www.domain.com/mailing/unsub.php?email=myname@mydomain.com

By firing off requests to that url with random email addresses, you can simulate unsubscribe requests.

Mouse over the unsubscribe links on your newsletters and see how the sender processes their requests.

Some mailing lists will take you to a page which expects you to click a link to confirm the unsubscribe, but any half decent programmer can simulate that as well.

Usage:

There seems to be two ways this exploit could be used.

a) A random attack against a mailserver - by firing off hundreds of thousands of random requests, you can get a small positive hit and slowly over time shrink an email database at a victim company. If done slowly enough, it may not even show up as an attack, just a slight rise in the unsubscribe rate.

b) A direct attack on a competitor - by firing off your own mailing list at a competitors mailing list, you ensure that your customers no longer receive messages from your competitor, improving your sales and reducing theirs.

Solution:

There are at least two solutions to this to protect your mailing list from attacks.

The best one (in my opinion) is to encode the unsubscribe url in the mailing lists with some form of hash code which has to be looked up at the server end to reverse the email address. Any attacker would have to understand exactly how the hash works to be able to simulate remote unsubscribes.

The other (used by my mailing list at the moment) is to send an email requesting that the user confirms their unsubcribe. I don’t actually like that as it is not a clean customer experience - but my mailing list software vendor told me they will consider the hash method for a future software release.

This is an example of a good unsubscribe link (I changed the variables, so it wont actually work).

http://www.feedburner.com/zb/t/emailunsub?idi=5465410%26key=A4DVemuvo6Pqfgdhco%252Bdgfh253D%253D

This is an example of a vulnerable link (the email address is bolded).
http://ui.constantcontact.com/d.jsp?p=un%26m=1015166%26ea=my.name%2540mydomain.com%26se=52555%26t=1101546542531%3C=en%26reason=F

There is a further “black hole” which I can’t really see a solution to:

Some mailing lists also allow you to reply to the sender with a key word in the subject line to unsubscribe. This would also be very easy to simulate by sending out emails which appear to come from the addresses you want to force an unsubcribe.

I expect to see an increase in the use of the email based unsubscribe as Hotmail is started to support it by removing the “this is spam” and replacing it with an “unsubscribe” button on their webmail pages where the email headers include an email address based unsubscribe function.

Alas, there seems to be no secure method of protecting against email based attacks, so we may have to simply disable that functionality. Maybe adding a variable to the email address which has to match with a database lookup would work - not sure frankly.

---

I would recomend that any person managing a mailing list checks how their unsubscribes are managed, and check for possible vulnerabilities.
Ian

Logging into my AdSense platform to check yesterdays revenues, and this is what it showed me for this morning.

Wow - an eCPM of $800

Naturally, it will correct itself over the day to the more usual $6 eCPM average, alas - but it would be lovely to maintain that eCPM for the whole day. I could retire

It looks like the Goodmail accreditation system is coming to the UK next year.

Goodmail charges senders a fee for each email, in return for bypassing spam filters and enabling images in the emails.

Precision Marketing Magazine

It was actually bloody annoying earlier this year when they offered a free trial of their service, and it wasn’t until you got about page 4 of the application form that they told you the service was only available to companies based in the USA or Canada.

Anyhow, rant over - the net result is supposed to be better click-thrus and more trust from people who receive emails that have been passed by Goodmail.

The side effect of more cash for Goodmail clients is obviously, ignored
However - dropping the cynism for a moment - there are quite a few reports which do suggest that Goodmail certified emails are getting higher clickrates from recipients, so the service may be cost effective for email senders.

A quick scan of my database suggests that I send about 10,000 emails a month to Goodmail clients, and that would cost me around £20 a month. I may give it a try when it launches to see if the click-thru rate rises by enough to cover my costs.

Regardless, the £20 is a negligable sum to spend if it ensures my brand logos etc are always loaded in the emails and are not discarded by image blocking, so the branding boost is worth it on its own.

One to keep an eye out for.

It looks like someone is playing with the pipes again, and much oddness is happening over at Google News.

My website is reguarly listed there, so reguarly indeed that I often do the following search to check which of my stories they have picked up:

Ian’s Google News websearch

Normally, that would list all my recent news articles as found by Google, along with any other news sites linking to me in the past day.

This is what roughly what I would normally expect to see:

Suddenly, it has changed - and the listing is minisule - although my site is still being spidered and appears in content based searches.

During yesterday, I did a load of screengrabs:

How the search appeared in the moring (about 5 hours after uploading a dozen news articles)

Then - weirder, a few hours later (note how the times the articles were found changes)

A bit concerned, I do a text specific search for a news article I have uploaded, and it does indeed appear:

Hmm, I log into Google Webmaster and check there for my site - and even weirder, they claim to have no news articles at all for the past week - despite what the above article specific search found.

A few hours later yet - and suddenly I am seeing what I would normally expect to see.

This morning (Friday 15th Dec) - it is back to what I noticed yesterday, listing only a few articles, even though searches which include the text I uploaded this morning do return some results.

This could be just Google tinkering, or my site is suffering some penalty of sorts (although traffic is not significantly down - yet).

I am currently banging my head against a blog which is ripping off my content, and Google do apply a “duplicate content” penalty to websites when they see identical content on two different urls. I hope I haven’t been hit by that penalty, pending lawyers doing nasty things to that scum blogger.

This could be a difficult one to test, but it would be interesting to know the answer to.

Lots of publications etc. link to my various websites, and in Google - if you type in the site name, then my site appears at the top.

So far - as expected.

However, what about when someone cites a website brandname, but does not then link to the website.

This actually happens quite a bit in news publications, where the author is (understandably) not that familiar with links and SEO.

For example - the following sentence contains one of my website names, but did not actually contain a hyperlink to my site.

Vodacom is now targeting opportunities in Algeria, Ghana, Nigeria and Angola, according to a report from Cellular News.

I would presume that the search engines will create some sort of association between the words in the sentence and the website name - which in this case happens to also be two “normal” words.

It’s whether the website itself also benefits at all - either directly by the presumption of a weblink where none exists, or by thematic assocations so that the terms “cellular news” becomes associated with the network operator, “vodacom” and then hence, searches for “vodacom” and where www.cellular-news.com has relevent content - then gets a better search results placement

Not really sure how to test for that - without some serious site building. I guess it is the sort of question that only those inside the search engines would be able to answer.

The fact that my website name is hypenated is a problem as citations without the brandname are often written as two words, Cellular News which is not instantly recognisable as a unique brandname by the search engines.

Unfortunatly, a cybersquatter is sitting on the non-hypenated version of my domain name and wont reply to advances to buy it. I hope they don’t renew when it expires in 2008, and I will finally get my hands on it - then can encourage citations using the single phrase, CellularNews which is more likely to gain from any brand associations that the search engines may be able to detect.