What I am writing about is theoretical only – it would be illegal in the UK (computer misuse act 1990) and probably illegal in most countries.
I have tested this by simulating unsubscribes to my own newsletters, or accounts with newsletters I have signed up to.
It transpires that it is possible to launch an attack against many newsletter mailing lists to force unsubscribes without the permission of the readers.
Apart from sheer malice, there is potential for companies who play “dirty tricks” to use this exploit to attack their competitors mailing lists.
If you run a mailing list, and your competitor also ran one, ensuring that your readers only get your mailing list in future would increase your click rate and sales conversions directly, while also reducing the same at your competitor.
Methodology:
It is surprisingly easy as it happens.
Many (not all) mailing lists have a simple unsubscribe link in their mailing lists, usually in the form of…
http://www.domain.com/mailing/unsub.php?email=myname@mydomain.com
By firing off requests to that url with random email addresses, you can simulate unsubscribe requests.
Mouse over the unsubscribe links on your newsletters and see how the sender processes their requests.
Some mailing lists will take you to a page which expects you to click a link to confirm the unsubscribe, but any half decent programmer can simulate that as well.
Usage:
There seems to be two ways this exploit could be used.
a) A random attack against a mailserver – by firing off hundreds of thousands of random requests, you can get a small positive hit and slowly over time shrink an email database at a victim company. If done slowly enough, it may not even show up as an attack, just a slight rise in the unsubscribe rate.
b) A direct attack on a competitor – by firing off your own mailing list at a competitors mailing list, you ensure that your customers no longer receive messages from your competitor, improving your sales and reducing theirs.
Solution:
There are at least two solutions to this to protect your mailing list from attacks.
The best one (in my opinion) is to encode the unsubscribe url in the mailing lists with some form of hash code which has to be looked up at the server end to reverse the email address. Any attacker would have to understand exactly how the hash works to be able to simulate remote unsubscribes.
The other (used by my mailing list at the moment) is to send an email requesting that the user confirms their unsubcribe. I don’t actually like that as it is not a clean customer experience – but my mailing list software vendor told me they will consider the hash method for a future software release.
This is an example of a good unsubscribe link (I changed the variables, so it wont actually work).
http://www.feedburner.com/zb/t/emailunsub?idi=5465410%26key=A4DVemuvo6Pqfgdhco%252Bdgfh253D%253D
This is an example of a vulnerable link (the email address is bolded).
http://ui.constantcontact.com/d.jsp?p=un%26m=1015166%26ea=my.name%2540mydomain.com%26se=52555%26t=1101546542531%3C=en%26reason=F
There is a further “black hole” which I can’t really see a solution to:
Some mailing lists also allow you to reply to the sender with a key word in the subject line to unsubscribe. This would also be very easy to simulate by sending out emails which appear to come from the addresses you want to force an unsubcribe.
I expect to see an increase in the use of the email based unsubscribe as Hotmail is started to support it by removing the “this is spam” and replacing it with an “unsubscribe” button on their webmail pages where the email headers include an email address based unsubscribe function.
Alas, there seems to be no secure method of protecting against email based attacks, so we may have to simply disable that functionality. Maybe adding a variable to the email address which has to match with a database lookup would work – not sure frankly.
I would recomend that any person managing a mailing list checks how their unsubscribes are managed, and check for possible vulnerabilities.
