Unsubscribe-email-risks

We all receive loads of unwanted email solicitations, warnings, and advertisements. The number can be overwhelming to the point of obnoxiousness. Some days it feels like an unending barrage of distracting deliveries that require a constant scrubbing of my inbox.

Beyond being frustrating, there are risks. In addition to the desired and legitimate uses of email, there are several shady and downright malicious uses. Email is a very popular method for unscrupulous marketers, cybercriminals, and online threats to conduct social engineering attacks. Spam, phishing, and fraud are common. Additionally, many attackers seeking to install malware will use email as a delivery channel. Electronic mail can be an invasive communication mechanism, so we must take care.

Unfortunately, like most people, I tend to make my own situation even worse. In my professional role, I devour a tremendous amount of industry data, news, and reports to keep my finger on the pulse of change for technology and security. This attention usually requires me to register or provide my email address before I get a “free” copy of some analysis I desire. I could just give a false email, but that would not be ethical in a business environment. It is a reasonable and expected trade that benefits both parties. I get the information I seek and some company gets a shot at trying to sell me something. Fair enough, so I suffer and give my real work email. In this tacit game, there is an escape clause. I can request to no longer be contacted with solicitations after the first email lands in my inbox. Sounds simple, but it is not always that easy.

The reality is I receive email from many more organizations than I register with. Which means someone is distributing my electronic address to many others. They in turn repeat and the tsunami surging into my inbox gains strength. I become a target of less-than-ethical marketers, cyberattackers, and a whole lot of mundane legitimate businesses just trying to reach new customers.

Some include an unsubscribe link at the bottom of the message. This link holds an appealing lure of curbing the flood of email destined for the trash folder. But be careful. Things are not always as they seem. While attempting to reduce the load in your inbox, you might actually increase the amount of spam you receive, and in the worst case you could be infecting your system with malware by clicking that link. Choose wisely!

Recommendations for unsubscribing from email

Rule #1: If it is a legitimate company, use the unsubscribe option. Make sure the link points to a domain associated with the purported sender. Legit companies or their marketing vendor proxy will usually honor the request.

Rule #2: If it is a shady company, do not unsubscribe, just delete. If your mail service supports it, set up a block or spam rule to automatically delete future messages from these organizations.

If the message is seriously malicious, the “unsubscribe” link may take you to a site configured to infect or compromise your system. This is just another way bad guys get people to click on embedded email links. Don’t fall for this ruse! It may result in a malware infection or system compromise.

If the message is semimalicious, like a spam monster that will send mail to any address it can find, then clicking the “unsubscribe” link tells them this is a valid email address and that someone is reading the mail. This knowledge is valuable for them; they will sell that email address as “validated” to others and use it for future campaigns. Result: more spam.

Rule #3: Some spam and solicitations don’t offer any unsubscribe option. Just delete. Probably not a company you want to patronize anyways.

If you are in a work environment, be sure to know and follow your corporate policies regarding undesired email. Many companies have security tools that can inspect, validate, or block bad messages. They may also have solutions that leverage employees reporting of bad email to better tune such protections. Open attachments only from trusted sources.

Just remember, if you are not sure the email is legit, do not open or click anything, and NEVER open any attachments, including PDFs, Office documents, HTML files, or any executables because they can be used by attackers to deliver Trojans to infect your system with malware, ransomware, or other remote manipulation tools. Cybercriminals often pose as real companies with real products. Make your email life easier by unsubscribing with care and forethought.

Rosenquist, Matthew. “Unsubscribing From Unwanted Email Carries Risks”, McAfee Labs April 2016