Unsubscribing from unsolicited email senders

Just checking can Fastmail natively SMTP reject spam at server level? Surely that approach makes more sense than it getting delivered then filtered into a ‘spam’ folder?

My understanding is that some known spam senders/connections get rejected at the server level. Additionally, Fastmail lets you customize spam score handling – you can set one threshold for “if it exceeds X, move it to the spam folder” and a second threshold for “if it exceeds Y, permanently delete it”.

My understanding from an earlier investigation is that emails considered obviously spam are rejected at the server level, although I do not know the criteria. Mail that reaches the mail server goes through spam filtering, which at Fastmail is based on a numerical score based on spamminess score, which users can adjust to their preferences by changing the maximum score acceptable. Inevitably this isn’t perfect, and new scams may slip through for a while after they come out. (I am still seeing a few spams that falsely claim you bought something at Amazon, Best Buy, or elsewhere and telling you to call a phone number to correct any mistakes. The trap is having to call the scammer’s phone number.) False positives are more positive; mostly they are legitimate mailers whose marketing departments send out too many promotions.

Yes, and sometimes that’s bad. Hover.com, which handles my email, routinely rejects 2FA emails from a range of places (the airline Southwest particularly for some reason). There’s no notification of this and no way to override it, so it often takes a long time to log in to some web sites. I’ve started using gmail for 2FA stuff and if it wasn’t such a pain I’d switch away from Hover.

There may be others, but one criterion is whether the mail came through a relay node listed on one of the big lists (Spamcop, e.g.). Every now and then my hosting provider’s relay of choice would have one of its nodes on a list. The only way I’d find out is when I’d ask one of my friends “did you get my email?” and they’d say “what email?”. I finally found a solution: use another relay whose sole business is reliable email delivery. I chose smtp2go. It has been extremely reliable, and they have a free tier for <1K emails per month. (No affiliation, just a happy user.)

2 Likes

I have the same issue and I will never again donate to a political request by email. The few candidates I actually want to support get checks from me. To cut down on the stress of dealing with multiple emails from the same person, I have started using all accounts, sorting by sender and doing blocks of deleting, usually twice a day. I may wake up with 150-200, but midday another 100 or so show up, and I’m retired! It doesn’t stop them, but I can sort out the junk in much less time.

2 Likes

I use the Gmail web interface for all my email; I don’t use an application.

Sometimes Gmail inserts its own unsubscribe link in the header, separate from the one in the email itself. Here’s an example:




Does anyone know if clicking/tapping on Gmail’s unsubscribe link does anything different from the email’s unsubscribe link?

When I right-click on the link and copy it, this is what it looks like:

https://mail.google.com/mail/u/0/#:~:text=community@intuit.com%3E-,Unsubscribe

I presume that this link was generated from these email headers:

List-Unsubscribe: https://ttlc.intuit.com/community/unsubscribe/emailCampaigns?token=theMotherOfAllStrings
List-Unsubscribe-Post: List-Unsubscribe=One-Click


More to the point, my question is:

If I use Gmail’s unsubscribe link, is the unsubscribe process anonymized in some way? Or, does unsubscribing with the Google link also confirm my “existence”?

Thank you.

1 Like

I don’t think it can anonymize you since to unsubscribe you have to provide the email address you “signed up” with.

Dave

2 Likes

Yes. The List-Unsubscribe header is an old standard allowing mailing lists to include instructions for how to unsubscribe. It traditionally would contain mailto: URLs, describing an e-mail message requesting unsubscription.

The List-Unsubscribe-Post header is newer (RFC 8058), part of a one-click mechanism. When used, the List-Unsubscribe header will describe an HTTPS URL for unsubscription.

When you click the unsubscribe link, GMail will do what these headers indicate. It will either tell your browser to visit the HTTPS URL (and, GMail prepends its own tracking URL) or it will send an e-mail.

Here are the relevant IETF standards documents:

GMail is going to do nothing beyond what’s in these headers. If you trust the mailing list, you can trust that link. If you don’t, then you shouldn’t.

2 Likes
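As an added example (not part of the original posts and not Gmail's code), this Python example parses the two headers discussed above and returns the request an RFC 8058 one-click unsubscribe produces, including the sender-chosen token that travels with it. The sample message, its addresses and placeholder token, and the function name `unsubscribe_plan` are constructed for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit, parse_qs

# Constructed sample message: same header names as quoted in the thread, with the
# angle brackets RFC 2369 requires around each URI and a placeholder token.
SAMPLE = (
    "From: Community <community@example.com>\n"
    "To: reader@example.net\n"
    "Subject: Weekly digest\n"
    "List-Unsubscribe: <mailto:unsub@example.com?subject=unsubscribe>,\n"
    " <https://lists.example.com/unsubscribe?token=PLACEHOLDER-TOKEN>\n"
    "List-Unsubscribe-Post: List-Unsubscribe=One-Click\n"
    "\n"
    "Body\n"
)

def unsubscribe_plan(raw):
    """Describe what a mail client's unsubscribe button would do (hypothetical helper)."""
    msg = message_from_string(raw)
    header = msg.get("List-Unsubscribe", "")
    # RFC 2369: comma-separated URIs, each enclosed in angle brackets.
    uris = [u.strip() for u in re.findall(r"<([^<>]*)>", header)]
    https = [u for u in uris if urlsplit(u).scheme == "https"]
    mailto = [u for u in uris if urlsplit(u).scheme == "mailto"]
    post = (msg.get("List-Unsubscribe-Post") or "").strip()
    # One-click applies only when the Post header is present AND an HTTPS URI exists.
    one_click = post.lower() == "list-unsubscribe=one-click" and bool(https)
    plan = {"one_click": one_click, "mailto": mailto,
            "request": None, "identifiers": {}}
    if one_click:
        # RFC 8058: POST this exact form body to the HTTPS URI, with no cookies
        # or other context information attached.
        plan["request"] = {
            "method": "POST",
            "url": https[0],
            "headers": {"Content-Type": "application/x-www-form-urlencoded"},
            "body": "List-Unsubscribe=One-Click",
        }
        # Query parameters are chosen by the sender and normally identify the
        # recipient, so the request itself tells the sender who unsubscribed.
        query = urlsplit(https[0]).query
        plan["identifiers"] = {k: v[0] for k, v in parse_qs(query).items()}
    return plan
```

RFC 8058 also requires a valid DKIM signature covering both headers before a client acts on them; that check is outside this example.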

Thank you.

It never occurred to me that these headers would be defined in an RFC. 🤦🏻‍♂️

In general, header lines that don’t begin with “X-” are defined by an RFC. There are some exceptions, but most servers follow the rules and use the “X-” prefix for anything not defined by a standards document.

I think worries that Unsubscribe links are used to determine whether an email address is active are based on folklore and are overblown. If a spammer wants to determine if your address is live, they’ll use a tracking pixel that loads when you open the message.

It’s not inconceivable that a phishing attack would use an Unsubscribe link as a way of tricking you into revealing login credentials, but that’s a different issue. NEVER provide a password for a login via a clicked link.

I use Unsubscribe all the time, and I’ve never seen any indication that doing so affects my spam volume (which is exceedingly high).

5 Likes

The new Extra app offers to unsubscribe you in bulk, clearing a lot in one go. It comes with a set of options, emails you never read, occasionally read, hardly ever etc. Again only for Gmail.

That’s a good reminder, and a rule that even reputable sites (especially financial institutions) encourage me to violate.

On the other hand, credentials for sites where I have credentials (especially financial institutions) are almost certainly stored in a password manager, which presumably is checking the authenticity of the URL. Would you consider a password provided by a password manager to be different?

Yes, that’s absolutely correct—a password manager will not auto-fill on a site whose URL does not match what’s stored.

It’s a tension because everyone (us included!) wants to make the process easier, which is why links get sent in email. But it’s so easy to spoof email now that phishing attacks take advantage of that fact. Password managers do make a big difference.

1 Like

I made the mistake of donating to a political candidate and I’ve been getting an average of 300 emails a day, as they share your address with candidates all over the country. I tried using the unsubscribe button, but they just changed to a new from account. I finally started going thru all my deleted emails about once a week, selected all and moved them to Junk. That has helped reduce the volume.

Whenever I get something I don’t want, I have been hitting the unsubscribe button. It does seem to keep the volume down.

I’ve been with Earthlink since the mid ‘90s, when they were one of the few ISPs who welcomed Mac users. Once I went to their broadband service, I got a bunch of email accounts as part of the deal. When they parted ways with Time Warner Cable/Spectrum, I was able to subscribe to just the email service. It allows me to block a lot of spammers, either broadly or by address. I have blocked a bunch of country domains from which I will never receive legit messages, as well as specific offenders. Unfortunately, far too many spammers use gmail accounts, and I can’t block gmail without blocking legitimate messages.

With our non-profit rescue group, I have to get into the accounts daily to get rid of and block phishing and spamming crap, like the almost daily messages from “support” about our “Cloud Storage” being full, or messages claiming to be from “cPanel” or our domain registrar (never our actual registrar), plus a positive avalanche of amazing “health” news from “CNN” or Bill Gates, or sleazes trying to sell us Google reviews or email lists or virtual assistants or a new website. Quite a few appear to be from spoofed addresses, and I’m not good enough at deciphering headers to get at what needs to be added to the blocked list. Some of it is too obvious to fool anyone, but I can’t assume that every volunteer who accesses the main accounts has the expertise to identify the less obvious ones. It’s really tiresome.

If they come from legitimate mailing lists, then yes, that is exactly what you should do.

But if they come from scammers, they will ignore any such requests and may use your response as proof that a human being is reading that mailbox, which could result in an increase in spam.

3 Likes

I know that’s the theory. That has not been my experience in practice.