Unsubscribe Considered Harmful?

Author
Peter Welcher
Architect, Operations Technical Advisor

I recently spent some time researching a moderately sophisticated phishing attempt initiated via physical mail. Heads up (short version of the gotcha): bad people creating a number (30?) of online articles can make a shallow Google search seem to validate a bogus phone number for a bank or credit card company. This comes complete with a clone/copy of the site’s home page, possibly with some real links. The point is to get you to log in and capture your credentials.

Between that and company security training (“spot the phish”), my overall level of suspicion (paranoia?) has continued to go up.

Lately, I seem to be getting increasingly many emails about services (help you hire, provide staffing, provide security services, provide you with cabling or whatever, random vendor of something I very much have no interest in).

WFH and/or COVID seems to have shifted sales to email spam, even more than the Internet already had done. Also, it is probably much cheaper than physical mail, cold calls, etc.

But I’ve now become quite hesitant to click on UNSUBSCRIBE links.

How are they really any different than QR codes (of Super Bowl notoriety)? Yes, if not on a phone, you can fairly easily see what the actual URL is. But if it is some company you’ve never heard of, does that really tell you much? You (I) just want the spam email to stop!

The same applies to text message spam – but checking out an included link on your phone?? Forward via email and check the URL on a PC or Mac.

Yes, there are software tools to expand compact (bitly-style) links, filter out malware links, etc. But they can’t possibly be 100% reliable. So, what do you do?

The one safe alternative that comes to mind is to add an email filter to drop each such source email address (or the associated domain) directly into the trash. But that can take time, depending on your email reader and/or the email server. Blocking a sender in Gmail is pretty quick, but is it overly specific?

Am I missing something here? Or overly paranoid?

How long before we see mildly technical blogs or sales articles with malicious links? One saving grace there is that creating a credible-looking bogus article might take greater skill than the “bad guys” have. Although plagiarizing from a legit source …

Luckily, I don’t think things have gotten that bad yet. But could they?

Conclusion

Has a good portion of the utility of URLs eroded, given trust challenges?
