Ask HN: Is Gmail's unsubscribe feature safe?
7 points by usbsea 18 hours ago | 1 comments

Got a spam email today. It had an unsubscribe link pointing to a random Azure blob. I click "Mark as Spam" and it offers me to unsubscribe instead?

This was worrying as I thought ... well the unsubscribe is a dangerous link so how will it do it.

Turns out it uses a header like X-Unsubscribe-Web. I checked what that was set to, and in this spam it was a well-known online newspaper plus a bogus query string. So they probably put a plausible link (i.e. not a black list) to fool Google.

But in general X-Unsubscribe-Web could be set to something malicious, right?

And why is Google even discouraging me from reporting spam (or in this case... phishing)?

Edit: I see there is now a report Phishing and that button treats me like an adult :-)
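
A defender-side check for the mismatch described in the post above, as an added example that is not part of the original thread: it parses a message's unsubscribe headers and flags targets that are not HTTPS or mailto, or that sit on a different domain from the From address. The sample message, its domains and the last-two-labels domain comparison are constructed assumptions; List-Unsubscribe is the standard header (RFC 2369) and X-Unsubscribe-Web is the name given in the post.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# X-Unsubscribe-Web is the header named in the post; List-Unsubscribe is RFC 2369.
UNSUB_HEADERS = ("List-Unsubscribe", "X-Unsubscribe-Web")

def base_domain(host):
    # Assumption: naive last-two-labels comparison. Domains such as
    # example.co.uk need a public suffix list instead.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def unsubscribe_targets(msg):
    """Return (header, uri) pairs found in the unsubscribe headers."""
    found = []
    for name in UNSUB_HEADERS:
        for value in msg.get_all(name, []):
            # List-Unsubscribe wraps each URI in <...>; accept a bare URI too.
            uris = re.findall(r"<([^>]+)>", value) or [value.strip()]
            found.extend((name, u.strip()) for u in uris)
    return found

def audit(raw):
    """Return (header, uri, issues) for every suspicious unsubscribe target."""
    msg = message_from_string(raw)
    sender = base_domain(parseaddr(msg.get("From", ""))[1].rpartition("@")[2])
    findings = []
    for header, uri in unsubscribe_targets(msg):
        parts = urlsplit(uri)
        if parts.scheme == "mailto":
            host = parts.path.rpartition("@")[2]
        else:
            host = parts.hostname or ""
        issues = []
        if parts.scheme not in ("https", "mailto"):
            issues.append("not-https-or-mailto")
        if base_domain(host) != sender:
            issues.append("domain-mismatch")
        if issues:
            findings.append((header, uri, issues))
    return findings

# Constructed sample: bulk sender whose unsubscribe links point at an unrelated site.
SAMPLE = ('From: "Deals" <promo@mailer-bulk.example>\n'
          "Subject: Last chance\n"
          "X-Unsubscribe-Web: http://news.wellknown-paper.example/?id=8f3a\n"
          "List-Unsubscribe: <mailto:leave@mailer-bulk.example>, "
          "<https://news.wellknown-paper.example/u?x=1>\n\nbody\n")

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A domain mismatch alone is not proof of abuse, since legitimate senders often unsubscribe through a third-party mailing service; treat it as one signal alongside SPF/DKIM/DMARC results.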

malfist 16 hours ago

There used to be a button "report spam and unsubscribe" but it's gone now. Can only do one of those.

It's like Google is taking the position that if they respect opt outs, they're not spam, but that is absolutely not true. Especially if I didn't sign up.