Hey developers, stop forcing me to login to unsubscribe
453 points by andrewhillman on Nov 9, 2013 | 133 comments
Dear Sender:

There's nothing more annoying than clicking that 'unsubscribe' link at the bottom of your email only to be asked to login first. I know it sucks when people opt-out of your transactional emails, but deal with it and let people unsubscribe with one click. If you do this you may even get some valuable feedback.

If your transactional email provider doesn't have a single-click unsubscribe option, find another service. I recommend every developer test out what a recipient sees.

Sincerely,

Users of the Internet




Edit: I missed the transactional part here. Transactional emails are excluded from CAN-SPAM. There's a test to figure out which is which: http://www.the-dma.org/press/PrimaryPurposeFactSheet.pdf

It's shitty UX regardless of whether it's a violation of law, IMO.

Original: It's a violation of CAN-SPAM law to put unsubscribe behind a login process. Asking for a password violates the requirement that no additional PII except for the email be required to process the opt-out.

From the FTC:

Honor opt-out requests promptly. Any opt-out mechanism you offer must be able to process opt-out requests for at least 30 days after you send your message. You must honor a recipient’s opt-out request within 10 business days. You can’t charge a fee, require the recipient to give you any personally identifying information beyond an email address, or make the recipient take any step other than sending a reply email or visiting a single page on an Internet website as a condition for honoring an opt-out request.

http://www.business.ftc.gov/documents/bus61-can-spam-act-com...


What I don't understand is that many big companies have been forcing you to login to unsubscribe for years, without penalty. Ex: American Airlines. Also FBO.GOV forces you to login, which is mildly amusing because it's the government itself.


Fox News and related entities are serious transgressors here. I've clicked unsubscribe links only to be taken to signup pages full of ads, which had nothing to do with the mailing list.


Can't you sue then in the small claims court for that?


If I can, then a class action could probably be substantiated. They deserve it - this mailing list shenanigan was among the most egregious I've ever seen.


Welcome to unenforced law.


I know this is true for mass marketing emails, but is it the same for transactional emails also?


Transactional emails are generally exempt.

Explained at http://business.ftc.gov/documents/bus61-can-spam-act-complia... and excerpt below:

A. What matters is the “primary purpose” of the message. To determine the primary purpose, remember that an email can contain three different types of information:

1. Commercial content – which advertises or promotes a commercial product or service, including content on a website operated for a commercial purpose;

2. Transactional or relationship content – which facilitates an already agreed-upon transaction or updates a customer about an ongoing transaction; and

3. Other content – which is neither commercial nor transactional or relationship.

If the message contains only commercial content, its primary purpose is commercial and it must comply with the requirements of CAN-SPAM. If it contains only transactional or relationship content, its primary purpose is transactional or relationship. In that case, it may not contain false or misleading routing information, but is otherwise exempt from most provisions of the CAN-SPAM Act.


You're right—read the thread too fast. What's more interesting to me, is how many of these so called "transactional" emails actually pass the test?

More on that here: http://www.the-dma.org/press/PrimaryPurposeFactSheet.pdf


I read the thread too fast. Transactional emails are excluded under CAN-SPAM. But there are many times that "transactional emails" going out contain marketing/commercial content. There's a test for those emails to see if they pass: http://www.the-dma.org/press/PrimaryPurposeFactSheet.pdf

Many "transactional" emails probably fail the above test. It's shitty UX to make you login to opt-out, even if it's not against the law.


> I know this is true for mass marketing emails, but is it the same for transactional emails also?

That depends -- have you ever signed up with the sender? If so, you are asking to be spammed. When a company requires a signup, they are breaking the law, therefore you must not sign up. By signing up, you make the spam legitimate.

If they send you an unsolicited e-mail, they are criminals. If they require a signup to opt out, they are criminals. But if you sign up, they aren't. That's why they want you to sign up.


That law is plainly unconstitutional. Besides which, anyone who trusts the privacy or authenticity of email is a fucking retard.


What constitutional right is being violated here?


No right is being violated. It is a breach of duty: "Congress shall make no law ... abridging the freedom of speech, or of the press".

Even ignoring the first amendment, there is no enabling clause that grants the general power to regulate communication.


Are you saying that the CAN-SPAM act is abridging someone's freedom of speech? Whose?

You may have the right to speak but you don't have a right to force the populace to listen.

Communication is two way, spam is one-way.


The person sending the spam.

You have the right to expose people to communications with no Congressional control whatever. Congress shall make no law. You may shout on a street corner, you may set up a PA system until your neighbors are driven to madness, you may place pornography on a billboard, etc. Congress can do nothing to stop it.


>"You may shout on a street corner, you may set up a PA system until your neighbors are driven to madness, you may place pornography on a billboard, etc. Congress can do nothing to stop it." //

Are you trolling? You consider the constitutional right to free speech to encompass things like setting up a PA in public that is so loud it physically harms people?

It's not a right to amplified speech, nor "free shouting".


Your freedom of speech does not entitle you to free usage of any privately owned electronic communications system. Your freedom of speech protects the content of your message, but does not guarantee you free postage.


Stop with the analogies. We are talking about elements of law, not elements of what-ought-to-be that might be studied by analogy. Congress is without power to regulate communication, end of dispute. Congress cannot stop spammers any more than they can stop me from casting messages into bricks and mailing them to someone who is paying a package forwarding service.


There is no abridgment of the freedom of speech, or the press.

Freedom of speech does NOT involve the freedom to send individually addressed messages to anyone. There is no freedom to spam.


Regulating commercial speech is constitutional under the Commerce Clause.

CAN-SPAM doesn't apply to political or non-profit organizations.


Within its scope, the first amendment completely overrides the commerce clause. There is not the tiniest exception—that is the point of amending.


What speech or press is being abridged?


Companies like LinkedIn are training users (at least me) to report as spam instead of unsubscribing because it's an exercise in futility to try to opt-out of their spam.


I've been doing this for years and don't feel the least bit bad about it, and I think everyone should adopt this practice.

If marking as spam or unsubscribing are approximately equal effort, I will unsubscribe; if unsubscribing is even slightly more difficult than marking as spam, I mark as spam with no regrets. Even if you don't force me to login but make me do some monkey trick like type "CANCEL" into a box => spam! One click is the only acceptable method, and don't hide the link in a bunch of small print legalese, because I'm not going to expend much effort looking for it while the nice, inviting "Mark as Spam" button is just sitting there waiting for me to click it.


It's not because you have no regrets that it's ethical. Even if it's a company like LinkedIn that makes it hard to unsubscribe, your input pollutes the anti-spamming algorithms with semi-legit emails. There are clearly millions of people who are fine with getting LinkedIn messages, and you're just being an ass, like putting your half-eaten burger into the recycling bin because the garbage bin was further out. Someone on the other side of your transaction is going to be tasked with taking your now-rotten burger outside of the recycling.


That is a problem for the anti-spam algorithms that need to figure out who will consider what to be spam.

Spam is in the eye of the recipient. If you send me marketing emails that I do not want, it is spam. Even if someone else would want it.

If people didn't mark stuff as spam, then there would be absolutely no reason for marketing people not to send spam to everyone. Even if only one person in 10,000 wants to read it, why not? But the option of marking stuff as spam is a way of making my attention as not free for you.


Seems to me that it's helping the anti-spam algorithms by marking spam as spam


The data helps solve the challenge. But the real challenge for the anti-spam algorithms is that what is considered spam is recipient-dependent.


The nice thing about Bayesian algorithms is that they are probabilistic. If only a couple people flag as spam, it will have little effect on everyone's filtering algorithms. If, on the other hand, enough people have trouble unsubscribing to make this a serious "problem" then the email is arguably spam.


You should generally do Report Spam, at least I do that. If the email was sent from something you didn't actually subscribe to, hitting unsubscribe tells the spammer that the email id is in fact genuine, which will ultimately get you more spam.


Got any recent evidence for this? Because I'm not sure if this is actually still the case.

I don't have the link anymore because this was already a couple of years ago, but someone put this ages-old advice to the test. Clicking the "unsubscribe" link on all spam delivered to an old spam-infested email address, he found that it reduced the amount of spam received to that address by a significant amount.


That's why senders should use the List-Unsubscribe header. GMail will prompt you to unsubscribe rather than blindly classify the message as SPAM.

http://www.list-unsubscribe.com

https://support.google.com/mail/answer/81126?hl=en


Also Amazon. There are certain emails for certain account types (eg Student Prime, Affiliates) they do not let you opt out of, period. The only way to stop the email is to close your account. Gmail has done a great job of filtering them as spam though and letting non-spam (eg order confirmation) through.


For me it's 1 warning that future spam will result in a domain block.

Then the domain block goes into place. /dev/null, auto-trash, or whatever the local filter rules support.


Why not just write an email filter to send all emails from them to the trash?


Alternatively, email filter to forward said mail to their CEO. This was my last resort for: from:(@ashampoo.com), as I got tired of sending my 10th unsubscribe request to their technical staff, support, unsubscribing from their "official unsubscribe website", and marking every mail from them as spam.


As someone that works in email disseminations for large public companies across the globe, it's a really bad idea to not have one click unsubscribes, due to the weight large email services give to the act of a user marking an email as spam.

It's a crappy process to deal with, and can affect you for a critical day or two. An example being that one of our clients collected email in a greasy way, and increased their email blasts from 25,000 to 75,000.

I'm sure they wanted to reach more people, but yahoo and a few others marked ALL of the messages as spam due to massive increase in volume from this client.

Advice: Do things in a non greasy way, and while you may grow slower because of it, your users, and their email providers, will like you more for it.


http://xkcd.com/1279/

This happens to me about twice a year (not a firstname.lastname, but a commonword.commonword. It's like a stupidity-driven dictionary attack). The worst companies I've had to deal with:

Steam - took me multiple emails over the course of weeks, and they actually made me send them screenshots to prove the account was mine. I only went to this much trouble because I have a legit Steam account. Especially funny since I casually told them that I was a hair trigger away from just resetting the idiot's password and hijacking his account.

AT&T - Flat-out refused to unsub me from someone else's phone bills. After several calls to AT&T I finally gave up and called the customer. An AT&T rep actually had the balls to tell me that making me do this was for the customer's protection.


I get these as well, roughly once a month.

Getting that first E-mail is not too bad; having to sign in to a service I never signed up for in order to stop the e-mail is the pain-point.

I wish more companies would require e-mail verification before activating accounts and sending out a flood of messages. It would also protect their customers, because it is quite easy to request a password reset and then, say, go dick with someone's data-populated chat-app settings.


For real. Today alone, I got someone else's golf course information (twice) and Valvoline receipt. I hate golf, and am deliberately car-free. I just mark it as spam now.


This is really annoying. What I find more annoying is a response like "We will process your request within 30 business days." (and after that period receive another spam). What could possibly take 30 business days to unsubscribe email? This is evil.

I would also like to see some sort of standard - like email header with link, that would unsubscribe you. Outlook/thunderbird/etc could just show button (probably next to "mark as spam" :)) and you could just click and be done. I think google tried something like this, but I've never heard of anyone else.


> What could possibly take 30 business days to unsubscribe email? This is evil.

Companies can, and do, take out lists of subscribers and pass them to agencies to run campaigns for them, with potentially long lead times. Still stupid, but that's usually the reason.

Regarding standard, the List-Unsubscribe: header is sort-of that. It's not used much because there's little reason to - most clients don't do anything with them.


Gmail does use List-Unsubscribe: when you mark as spam a mail which has a valid List-Unsubscribe header, it will ask you if you want to unsubscribe instead, and will handle the unsubscribe request automatically.


The typical reason is that there's a whole host of systems that might be sending e-mail on behalf of the company, so there might be some delay (generally far less than 30 days) for it to flow through whatever integrations are set up, and hey - since there's going to be a delay anyway, why potentially shoot yourself in the foot by giving yourself less than what you're entitled to by law?


That's possible. But if DNS changes can propagate throughout the entire world in 24 hours, seems like removing my email from a bunch of Internet databases could too.


Sending unwanted email to the maximum allowed by law doesn't seem like a quality business practice.


I'm assuming that the thought process businesses are going through goes something like:

- We have a complex series of integrations (marketing automation -> CRM system -> app -> transactional e-mail provider) (as one example) where propagation isn't real time and could take a few days (if say, each of these were propagated on a nightly batch).

- Something could go wrong with any of these.

- It's better to err on the side of caution and give a super-conservative estimate and always beat it by a huge margin, than give an accurate estimate and occasionally break it (particularly with something as sensitive as unsubscribes).


I assume you're over-exaggerating unsubs that say "up to 10 days". That's because the CAN-SPAM act requires that they be processed within 10 days.


Sounds like a misinterpretation of CAN-SPAM which says:

"Any opt-out mechanism you offer must be able to process opt-out requests for at least 30 days after you send your message. You must honor a recipient’s opt-out request within 10 business days."

which means the recipient gets 30 days (from receipt of each email) to opt out, the sender has 10 days to process the opt-out.


I have given up trying to unsub from many places, sometimes unsubing doesn't do anything, I generally just mark it as spam nowadays.


Then you're punishing the good guys.


The good guys don't send me mail I didn't ask for.


Yes, login-to-unsubscribe would be much more palatable if it were for things I actually opted in to. If I did not subscribe, then it should be easy to unsubscribe.

I'm looking at you, LinkedIn and Twitter. I've unsubscribed from about three or four waves of your bullshit. No, I don't care about what I might have "missed on Twitter". I didn't subscribe to this, you spamming fucks.


No, but they send you mail that you inadvertently asked for, and mail that you initially asked for but have since decided that you no longer want.


"mail that you inadvertently asked for" IS spam.

Personally I give them the benefit of the doubt and try to unsubscribe with ONE click.

There is no good reason to make people click more than once.


Easy for me, no direct "unsubscribing" => spam box. If you provide a newsletter the last thing you want is to be flagged as spam, so think about it.


This is exactly what I do. I believe that developers (or site owners) need to think about the state of mind of the user. If they are trying to unsubscribe, they must think that they should not be contacted by you or want not much to do with your site. If you ask them to log in to your site to complete their "do not bother me" action, they will take more drastic measures such as marking it as spam. UX is important, even when users leave your service.


I share a name with dozens of people who all seem to have a common issue - they can't spell their own email address, so they use mine.

This means it's impossible for me to unsubscribe from all sorts of things, since 'forgot my password' with a lot of places requires a birthday, access to the phone that's on the account, answers to security questions, etc. etc.

If I click 'unsubscribe' and get asked to log in? I just go back and click 'Report Spam'.


Yes. Especially when someone else mistyped their email address, you did not ask for confirmation, and now I get endless emails without the ability to sign out. So I just mark everything as spam, which I know isn't what you were hoping for. :)


One of my email addresses is very generic, and I get the same thing all the time - at least one random signup a week... Please, please, please - anybody who has sites that has a signup, the very first thing after saying "Thanks for signing up for [service]" should be "If you didn't create this account, click here" with a link to disassociate the email from the account and never email me again!

It's ridiculous how hard some services make it. Especially banks - I had someone in the US sign up for a bank account with my email, and I was getting fairly important sounding emails (like "your account had insufficient funds to pay [automatic bill payment]" and stuff), and there was almost nothing I could do - to contact the bank, you had to log into your account and use the "secure contact form" or phone them (which would be an international call, annoying time zones, etc.). I stopped getting emails eventually so they must have figured it out eventually!


This is a deal-breaker for me, and I immediately delete my account on any service that attempts this type of bullshit.

If a service makes me log in to unsubscribe from their spam, they can be assured that it will be the last time I ever log into their service.


It's why my initial signup to virtually anything is via a mailinator.com address (or alternate domain of theirs).

Abuse a privilege? Lose it.


Especially when your email address has been signed up to dozens of mailing lists as some sort of perverted revenge via spam. I can't log in because I didn't create the account. The developer is doubly at fault for allowing an account to be created without confirming the email address.

My revenge is training Gmail that email from such senders is Junk and Spam. Eventually Gmail dumps them automatically, hopefully for everyone.


Hear, hear. If you're worried about legit customers getting unsubscribed against their will (because that is TOTALLY a significant occurrence...), you can have a dual approach. Unsubscribing without authentication sends one final message which has an undo link; unsubscribing while authenticated shows a confirmation on the site instead of the inbox.

I know, the "Here's an email to confirm that you hate our emails" message isn't anyone's favorite... but if it helps companies improve their unsubscription mechanisms, I can let it slide.


If your unsubscribe links are something impossible to guess (e.g., "https://example.com/spam/unsubscribe?d=<long, randomly generated string, which is a key into your DB>"), how could someone possibly get unsubscribed against their will?


You (subscriber who wants the mail) forward it to a friend who wants to /dev/null it; friend clicks unsub link and original subscriber stops getting the messages.


What if I forward you a newsletter that I thought was interesting and you click the unsubscribe link?


Do you have an example in mind of what makes that a significant occurrence?


I subscribe to patio11's newsletter. Then I send a particularly good article from the newsletter to you via forwarding email. You say "Screw this" and hit the unsubscribe link.

Happens all the time, and now you've unsubscribed someone who is a high value member of the list.


If a sender does not let me unsubscribe without logging in, I usually end up (after 3 or 4 times clicking the unsubscribe link, getting frustrated, and deleting the email) adding a filter to automatically mark their emails as spam.


I mark as spam and automatically move it to the trash. I actively try to see if spam maybe missed on accident and I don't need that in the way. I also don't bother unsubbing because it always seems like you get more spam. Why take any chances?


Oh, easy, I just mark all emails as spam.


Same here. If I remember well, LinkedIn is one of the worst offenders. I hate how much unnecessary mail they send!


So how well has that tactic worked to thwart LinkedIn so far? Have they been permabanned from sending to gmail yet?

Oh, thought so.


That explains why I never get email from LinkedIn! Thanks everyone. I do like LinkedIn because its acts like a honeypot for recruiters, they just go there first. Keeps it simple.


At my old job I made the mail server's spamassassin globally trash ALL emails from Linkedin, no matter the content.

Nobody ever complained, which kinda goes to show exactly how spammy LI is.


I disagree, the most annoying thing is when the unsubscribe link leads you to a 404 page (or an "Untrusted SSL certificate" warning).


+1

I never log in in such circumstances, I just hit the 'spam' button and that's that. I trust the email service to categorize the further emails accordingly and that's what usually happens.


> There's nothing more annoying than clicking that 'unsubscribe' link at the bottom of your email only to be asked to login first.

But there's a reason, and to understand the reason, you need to understand something about the law.

You want to be taken off the mailing list of a company that technically is spamming you, violating the law. But if the company can get you to sign in first, you technically become a customer, and they can then spam you endlessly and legally.

But -- a company that requires you to sign in, in order to opt out, is breaking the law. The Can-Spam Act requires opt-out to be readily available and simple (see below). On that basis, sites that require signups to opt out are engaged in a criminal conspiracy.

From the law: "You must honor a recipient’s opt-out request within 10 business days. You can’t charge a fee, require the recipient to give you any personally identifying information beyond an email address, or make the recipient take any step other than sending a reply email or visiting a single page on an Internet website as a condition for honoring an opt-out request."

-- http://www.business.ftc.gov/documents/bus61-can-spam-act-com...

They're breaking the law. They are criminals.


The one thing that you do need to consider with a complete one-click unsubscribe is whether your e-mail could be forwarded - if a user forwards an e-mail, it's possible that whoever received the message could unsubscribe on their behalf.

Probably the best thing to do, IMO, is a simple two click unsubscribe - take them to a page with their e-mail address already filled in, and just require them to click "OK" to confirm which address is being unsubscribed.


Making it difficult to unsubscribe will also make it difficult for your mail to continue to deliver to inbox. It encourages people to report your mail as spam.


Another side effect of such requirements: it means that even white-hat ops at the service itself cannot address the issue sanely.

At multiple gigs, at multiple sites, a significant amount of bounced mail consists of messages sent to long-term undeliverable addresses (in many cases: to domains which no longer exist, and/or have been transferred, and/or the owning company has gone out of business: think Enron, AT&T's discontinued ISP network, Lehman Brothers, etc.).

Even if I'd _wanted_ to create rules or write scripts to automatically process the messages, the login requirements generally meant that wasn't possible. Instead, these comprised both a significant amount of outbound mail queues and nondelivery notifications, potentially masking more serious issues (you've got to come to understand what notifications are effectively part of background noise vs. not).

Oh, and some of those domains still exist in some regards (e.g., there's a skeleton crew at Lehman winding down the firm), so you can't just blindly select entire domains.

File under continuing hassles of a conscientious admin's job.


If your unsubscribe isn't one click, or you don't have an unsubscribe, and I don't like your emails, the message gets marked as spam.


I was recently bitten by the Freelancer/vWorker acquisition in this regard! I became "vw9916640" and had–to my knowledge–no password. This did not stop their unsubscribe form from prompting for the aforementioned unknown/nonexistent password.

I'm still getting e-mails from them to this day.


password reset?


Nitpick, but the person(s) who wrote the code are probably not the one(s) who make these sorts of decisions about how the product or service will handle un/subscription. More likely it's the product manager(s) or other business person types.


Oh man! If I could vote you up more, I would.

A while back a forum spammer decided to use my Gmail address to spam forum sign-ups. I got Gmail to filter most of them into the trash (the spammer used a variation of my email address I don't use. Gmail allows variations in email addresses). Afterwards I wanted to clean things up and a lot of the senders require that I log in first to unsubscribe. That they would sign me up without verification is bad enough but requiring that I login to unsubscribe made it just too difficult. So now I just filter everything that was sent to that variation of my email and mark them all as spam.

Lose-lose for everyone.


At Zapier, we jumped through a lot of extra hoops to make sure that emails are categorized and you can easily opt-out with a single click (no matter if you are logged in or not). Some emails cannot be opted out of (the only two right now are payment transactions and forgotten/reset password) but everything else can be.

We have a lot of other cool stuff in emails like single click logins, viewing pixels with custom payloads, our open source drip campaign mailer for Django, and much more. If there is any interest, I'd be happy to go into deeper detail.


We do the same and just got our first request to unsubscribe from our receipt emails since we don't provide an unsubscribe link on it. Waiting for our first person to complain about our reset password email, have a feeling it's coming soon.


I'd be interested if you have details on handling single-click login as securely as possible.


Sure!

Basically, reuse a lot of signing functions that you might find in a library (IE: Django's https://docs.djangoproject.com/en/dev/topics/signing/), don't roll your own. Then, keep track of last login IP address and block auto-logins when they mismatch. Then, set a max age for the login links to work (for example, 24 hours). There are a few other things we do as well, but those are the major ones.

Those three combined are fairly secure.


Thanks. You said "last login IP". If it's a single IP, I guess you're talking about transactional mails the user has triggered. If it was marketing mails, you'd surely want to compare against a list of recent IPs, not just the very last, wouldn't you?


I always mark mails as spam if it takes more than one click to unsubscribe.


I'm inclined to think requiring the login is an intentional choice in most cases rather than an oversight; it raises a barrier to unsubscribing, and can even make it impossible, if you never set up an account in the first place. It's sort of like saying you can unsubscribe if you like, without actually providing the option; it offers plausible deniability.

I just click on "Spam" and, if it continues, set up a filter to /dev/null.


+100000000 !!!!!!!!!!!!!

I can't think of how many times I've had to do this. I really like georgemcbay@'s idea to just mark as spam. Gonna do that from now on


I was recently reading an article about making it easy for users to use a website http://sixrevisions.com/usabilityaccessibility/getting-users....

In my opinion, I agree. User-friendly is key. In my personal experience, users appreciate ease of access, including unsubscribing.


It's also a violation of the CAN-SPAM act: http://business.ftc.gov/documents/bus61-can-spam-act-complia...

If I try to unsubscribe from an email list and am presented with a login prompt, I report the sender as spam without an instant of hesitation or regret.


No it's not. There is nothing in the CAN-SPAM act that requires you to allow unsubscribing without logging in.


I always simply mark it as spam repeatedly until gmail auto-generated a filter to auto-spam it. It is spam and should be treated as such.


If you're using gmail, just use the "filter messages like this" feature to make messages from the given address skip the inbox or be deleted on arrival.

So there's no reason to ever have to deal with the unsubscribe links in emails. It puzzles me that people who use gmail still complain about this stuff. Do people not know about this feature?


I mark those messages as spam. If enough people do that, Google will permanently allocate them where they belong.


Someone used my email on several children's games websites, and some of them started sending me emails without verifying, so I couldn't even unsubscribe at all because I wasn't the one that registered to that site... At least emailing their support got me out of that mailing list...


On one hand, I do agree that it is very annoying. However, I can kind of understand.

There may be a way around this, but if no session was required, then couldn't someone just make a bunch of GET requests to the unsubscribe url for each user id and unsubscribe the entire user base?


Well, I think most professional developers would use a GUID for each user anyway. Good luck bruteforcing that.


Yes, this is a solved problem.


Just use CSRF tokens.


Yeah, I don't know why I didn't think of that. In that case, there really isn't any justification.


A relevant post: http://shahart.al/2013/07/13/on-the-perils-of-owning-a-vanit... (Also - check out the reddit thread [link in text])


Reminder: some updates are needed regardless of unsubscribe state (such as change of TOS and changes to pricing). These are allowed under CAN-SPAM.

If you are still a user (you unsubscribed but didn't delete your account), expect much less mail, but not quite zero.


If I have to login to unsubscribe, I block the sender and report the emails as spam.


I wish they not only put one click unsubscribe link but also one click remove account from given service. I've noticed that removing account is what I need more often than unsubscribe.


A more aggressive version of this I posted 1019 days ago: https://news.ycombinator.com/item?id=2139617


I usually just resort to the report spam button if I have to login.


I've been experimenting with using the Report Spam button to avoid Reverse Identity Theft - http://xkcd.com/1279/ - for fuckwits who sign up for stuff using my email address. It's a lot easier than doing a reset password and then unsubscribing or changing the registered email address to fuckwit@example.com


Just press the SPAM button in your mail reader. Problem solved.


What if your mail reader doesn't have a spam button?


(If the question's serious...) many email providers that give IMAP access will let you set up a "mark spam" folder and they'll check it to update their spam filter for you.

Otherwise, search for "your mail reader" and "mark spam" and you'll probably figure something out.


This is one of the most annoying things I've experienced! You can nuke all these emails if you add the "Unsubscribe" keyword to your filters.


Agreed, that's very annoying. I'm still subscribed to a few emails I don't want, only because they make it so difficult to unsubscribe.


Mark them as Spam and you will help the whole email ecosystem.


Not that I'm supporting login-to-unsubscribe system, but wouldn't requiring just an email to unsubscribe allow anyone to unsubscribe you?


Not if there is a unique key encoded into the unsub mail. E.g.: unsub-73A6F7S-you=at=example.com@mydomain.com
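
Several comments in this thread describe the same mechanism: an unguessable or signed key carried in the unsubscribe link, a `List-Unsubscribe` header, and (for single-click login) signed links with a maximum age. The sketch below is an added example, not code from any commenter or from Zapier; it uses Python's standard `hmac` module instead of Django's signing library, and the key, URL, list name, addresses and the 60-day lifetime are constructed assumptions.

```python
import base64
import hashlib
import hmac
import time
from email.message import EmailMessage
from typing import Optional, Set, Tuple

# Constructed demo key (assumption); a real service loads it from a secret store.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"

# Lifetime per purpose. The FTC text quoted in the thread requires opt-out to
# work for at least 30 days after sending, so 60 days (an assumption) leaves
# margin; 24 hours for login links is the figure given in the thread.
MAX_AGE = {"unsubscribe": 60 * 86400, "login": 24 * 3600}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(payload: bytes) -> bytes:
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()


def make_token(purpose: str, email: str, list_id: str,
               now: Optional[float] = None) -> str:
    """Bind purpose, address, list and issue time into one signed token."""
    if purpose not in MAX_AGE:
        raise ValueError("unknown purpose")
    if "\n" in email or "\n" in list_id:
        raise ValueError("newline would break the field separator")
    issued = int(time.time() if now is None else now)
    payload = "\n".join((purpose, email, list_id, str(issued))).encode("utf-8")
    return b64url_encode(payload) + "." + b64url_encode(sign(payload))


def verify_token(token: str, purpose: str,
                 now: Optional[float] = None) -> Optional[Tuple[str, str]]:
    """Return (email, list_id) for a valid token, otherwise None."""
    try:
        body, sig = token.split(".")
        payload, given = b64url_decode(body), b64url_decode(sig)
    except ValueError:  # wrong shape or bad base64
        return None
    # Constant-time comparison; the payload is only parsed once it is authentic.
    if not hmac.compare_digest(given, sign(payload)):
        return None
    got_purpose, email, list_id, issued = payload.decode("utf-8").split("\n")
    # Purpose check: an unsubscribe link must never be accepted as a login link.
    if got_purpose != purpose:
        return None
    age = (time.time() if now is None else now) - int(issued)
    if age < 0 or age > MAX_AGE[purpose]:
        return None
    return email, list_id


def handle_unsubscribe(token: str, subscriptions: Set[Tuple[str, str]],
                       now: Optional[float] = None) -> bool:
    """Apply a one-click opt-out with no login; True if the token was valid."""
    target = verify_token(token, "unsubscribe", now)
    if target is None:
        return False
    subscriptions.discard(target)  # idempotent: a second click is harmless
    return True


def build_message(recipient: str, list_id: str,
                  now: Optional[float] = None) -> Tuple[EmailMessage, str]:
    """Constructed sample newsletter carrying the link in List-Unsubscribe."""
    token = make_token("unsubscribe", recipient, list_id, now)
    url = "https://example.com/unsubscribe?t=" + token  # hypothetical endpoint
    msg = EmailMessage()
    msg["From"] = "news@example.com"
    msg["To"] = recipient
    msg["Subject"] = "Constructed sample newsletter"
    msg["List-Unsubscribe"] = "<" + url + ">"
    msg.set_content("Body text.\n\nUnsubscribe: " + url + "\n")
    return msg, token


if __name__ == "__main__":
    subs = {("alice@example.com", "weekly"), ("bob@example.com", "weekly")}
    message, tok = build_message("alice@example.com", "weekly")
    print(message["List-Unsubscribe"])
    print("unsubscribed:", handle_unsubscribe(tok, subs), "remaining:", subs)
```

Because the token names one address, one list and one purpose, enumerating user ids gains nothing and a forwarded message exposes only that single opt-out, which is the residual risk the forwarding comments describe.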


LinkedIn does it, why shouldn't they? LI is a successful, IPO'ed company, surely they wouldn't be doing anything detrimental.


LINKEDIN


"If your newsletter doesn't have a single-click unsubscribe link, GMail surely has a single-click spam button"


I usually try to hit unsubscribe first. If I'm not immediately unsubscribed, I just mark them as spam and move on.


I kinda gave up, and simply create an email filter that deletes any email from the domain name of the sender.


Sorry, this is a darkpattern* (their deliberate action)

I also mark such email as spam.


In case of "unsubscribe" - click on "Spam" link.


Twitter does it the right way! Kudos!


Agree


this x 10



