One-Click List-Unsubscribe

From InboxSys document library

One-Click List-Unsubscribe was introduced to fix a serious flaw in the https method of the List-Unsubscribe mechanism. An https link in the List-Unsubscribe header must work with a single GET request: as soon as the link is fetched, the unsubscription takes effect immediately, and every parameter involved is visible in the URL. This makes the mechanism prone to mistakes and abuse, because the List-Unsubscribe link can easily be triggered by accident or with malicious intent.

This weakness can be countered by adding a second header to your messages, alongside the List-Unsubscribe header. This is the One-Click List-Unsubscribe header:

List-Unsubscribe-Post: List-Unsubscribe=One-Click

This header simply states that the variables shown in the URL should be sent in a POST request instead of a GET request. For the example above, the POST request to your unsubscription landing page would look like this:

POST /unsubscribe.html?opaque=123456789 HTTP/1.1
Host:
Content-Type: application/x-www-form-urlencoded
Content-Length: 26

List-Unsubscribe=One-Click

On your landing page it is essential to:

  • Process POST requests
  • Ignore GET requests

One-Click List-Unsubscribe in InboxSys

In the content-section of InboxSys campaign tests, you can see:

  • If your One-Click List-Unsubscribe header is present
  • If your One-Click List-Unsubscribe header is syntactically correct
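The following added example (written for this page, not InboxSys code) models both sides of the mechanism described above: a sender building the List-Unsubscribe and List-Unsubscribe-Post headers and checking them for presence and syntax, and a landing page that unsubscribes only on a POST with the body List-Unsubscribe=One-Click while ignoring GET requests. The URL, the opaque token value and the subscriber store are constructed sample data; the handler accepts only the application/x-www-form-urlencoded body shown on this page.

```python
"""One-click List-Unsubscribe: header generation/check and landing-page handling.
Added example for illustration; not part of InboxSys."""
from urllib.parse import parse_qs, urlparse

# Exact POST body and List-Unsubscribe-Post value the mechanism requires.
ONE_CLICK_BODY = "List-Unsubscribe=One-Click"


def build_unsubscribe_headers(https_url, mailto=None):
    """Sender side: return the two headers to add to an outgoing message.
    List-Unsubscribe carries the https link (plus an optional mailto: link);
    List-Unsubscribe-Post tells the receiver to POST instead of GET."""
    if not https_url.startswith("https://"):
        raise ValueError("one-click unsubscribe requires an https URL")
    targets = ["<%s>" % https_url]
    if mailto:
        targets.append("<mailto:%s>" % mailto)
    return {
        "List-Unsubscribe": ", ".join(targets),
        "List-Unsubscribe-Post": ONE_CLICK_BODY,
    }


def check_one_click_headers(headers):
    """Sender-side sanity check, in the spirit of the campaign test above.
    Returns (present, syntactically_correct) for the One-Click header."""
    post = headers.get("List-Unsubscribe-Post")
    unsub = headers.get("List-Unsubscribe")
    if post is None:
        return (False, False)
    # The value must be exactly List-Unsubscribe=One-Click and the companion
    # List-Unsubscribe header must exist and contain an https link.
    correct = (post.strip() == ONE_CLICK_BODY
               and unsub is not None and "<https://" in unsub)
    return (True, correct)


def handle_unsubscribe_request(method, path, content_type, body, unsubscribe):
    """Landing-page handler. Returns an HTTP status code.

    Only a POST whose form body is List-Unsubscribe=One-Click unsubscribes the
    subscriber identified by the opaque query parameter. GET is rejected, so a
    fetch of the bare URL cannot trigger the unsubscription.
    `unsubscribe(token)` is a caller-supplied callback returning True on success."""
    if method != "POST":
        return 405  # Method Not Allowed: GET and everything else is ignored
    if content_type.split(";")[0].strip() != "application/x-www-form-urlencoded":
        return 415  # Unsupported Media Type
    form = parse_qs(body, keep_blank_values=True)
    if form.get("List-Unsubscribe") != ["One-Click"]:
        return 400  # Bad Request: not a one-click unsubscribe body
    token = parse_qs(urlparse(path).query).get("opaque", [None])[0]
    if token is None:
        return 400
    if not unsubscribe(token):
        return 404  # unknown or already-removed subscriber
    return 200


if __name__ == "__main__":
    # Constructed sample data: one subscriber keyed by an opaque token.
    subscribers = {"123456789": "alice@example.com"}
    unsub = lambda token: subscribers.pop(token, None) is not None
    url = "https://example.com/unsubscribe.html?opaque=123456789"
    headers = build_unsubscribe_headers(url, mailto="unsub@example.com")
    print(headers, check_one_click_headers(headers))
    # A plain GET (e.g. an accidental click) changes nothing.
    print("GET  ->", handle_unsubscribe_request("GET", "/unsubscribe.html?opaque=123456789", "", "", unsub), subscribers)
    # The one-click POST removes the subscriber.
    print("POST ->", handle_unsubscribe_request("POST", "/unsubscribe.html?opaque=123456789",
                                                "application/x-www-form-urlencoded", ONE_CLICK_BODY, unsub), subscribers)
```

The design point is that the opaque token alone never authorises anything: the handler requires the POST method, the form content type and the exact List-Unsubscribe=One-Click body before it touches the subscriber store, so the URL leaking from a mail client or being fetched by software stays harmless.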

Useful links