
I ran into an interesting bug today. I was trying to update my address on a mailing list, and it sent an email to the new address, with a unique URL that I was supposed to visit to confirm my request. However, when I clicked it, I received an error that the link had already been used and was now invalid.

Upon further investigation, it seems that some host in my organization's email system visits URLs in incoming email before delivering it (GETs the page), presumably to check whether the link points to some sort of virus or other malware. Apparently the mailing list's confirmation page requires an extra click to actually confirm the request, so this doesn't actually update my subscription, but it does invalidate the URL. As a result, I can't update my subscription at all!

The question is:

Who is wrong in this situation? To whom should I complain? The mailing list server which sends links that only work once, or my own email admins who have a scanner set up to visit links?

And which of these practices should I avoid (or both)? They both seem kind of antisocial, but each seems to make sense in its own way.

I can imagine more serious results from automatically visiting random URLs from incoming email; for instance, simply requesting the URL could trigger some irreversible action, maybe one that I didn't want to do at all. On the other hand, it doesn't seem unreasonable to want to check whether an email contains malicious links, and how can you check this except by seeing what's at the other end?

  • What did your IT department say about this when you asked them? – Michael Hampton Nov 21 '13 at 18:24
  • @MichaelHampton: I haven't asked them yet, I was trying to figure out first whether they were the right ones to ask. I suspect they'll blame the mailing list software :) Anyway, I'm asking more about best practices than about my specific problem. – Nate Eldredge Nov 21 '13 at 18:27
  • Practically all mailing list software sends you a subscription confirmation that says "Click here to verify you actually own this email". If someone signs you up to a mailing list as a prank or trolling, your IT department's anti-virus bot will auto-confirm that subscription. It will also auto-unsubscribe you from any mailing list that has a one-click unsubscribe process. – Ladadadada Nov 21 '13 at 18:35
  • It will also navigate to the dreaded 'unsubscribe which really just confirms your email is active to spammers' links. – Dan Nov 21 '13 at 18:36
  • Scanning the website is the job of your AV-Software on your computer when you try to visit the website in your browser not of the email-system. – lsmooth Nov 21 '13 at 18:52
  • `"visits URLs in incoming email before delivering it (GETs the page), presumably to check whether the link points to some sort of virus or other malware"` - that's silly...it should be using signatures/lists and comparing the URL to that...not actually visiting the site (and possibly becoming infected in the process) – TheCleaner Nov 21 '13 at 18:54
  • @TheCleaner: Well, I presume attackers are capable of sending each victim a unique link to their malware, which won't appear on a blacklist (though of course one could blacklist the entire domain). And I expect the scanning host fetches the page directly, not through a browser, and is careful not to execute anything it receives, so I don't think it's at risk of being infected. But I agree with you that it seems questionable. – Nate Eldredge Nov 21 '13 at 18:56
  • @NateEldredge I gave you an answer below that you can point your IT department to (I also closed this question as off-topic since it's really not a "system administration" question, it's you as a user having a problem with your IT department's policies). Bottom line though, there's only one good reason for your scanner software to visit links in emails (scanning them for malware), and a whole bunch of reasons ***NOT*** to do so. You should tell your IT department their policy breaks things and try to get them to fix it. – voretaq7 Nov 21 '13 at 19:02
  • @voretaq7: Ok, thanks. I actually was interested from a sysadmin perspective about whether this was an appropriate setup, but in any case I have an answer now: it isn't. – Nate Eldredge Nov 21 '13 at 19:06

1 Answer

Nobody is technically "wrong" in this situation: The email RFCs say nothing about visiting links. In fact they don't concern themselves with links or virus scanning.
Since the standard is mum on the issue there's nothing to violate.

That said, what your email system is doing certainly strikes me as sub-optimal.
I would certainly not implement such a system in my environment.

Normal behavior is to evaluate the URL (the string itself), not to visit it.
This is because plenty of links in emails are not idempotent - Some examples:

  • The "Yes, I want to subscribe to this email" link you get from mailing lists
  • The "Get me the heck off this list!" link in the footer of many mailing list messages
  • The "I want to reset my password" link some companies send when you forget your password
  • One-Time Download links as are generated by some E-Commerce platforms
  • Faux-Unsubscribe links, embedded images, etc. that tell spammers your email is alive
  • Legitimate View-Tracker links (often embedded 1px images)
voretaq7
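The answer's point is that a confirmation link should survive being fetched by something other than the user. The following is an added illustration (not the mailing list's or any real product's code) of how a confirmation endpoint can treat GET as a safe, non-consuming method and only consume the single-use token on POST; the in-memory store, TTL and handler names are constructed for the example.

```python
import secrets
import time

# Constructed in-memory token store for the example (not any list software's code).
# token -> {"email": ..., "expires": ..., "used": bool}
PENDING = {}
TTL_SECONDS = 24 * 3600


def issue_token(email, now=None):
    """Create a single-use confirmation token for a pending address change."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    PENDING[token] = {"email": email, "expires": now + TTL_SECONDS, "used": False}
    return token


def _lookup(token, now):
    """Return the live entry for a token, or None if unknown, used or expired."""
    entry = PENDING.get(token)
    if entry is None or entry["used"] or entry["expires"] < now:
        return None
    return entry


def handle_get(token, now=None):
    """GET is a safe method: render the confirm form, never consume the token.
    A mail gateway that prefetches this URL therefore changes nothing."""
    now = time.time() if now is None else now
    if _lookup(token, now) is None:
        return (404, "This confirmation link is invalid or has expired.")
    return (200, "<form method='post'><button>Confirm change</button></form>")


def handle_post(token, now=None):
    """POST performs the state change and consumes the token exactly once."""
    now = time.time() if now is None else now
    entry = _lookup(token, now)
    if entry is None:
        return (409, "This confirmation link was already used or has expired.")
    entry["used"] = True
    return (200, f"Subscription updated for {entry['email']}.")


def simulate_prefetching_gateway(email="user@example.org"):
    """Replay the scenario from the question: the gateway GETs the link first,
    then the user opens it and clicks Confirm. Returns the three status codes."""
    token = issue_token(email)
    scanner = handle_get(token)[0]    # link scanner prefetch
    user_view = handle_get(token)[0]  # user opens the link
    user_click = handle_post(token)[0]  # user actually confirms
    return (scanner, user_view, user_click)
```

With this split, the scanner's GET in the question would have been harmless, while a second POST (a replay) is still rejected.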