cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

ATP Safe Links are automatically unsubscribing users from email lists

Sean Stockburger
Brass Contributor

‎Jun 18 2018 08:41 AM - last edited on ‎May 24 2021 02:03 PM by

‎Jun 18 2018 08:41 AM - last edited on ‎May 24 2021 02:03 PM by

ATP Safe Links are automatically unsubscribing users from email lists

We turned on ATP safe links a few weeks ago, and I have multiple reports of people being automatically unsubscribed from email lists they want to remain members of. 

 

In each case the messages sent to list members includes a "Click-to-unsubscribe" link in the footer. It seems that either ATP is activating the unsubscribe script when it probes the link, or when it rewrites the URL. There are a couple of lists that between 500 and 1000 of our users subscribe to, and they were all unsubscribed the first time that list sent a message after we turned on Safe Links.

 

Is there any way to keep this from happening? I know we can opt users out of safe links, but in this case we need to white list a sender. 

Labels:
12.6K Views
0 Likes
2 Replies
Reply
2 Replies

‎Jun 25 2018 02:10 AM

‎Jun 25 2018 02:10 AM

Re: ATP Safe Links are automatically unsubscribing users from email lists

Please complain to these br0ken lists, since:

 

"GET is for retrieving data.  It should have no side effects, you should be able to request the same URL over and over harmlessly."

https://www.quora.com/HTTP-What-is-the-difference-between-GET-and-POST

 

"In particular, the convention has been established that the GET and HEAD methods SHOULD NOT have the significance of taking an action other than retrieval. These methods ought to be considered "safe". (...) Naturally, it is not possible to ensure that the server does not generate side-effects as a result of performing a GET request; in fact, some dynamic resources consider that a feature. The important distinction here is that the user did not request the side-effects, so therefore cannot be held accountable for them."

https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html

0 Likes
Reply
Sean Stockburger

‎Jun 25 2018 08:27 AM

‎Jun 25 2018 08:27 AM

Re: ATP Safe Links are automatically unsubscribing users from email lists

Thank you for the reply, but the "one-click unusubscribe" has been a feature in many lists for a very long time. I can ask the owners of those lists to talk to the list host about making changes, but some of these are very old lists that are not maintained with current technology (many of these are ancient academic lists). I did get one list host (Dada Mail) to remove the click to unsubscribe from the footer of messages being sent to our domain. Another host replied to tell me that they could not do remove or change the link. 

 

So I know it's not Microsoft's fault, but from my customers' perspectives it is my department's fault for turning on a feature that has a negative side effect for many of them. The workaround many are using is to re-subscribe using a personal email address, which is less than ideal for many reasons. I did find that it looks like we can create a Transport rule to bypass safe links for specific IP addresses, so we will give that a try. Another user reported that it was triggering the satisfaction rating for their service desk software:

https://techcommunity.microsoft.com/t5/Security-Privacy-Compliance/Anyway-to-disable-Office-365-ATP-...

 

 

0 Likes
Reply