Adobe Campaign Classic v7 & Campaign v8

dmoorethree · 2/27/24

I'm wanting to add One-Click unsubscribe option as per the requirements from Google/Yahoo. I've investigate the webapp provided by Adobe but have a concern. This webapp will unsubscribe a person without any interaction whether you send a POST or GET request. I've seen many recommendations/warnings on the web that you should never allow any form of One-Click unsubscribe via GET even if the url is in the header of the email.

Has anyone else had experience of this? How have they solved it? What can you do to discover if the webapp request came from a POST or GET call.

The Adobe web app can be found in the XML hyperlink on this page

https://experienceleague.adobe.com/docs/deliverability-learn/deliverability-best-practice-guide/addi...

dmoore2607 · 2/27/24

The List-Unsubscribe-Post: List-Unsubscribe=One-Click does not stop email clients or email client protection systems sending GET requests, it's only purpose is to inform email clients that the URL in the List-Unsubscribe header supports POST requests and will perform the unsubscribe without any further action from the client.

Therefore it does not protect your OneClick unsubscribe webapp from receiving GET requests. You have to ensure the webapp does not perform unsubscribes in response to GET requests. Otherwise you could end up with a lot of clients unsubscribed because some email protection system has performed numerous HTTP GET requests on the unique URLs you've provided in the List-Unsubscribe headers.

The One-Click unsubscribe webapp provided by Adobe has this vulnerability as it unsubscribes recipients if it receives GET or POST requests.

The way to protect your webapp is to add a test on the request.method variable. If this = POST then perform the unsubscribe, however if it equals anything do not unsubscribe the recipient

View solution in original post

pavan_nauhwar · 2/27/24

Hi @dmoorethree,

Some email protection systems perform analysis of the email source code to identify any malicious links. To do that they'd perform HTTP GET requests to those links to see what happens. This can trigger unwanted unsubscribes. To avoid that the JSSP should only perform actions when called using HTTP POST requests. You can advise email clients to send HTTP POST requests in the background (when the user clicks the button) by setting an additional header:

List-Unsubscribe-Post: List-Unsubscribe=One-Click

The value in this header must be the fixed string "List-Unsubscribe=One-Click" that is sent in the HTTP request body during the HTTP POST request (compare RFC 8058, https://www.rfc-editor.org/rfc/rfc8058). E.g.:

List-Unsubscribe: <https://www.brandname.com/cus/unsubscribe.jssp?messageId=someMessageId>

List-Unsubscribe-Post: List-Unsubscribe=One-Click

That way, if some analysis software opens any links found in the email source, it will not trigger unwanted unsubscriptions and still the List-Unsubscribe feature is supported.

Regards,
Pavan Nauhwar

dmoore2607 · 2/27/24

The List-Unsubscribe-Post: List-Unsubscribe=One-Click does not stop email clients or email client protection systems sending GET requests, it's only purpose is to inform email clients that the URL in the List-Unsubscribe header supports POST requests and will perform the unsubscribe without any further action from the client.

Therefore it does not protect your OneClick unsubscribe webapp from receiving GET requests. You have to ensure the webapp does not perform unsubscribes in response to GET requests. Otherwise you could end up with a lot of clients unsubscribed because some email protection system has performed numerous HTTP GET requests on the unique URLs you've provided in the List-Unsubscribe headers.

The One-Click unsubscribe webapp provided by Adobe has this vulnerability as it unsubscribes recipients if it receives GET or POST requests.

The way to protect your webapp is to add a test on the request.method variable. If this = POST then perform the unsubscribe, however if it equals anything do not unsubscribe the recipient

_Manoj_Kumar_ · 2/27/24

Hello @dmoorethree

Within in the same JSSP, You can add one condition to check if the response was GET or POST.

Code to allow POST request Only

 if( request.method !== "POST" ) {
document.write("METHOD NOT ALLOWED");
}

Manoj
Find me on LinkedIn

VedantVyas · 5/23/24

Hi Dmoore,

Have you tested this personally?

I've tested all combinations but stand alone post never works - I do not see unsub link in gmail - header, to.
If i add mail to then its visible.
Other forums are saying

Use JSSP
Don't use JSSP
Use only web app
move web app code to typology

Nothing works.

If it works for you by using jssp in post then can you please post your jssp code and SMTP header as well

IMHO i think no one has cracked the post method, everyone is saying what adobe is suggesting and no one has the success

Best

Vedant

Adobe Campaign Classic v7 & Campaign v8

List-Unsubscribe One-Click Webapp

Learn

Documentation

Community

Support

Resources

Adobe account

Adobe