Developer forum

Security software visiting email links and carrying out actions

Imar Spaanjaars Dynamicweb Employee

Hi there,

I have a site where users need to double-opt for a newsletter. When they click the Confirm link in their email, they are not taken to the page set as "redirect after confirmation" but see the signup form page again. At first I couldn't reproduce it but then I could by clicking the same link a second time. At that point, the account is already confirmed and DW shows the form and not the redirect page. The customer says they are clicking only once, so something else seems to be reading these links. I did some research and found that some mail security software can extract and visit links, therefore approving the account without the user actually consenting. (This reminds me of Chrome prefetching URLs years ago, thereby causing destructive actions like deleting things that were accessible over a GET rather than a POST.)

Has anyone seen this before and is there a way to handle it? A POST would handle this in a browser but for email that's a different story.

Imar


Replies

 
Nicolai Pedersen Dynamicweb Employee

I have seen this once before - solved by using https links as they were not followed by that particular security software.

Alternative solutions - which require us to change something:

  • Allow the confirm multiple times and still show the same receipt (super easy)
  • Redirect to a page that will use JS magic and some auto captcha-ish behavior to do js redirect to the final receipt destination - will solve most of the issue with autofollow.
 
Imar Spaanjaars Dynamicweb Employee

In this case, the site already uses https, and apparently those links are followed. So option 1 would be good to have.

Imar
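
An added example (not part of the thread and not Dynamicweb code) that models the reported behaviour, option 1 from the reply above, and a two-step variant of option 2 in which the landing page requires a POST instead of a JS redirect. The in-memory store, page paths and function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory store and page paths (hypothetical, not Dynamicweb's).
SUBSCRIBERS = {}  # email -> {"token_hash": str, "confirmed": bool}
RECEIPT_PAGE = "/newsletter/thanks"
SIGNUP_PAGE = "/newsletter/signup"
CONFIRM_PAGE = "/newsletter/confirm"  # landing page holding a "Confirm" button

def _hash(token):
    return hashlib.sha256(token.encode()).hexdigest()

def subscribe(email):
    """Store a pending subscriber; return the token that goes into the email link."""
    token = secrets.token_urlsafe(32)
    SUBSCRIBERS[email] = {"token_hash": _hash(token), "confirmed": False}
    return token

def _valid(email, token):
    sub = SUBSCRIBERS.get(email)
    return sub is not None and hmac.compare_digest(sub["token_hash"], _hash(token))

def confirm_naive(email, token):
    """Reported behaviour: a second visit to the link falls back to the form."""
    if not _valid(email, token) or SUBSCRIBERS[email]["confirmed"]:
        return 302, SIGNUP_PAGE
    SUBSCRIBERS[email]["confirmed"] = True
    return 302, RECEIPT_PAGE

def confirm_idempotent(email, token):
    """Option 1: a valid link always ends on the receipt, however often visited."""
    if not _valid(email, token):
        return 302, SIGNUP_PAGE
    SUBSCRIBERS[email]["confirmed"] = True  # no change if already confirmed
    return 302, RECEIPT_PAGE

def confirm_two_step(method, email, token):
    """GET only renders the landing page; the state change needs the user's POST."""
    if not _valid(email, token):
        return 302, SIGNUP_PAGE
    if method != "POST":
        return 200, CONFIRM_PAGE  # a scanner's GET stops here, nothing confirmed
    SUBSCRIBERS[email]["confirmed"] = True
    return 302, RECEIPT_PAGE
```

The idempotent handler fixes what the user sees but still lets a link scanner confirm the subscription; only the two-step variant ties the state change to an action the scanner's GET does not perform.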

 
