phpList / phplist3

Fully functional Open Source email marketing manager for creating, sending, integrating, and analysing email campaigns and newsletters.
https://www.phplist.org
GNU Affero General Public License v3.0

Block BingPreview (auto-visits links in emails) #415

Open da2x opened 5 years ago

da2x commented 5 years ago

Outlook.com (therein also Hotmail and Live Mail) customers are being auto-subscribed to my newsletter. They open all links by default for security purposes. phpList should block their User-Agent on the confirmation page to prevent this from happening.

As far as I can tell, this is only a problem with email services from Microsoft.

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534+ (KHTML, like Gecko) BingPreview/1.0b

michield commented 5 years ago

Interesting. Would be good to get a few steps to reproduce this. I have several Outlook accounts, so I can try to replicate it. Can you give the steps?

da2x commented 5 years ago

  1. Sign up for a phpList managed mailing list with an @outlook.com account.
  2. Wait.

BingPreview bot will visit the link within a few minutes of the email being delivered. You should see the welcome message being sent to the Outlook email too. Opening the email in the Outlook.com email interface (don’t click the confirmation link!) seems to reduce the time you have to wait.

michield commented 5 years ago

Trying now :+1:

samtuke commented 5 years ago

A similar issue with bots crawling campaign links was recently described in relation to Yahoo and unsubscribe links here: https://discuss.phplist.org/t/users-reporting-unauthorized-unsubscribes/4417

It would be good to add user agent checking and blocking for both Microsoft and Yahoo mail bots.

michield commented 5 years ago

I wasn't able to replicate it. But I think that in general we should add anti-bot headers (no-follow, no-index) to all pages and also document the robots.txt lines to use. The issue with robots.txt is that it lives in the site root and therefore we have no access to it from the application.

yscumc commented 4 years ago

Just confirming OP's issue. Note that I'm not here because of phpList, but of a related issue with Office 365.

Our organization uses Office 365 and it auto visits every link that's sent to our emails with that BingPreview user agent mentioned by the OP. This has been an issue for us because not just phpList, but many other web apps out there also send out one-click URLs in confirmation emails.
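
The mitigations raised in this thread (User-Agent check on the confirmation page, no-index/no-follow headers) combined with a confirmation that only takes effect on POST, so a scanner's GET never changes subscriber state. This is an added example, not phpList code and not from any commenter; the function names, the `uid` parameter and the `$confirmSubscriber` callback are assumptions, and the POST step goes beyond what the thread proposes.

```php
<?php
// Added example, not phpList code. Names and the 'uid' parameter are assumptions.

// Substrings identifying automated link previewers. Only BingPreview comes
// from the User-Agent quoted in this thread; extend the list from your own logs.
const PREVIEW_BOT_MARKERS = ['BingPreview'];

function is_preview_bot(string $userAgent): bool
{
    foreach (PREVIEW_BOT_MARKERS as $marker) {
        if (stripos($userAgent, $marker) !== false) {
            return true;
        }
    }
    return false;
}

// Returns [HTTP status, action]; only 'confirm' may change subscriber state.
function decide_confirmation(string $method, string $userAgent): array
{
    if (is_preview_bot($userAgent)) {
        return [403, 'reject'];      // known scanner: never touch state
    }
    if ($method === 'POST') {
        return [200, 'confirm'];     // a person pressed the form button
    }
    return [200, 'show_form'];       // GET/HEAD: render a button, no side effect
}

// $confirmSubscriber is a hypothetical callback that marks the uid as confirmed.
function handle_confirmation(array $server, array $get, array $post, callable $confirmSubscriber): void
{
    header('X-Robots-Tag: noindex, nofollow');   // anti-bot header on every response
    [$status, $action] = decide_confirmation(
        $server['REQUEST_METHOD'] ?? 'GET',
        $server['HTTP_USER_AGENT'] ?? ''
    );
    http_response_code($status);
    if ($action === 'show_form') {
        $uid = htmlspecialchars($get['uid'] ?? '', ENT_QUOTES, 'UTF-8');
        echo '<form method="post"><input type="hidden" name="uid" value="' . $uid . '">'
           . '<button type="submit">Confirm subscription</button></form>';
    } elseif ($action === 'confirm') {
        $confirmSubscriber($post['uid'] ?? '');
        echo 'Subscription confirmed.';
    } else {
        echo 'Automated request ignored.';
    }
}
```

The User-Agent check only stops scanners that identify themselves; the POST requirement is what keeps an unidentified link visitor from confirming or unsubscribing anyone.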