Got a spam email today. It had an unsubscribe link pointing to a random Azure blob. I click "Mark as Spam" and it offers me to unsubscribe instead?
This was worrying as I thought ... well the unsubscribe is a dangerous link so how will it do it.
Turns out it uses a header like X-Unsubscribe-Web. I checked what that was set to, and in this spam it was a well-known online newspaper plus a bogus query string. So they probably put a plausible link (i.e. not a black list) to fool Google.
But in general X-Unsubscribe-Web could be set to something malicious, right?
And why is Google even discouraging me from reporting spam (or in this case... phishing)?
Edit: I see there is now a report Phishing and that button treats me like an adult :-)
There used to be a button "report spam and unsubscribe" but it's gone now. Can only do one of those.
It's like Google is taking the position that if they respect opt outs, they're not spam, but that is absolutely not true. Especially if I didn't sign up.
I never use it. It is extremely easy for a bad actor to program the unsubscribe feature to identify and mark an email as "active".
I feel OK using it with companies I recognize. Often, it's because I signed up for the mailing list accidentally, or to receive a discount on something. They're not out to scam me, and they'll generally honor the unsubscribe request.
I'd never use it for some scammy spammer.
Gmail does a pretty good job of separating the former from the latter. If it ends up in my inbox, and I don't want to see it any more, I'll unsubscribe. If it ended up in my spam folder, it's almost certainly a scam.
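
The original post describes checking where the unsubscribe header points before trusting the client's unsubscribe prompt. As an added example (not code from any poster in this thread), the Python below lists every unsubscribe URI in a message and flags hosts that do not match the From domain. The sample message and its domains are constructed, `X-Unsubscribe-Web` is the header name as quoted in the post, and the two-label domain comparison is a simplifying assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# List-Unsubscribe is the RFC 2369 header; X-Unsubscribe-Web is the name
# quoted in the post (taken from the thread, not from a standard).
UNSUB_HEADERS = ("List-Unsubscribe", "X-Unsubscribe-Web")

# Constructed sample message; all domains are placeholders.
SAMPLE = (
    'From: "Deals" <news@shop.example>\n'
    "Subject: Last chance\n"
    "List-Unsubscribe: <mailto:leave@shop.example>, <https://lists.shop.example/u?id=1>\n"
    "X-Unsubscribe-Web: https://www.newspaper.example/?q=abc123\n"
    "\n"
    "body\n"
)

def base_domain(host):
    # Assumption: last two labels stand in for the registrable domain.
    # Real code should consult the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def unsubscribe_targets(raw):
    """Return one finding per unsubscribe URI, noting whether it matches the From domain."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1]
    sender_dom = base_domain(sender.rpartition("@")[2])
    findings = []
    for name in UNSUB_HEADERS:
        for value in msg.get_all(name, []):
            # RFC 2369 wraps each URI in angle brackets; accept a bare URL too.
            uris = re.findall(r"<([^>]+)>", value) or [value.strip()]
            for uri in uris:
                parts = urlsplit(uri.strip())
                if parts.scheme == "mailto":
                    host = parts.path.rpartition("@")[2]
                else:
                    host = parts.hostname or ""
                aligned = bool(host) and base_domain(host) == sender_dom
                findings.append({"header": name, "uri": uri, "host": host, "aligned": aligned})
    return findings

if __name__ == "__main__":
    for f in unsubscribe_targets(SAMPLE):
        print(("ok      " if f["aligned"] else "MISMATCH"), f["header"], f["host"])
```

A mismatch is not proof of abuse, since legitimate senders often use a third-party mailing service, but it is the signal the original poster checked by hand.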