I sent in an email to support regarding this bug, but wanted to additionally add to the consensus that I don’t at all like how webflow is handling this critical issue. It’s now 11 days since Dave’s suggested solution and nothing has changed. End-users are still receiving webflow branded emails despite all the money being spent by webflow subscribers on white-labelled solutions and ANYONE they reply, forward to, or a user that changes the site name and email in the URL can still unsubscribe them from receiving business critical communications.
In fact the only change observed as noted by @samliew since this bug report was posted is that this thread has gone from a bug report to general discussion for PR purposes. I simply can’t accept this was an intended change and if it was then I honestly believe that reflects worse on the company than the issue in the first place.
More so I’m disappointed that it was actually given as a serious suggestion that designers independently vet and edit every incoming email? You must be kidding! Even excluding the obscene time requirement for doing this, we’re talking about business data!
I really think you guys need to step back and revisit your code approval process. It’s closed source software so please invite mangers with more business experience and client understanding to offer feedback before release of any code that fundamentally affects white-labeling and client security. It took multiple years for a anti-spammer feature to be added to the mailserver so it clearly wasn’t that urgent. It certainly doesn’t add any confidence in the software that a webflow branded, security hole was deemed to be the optimal solution after all this time.
As others have pointed out, all that was needed was an initial sign up confirmation email when the recipient address is first entered. Frankly I don’t know of any genuine business owner who would unsubscribe from emails from their own website, and if they do, I highly doubt they understood what they were doing. It simply doesn’t make sense to prioritize free users and spammers over genuine clients. If business end-users are seriously unsubscribing from their own emails then I’d put a strong wager that problem is more related to lack of captcha integration in the form itself bringing in a surplus of junk mail.
Do we have an update on the status of this issue? I would also like to see the complete removal of the unsubscribe message if a solution isn’t forthcoming in the next couple of days.
Finally, webflow is charging enough money for subscriptions at this point to outsource some of their clearly and demonstrably less familiar infrastructure and software requirements to more specialized providers like Mandrill etc. Maybe this is an avenue to be considered? Of course there’s always the option of allowing users to use their own mail servers too. I’d take the flexibility of configuring my exchange servers to send email to clients any day over the current implementation.
Hi guys, not to mention that Gmail automatically collapses the previous email including the unsubscribe link, when replying or forwarding emails.
It’s VERY EASY to overlook/forget not removing the unsubscribe link manually for every email.
I have said enough. It’s very obvious that this security issue is not treated seriously enough with urgency and it affects everyone using Webflow forms.
Disclaimer: I am not a staff of Webflow, and the opinions expressed above are my own and do not necessarily represent the views of the Webflow team. I disclaim all and any responsibility or liability in respect of information detailed or omitted (or the consequences thereof) from this post.
Hi @samliew, this item is still in development, and at the moment I do not have an exact timeline for when the changes will be pushed out. I am monitoring this carefully and will notify you as soon as a change is made.
The solution is planned and will be implemented without any unnecessary delays.
@dave So can we just get that unsubsribe link taken off until this is resolved? If a client responds to a form submission the link is still active. Is there a way for the form receiver to resubscribe? If not this is sort of a REALLY BIG ISSUE.
@cyberdave So what do we tell our clients? “Hey, by the way. Your potential leads can now unsubscribe you from your own email. So check that you can receive messages from your site every 30 minutes or so?”
We apologize for the gap in communication, but site owners started getting notifications that emails were being unsubscribed from form notifications since October 9th. Here’s the github pull request:
The way it works is that when someone clicks on the unsubscribe link, the email that is being unsubscribed will be sent an unsubscribe confirmation email, with the owner of the site BCC’ed.
This was originally implemented to satisfy the CAN-SPAM laws around e-mail privacy and anti-spam measures. If we had waited to implement the unsub link, email delivery rates would have suffered for everyone. Since this was implemented in haste, we failed to communicate it broadly in our typical marketing channels.
This should have been communicated via a Since you’ve been gone, and maybe a blog post, but somewhere along the way the wires got cut/dropped. We sincerely apologize for the miscommunication! You can test this functionality out to see if it covers all scenarios you’ve highlighted.
not trying to be a butt-holias about this… “but”
personally I don’t understand why this thread is so long…
I’ve been complaining about this for months… not since Oct 9.
It should have been fixed a long time ago.
@brryant To be clear on terminology – the site owner is the owner of the Webflow account Pro/Business, ect? So people were using Webflow to spam and since everything is tied to one webforms address instead of the “from” address?
There is something about this that seems off in this situation.
I’ve used forms on Wordpress setups and they don’t have “unsubscribe” because they are going to the account owner. Why would the account owner want to unsubscribe? I guess people were using forms to spam…shouldn’t they just be kicked off Webflow or the sending somehow tied to “from”.
@brryant Appreciate that this was implemented, but sorry to say that its still not ideal. There will be clients and/or their staff that would simply skip over an email “You have been unsubscribed from form notifications”, or it could just get lost in their daily work/spam/junk etc.
IF they do pay attention, then they will “hopefully” contact us as their website provider and ask us what to do - which is not only going to be more work for us but somewhat embarrassing to try and explain why they could get unsubscribed in the first place.
I agree with @samliew and I am very concerned at the potential client/legal issues.
I’m more concerned that a potentially damaging security breach is not taken seriously enough - big enough to greatly impact clients and open up lawsuits against WF.
Still not a bug? Hmm
This doesn’t reflect that you are putting us customers and users first. Maybe it’s just because your stakeholders and investors doesn’t know about this situation yet.
@brryant So what is the plan to resolve this issue? Because it can’t be considered resolved at this point!
Part of the hosting agreement is to have forms processed. In good faith that means not setting up a system in which clients can be unsubscribed from their own forms.
Please give us an answer to how this is being resolved.
that forwards two copies of everything to
– 1: a dedicated “support” Exchange account (mine) and
— (since Exchange is push technology… I immediately get the message and don’t need to “check for messages”)
– 2: a second redirect creates a support ticket in a (ticket) management system.
Once the support ticket is creates…
I respond accordingly to an SLA that we provide our clients.
It’s some progress but still not ideal. I don’t understand why my previous suggestion couldn’t be implemented - which I see in use on many services/sign-ups:
New client = you must verify your email address by reply, to receive forms = sorted.
Current client = ‘we have made some improvements to the security of web forms = it’s just one click for you to verify your email address’ = sorted.
