Ability to remove new "Unsubscribe" link from mail notifications

@cyberdave @samliew @StuM @pxljoy @Revolution

I sent in an email to support regarding this bug, but wanted to additionally add to the consensus that I don’t at all like how webflow is handling this critical issue. It’s now 11 days since Dave’s suggested solution and nothing has changed. End-users are still receiving webflow branded emails despite all the money being spent by webflow subscribers on white-labelled solutions and ANYONE they reply, forward to, or a user that changes the site name and email in the URL can still unsubscribe them from receiving business critical communications.

In fact the only change observed as noted by @samliew since this bug report was posted is that this thread has gone from a bug report to general discussion for PR purposes. I simply can’t accept this was an intended change and if it was then I honestly believe that reflects worse on the company than the issue in the first place.

More so I’m disappointed that it was actually given as a serious suggestion that designers independently vet and edit every incoming email? You must be kidding! Even excluding the obscene time requirement for doing this, we’re talking about business data!

I really think you guys need to step back and revisit your code approval process. It’s closed source software so please invite managers with more business experience and client understanding to offer feedback before release of any code that fundamentally affects white-labeling and client security. It took multiple years for an anti-spammer feature to be added to the mailserver so it clearly wasn’t that urgent. It certainly doesn’t add any confidence in the software that a webflow branded security hole was deemed to be the optimal solution after all this time.

As others have pointed out, all that was needed was an initial sign up confirmation email when the recipient address is first entered. Frankly I don’t know of any genuine business owner who would unsubscribe from emails from their own website, and if they do, I highly doubt they understood what they were doing. It simply doesn’t make sense to prioritize free users and spammers over genuine clients. If business end-users are seriously unsubscribing from their own emails then I’d put a strong wager that problem is more related to lack of captcha integration in the form itself bringing in a surplus of junk mail.

Do we have an update on the status of this issue? I would also like to see the complete removal of the unsubscribe message if a solution isn’t forthcoming in the next couple of days.

Finally, webflow is charging enough money for subscriptions at this point to outsource some of their clearly and demonstrably less familiar infrastructure and software requirements to more specialized providers like Mandrill etc. Maybe this is an avenue to be considered? Of course there’s always the option of allowing users to use their own mail servers too. I’d take the flexibility of configuring my exchange servers to send email to clients any day over the current implementation.

2 Likes
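The post above describes an unsubscribe link whose site name and e-mail address can be changed in the URL, and a link that travels along with replies and forwards. As an added example (not part of the thread and not Webflow's code), here is one way a notification service could bind each link to a single site and address with an HMAC and make the link in the notification only request a confirmation that is mailed to the subscribed address; the host, parameter names and key are assumptions.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlparse

SECRET_KEY = b"constructed-demo-key"                # assumption: server-side secret
BASE_URL = "https://forms.example.com/unsubscribe"  # assumption: placeholder host
MAX_AGE = {"request": 30 * 86400, "confirm": 3600}  # seconds each link type stays valid


def _sign(purpose, site, email, issued):
    # Length-prefix every field so bytes cannot be shifted from one field to the next.
    parts = (purpose, site, email.lower(), str(issued))
    msg = b"".join(len(p.encode()).to_bytes(4, "big") + p.encode() for p in parts)
    mac = hmac.new(SECRET_KEY, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def make_link(purpose, site, email, now=None):
    """'request' links go in notifications; 'confirm' links are mailed only to the address."""
    issued = int(time.time() if now is None else now)
    fields = {"p": purpose, "site": site, "email": email, "ts": issued}
    fields["sig"] = _sign(purpose, site, email, issued)
    return BASE_URL + "?" + urlencode(fields)


def verify_link(url, expected_purpose, now=None):
    """Return (site, email) for an untampered, unexpired link of that purpose, else None."""
    q = parse_qs(urlparse(url).query)
    try:
        purpose, site, email = q["p"][0], q["site"][0], q["email"][0]
        issued, sig = int(q["ts"][0]), q["sig"][0]
    except (KeyError, ValueError):
        return None
    now = int(time.time() if now is None else now)
    if purpose != expected_purpose or purpose not in MAX_AGE:
        return None
    if not 0 <= now - issued <= MAX_AGE[purpose]:
        return None
    expected = _sign(purpose, site, email, issued)
    # Constant-time comparison; any edit to site, email, ts or p changes the MAC.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None
    return site, email.lower()
```

A handler would act on a verified `request` link only by mailing a short-lived `confirm` link to the subscribed address, so a forwarded notification cannot unsubscribe anyone by itself.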

Hi guys, not to mention that Gmail automatically collapses the previous email including the unsubscribe link, when replying or forwarding emails.

It’s VERY EASY to overlook/forget not removing the unsubscribe link manually for every email.

I have said enough. It’s very obvious that this security issue is not treated seriously enough with urgency and it affects everyone using Webflow forms.


Disclaimer: I am not a staff of Webflow, and the opinions expressed above are my own and do not necessarily represent the views of the Webflow team. I disclaim all and any responsibility or liability in respect of information detailed or omitted (or the consequences thereof) from this post.

2 Likes

Hi @samliew, this item is still in development, and at the moment I do not have an exact timeline for when the changes will be pushed out. I am monitoring this carefully and will notify you as soon as a change is made.

The solution is planned and will be implemented without any unnecessary delays.

Thanks in advance

1 Like

@dave So can we just get that unsubscribe link taken off until this is resolved? If a client responds to a form submission the link is still active. Is there a way for the form receiver to resubscribe? If not this is sort of a REALLY BIG ISSUE.

2 Likes

@cyberdave So what do we tell our clients? “Hey, by the way. Your potential leads can now unsubscribe you from your own email. So check that you can receive messages from your site every 30 minutes or so?”

2 Likes

I am very very disappointed at the way this issue is being handled. That’s all.

3 Likes

We apologize for the gap in communication, but site owners started getting notifications that emails were being unsubscribed from form notifications since October 9th. Here’s the github pull request:

The way it works is that when someone clicks on the unsubscribe link, the email that is being unsubscribed will be sent an unsubscribe confirmation email, with the owner of the site BCC’ed.

This was originally implemented to satisfy the CAN-SPAM laws around e-mail privacy and anti-spam measures. If we had waited to implement the unsub link, email delivery rates would have suffered for everyone. Since this was implemented in haste, we failed to communicate it broadly in our typical marketing channels.

This should have been communicated via a Since you’ve been gone, and maybe a blog post, but somewhere along the way the wires got cut/dropped. We sincerely apologize for the miscommunication! You can test this functionality out to see if it covers all scenarios you’ve highlighted.

not trying to be a butt-holias about this… “but”
personally I don’t understand why this thread is so long…
I’ve been complaining about this for months… not since Oct 9.
It should have been fixed a long time ago.

And I agree with @samliew

2 Likes

@brryant To be clear on terminology – the site owner is the owner of the Webflow account Pro/Business, etc.? So people were using Webflow to spam and since everything is tied to one webforms address instead of the “from” address?

There is something about this that seems off in this situation.

I’ve used forms on Wordpress setups and they don’t have “unsubscribe” because they are going to the account owner. Why would the account owner want to unsubscribe? I guess people were using forms to spam…shouldn’t they just be kicked off Webflow or the sending somehow tied to “from”.

2 Likes

@brryant Appreciate that this was implemented, but sorry to say that it’s still not ideal. There will be clients and/or their staff that would simply skip over an email “You have been unsubscribed from form notifications”, or it could just get lost in their daily work/spam/junk etc.

IF they do pay attention, then they will “hopefully” contact us as their website provider and ask us what to do - which is not only going to be more work for us but somewhat embarrassing to try and explain why they could get unsubscribed in the first place.

I agree with @samliew and I am very concerned at the potential client/legal issues.

Please, there has to be a better way… urgently.

3 Likes

I’m more concerned that a potentially damaging security breach is not taken seriously enough - big enough to greatly impact clients and open up lawsuits against WF.

Still not a bug? Hmm

This doesn’t reflect that you are putting us customers and users first. Maybe it’s just because your stakeholders and investors don’t know about this situation yet.

3 Likes

@brryant So what is the plan to resolve this issue? Because it can’t be considered resolved at this point!

Part of the hosting agreement is to have forms processed. In good faith that means not setting up a system in which clients can be unsubscribed from their own forms.

Please give us an answer to how this is being resolved.

As a fix… what I did was create a redirect

  • that forwards two copies of everything to
    – 1: a dedicated “support” Exchange account (mine) and
    — (since Exchange is push technology… I immediately get the message and don’t need to “check for messages”)
    – 2: a second redirect creates a support ticket in a (ticket) management system.

Once the support ticket is created…

  • I respond accordingly to an SLA that we provide our clients.

1 Like

@Revolution When you say redirect what do you mean, exactly? Do you just mean adding additional emails? I’m open to a workaround solution.

@brryant Just because there is a workaround doesn’t mean this is a solution. It’s just more work for the user when it should work to begin with.

We have a couple scenarios…

  • but this is simplest one…

“Webflow” is “the service”.

On a linux server…

Messages sent to "webflow@company.com" are redirected / forwarded to

If Bob unsubscribed from the “service”… you get a copy of the message

  • this gives you the opportunity to “fix the issue” before Bob goes ballistic.

It’s not the best solution - (because for Webflow… only Webflow can truly fix this issue)

  • but it’s a solution that works.

To do this… you need a cPanel account and a domain name.

We manage the servers and domain names for over 500+ clients.

I literally have 500+ email addresses that redirect / push client contact emails into one support account.

And the ticket management system we use ensures I address the situation in a timely manner.

We’ve had this process in place for probably 15 years now. I’ve only been a Webflow client for 3 years ?.. maybe going on 4. Don’t remember exactly.

The most important part is… the process has never failed us.

1 Like

Since you are interested… I’ll add a little more.

The “support” email address we use is a Microsoft Exchange account… which is more of “push service”.

We offer Exchange for “higher end” clients. Otherwise “standard” clients use “linux mail”.

In addition to offering higher reliability / scalability / features such as OWA…

  • it also provides the ability to receive messages instantly.

Google and other services are starting to offer technology similar to this… but it’s just not there yet.

And unlike gmail - those services “are not free”.

Basically - Your email client doesn’t have to “ping the email server” every 5 minutes… 10 minutes… 20 minutes etc… which is a “fetch” service.

Within a short time of the server receiving an email - I get it on my phone / ipad / whatever / where ever.

So basically - I know (fairly) instantly what’s happening. For us - the speed in which we get information is important.

We initially setup this process to monitor our servers… as well as to monitor several SAAS products we offer.

Some of our clients have 20 minute SLA’s… which means we MUST respond within 20 minutes of any contact.

  • otherwise we have broken our support agreement. Not a good thing.

1 Like

It’s some progress but still not ideal. I don’t understand why my previous suggestion couldn’t be implemented - which I see in use on many services/sign-ups:

  • New client = you must verify your email address by reply, to receive forms = sorted.
  • Current client = ‘we have made some improvements to the security of web forms = it’s just one click for you to verify your email address’ = sorted.

Stu

Seems like there is some misunderstanding here. Here’s the sequence of actions:

  1. New form entry is submitted
  2. Form triggers email notifications to those subscribed in your site settings
  3. Email contains unsubscribe link
  4. Recipients of email can click the link to unsubscribe themselves
  5. Once unsubscribed, the Recipient gets notified that they have been unsubscribed. The Site Owner is BCC’ed on this email so he/she can be notified.

There are not any security issues with this setup that we’re aware of, and we’re simply following the FTC rules around SPAM, as highlighted in #5 here: https://www.ftc.gov/tips-advice/business-center/guidance/can-spam-act-compliance-guide-business.

3 Likes

This topic was automatically closed after 60 days. New replies are no longer allowed.