10 Replies Latest reply on Aug 28, 2017 11:27 PM by Sanford Whiteman

    Issue with Email Address in a form (Unsubscribe)

    Manish Khemani

      Hello Marketo Experts

      Before I explain the issue, let me highlight the steps I am executing:
      1. On a landing page I fill out a (Marketo) form with email address 1 and I receive an email confirming the same which has the 'Global Unsubscribe link' pointing to http://info.tcs.com/NewsletterUnsubscribe.html on email address 1
      2. Now, from the same workstation & from the same landing page again, I fill up the form with email address 2 and accordingly receive the email on email address 2
      3. I click on the Unsubscribe link from email I received on email address 1 and it pops-up email address 2, instead of email address 1.
      Is there a way I can show the email address 1 if I click on the Unsubscribe from email of email address 1 & vice-versa?

      This is required to control SPAM.

      Please Guide.

      Thanks,

      Manish

        • Re: Issue with Email Address in a form (Unsubscribe)
          Sanford Whiteman

          It's not customary to want to override this behavior.

          The reason this happens is simple: you've forcibly reassociated your web session with email address 2 (which is a different lead, not just a different email).

          What I have to ask is why did you not actually want to change the email address of the same lead? Is it the case that multiple humans are using this form from the same workstation and browser session?

            • Re: Issue with Email Address in a form (Unsubscribe)
              Manish Khemani

              Hi Stan,

              Though the industry I am in will not have such a scenario, my Security Team needs to plug all loopholes that can cause SPAM to a Lead.

              Currently we do not have a Sign-in functionality on our site.

              If anyone downloads a white paper by entering his email address and later my CEO's email address, and opts for the unsubscribe option from the Thank You mail that he received on his email id, he can actually go and unsubscribe my CEO, since the cookie is holding the CEO's email address.

              Hence the requirement.

                • Re: Issue with Email Address in a form (Unsubscribe)
                  Sanford Whiteman

                  But the scenario you're talking about is not avoided by resetting or disabling web session association.

                  Anybody can unsubscribe anybody else by posting a form with their information, including the Unsubscribe field, as long as that field is not blocked from updates in the Marketo Admin UI. (And you can't block it from updates if it's on the form for the purpose of updating!) It doesn't matter if they have a cookie at all.

                  I think your Security Team needs a better grip on how public forms work. If you don't require a password or even a casual passcode, you're trusting (perhaps mistakenly) that the provided email address correctly identifies the interactive user. Whether the address has been previously entered in that session isn't really relevant. It only matters if it's posted along with the form.

                  You might instead require that a sensitive form post contain a secret code that is unique to the lead. This code can be passed in the URL and added to the form as a hidden field, so it doesn't need to be manually entered. And put a proxy field on the form instead of the real Unsubscribed field. Then, on the server, compare the secret code before performing the update to the actual field (which has form-based updates blocked but flow-based updates allowed).

                  But note this arrangement means you're blocking people from unsubscribing if they don't have their secret code on hand, so they will need to request one via email. In some jurisdictions, it's illegal to create such barriers to unsubscribing (yes, even if forged unsubscribes are therefore easier). Check with your legal counsel on this.

                  Some people attempt to use Click Link for instant confirmation, but this is too risky now with mail scanners prefollowing links.
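                  The per-lead secret code described in this reply, worked through as an added example (not code from this thread, from Marketo, or from the poster). It assumes a server-side step in front of the real Unsubscribed field: the outbound link carries the lead's address plus an HMAC of it under a server-held secret, the landing page copies both into hidden fields, and the server only updates the field when the code matches. `SERVER_SECRET`, the `LEADS` store and the `email`/`code` parameter names are assumptions for illustration.

```python
# Added example: a per-lead secret code for an unsubscribe form, checked on the
# server before the real field is touched. Not the thread's or Marketo's code.
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Server-held secret. Constructed placeholder; in practice a long random value
# kept in server configuration and never sent to the browser.
SERVER_SECRET = b"constructed-placeholder-secret-do-not-reuse"

# Hypothetical lead store standing in for the real Unsubscribed field (which
# has form-based updates blocked). Constructed sample data.
LEADS = {
    "ceo@example.com": {"unsubscribed": False},
    "visitor@example.com": {"unsubscribed": False},
}


def lead_code(email: str, secret: bytes = SERVER_SECRET) -> str:
    """Per-lead secret code: HMAC-SHA256 of the normalized address.

    Knowing the address alone is not enough to produce it; the secret is.
    """
    normalized = email.strip().lower().encode("utf-8")
    return hmac.new(secret, normalized, hashlib.sha256).hexdigest()


def build_unsubscribe_url(
    email: str, base: str = "http://info.tcs.com/NewsletterUnsubscribe.html"
) -> str:
    """Link placed in the outbound email. The landing page copies both
    parameters into hidden fields, so nothing has to be typed by hand."""
    return base + "?" + urlencode({"email": email, "code": lead_code(email)})


def fields_from_url(url: str) -> dict:
    """What the landing page's hidden fields hold after loading the link."""
    query = parse_qs(urlsplit(url).query)
    return {key: values[0] for key, values in query.items()}


def handle_unsubscribe(
    posted: dict, leads: dict = LEADS, secret: bytes = SERVER_SECRET
) -> str:
    """Server-side check run on the proxy form payload (email + code).

    Returns 'updated' only when the posted code is the one derived from the
    posted address under the server secret; any other address/code pairing
    is rejected without touching the store.
    """
    email = posted.get("email", "").strip().lower()
    code = posted.get("code", "")
    expected = lead_code(email, secret)
    # Constant-time comparison so response timing does not reveal how many
    # characters of a guessed code were right.
    if not code or not hmac.compare_digest(
        code.encode("utf-8"), expected.encode("utf-8")
    ):
        return "rejected"
    if email not in leads:
        return "unknown"
    leads[email]["unsubscribed"] = True
    return "updated"


if __name__ == "__main__":
    link = build_unsubscribe_url("visitor@example.com")
    print(link)
    print(handle_unsubscribe(fields_from_url(link)))
    print(handle_unsubscribe({"email": "ceo@example.com", "code": "guess"}))
```

Because the code is a hidden field on a form that the server checks on POST, loading the link itself changes nothing, which is also why this holds up better than a bare click-to-confirm link that a mail scanner can pre-follow. The caveat in the reply still applies: a lead without the link on hand cannot unsubscribe until a fresh one is sent.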

                    • Re: Issue with Email Address in a form (Unsubscribe)
                      Manish Khemani

                      Thanks Stan,

                      Will try making the Security team understand, but tell me if the following approach is right (which I came up with from your reply above):

                      If I append the Unsubscribe link with a parameter e.g. ?emai_address={{lead.Email Address}} and on the Unsubscribe Landing page form I fill in the Email address from this parameter - this way the user will only be able to unsubscribe her/himself. What do you think of this?

                        • Re: Issue with Email Address in a form (Unsubscribe)
                          Sanford Whiteman

                          If I append the Unsubscribe link with a parameter e.g. ?emai_address={{lead.Email Address}} and on the Unsubscribe Landing page form I fill in the Email address from this parameter - This way the user will only be able to unsubscribe her /himself. What do you think of this?

                          I think that won't do any good at all.

                          In your scenario, the person knows the email address of the person they're trying to maliciously unsubscribe. So they can just put that email address in the URL. (And a malicious person with only the slightest bit of skill can substitute the targeted email address directly into the form without it being in the URL, I mean, the Forms API is publicly documented, you don't even have to touch the form itself.)

                          I'm talking about a parameter that the attacker would not know.