[HN Gopher] Gmail is opening and caching URLs within emails with...
       ___________________________________________________________________
        
       Gmail is opening and caching URLs within emails without user
       intervention?
        
       Author : _wldu
       Score  : 27 points
       Date   : 2021-08-19 22:43 UTC (17 minutes ago)
        
 (HTM) web link (support.google.com)
 (TXT) w3m dump (support.google.com)
        
       | etaioinshrdlu wrote:
       | I always wondered when single-click unsubscribe was going to be a
       | problem because of exactly this. I mean, how do you expect to
       | give a URL to Google and have them just never crawl it?
        
         | Xophmeister wrote:
         | Or "click this link to verify your e-mail address"...
        
       | _wldu wrote:
       | I built a small Go web app to do some security testing. When a
       | user registers for an account, I generate a 128-bit secure token
       | and email it to the address they provided (as a URL). Token URLs
       | look like this:
       | 
       | /validate/email/1d00a5c2648c211befd33f5a8a7cbfab
       | 
       | The token is cryptographically strong and disappears after
       | access. It can't be guessed and no one but the email account
       | holder should click it, but I am seeing the URL accessed multiple
       | times from multiple IPs, so I investigated.
       | 
       | Turns out, if the user provides a Gmail or G Suite email account
       | during registration, Google clicks the link. I was curious if
       | others on HN had encountered this and how they dealt with it. It
       | is interfering with user registration and testing.
       | 
       | Edit: if any Gmail users wish to try the test app:
       | https://gen.go350.com/
        
       | judge2020 wrote:
       | This is a good feature in my opinion. Why should I let the sender
       | know when I click on tracking links or view the email? If you
       | really want to, just filter out clicks from AS15169.
        
         | alpaca128 wrote:
         | So this way Google automatically confirms the validity of the
         | email to spammers by visiting all their links? Doesn't sound
         | great, and people still know when you click on links or view
         | the email. They just have to guess a bit better.
        
       | mike_d wrote:
       | All URLs sent to any major email provider are "clicked" because
       | they are scanning the page to see if it is phishing or otherwise
       | malicious (desktop antivirus and other things will also prescan
       | URLs). It also protects privacy by defeating click tracking on
       | marketing emails.
       | 
       | Google will also pre-load all the images in your email too.
       | 
       | You shouldn't take any write action to your database just based
       | on a URL being visited. Take them to the verification page and
       | ask them to sign in or submit a form with the token pre-filled.
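
Added example, not part of the thread or of any poster's code: one way to implement the advice in the comment above in Go, where a GET on the emailed URL only renders a confirmation form with the token pre-filled and only the POST consumes the token. The names tokenStore, consume and validateHandler, the in-memory map, and the listen address are assumptions made for the illustration.

```go
package main

import (
	"html/template"
	"net/http"
	"strings"
	"sync"
)

// tokenStore holds pending one-time tokens (in memory, for the example only).
type tokenStore struct {
	mu      sync.Mutex
	pending map[string]string // token -> address awaiting verification
}

// consume deletes the token and reports whether it was still pending.
func (s *tokenStore) consume(tok string) (string, bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	email, ok := s.pending[tok]
	delete(s.pending, tok)
	return email, ok
}

var confirmPage = template.Must(template.New("confirm").Parse(`<form method="POST">
<input type="hidden" name="token" value="{{.}}"><button>Confirm my address</button></form>`))

// validateHandler serves /validate/email/<token>.
func validateHandler(s *tokenStore) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		switch r.Method {
		case http.MethodGet, http.MethodHead:
			// Safe method: a mail scanner may fetch this any number of times.
			confirmPage.Execute(w, strings.TrimPrefix(r.URL.Path, "/validate/email/"))
		case http.MethodPost:
			// The only state change: an explicit form submission burns the token.
			if _, ok := s.consume(r.PostFormValue("token")); !ok {
				http.Error(w, "unknown or already used token", http.StatusGone)
				return
			}
			w.Write([]byte("email verified\n")) // mark the account verified here
		default:
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		}
	}
}

func main() {
	// Sample data: the token shape shown in the thread and a constructed address.
	s := &tokenStore{pending: map[string]string{"1d00a5c2648c211befd33f5a8a7cbfab": "user@example.com"}}
	http.Handle("/validate/email/", validateHandler(s))
	http.ListenAndServe("127.0.0.1:8080", nil)
}
```

Repeated GETs from link scanners leave the token pending, so the account holder's later form submission still succeeds exactly once.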
        
       ___________________________________________________________________
       (page generated 2021-08-19 23:00 UTC)