topic Re: Mass unsubscribe in Advanced Threat Prevention Discussions

Mass unsubscribe

NoyesJ — Fri, 16 Feb 2018 00:08:17 GMT

I work for an email marketing company. We have a sender who sent out 3 separate emails blast to over 1 million contacts. They had a very high unsubscribe rate. After our engineering team looked at the logs, we see that all the unsubscribes happened seconds apart but were all different domains. We noticed that they were coming from these IP's

74.217.90.250 and 10.4.34.203. After looking up I see that 74.217.90.250 is pointing to Palo Alto Networks. My question to you is, would your system do a mass unsubscribe if a scan picked up a url in an email as malware? Thank you.

Re: Mass unsubscribe

bvandivier — Fri, 16 Feb 2018 15:56:04 GMT

This is possible if your firewall is performing Wildfire inspection of email links.

https://live.paloaltonetworks.com/t5/Threat-Vulnerability-Articles/How-does-WildFire-handle-links-within-emails/ta-p/72628

If the Wildfire Cloud receives e-mail links for analysis it will reach out and attempt to analyze the link and the content presented by cicking that link.

Re: Mass unsubscribe

NoyesJ — Tue, 20 Feb 2018 18:10:40 GMT

Hello,

Would you be able to lookup URLs containing verticalresponse.com, vresp.com, vrmailer3.com to see if they've listed VerticalResponse as a company hosting malicious/phishing content? Or is there a PAN site we can go to and lookup URLs ourselves? We want to make sure our urls are not blacklisted.

Re: Mass unsubscribe

bvandivier — Tue, 20 Feb 2018 18:12:15 GMT

You can test URL categorization at the following site/link:

https://urlfiltering.paloaltonetworks.com/

Re: Mass unsubscribe

NoyesJ — Tue, 20 Feb 2018 18:21:07 GMT

Thank you,

So I have added both our URL and the sender who is having the mass global unsubscribe issue and I do not see their site or our site being listed with any issues. I am still at a loss how our customer who sent an email to 1million contacts had over 30k unsubscribe from different domains all around the same time?

Re: Mass unsubscribe

bvandivier — Tue, 20 Feb 2018 18:27:12 GMT

Wildfire can perform e-mail link following for analysis purposes if the firewall is configured to detect e-mail links within SMTP sessions. If there was an e-mail campaign and Wildfire picked up the links within these e-mails for analysis it may have followed those links (clicked them) thereby resulting in unsubscription. Without additional data I am only speculating at this point.

Re: Mass unsubscribe

NoyesJ — Tue, 20 Feb 2018 19:35:31 GMT

What additional information can I provide you with to help figure out this issue? Would you be able to tell me if you have blacklisted this URL? http://cts.vresp.com this is part of our unsubscribe link and we are seeing it associated with PAN in our log files.

Re: Mass unsubscribe

bvandivier — Tue, 20 Feb 2018 21:05:13 GMT

We have not blacklisted cts.vresp.com.

URL	cts.vresp.com

Category	Business and Economy
Description	Marketing, management, economics, and sites relating to entrepreneurship or running a business.
Example Sites	www.bothsidesofthetable.com/ , www.ogilvy.com , www.geisheker.com/ , www.imageworksstudio.com/ , www.linearcreative.com/
Additional comments	Includes advertising and marketing firms. Should not include corporate websites as they should be categorized with their technology. Also shipping sites, such as fedex.com and ups.com.

I suggest opening a support case with our TAC for deeper analysis of your issue.

Kind regards.

Re: Mass unsubscribe

mivaldi — Tue, 20 Feb 2018 23:48:43 GMT

The problem may not be that it could have been blacklisted, but instead, it hasn't been whitelisted.

It's possible the Palo Alto Networks firewall is extracting the elink and following it to test whether it's a safe link.

The sole fact that it's following the link to test it is causing the unsubs. You should look into whitelisting the domain so that the firewalls' won't automatically follow your unsubs links. You can explore this option with Support.