Cloudflare have made it impossible for me to unsubscribe from marketing emails
450 points by sdflhasjd on March 22, 2022 | hide | past | favorite | 193 comments
This morning, I received a marketing email from Cloudflare (through one of our mailing groups). Being militant about these kinds of emails, I immediately go to unsubscribe.

Dark pattern one: You must login to manage your marketing preferences. There's no security related emails here, so this is completely unnecessary.

Dark pattern two: "...confirm your email address to save your communication preferences." I've no idea how we have a several-year-old account without a confirmed email, but it should not be necessary to confirm an email to remove old marketing preferences - or if Cloudflare is so careful about this, why did it end up opted in in the first place?

Dark pattern two-point-five is that the email somehow became unverified - something it seems is only necessary to adjust marketing emails.

Okay, so I hit the "Resend verification email" link and check my inbox: nothing just yet. I wait a little longer. It's odd that I immediately got a security email about the login from a new IP, but I've not received this verification email yet.

10 minutes later, and I've still not got anything. I know these things can take longer, but I don't have the patience, especially since Cloudflare are clearly trying to make this hard.

Going to the preferences page, I hit that verify link again - still nothing. Okay, F12, I switch to the network inspector and click the link again.

To my surprise: absolutely nothing. There are no network requests being initiated by this link. Maybe it's websockets, or maybe there's a script that failed to load? The UI does respond when I hit the link, but nothing else. I opened up the element inspector to find a click handler:

  function () {
      return a.setState({
          toast: 'verificationResent'
      })
  }

That is certainly less than I was expecting. If that's just a React setState... this link is literally doing nothing other than changing the UI when I press it. Perhaps some silly frontend developer reads that `toast` state elsewhere to trigger the real behaviour? Nope, the only other reference to verificationResent is a ternary statement in the render function.

Dark pattern three: just break unsubscribe. The cynic in me says this was intentional. Hanlon's razor tells me perhaps it is just a mistake, in which case dark pattern three is the overengineering of the unsubscribe function so you can get as much drop-off as possible, and it's most convenient if it just breaks.

So wtf Cloudflare?

Oh, and to supplement dark pattern two: The verification check is only on the frontend. In the end, I was able to use the debugger to skip the verified check and edit & submit my email preferences anyway.


> Dark pattern one: You must login to manage your marketing preferences. There's no security related emails here, so this is completely unnecessary.

This may be in violation of US law:

> You can’t charge a fee, require the recipient to give you any personally identifying information beyond an email address, or make the recipient take any step other than sending a reply email or visiting a single page on an Internet website as a condition for honoring an opt-out request.

I wonder if requiring a login means that additional personal information is sent, or that the recipient must perform additional steps other than visiting a single page.

https://www.ftc.gov/business-guidance/resources/can-spam-act...


It is a violation of Swiss law:

"The advertising message must include a "Remove me" link. If a recipient clicks on this, he must be removed from the distribution list."

https://www.bakom.admin.ch/bakom/en/homepage/digital-switzer...


Interesting. All of my messages have a link that leads to a "click to unsubscribe" button because email scanners frequently "click" links. I guess if I was under Swiss jurisdiction I may be breaking that law.


In countries where such laws exist, most of the same links that take you to a button will immediately unsubscribe instead. I guess IP addresses are used.


I know why the button is there, as GET requests are not supposed to change state but POST requests can, and you can only make a GET request by clicking on a link in the email.

I'd be interested to see if that interpretation has been upheld by a court. Has anyone taken legal action arguing that the server should have used the GET request as the action to unsubscribe, not made the user click an extra button to get that POST request?
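As an added example (not Cloudflare's code and not from anyone in the thread) of the GET/POST split described above, combined with the login-free single-page flow the FTC rule quoted earlier calls for: the link carries an HMAC-signed token identifying the recipient, GET only renders a confirm button (mail scanners follow links), and POST performs the opt-out with the token checked on the server rather than in the front end. The domain, secret, TTL and subscriber table are constructed for the demo.

```python
import base64
import hashlib
import hmac
import html
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed values: in practice the secret comes from a secrets store and
# the subscriber table is a database.
SECRET = b"constructed-demo-secret-rotate-me"
TOKEN_TTL = 30 * 24 * 3600          # assumed: links stay valid for 30 days
SUBSCRIBERS = {"ops@example.com": True, "dev@example.com": True}


def _sign(email: str, issued: int) -> bytes:
    """HMAC over the subscriber identity and issue time; binds the token to both."""
    return hmac.new(SECRET, f"{email}|{issued}".encode(), hashlib.sha256).digest()


def make_token(email: str, issued: Optional[int] = None) -> str:
    """Token embedded in the unsubscribe link: b64(email).issued.hex(sig)."""
    issued = int(time.time() if issued is None else issued)
    email_part = base64.urlsafe_b64encode(email.encode()).decode().rstrip("=")
    return f"{email_part}.{issued}.{_sign(email, issued).hex()}"


def parse_token(token: str, now: Optional[int] = None) -> Optional[str]:
    """Return the email if the token is authentic and unexpired, otherwise None."""
    now = int(time.time() if now is None else now)
    try:
        email_part, issued_s, sig_hex = token.split(".")
        padded = email_part + "=" * (-len(email_part) % 4)
        email = base64.urlsafe_b64decode(padded).decode()
        issued = int(issued_s)
        sig = bytes.fromhex(sig_hex)
    except ValueError:            # bad split, base64, int, hex or UTF-8 all end here
        return None
    if not hmac.compare_digest(sig, _sign(email, issued)):
        return None               # forged or tampered
    if not 0 <= now - issued <= TOKEN_TTL:
        return None               # expired, or issued in the future
    return email


def unsubscribe_link(email: str, base: str = "https://mail.example.com/unsubscribe") -> str:
    """The per-recipient link placed in the email: no login, only the token."""
    return f"{base}?{urlencode({'t': make_token(email)})}"


def handle(method: str, url: str, body: str = "", now: Optional[int] = None):
    """Toy request handler returning (status, text). GET confirms, POST opts out."""
    if method == "GET":
        token = parse_qs(urlsplit(url).query).get("t", [""])[0]
    elif method == "POST":
        token = parse_qs(body).get("t", [""])[0]
    else:
        return 405, "Method not allowed."
    email = parse_token(token, now)
    if email is None:
        return 400, "Invalid or expired unsubscribe link."
    if method == "GET":
        # Scanners and link previewers follow GETs, so a GET must not change state;
        # it renders a single-page form that POSTs the same token straight back.
        return 200, (
            f'<form method="post"><input type="hidden" name="t" value="{token}">'
            f"<button>Unsubscribe {html.escape(email)}</button></form>"
        )
    # POST: the state change happens here, server-side, and is idempotent.
    SUBSCRIBERS[email] = False
    return 200, f"{html.escape(email)} has been unsubscribed."


if __name__ == "__main__":
    link = unsubscribe_link("ops@example.com")
    print("link:", link)
    print(handle("GET", link))
    print(handle("POST", link, body=urlsplit(link).query))
    print("still subscribed?", SUBSCRIBERS["ops@example.com"])
```

A real deployment would also advertise the same endpoint in List-Unsubscribe headers so mail clients can offer their own unsubscribe button.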


You can change state with a GET request. You aren't "supposed" to do it but there's no technical barrier preventing an unscrupulous company from effectively using the GET as a POST.


Wait, what do scruples have to do with how you handle GET and POST?


Remember those web counter images that would increment the number displayed each time they received a GET request? They were the most evil. -scary laughter-


Thankfully they were all replaced by Google - Do no Evil - Analytics


> you can only make a GET request by clicking on a link in the email.

Took a look and indeed there are a lot of email clients that don't support the form tag.

https://www.caniemail.com/features/html-form/


I'm having trouble following what you mean. How can IP address help? What is the point of a button if you are immediately unsubscribed anyways?


The IP is used for geolocation. If the server detects that you're in a jurisdiction where clicking "unsubscribe" has to immediately unsubscribe you, the server does that, otherwise it shows you a button.


In foreign languages, such a "remove me" link may be hard to recognise. I've had spam in languages for which I don't even recognise the character set.


It's definitely illegal, but (ianal) it's the kind of thing that's tough to do anything about legally. The inconvenience to a particular individual is so small that there are no damages worth suing over. And so nobody bothers. But add that up over thousands of companies wasting millions of people's time, and it's a tragedy.


When I encounter this I mark that email as spam in gmail. My hope is that if enough people do it, they will get blacklisted.


But the CAN-SPAM act has built-in penalties:

> Q. What are the penalties for violating the CAN-SPAM Act?

> A. Each separate email in violation of the law is subject to penalties of up to $46,517, and more than one person may be held responsible for violations. For example, both the company whose product is promoted in the message and the company that originated the message may be legally responsible.

https://www.ftc.gov/business-guidance/resources/can-spam-act...

That's ... not a trivial amount of money.

Wait for them to send you a dozen spam, and it's even more substantial.


Those penalties are only theoretical. They only matter if the FTC bothers with enforcement. Lowly citizens such as you and I cannot bring a suit and cannot cost these companies a dime. Source: https://www.law.cornell.edu/wex/inbox/can-spam_and_consumer_...

If the FTC cared, they would have made an example of at least one company in the intervening 20 years.


Just send the company an email and quote this section, it gets great results. I’ve used this method to get off a few mailing lists that implement these dark patterns.


I did this a couple of years ago to my alma mater alumni association by sending an email to the president directly. So far I haven't gotten an email so I guess it's working. In my case, every time I tried unsubscribing I'd get some kind of sql error showing up inlined in the html so it was even more frustrating.


> up to $46,517

Meaning the same as "not more than". And $0 is of course not more than $46,517.


This is true, but the intent probably isn't for the individual to sue, it's for them to report it to the relevant rule making executive agency who also has standing to sue (or just has standing to fine them directly depending on the agency and the rule, I don't know who governs this or if they have that power or not).


The relevant agency would be the FTC, but is the FTC even interested in pursuing these cases? I've seen a few cases where they sued scammy businesses (https://www.ftc.gov/news-events/news/press-releases/2019/12/...), but there are lots of legitimate businesses that are nonetheless breaking the law. For example Xfinity sent me an ad for a voice-activated remote, categorized it as a "service-related email" and had no unsubscribe link. Instantly marked as spam.

What I want to know is: has there ever been even a single case of the FTC going after one of these real companies?


Experian sends me marketing emails classified as service-related as well, seems like once a week at least. Thankfully, Gmail has learned that I always mark them as spam and classifies them accordingly, though I wonder if it'll do the same if a non-marketing email ever comes through.


I can't be the only one who's noticed that most of these companies are above the law...? When was the last time someone even got a slap on the wrist? Some class action lawsuit that gave a coupon for 10% off your next purchase?

Spam got better because Gmail, not because the law did anything...


Spam got better because email delivery became an industry. You can't get email delivered at scale yourself, and all the businesses have a long term reputation to protect by following best practices, of which "the law" is part.


I don't think the law really had much to do with it, vs reputation based blacklists and SPF and such that the email industry created to combat spam.

I'm not saying this because I'm anti government, I just don't remember any of the spam laws doing anything, historically, vs the technological defenses invented by the community.

Hell, almost all of the spam I get these days is FROM the government begging for campaign donations, because they so thoughtfully excluded political spam from the laws. Gee, thanks. Now I just globally block anything from NGP VAN.


If anything, we are lacking a law: a law ensuring a government-backed email system comparable to USPS for regular mail.

Just as the USPS allows for personal mailing, each person should be provided an email address that has unhindered access to send email to any other email address in that domain. Government ID would be required for the email address, so there is accountability if you abuse it, the same way you would be held accountable for mailing dangerous goods from your home mailbox.


Mm, seems like the costs of that would way outweigh the benefits...

An email system with the speed of the USPS, the ease of use of the DMV, the security of the social security system, and the billing of the IRS. It already sounds like a digital gulag, lol


Haha I know what you mean - but realistically all the government really needs to do is provide specification and fund it, while having the courts uphold its reliability.

For example, Google could provide the service - but they would have to avoid co-mingling the service with their existing one. They wouldn't have the same rights to the content within the email as they do with a Gmail account. And they wouldn't be spam filtering small businesses into oblivion for trying to talk to each other directly.

Technically the service can be fulfilled by multiple vendors adhering to the same specification.


If the law had nothing to do with it, then why would excluding political spam from the law do anything?


It doesn't. It's just ironic. They end up in my spam box thanks to Gmail not thanks to the law.


Okay, that makes sense. I'm in the UK and voting spam outside of obvious political groups like the EFF that you would have signed up to doesn't appear to exist.


In the US, our campaign finance is heavily corrupt. There is no public finance system so candidates beg for money anywhere they can. Our 2020 elections spent nearly 15 billion dollars between our president and our congress. Some of that money comes from candidates directly asking for money. Other times, supposedly independent organizations (superpac) working to further the cause of a candidate, but not directly working with them, will also try to fundraise and campaign on their behalf without direct coordination. There is no limit to the amount of money such an org can get or spend, because the conservative Supremes ruled it an expression of free speech. Other conservatives worked to mask the sources of funding for such organizations.

Political activity was specifically excluded from our already sad and almost never enforced spam laws. Further, individual campaign donations are considered a matter of public record. So individual donors get recorded in these databases, and then private companies like NGP will harvest those databases, cross reference / deduplicate people with other databases, figure out their email and text contacts and then sell that information to candidates and parties who will in turn use it to spam you nonstop across email and SMS for every subsequent or similar election.

Good times.


UK as well:

> Organisations must not make it difficult to opt out, for example by asking customers to complete a form or confirm in writing. It is good practice to allow the individual to respond directly to the message – in other words, to use the same simple method as required for the soft opt-in. In any event, as soon as a customer has clearly said that they don't want the texts or emails, the organisation must stop, even if the customer hasn't used its preferred method of communication.

https://ico.org.uk/media/for-organisations/documents/1555/di... (page 43)


You also can't automatically opt people into a mailing list but nearly every company does it. I really wish the government would enforce CAN-SPAM.


You can auto-check the "sign me up" option, but you have to present it and allow the user to avoid it. Perhaps I've insulated myself a bit too much, but I haven't seen a signup form in the past few years that doesn't follow this pattern, and allow me to avoid signing up.


Many signup forms do seem to use this pattern.

I never leave it in the opt-in state. Ever.

And a vast number of these companies go ahead and email me anyway.

Sometimes they’re 100% marketing emails and they’ve just blatantly ignored my opt out, other times the emails are under the guise of being related to my account/purchase as opposed to marketing (eg those annoying drip feed “getting started with our product” daily emails) but the lines are very (deliberately) blurred.

In either case, the amount of inbound communication seems very heavily geared towards benefiting the company in being able to send out marketing messages / increase “engagement” as opposed to being actually necessary or useful from the point of view of a customer.

These thoroughly annoy me.

Edit: ironically Cloudflare is among the few companies who I do willingly receive marketing emails from - but even so, if the unsubscribe flow is as OP described, this is not really acceptable and needs looking at.


That's what the spam button is for. Enough spam reports causes them real financial costs.


Redfin does this: it has some forms that start a process with your email, tell you you'll be on a list, with no box to uncheck, and a terrible/dark unsubscribe process.


Express is sending me promotional emails with no unsubscribe link. They even justify it saying it is a “transactional email as part of their loyalty program” (it is not transactional, it’s just ads for sales) and the only way to stop them is to call their customer service to remove yourself from their loyalty program. Has to be the most blatant violation of CAN-SPAM I’ve seen. They used to have an unsubscribe button too, but it never did anything.


I have passed this on to our marketing team. Sorry you are having difficulty unsubscribing. In the meantime, feel free to email me (jgc@) from the email that needs to be removed and I will make sure it happens.


You're lucky this person cares. If there's not an easy unsubscribe I just report it as spam, and hope enough other people do the same that the firm becomes untrusted.

Pitting a corp against Google's customer support is a nice revenge.


This is exactly how I feel too.

If reporting the email as spam is quicker than unsubscribing, that's what I do.


It takes way too many clicks to report spam in GMail. Considering this is such a frequent operation, it should have a one-button "ban" function, possibly with an "Oops" undo if you pressed it by mistake. I have received quite a bit of Cloudflare spam on my (GMail) work address and immediately added it to my ban list. I also have a long memory and am highly unlikely to use services from companies that rely on spam for marketing.

For my personal email I run my own mail server, create a unique address for each vendor and ban the address if it is abused.


> I run my own mail server, create a unique address for each vendor and ban the address if it is abused

I do the same and it's immensely useful!

I find it's also a great indicator of how well that vendor protects my info... if there's a sudden surge of spam to an address only that vendor knows, there's a chance they leaked/sold my info and I know it's time to change passwords and/or reassess my relationship with the vendor.


Yes. I knew all I needed to know about Dell's infosec when I started receiving pornographic spam addressed to dell@majid.fm (my old vanity domain, no longer in use).


> It takes way too many clicks to report spam in GMail. Considering this is such a frequent operation, it should have a one-button "ban" function, possibly with an "Oops" undo if you pressed it by mistake.

If keyboard shortcuts are enabled, '!' is mapped to "Report as spam". I don't recall whether the status popover that appears at the bottom of the UI has an "Undo" link, though...


I should have been more precise. I meant the process of banning an email address so it can never again spam me. Doesn't work for the worst offenders who forge random source addresses, but usually does for slimy marketing departments.

You have to:

1. click on the email from the inbox

2. click on the three-dot hamburger menu on the far right of the sender line

3. click on the 'Block "Evil Sender"' entry in the popup menu

4. confirm that you do in fact want to stop receiving spam from the spammer by clicking the "Block" button

5. Click the "Move to spam" button in the dialog box that appears


Me too.


Same here. I do try to unsubscribe. I'm fine with up to 1.5 'pain points' during unsubscribing. That usually means I hit the limit after exactly 1 thing below as long as it's not taken to a point of ridiculousness:

- Logging in

- Clicking between multiple confusing tickboxes of which emails I want to unsubscribe from. Hint: If someone is actually going to the trouble to hit "unsubscribe", the answer is simply all of the bullshit non-critical emails.

- "You've been unsubscribed from Saturday morning emails sent by this particular product manager" ... implying I have to go find where to unsubscribe from all the rest of the damn emails.

But after that, or if any of these things are too onerous, I hit "spam" with a vengeance on. every. single. email. I get from that company ever again.

That said, I actually never got any Cloudflare spam at all, which is impressive.


Not everybody is using Google/Gmail/Microsoft :( I would like to point out that this attitude (do not take it personally please) helps Google become the worldwide communication arbiter. Do we want that?


Well, they're better at it than anyone else so far. Especially compared to the captured US regulators that don't do anything at all. Can spam indeed.


It's pretty easy to stop crime if you kill everyone except your close friends.


I do the same with my Tutanota account.


I believe “this person” is Cloudflare’s CTO


Nobody is exempt from nerd beatdown time on HN.


No, "this person" refers to the OP complaining here loudly enough instead of just marking as spam.


"this person" is OP.


Please try not to use weasel phrases like "Sorry you are having difficulty..." The poster clearly articulated the very real technical problems they are having with your broken unsubscribe process, doing your debugging work for you, and the phrasing of your response implies that the fault lies with the user. I don't think this was intentional weasel-speak on your part, but do please try to be aware of your audience.


I am in the middle of writing up/dealing with the Okta mess. Sorry if my language wasn't clear.


Is "sorry you are having difficulty" a "weasel phrase"?

"Weasel phrases" are non-apologies. A simple non-apology is something like, "I'm sorry you are feeling that way". Let's say Bob wrecks Alice's car after coming back from the bar last night. When Alice wakes up, she notices the car is wrecked and she will be unable to take a client out for lunch in it. Alice becomes angry at Bob as a result and indicates he is responsible for wrecking the car and not telling her the night before, so she could have got another car to drive. Alice would want a resolution, either in the moment (Bob giving Alice another car) or an assurance that it won't happen again (a real apology accepting responsibility). An "I'm sorry you are feeling this way" from Bob becomes the non-acknowledgment of the actual cause of the emotional output from Alice. Instead, it deflects back to Alice to resolve. This is tedious, at best.

A good tip for Bob avoiding these "you statements"[1] is to leave out "you" as the object of his stated emotional output. Instead, Bob could say "I hear you are feeling sad and angry because I had a wreck and came home last night and went straight to bed without telling you". This comment from Bob becomes a non-you statement by splitting on the "because" and the "without". There exists a separate acknowledgement of the emotional output from Alice, "I hear you are feeling sad and angry" and an acceptance of the action and result, "I wrecked your car and didn't tell you about it."

It is my opinion you get a lot of these types of comments in public forums, where the conversation is a matter of public record. When given the choice between leaving a public trace of "We were the cause of your difficulty...we'll fix you up though." vs. "We hear you are having issues...", I do think companies will tend to do the latter, waiting to give the more specific comment to the recipient outside the public view. Maybe our tendency to think we need these comments aired in public is some sort of error in our reassignment of another's emotions. Their emotional output isn't ours, but we may have empathy for it.

As others have mentioned, the comment comes from someone who seems to care about these things, so if Alice trusts Bob, she'll let the comment slide knowing he'll come through for her in the future.

[1] https://www.cnvc.org/


"Having difficulty" means it's still possible, just difficult and - dark patterns aside - the OP could still succeed if they knew the right steps. Given what OP said though, that's not the case here, so yeah, that phrasing is deflecting responsibility. Definite weasel wording.


Amends > Apology. And Mr. Graham committed to making amends.


Great point!


How is "Sorry you are having difficulty" a "weasel phrase"? I don't see how that implies the user is at fault. It seems like you're policing language unnecessarily


> How is "Sorry you are having difficulty" a "weasel phrase"?

Because it's trying to avoid accepting any responsibility for a problem that is quite clearly Cloudflare's intentional doing.


No, I'm not. I'm literally on HN responding almost immediately to the OP and emailing marketing saying WTF?


I've seen you post here on HN a few times and I think you're genuine here.

However, I also think the previous commenter has a point - "we're sorry you're having trouble and we're looking into it" or words to that effect are things anyone who reports issues to big companies hears over and over again, and it usually means "we don't give a damn about you and we're not gonna do anything. Suck it, puny human".

For anyone who doesn't recognize you except as a random person who popped up speaking for CloudFlare, it probably seems reasonable to interpret your words as corporate weasel speak, especially on a post accusing your company of potentially illegal behavior. Even if you didn't mean it that way and this does turn out to be an honest and temporary mistake.


For those who want to reduce corporate weasel speak:

Do not criticize those who USE it. It is a symptom of a larger problem.

Rather, criticize people (like many in this thread) who say "you should sue" in response to any problem you have with a corporation. That litigiousness is what makes corporate weasel speak necessary. If the result of acting like a human and saying "oh, my bad" is to get sued (and have a slam dunk case, because they admitted to it!), then people are going to stop saying "my bad" and start saying "that sucks".

This is a cultural choice that we make in the US, and the choice is made in places like this thread. If you want to change it, start here and shame those who say "sue!" after a person encounters a bug trying to unsubscribe.

Or we can all continue to assume that everything is malicious, everyone is in on it, and there are no good people. And we'll continue to get a lot of corporate weasel speak. And we'll deserve it.


FWIW I've since changed my stance on this. My apologies, if that means anything.


I don't agree with this view or the chain - you do a great job.

I do not think when you said "you are having difficulty" that you implied it was the users fault.


> quite clearly Cloudflare's intentional doing.

I don't think you can really know that. It's the sort of thing that would be very easy to slip through testing (or that a lower-level employee could slip through unapproved), and lots of companies don't pay as much attention to the technical side of their marketing operations as they do their main product tech.

> Because it's trying to avoid accepting any responsibility

I would argue the opposite. If you are not taking responsibility then you shouldn't use the word "Sorry" as it actually implies that it was your fault. You ought to use "I regret" in those cases - there's a blog post on this floating around somewhere.


He's not saying that the cause of the difficulty is on the user, simply pointing out that the user is facing a difficult situation (caused by CloudFlare in this case)


do you think jgc person is the personal incarnation of cloudflare and if they say they're sorry you'll feel better or something?


JGC is the closest possible thing to a personal incarnation of Cloudflare


God, I hope not.


Well, at least you are relatable in ways that Cloudflare generally cannot be. Your recent post on the Minitel conversion is just one example [0].

There is one key thing to keep in mind for those advancing uncharitable critiques of JGC and Cloudflare. It is entirely plausible that JGC is well-intentioned. Yet, Cloudflare has had to hire quite a few people recently.

There may not necessarily be a culture fit. Some new marketing hires may have thought that this dark pattern was fair game. And JGC can strongly disagree without really being aware of this dark pattern. Those two things can hold at the same time.

[0] https://news.ycombinator.com/item?id=30743891


*punts fourth wall* Forum's gonna forum and memefy everything it can (then there's the entirely cognitively-dissonant way this mindset looks up to things...). I think the only solution is to be hyper-aware of the unintuitive impact (and toll) it can legitimately have... but that can be difficult when distracted by idk being Senior Juggler Of Cat Herders or whatever. shrug internet be weird but probably harmless


Maybe check his bio?


> How is "Sorry you are having difficulty" a "weasel phrase"?

Sorry you are offended by that characterization.


Another delicious example positively dripping with chagrin. Kudos.


You're presumably unaware of jgc's reputation. John's one of the good guys; no need to jump down his neck.


That is not the impression I got from this reply.


What would you prefer?

"That's valid, we'll fix this"?


I find this kind of funny in a sad way. What does the marketing team have to do with this? This should go directly to the law people in the company and to the engineering team, who fix it as quickly as possible. Does the law need to be validated first by the marketing team at Cloudflare? If they have had any say in how this process works, then they f'ed it up already, breaking the law! Basically being Internet criminals. Might even be intentional to drive their number games.


Not sure how it is at your company, but at most companies marketing email is almost entirely handled by...marketing. Their email service provider should have provided review and guidance on the preferences page.


This is not about the e-mail itself, but the pages, which are supposed to let you unsubscribe and their way of functioning. Of course it would be best to have a single click link in the e-mail, but even that would require some kind of API in the system. I doubt the marketing department has people working on those systems.


Those are usually handled by the email service provider. Email deliverability is a speciality in itself, something even a company as tech-savvy as Cloudflare probably doesn't have the skills in-house.

Properly handling opt-outs is part of it. MailChimp does the right thing by soliciting feedback, including the option "I never signed up for these emails", hopefully that goes into whatever scoring mechanism they use to kick out abusive customers. Sadly the current state of what passes for front-end development is abysmal, with pages often not working if a user has cookies or javascript disabled, or an ad-blocker.

As for JGC, he deserves credit for doing the right thing, but that does not change the fact his company violated the law, and their marketing department richly deserves any fire and brimstone that is raining down on their necks right now. I would say most companies should probably have their email service provider contracts controlled by legal rather than marketing; most marketing departments have an inherent conflict of interest in this regard.


In general marketing teams try to be “smart” like this. I have many many examples of this.

It’s the exact same bs as using someone’s contact list to spam them with farmville.

Marketers have no respect for their audience whatsoever.


How many other companies do you know of where the CTO himself jumps in to help on an issue like this (and in 20 minutes, no less!)

Cloudflare is awesome.


I'm going to point out that it's only because this is HN and someone here is much more likely to be able to cause PR problems than the average customer. Awesome companies don't harangue people who are already paying them and then make it harder than clicking "unsubscribe" to put a stop to it. I don't think anybody at Cloudflare is terrified that somebody's scorned mistress could wreak her revenge by punching their e-mail into an insecure Unsubscribe box and thus delaying their knowledge of having access to a new beta.


Yeah but you don't ever really see Google or Amazon or Facebook or Netflix or Spotify on here, except employees commenting unofficially. Cloudflare is on here quite frequently and meaningfully. I'd rather companies communicate, even if (and especially when) they fuck up.

It helps that cloudflare isn't too big to fail yet and still trying to get better.

Hopefully they'll fix this email situation.


> Yeah but you don't ever really see Google or Amazon or Facebook or Netflix or Spotify on here,

In the words of a limbo competition judge, "that's not a high bar".


I know a lot of companies where you can unsubscribe from the mailing lists easily, so their CTO doesn't have to do the PR damage control when they hit a social media front page. Those companies are way ahead of those with a CTO having a Google alert set up.


Setting up Google alerts for when your company's name gets mentioned on an exceptionally popular discussion board is not special in the slightest.


He's been an HN user forever and he is active in threads that are unrelated to Cloudflare too. You can just take a look at his profile.


Indeed. He has previously mentioned that he set up an alerting system to notify him when Cloudflare is mentioned on HN, as well. So it's a mix of both.

His response here was perfectly adequate and beyond what the CTO of almost any other large tech company would ever do. Not that it deserves unbridled praise and admiration or something, but the immediate attacks and "weasel word" accusations from others are really weird. HN is way too cynical, sometimes.


In better companies, where legal blocks marketing from pulling stuff like that, this is not necessary.


That sounds like a magical company.


If you like the sound of that you should consider a career in a regulated industry like banking or healthcare.


No, no and absolutely no they're not.


This is awesome. So, smart companies have monitoring for their brand keywords across key websites/the web and jump in to respond and nip it in the bud before things go bad.

I had read somewhere that GitLab does the same. They have a "How to respond to discussions on Hacker News." or something along those lines.


This is often true, but [un]fortunately in this case you're letting everyone know you don't really have any idea what you're talking about. JGC is active in non-CloudFlare discussions on HN all the time, and is the CTO. He'd probably be in this thread regardless of his role.


So why is it even necessary he's on this (particular) thread?


They fucked up, possibly breaking the law in the process. It's just a fire extinguisher, nothing really awesome.

Regarding GitLab, it[1] was discussed here[2].

[1] https://about.gitlab.com/handbook/marketing/community-relati...

[2] https://news.ycombinator.com/item?id=30003221


Only for the easy or tech things though. I was curious if I'll trigger some response about CloudFlare enabling targeted abuse online, but that topic seems untouchable to people doing monitoring.


They're on here quite a bit and regularly contribute.


OP does not seem to be "having difficulty". That sounds a bit passive-aggressive, as if OP were a grandma having difficulties with her computer due to age. OP jumped through a lot of hoops and did a solid investigation without much issue. It is clear that it is the system that is having difficulty, or just not doing what it's supposed to do.

(The "sorry" further makes it sound more like talking down. Have you noticed how in a hierarchy the bosses are the ones usually saying "thank you" and "sorry"?)

The correct phrasing is "it is clear to me our system is broken [for you], let me …".

Edited to address the "sorry", it is easy to slip it in without thinking. I'm sure CF rep here did not use that phrasing intentionally either.


So much wrong with this comment. But the "CF rep" is the CTO.


How is CTO not representing the company in this context?


I'm a shareholder. Sorry to learn your marketing team is damaging the company's reputation in this way.


Looking forward to a follow-up on how this happened.


Thank you for acknowledging this.


If you didn't throw the email out the window in disgust, could you forward it to me... jgc@cloudflare.com


And this is why I love HN


What a masterful evasion of the issues OP raised.

There is no excuse whatsoever for requiring someone who clicks a link in an email you sent them to verify their address with you (by clicking a link you sent them). OP is right: you're engaged in dark pattern techniques and you know damn well that you're doing it.

OP: don't give him a pass. Sue him under the CAN-SPAM act.


CAN-SPAM is a toothless show of an act that only punishes the most flagrant "Nigerian prince" spammers and keeps small players in line.


OP has no standing to sue anyone under CAN-SPAM.


If it takes me more than 2-3 seconds to find the unsubscribe link at the bottom of the email, or if that page is anything other than a confirmation (nobody is forwarding your bullshit, you don't need to "confirm" my email address it's just intentional friction), I just mark it as spam. If I'm feeling generous I might let gmail unsubscribe me, but usually I will explicitly not click that just so I can mark all your emails as spam moving forward.


The fun thing about Gmail's "attempt to unsubscribe" is that if you're looking at spam sent to a Google Group, it won't try to unsubscribe you from the spammer. It'll unsubscribe you from your Google Group.

As we use groups for some SSO auth at work, the thing that tipped me off to this was having my work Dropbox delete itself from my machine. Nearly gave me a heart attack.


Right - but that puts the 'solution' to this problem on your end, and not on the plate of the organisation sending it to you in the first place. Sure, this is the easiest way of dealing with it, but it's not how it should be. If Cloudflare needs more customers, they need to follow the marketing rules, and one of them is to allow users who are not interested in their offer to no longer receive these. The whole "verify your e-mail address" is bad enough and as stated above is nothing more than a barrier to prevent you from unsubscribing...


If you use a provider like Gmail, you're not just solving the problem on your end. Google trains their global spam filter through every user's behavior. So if enough people keep marking Cloudflare mails as spam, they will eventually end up in other people's spam folder by default.


There are some things that I am petty enough about to go out of my way to hurt a bad actor rather than take an easy route which may hurt them less.


That process might be in violation of the CAN-SPAM Act. FTC guidelines say:

> You can’t charge a fee, require the recipient to give you any personally identifying information beyond an email address, or make the recipient take any step other than sending a reply email or visiting a single page on an Internet website as a condition for honoring an opt-out request.

https://www.ftc.gov/business-guidance/resources/can-spam-act...


Unfortunately there's nothing you can actually do under CAN-SPAM to act on or obtain recourse for violations. The best you can do is contact your ISP, who is supposedly required to take action on your behalf. The penalties are steep and the rules are strict, but nobody actually enforces them.


Y Combinator is doing the same thing for their Startup School mailings. I think such simple unsubscribe actions should be accessible without logging into a service. In the worst case an adversary could abuse this to unsubscribe me from some marketing e-mails. And you can always send a confirmation mail to the unsubscriber to make sure it didn't happen inadvertently.

But I get it, putting up barriers around account cancelation and unsubscribe functionality increases retention. I mean look at Facebook's "delete my account" workflow.
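The login-free opt-out the comment above asks for can be built from a signed link, so the page behind it is a single request with no login and no "verify your email" step. The following is an added example (not Cloudflare's or any vendor's code); the secret key, endpoint URL and 90-day TTL are placeholders.

```python
"""Login-free, single-page unsubscribe links: a constructed example.

The link carries the address, the list id, an expiry and an HMAC over those
three fields. Whoever holds the link can opt that address out (the worst an
outsider can do is stop marketing mail), but nobody can mint a link for an
address they never received mail at, and no login or re-verification is needed.
"""
import hashlib
import hmac
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

SECRET_KEY = b"constructed-demo-key-rotate-in-production"  # placeholder secret
TOKEN_TTL = 90 * 24 * 3600  # links stay valid for 90 days (assumption)
BASE_URL = "https://example.invalid/unsub"  # placeholder endpoint


def _now(now: Optional[int]) -> int:
    return int(time.time()) if now is None else now


def _mac(email: str, list_id: str, exp: int) -> str:
    # NUL separators prevent field-boundary ambiguity when concatenating.
    msg = b"\x00".join([email.lower().encode(), list_id.encode(), str(exp).encode()])
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def make_unsubscribe_url(email: str, list_id: str, now: Optional[int] = None) -> str:
    """Build the link that goes into the footer of every marketing mail."""
    exp = _now(now) + TOKEN_TTL
    query = {"e": email.lower(), "l": list_id, "x": exp, "t": _mac(email, list_id, exp)}
    return BASE_URL + "?" + urlencode(query)


def verify_unsubscribe_url(url: str, now: Optional[int] = None) -> Optional[Tuple[str, str]]:
    """Return (email, list_id) if the link is authentic and unexpired, else None."""
    qs = parse_qs(urlparse(url).query)
    try:
        email, list_id, exp_raw, tag = (qs[k][0] for k in ("e", "l", "x", "t"))
        exp = int(exp_raw)
    except (KeyError, ValueError):
        return None  # missing or malformed field
    if exp < _now(now):
        return None  # link expired; the sender must issue a fresh one
    # Constant-time comparison: never leak the expected MAC through timing.
    if not hmac.compare_digest(tag, _mac(email, list_id, exp)):
        return None
    return email, list_id


class PreferenceStore:
    """Toy in-memory stand-in for the subscriber database."""

    def __init__(self) -> None:
        self.opted_out = set()

    def handle_unsubscribe(self, url: str, now: Optional[int] = None) -> bool:
        """One request to one page, no login, no extra PII collected."""
        parsed = verify_unsubscribe_url(url, now)
        if parsed is None:
            return False
        self.opted_out.add(parsed)
        return True

    def may_send_marketing(self, email: str, list_id: str) -> bool:
        return (email.lower(), list_id) not in self.opted_out


if __name__ == "__main__":
    store = PreferenceStore()
    link = make_unsubscribe_url("Alice@Example.org", "product-news")
    print(link)
    print(store.handle_unsubscribe(link))  # True
    print(store.may_send_marketing("alice@example.org", "product-news"))  # False
```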


> But I get it, putting up barriers around account cancelation and unsubscribe functionality increases retention.

Kind of, I would suspect it wasn't a conscious decision for many services that do this. More like "damn we suck at session management in React" and nobody noticed or thought about why a particular view was not accessible without a pre-existing session.

The retention methods and analytics for getting them create the perverse incentives to never notice though.

"The A/B test says users looooove staying on our website! great KPI folks!"

People aren't sitting in a shadowy room thinking about how to get their users stuck and lost on their website. They're just not looking at the CAN-SPAM act, and likely would be willing to make that exception to how their session management system works.


If you live in Canada, you can report a CASL (Canada Anti-Spam Law) violation to the CRTC here[1].

The FAQ[2] shows an example of a CASL violation for requiring multiple steps to unsubscribe.

[1]https://www.fightspam.gc.ca/eic/site/030.nsf/frm-eng/MMCN-9E...

[2]https://crtc.gc.ca/eng/com500/faq500.htm#wb-auto-28


Thanks for this. I’ve been having issues with CD Baby emailing me spam for months. Their unsubscribe button/process doesn’t work at all. Glad to have an avenue to report them for this bad behaviour.


Made a little mistake (can't edit). CASL is Canada's Anti-Spam Legislation and not Canada Anti-Spam Law.


Never take crap like this, just "Report spam" if there is no option to directly unsubscribe with a single click.


So I've been tracking companies that don't honour the unsubscribe link for 10 years. I've found that a few companies per year (out of hundreds I'm tracking) end up emailing me 4-5 years after I unsubscribe, as if a new marketing intern got a copy of the old customer DB from years ago and figured it'd be okay to just spam it.

Aside from my article※ explaining the basics of email aliasing to avoid this sort of thing, a few more suggestions:

You can use a service like Mailinator or Mailnesia for one-time disposable emails, but I actually use them for services that I will use for a limited time, even if I pay for them. Sometimes companies make it hard to delete an account, and others make it impossible. So just generate a very long random email and it'll be unlikely that anyone would collide with it. Then just fill in random or fake data for anything personally identifiable. When it comes time to delete the account, just abandon it rather than jumping through hoops to delete it.

If you need something that is more secure and still trivially easy, I highly recommend AnonAddy. Just make up an email alias (for you_subdomain.anonaddy.com or a domain you point to it) and those emails will get forwarded to an email address you specify. All emails forwarded from AnonAddy have some controls on the top, so if you get spammed with automated email from PMs asking for your feedback you can just delete the alias from the email.

This would not be of use for something like Cloudflare though, as it's a critical service, but it is very useful for less important services that cost between $0-10/mo. If they end up being critical you can just change the address to an alias on your main domain.

※ - https://jonpurdy.com/2020/06/using-email-aliasing-to-detect-...


I've moved most of my marketing mails to unique Fastmail Masked Emails: https://www.fastmail.help/hc/en-us/articles/4406536368911-Ma...

And with 1Password integration, most new services that I wouldn't give my real name to will get a Masked Email too.

If I get spam, I know exactly where the address came from and I can just destroy the address with one click.


This is how I've been managing my personal email account for some time.

Have you noticed that some services won't let you use their name in the email though?

Samsung, for example, wouldn't let me spell out the word "samsung" in the email field at all.


> Samsung, for example, wouldn't let me spell out the word "samsung" in the email field at all.

I wonder if this is, in their mind at least, a sort of phishing prevention/deterrent.

I also use the [foo-company]@[my-domain] structure, and the number of times a customer service rep has asked me "Oh, do you work for [foo-company]?" is more than I can count.


These days "report spam" doesn't seem to do anything. I've gotten as many as five identical e-mails from the same sender and hit "report spam" on each one with no effect before eventually creating a custom filter rule to stop it.


Speaking of which, I went years without getting scam spam in my inbox (not counting marketing emails I never signed up for). In the last year or so some spam does make it through the filters into my inbox.

There's typos, unverified domain, big warning and all that, but gmail still thinks I'm interested in buying amazon gift cards in bulk. What changed?


UPS won't let me unsubscribe from their emails and I have hit "Report Spam" in Google Mail on hundreds of them. It does nothing.


I think you, as the GP, fall victim here to Google's approach to data analysis. They probably have some analysis of all users' spam markings, and since too many other users do not mark it as spam, your marking does not weigh much. You basically don't train the model enough. Just guessing though.


While some businesses may ignore FBLs and abuse complaints, most still handle them. Report spam definitely does something.


Report spam? No. I report to BBB. &pizza is the only one I've run into.


Just make a custom filter and move on. The BBB is a scam and the government doesn't care and report spam is a black hole.

There's not enough humanpower to manually vet these things and do anything about them. Far easier to spam than to fight spam. Just block it.


BBB does nothing.


If a company makes it hard for me to unsubscribe, I mark it as spam. Because at that point, that's exactly what it is.


I had this same experience the last marketing email they sent. If they dark pattern the unsubscribe flow, I report them as spam.

You're not reaching my inbox one way or the other. May as well have a pleasant unsubscribe flow so it doesn't impact your spam rating


I've experienced these kind of things so many times that I am literally obsessed with what I check when I sign up to something, never had issues after that except for very rare cases.

Checking what can and cannot be sent to my account must be taken seriously. I'm like a firewall, deny EVERYTHING by default, if something interests me (almost never) then I'm willingly subscribing.

When I can't unsubscribe from something I get very frustrated and I always go full annihilation mode and create a new rule to sweep everything coming from that domain to junk and instantly delete everything, I don't care.


Even if you do unsubscribe successfully, they will periodically re-add you and send you marketing spam without your permission. I've unsubscribed from emails from cfmarketing@cloudflare.com so many times over the years. I've even sent them emails asking them to stop, but they just ignore me.


My biggest pain as a Tor user is having to fill out 10 captchas a day to do anything. hCaptcha and reCAPTCHA, and those that ship them, make me furious in general for punishing people for privacy.


I sympathize, but have you considered using cloudflare captchas as an accidental content moderation service by ignoring any site that requires them? If I disable tor as an experiment for any length of time, I find that the average quality of material I read diminishes. Combine tor usage with disabling javascript, and you're well on your way to an information diet from technically adept sources that respect their readers.


The vast majority of traffic from Tor IPs is abuse, which makes it challenging to deliver a good experience for the handful of normal users mixed in there.

You might be interested in one approach we've been working on for this: https://www.hcaptcha.com/privacy-pass

(full disclosure: work on hCaptcha)


That does not help me on mobile, or in disposable Qubes I browse in to keep totally anonymous. At best I could see using fido2 taps with random identifiers to prove I am physically touching a hardware authenticator even if the ID is a throw away.


To be fair they flag Tor because of the IPs and all the other bot traffic that goes through Tor that harasses website owners with spam and DDoS.


While we're griping about marketing emails, another pattern I've noticed from some companies is emails with subjects like:

> January monthly statement: <some drivel>

> February monthly statement: <more drivel>

> Account summary: please review your statement

> Your January eStatement

Would you be surprised if I told you that none of these emails contained an account statement? The general content of these emails is something to the effect of "Your statement is: nothing changed! So while I have your attention, here's 20MB of flashy images and here's some new ways you can give us money and why haven't you been giving us money recently?" These tactics are straight out of spammers' playbooks.

These still go to my gmail account which I'm slowly migrating off of. One thing I've noticed is that often, these emails are long enough that gmail clips the message short and adds a "show full message" button. But that means it clips off the "unsubscribe" link.

I've started adopting the tactic I learned here of signing up for services with different emails like `me+to-servicename`, and then having filters set up to keep their spam out of my inbox. It's wonderful, although sometimes I worry about missing an email from some support staff who urgently needs to contact me (this has literally never happened, but I still worry).


> Dark pattern one: You must login to manage your marketing preferences. There's no security related emails here, so this is completely unnecessary.

Did you just give your credentials to a website linked from a spam email?


I like Cloudflare but this type of email marketing madness pisses me off. Mark as spam and block sender - let their mail reputation take a hit for having these dark patterns in place.


I’m so glad that you made this post. It sums up so many pain points of working with tech, and how sometimes we’re able to self-help. Loved the ending.


I push for a strong "Zero Burden" policy: I will spend exactly zero seconds of my life trying to unsubscribe from something I did not willingly subscribe to in the first place. Report as Spam directly and let the automatic filtering take care of whatever happens next.

Ideally the "Report as Spam" button would evolve into a "Report as Illicit" system that reports to a third party authority with a punitive capacity (while requiring near-zero effort on my side: burden must be with the sender to prove that I willingly subscribe to their messages).


Okay, so I hit the "Resend verification email" link and check my inbox, nothing just yet. I wait a little longer. It's odd that I immediately got a security email about the login from a new IP, but I've not received this verification email yet.

This was definitely a bug and it's been fixed and rolled out. Sorry that happened.


Facebook makes you log in to unsubscribe from all marketing mails (instead of the very specific category each unsubscribe link takes you to).

Of course they also like to block your login, so I've been getting their spam for close to a decade now.


Kodak, Visa, and Comcast do this too. AT&T makes it VERY difficult.


> Dark pattern one: You must login to manage your marketing preferences.

This is an immediate Report Spam for me. I also forward all my emails from Gmail into Fastmail, Protonmail, and iCloud, so I go and report spam here as well.


And how many hundreds, thousands, maybe millions of people need to mark "cloudflare.com" as spam before Google even thinks about disabling email coming from that domain?


How does that work? If you forward the message to another account, wouldn't the account that forwarded the message be the one tagged as spam?


That's not how it appears to me.


Thanks, but that's not really helpful in explaining what it is you are doing to mark the forwarded email as spam to a new mail host. Doesn't marking a message as spam tell the spam system that email user (your original email account used to forward the message) is a spam account?


I don't know.


Anything that won't let me unsubscribe with a single click I just mark as spam, block, and report. I've no particular data to suggest that this really works other than the fact my 25yr old email address gets very little spam.

10-15 years ago I might have given a company the benefit of the doubt, but these days marketing operations employ dozens if not hundreds of people. They could get this right if they cared to.


I tried to unsubscribe from Affirm 2 months ago. I finally set up a go-direct-to-trash filter.

Affirm's unsubscribe link:

http://click.e.affirm.com/u/?qs=0e4276f59f1315c3c386855d4ec2...


What the heck! I expect better than this from Cloudflare. They aren’t supposed to fall into the same nonsense that every other company does.


> Dark pattern two-point-five is that the email somehow became unverified - something it seems is only necessary to adjust marketing emails.

It seems very weird that you need to verify your email to opt-out, because it implies that you did not verify your email _before_ they sent you marketing material, implying it's actually spam.


Marketing unsubscribe flows are a mess. I've worked at places with broken unsubscribe flows and few people actually care.

It's not even a pernicious thing--meaning it's not as if marketers are like, "That's fine we want to minimize unsubs." Just getting people to care about the unsubscribe experience is really hard.


Unsubscribe works on the majority of services I have subscribed to. But there are some bad actors.

And we work with many "marketing professionals" who do not understand how a nice "unsubscribe" actually helps the business. At least it can tell you if your marketing emails suck…


I hope that there is some effective collective action. Like a shared domain list where we could automatically add companies like this after proven wrongdoings. Just drop accepting any mails from them for some reasonable period of time, like 10 years.


I remember fixing a bug where the checkbox "I want to receive marketing emails" didn't work and always wrote True to the database.

All customers were receiving marketing emails.

Don't assume malice. Those things are rarely tested.
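The "checkbox always wrote True" bug above is easy to reproduce from two common shortcuts, and equally easy to catch with a table-driven test. The following is a constructed reconstruction added here as an example, not the commenter's real code; the field name and the handler shapes are assumptions.

```python
"""Opt-in checkbox handling, buggy beside fixed: a constructed example.

An unticked HTML checkbox is simply absent from the submitted form, and some
front-ends post "off" or "false" instead. Both the default and the truthiness
shortcut in the buggy version turn every submission into an opt-in.
"""
from typing import Callable, Dict, List, Mapping, Optional, Tuple

_TRUE = {"1", "true", "on", "yes"}
_FALSE = {"0", "false", "off", "no"}
Parser = Callable[[Mapping[str, str]], Optional[bool]]


def opt_in_buggy(form: Mapping[str, str]) -> bool:
    # Bug 1: a missing field (unticked box) falls back to "true".
    # Bug 2: bool() of any non-empty string, including "false", is True.
    return bool(form.get("marketing", "true"))


def opt_in_fixed(form: Mapping[str, str]) -> Optional[bool]:
    """Absent field means unticked; only explicit strings map to True/False;
    anything else returns None so the caller rejects rather than guesses."""
    raw = form.get("marketing")
    if raw is None:
        return False
    value = raw.strip().lower()
    if value in _TRUE:
        return True
    if value in _FALSE:
        return False
    return None


def save_preference(db: Dict[str, bool], user: str, form: Mapping[str, str],
                    parse: Parser) -> bool:
    """Write the parsed preference; refuse (and keep the old value) on garbage."""
    decision = parse(form)
    if decision is None:
        return False
    db[user] = decision
    return True


# Submissions a form-handler test should cover, with the value that must be stored.
CASES: List[Tuple[Mapping[str, str], bool]] = [
    ({}, False),                    # checkbox unticked: field absent
    ({"marketing": "off"}, False),  # some frameworks post "off"
    ({"marketing": "false"}, False),
    ({"marketing": "on"}, True),    # browser default value for a ticked box
    ({"marketing": "true"}, True),
]


def regression_failures(parse: Parser) -> List[Mapping[str, str]]:
    """Return the submissions for which `parse` would store the wrong value."""
    return [form for form, expected in CASES if parse(form) is not expected]


if __name__ == "__main__":
    print(regression_failures(opt_in_buggy))  # the three opt-outs, all stored as True
    print(regression_failures(opt_in_fixed))  # []
```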


I assume malice in any company that doesn't test that the basic functions of a page work. Someone made a resource decision that negatively affected the customer.


What gets tested and what doesn’t is an active choice which reveals malice, even if unintentional. A process important to Cloudflare will have the budget for testing; one important only to its customers, apparently not so much. Impersonal malice.


What is your definition of malice? I'm not sure we're on the same page here.

For me, there must be intent to cause harm.


You think the choice of what to test is unintentional? It’s not that people actively prioritize harm, it’s that they actively prioritize not thinking about harm when it will hurt profits. The repeated pattern belies claims of ignorance.


If it's not going to hurt profits then it's probably not that important to customers.

I'm yet to see a company that went out of business because they forgot to put a link in their email.


Seems reasonable to hold a company the size of Cloudflare to a higher standard.


What else can I expect but malice when it is by default true and not false, which would be much less harm.


This is nothing. You can do a hard unsubscribe in Gmail.

I've been trying for months to delete my Nexo account. For some reason the only way to delete an account is via their support... They haven't replied to me in months.


I've completely given up on unsubscribing and just straight up made filters to remove the clutter from my inbox.


Cloudflare kept sending emails to my former name, and their support directed me to, get this, update it via API call.

And then it turned out the name still persisted somewhere. So I complained again (I technically have some legal leverage beyond GDPR to have it pruned). To their credit, they did conduct an investigation, apologized a lot and let me know they had improved their process.

They also seem to have stopped using your name in emails. (I guess I did that?)

But it does seem to be rather systemic to how Cloudflare handles data.


Do you have an adblocker installed? Perhaps that's why nothing is happening.


Why go through all of that when you can just create a filter to mark everything as spam?


Might want to receive account notifications from Cloudflare, even though you don't want to see ads.


They usually use different email addresses to send spam and to send important stuff.


Menard's is like this too.


Just send it to spam.


Consider filing a GDPR complaint if you're an EU citizen.


Cloudflare has been charging me for services I don't have for more than a year; every time I open a ticket they say they will cancel it, but they keep charging me.


Do you use periods in your email address?

For Gmail the email "myemail@gmail.com" is interchangeable with "my.email@gmail.com". Some services that rely on simple email auth do not make the same distinction (such as Slack). You may have signed up with periods and are attempting to restore access to a non-period address.
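The dots remark above, and the `me+to-servicename` tactic mentioned earlier in the thread, both come down to how a service canonicalizes an address before matching it. The following is an added example, not code from any library or from the commenters; it assumes that only gmail.com and googlemail.com ignore dots, fold case and route `+tag` suffixes to the base mailbox, and leaves every other domain's local part untouched.

```python
"""Gmail-style mailbox equivalence and plus-address tags: a constructed example.

RFC 5321 allows the local part to be case-sensitive, so nothing is normalised
there except for the Gmail domains this example assumes behave as described.
"""
from typing import Dict, Optional, Tuple

GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}  # assumption: treated as one service


def split_address(addr: str) -> Tuple[str, str]:
    """Return (local, domain) with the domain lower-cased; reject non-addresses."""
    local, sep, domain = addr.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {addr!r}")
    return local, domain.lower()


def plus_tag(addr: str) -> Optional[str]:
    """The label after '+', i.e. which service a me+service@ alias was handed to."""
    local, _ = split_address(addr)
    _, sep, tag = local.partition("+")
    return tag if sep and tag else None


def canonical(addr: str) -> str:
    """Canonical mailbox name. For the Gmail domains: drop the +tag, drop dots,
    fold case and collapse googlemail.com onto gmail.com; otherwise unchanged."""
    local, domain = split_address(addr)
    if domain in GMAIL_DOMAINS:
        local = local.partition("+")[0].replace(".", "").lower()
        domain = "gmail.com"
    return f"{local}@{domain}"


def same_mailbox(a: str, b: str) -> bool:
    return canonical(a) == canonical(b)


def find_account(accounts: Dict[str, str], login_addr: str) -> Optional[str]:
    """Look up a user id by address the way a 'simple email auth' service should:
    exact match first, then canonical match so my.email@ and myemail@ agree."""
    if login_addr in accounts:
        return accounts[login_addr]
    wanted = canonical(login_addr)
    matches = {uid for addr, uid in accounts.items() if canonical(addr) == wanted}
    # Two distinct accounts collapsing onto one mailbox is a data problem: refuse
    # to guess rather than log someone into the wrong account.
    return matches.pop() if len(matches) == 1 else None


if __name__ == "__main__":
    # Constructed sample account table keyed by the address used at sign-up.
    accounts = {"my.email@gmail.com": "user-1", "other@example.com": "user-2"}
    print(find_account(accounts, "myemail@gmail.com"))   # user-1
    print(find_account(accounts, "myemail@example.com"))  # None: dots matter elsewhere
    print(plus_tag("me+to-servicename@gmail.com"))        # to-servicename
```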



