ID: 20317
Project: Bug reports
Category: Survey participants (Tokens)
View Status: public
Last Update: 2025-10-22 16:13
Reporter: Mazi
Assigned To:
Priority: none
Severity: block
Status: new
Resolution: open
Product Version: 6.6.x
Summary: 20317: Automatic Opt-Out triggered by email security scanners – requires Two-Click confirmation mechanism
Description

We have recently encountered repeated cases where participants are automatically marked as Opted-Out immediately after the invitation email is delivered.

This behavior has now been confirmed by multiple customers using different mail systems. It can be reproduced reliably when survey invitations containing the standard {OPTOUTURL} are sent to certain corporate domains.

Our current analysis indicates that email security systems (URL scanning tools) automatically follow links in incoming emails to verify their safety. In some cases, these tools even execute the confirmation click on the Opt-Out page, which causes the participant to be marked as Opted-Out in LimeSurvey without any user action.

As a result, entire customer surveys can no longer be conducted because all or most invited participants will not receive any further reminder emails.

Steps To Reproduce

Send an invitation email with the default opt-out placeholder to affected email addresses.

Expected result

Email is marked as opted-out immediately.

Actual result

Using two-click confirmation, automatic opt-out actions can be prevented because the security tools are known to click a single link only and not to take any further action.

Tags: No tags attached.
Bug heat: 4
Complete LimeSurvey version number (& build): 6.15.16
I will donate to the project if issue is resolved: No
Browser:
Database type & version: MySQL/MariaDB
Server OS (if known):
Webserver software & version (if known):
PHP Version: 8.x

Relationships

related to 07494 (acknowledged, Feature requests): Adding List-Unsubscribe header for token


Activities

Mazi (updater), 2025-10-22 15:54, note ~83643

@DenisChenu, I have added a relation to 07494 since the list-unsubscribe feature you are discussing in that ticket could also be another option to temporarily solve this. Unfortunately, LimeSurvey is missing both: list-unsubscribe and a secure opt-out using two-click confirmation.
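
The list-unsubscribe alternative mentioned in the note above, as an added example that is not LimeSurvey code and is not taken from feature request 07494: the headers involved are List-Unsubscribe (RFC 2369) and List-Unsubscribe-Post (RFC 8058), built here with Python's standard email module. The sender address, recipient, opt-out URL and token value are constructed for the example. The RFC 8058 "one-click" unsubscribe is a POST sent by the mailbox provider after the recipient presses the provider's own unsubscribe button, so a link scanner's GET of the same URL is not an unsubscribe request and the handler below treats it as a no-op.

```python
"""List-Unsubscribe (RFC 2369) and List-Unsubscribe-Post (RFC 8058) headers for an
invitation, plus the server-side check for the provider's one-click POST.
All addresses, URLs and token values are constructed for this example."""
from email import message_from_string, policy
from email.message import EmailMessage
from urllib.parse import parse_qs


def build_invitation(to_addr, optout_url, unsubscribe_mailto):
    """Return an invitation carrying both unsubscribe headers."""
    msg = EmailMessage()
    msg["From"] = "survey@example.org"          # constructed sender
    msg["To"] = to_addr
    msg["Subject"] = "Survey invitation"
    # RFC 2369: one or more <URI> entries; a mailto: and an https: URL are the usual pair.
    msg["List-Unsubscribe"] = f"<mailto:{unsubscribe_mailto}>, <{optout_url}>"
    # RFC 8058: signals that the https URL accepts a one-click POST with exactly this body.
    msg["List-Unsubscribe-Post"] = "List-Unsubscribe=One-Click"
    msg.set_content("Please take part in our survey.")
    return msg


def unsubscribe_urls(raw_message):
    """What a mailbox provider does: read the <...> entries back out of the wire form."""
    msg = message_from_string(raw_message, policy=policy.default)
    header = msg.get("List-Unsubscribe", "")
    return [part.strip().strip("<>") for part in header.split(",") if part.strip()]


def is_one_click_unsubscribe(method, content_type, body):
    """Server side: only the RFC 8058 POST (form-encoded, List-Unsubscribe=One-Click)
    counts as an unsubscribe; any GET, such as a URL scanner's fetch, does not."""
    if method != "POST":
        return False
    if content_type.split(";")[0].strip().lower() != "application/x-www-form-urlencoded":
        return False
    return parse_qs(body).get("List-Unsubscribe") == ["One-Click"]
```

Whether LimeSurvey emits these headers at all is exactly what 07494 asks for; the example only shows what the headers and the matching server check look like.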

DenisChenu (developer), 2025-10-22 15:55, note ~83644

Opt-out needs a confirmation.

Isn't that the case in 3.X or 5.X?

Mazi (updater), 2025-10-22 15:56, note ~83645

Potential systems causing this behavior (not tested) are:
Microsoft Defender Safe Links, Proofpoint, Mimecast, Barracuda

Mazi (updater), 2025-10-22 15:59, note ~83646

@DenisChenu, at 3.x (and maybe 5.x) there was no confirmation at all. Clicking the link directly led to opt-out.
At LS 6.x we do have a confirmation button, but it gets triggered by some security tools scanning the links as well, and users still get opted out automatically, e.g. at MOPAN, a division of OECD.

Suggested Solution: Implement a Two-Click Opt-Out procedure as follows:
The first click (GET) should only open a neutral confirmation page, without triggering any action.
The actual Opt-Out should only occur via a POST request with a valid CSRF token or other anti-bot mechanism (short-lived token, cookie binding, JavaScript delay).

This would effectively prevent automated link scanners from triggering Opt-Outs and ensure compliance with best practices for secure and user-controlled unsubscribe flows.

DenisChenu (developer), 2025-10-22 16:08, note ~83647

> At LS 6.x we do have a confirmation button but that gets triggered by some security tools scanning the links as well and users still get opted-out automatically, e.g. at MOPAN, a division of OECD.

OK, a click on the button/submit (the security system makes it mad …)

> Suggested Solution: Implement a Two-Click Opt-Out procedure as follows:
> The first click (GET) should only open a neutral confirmation page, without triggering any action.
> The actual Opt-Out should only occur via a POST request with a valid CSRF token or other anti-bot mechanism (short-lived token, cookie binding, JavaScript delay).

You're right: the current button is only a link.

> Suggested Solution: Implement a Two-Click Opt-Out procedure as follows:

  1. Replace the button with a submit button
  2. Add a checkbox "I confirm" with the required attribute
  3. The action checks both: form submitted and confirm checked.
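
The procedure proposed in the two notes above (Mazi: GET opens a neutral page, the opt-out happens only on a POST with a CSRF-style token; DenisChenu: submit button, required "I confirm" checkbox, server checks both) as one worked model. This is an added example, not LimeSurvey code, and it is written in Python rather than the project's PHP so it can be run stand-alone; the Request/Response classes, the `optout_nonce` cookie, the 15-minute token lifetime and the participant token `abc123` are assumptions. It also models the current single-link behaviour the thread describes, so a simulated link scanner can be run against both handlers.

```python
"""Model of a two-click opt-out: GET only renders a confirmation form, and the
opt-out happens only on a POST carrying a short-lived, participant-bound HMAC
token plus the "I confirm" checkbox. Names and shapes are assumptions."""
import hashlib
import hmac
import re
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict

SERVER_SECRET = secrets.token_bytes(32)  # per-installation secret (assumed)
TOKEN_TTL = 900                          # confirmation lifetime in seconds (assumed)

@dataclass
class Request:
    method: str
    params: Dict[str, str]               # query string (GET) or form body (POST)
    cookies: Dict[str, str] = field(default_factory=dict)

@dataclass
class Response:
    status: int
    body: str
    set_cookie: Dict[str, str] = field(default_factory=dict)

def legacy_optout_handler(req, opted_out):
    """Behaviour the thread describes: the confirm 'button' is a plain link, so
    the second GET that a link scanner issues performs the opt-out."""
    ptoken = req.params.get("token", "")
    if ptoken not in opted_out:
        return Response(404, "unknown token")
    if req.params.get("confirm") == "1":
        opted_out[ptoken] = True
        return Response(200, "opted out")
    return Response(200, f'<a href="?token={ptoken}&confirm=1">Opt out</a>')

def _sign(ptoken, nonce, expires):
    msg = f"{ptoken}|{nonce}|{expires}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()

def make_csrf(ptoken, nonce, now):
    expires = int(now) + TOKEN_TTL
    return f"{expires}.{_sign(ptoken, nonce, expires)}"

def csrf_valid(ptoken, nonce, csrf, now):
    try:
        expires_s, mac = csrf.split(".", 1)
        expires = int(expires_s)
    except ValueError:
        return False
    if now > expires:
        return False
    expected = _sign(ptoken, nonce, expires)
    return hmac.compare_digest(mac.encode(), expected.encode())

def optout_handler(req, opted_out, now=None):
    """Hardened flow: GET has no side effect; POST needs an unexpired token bound
    to the nonce cookie the GET set, plus confirm=1 (the required checkbox)."""
    now = time.time() if now is None else now
    ptoken = req.params.get("token", "")
    if ptoken not in opted_out:
        return Response(404, "unknown token")
    if req.method == "GET":
        nonce = secrets.token_urlsafe(16)  # cookie binding: POST must come from this page view
        csrf = make_csrf(ptoken, nonce, now)
        body = ('<form method="post">'
                f'<input type="hidden" name="csrf" value="{csrf}">'
                '<label><input type="checkbox" name="confirm" value="1" required> I confirm</label>'
                '<button type="submit">Opt out</button></form>')
        return Response(200, body, set_cookie={"optout_nonce": nonce})
    if req.method == "POST":
        nonce = req.cookies.get("optout_nonce", "")
        if not nonce or not csrf_valid(ptoken, nonce, req.params.get("csrf", ""), now):
            return Response(403, "invalid or expired confirmation")
        if req.params.get("confirm") != "1":
            return Response(400, "confirmation checkbox not checked")
        opted_out[ptoken] = True
        return Response(200, "opted out")
    return Response(405, "method not allowed")

def scanner_visit(handler, opted_out, ptoken):
    """URL-scanning mail gateway model: GET the link, then GET every link found
    in the response; keep no cookies, never submit a form."""
    page = handler(Request("GET", {"token": ptoken}), opted_out)
    for href in re.findall(r'href="\?([^"]+)"', page.body):
        params = dict(kv.split("=", 1) for kv in href.split("&"))
        handler(Request("GET", params), opted_out)
    return opted_out[ptoken]

def human_confirms(opted_out, ptoken, now=None, delay=5.0, confirm=True):
    """Real user: load the page, tick the box, submit with the page's cookie; returns the POST status."""
    now = time.time() if now is None else now
    page = optout_handler(Request("GET", {"token": ptoken}), opted_out, now)
    csrf = re.search(r'name="csrf" value="([^"]+)"', page.body).group(1)
    form = {"token": ptoken, "csrf": csrf, **({"confirm": "1"} if confirm else {})}
    post = Request("POST", form, page.set_cookie)
    return optout_handler(post, opted_out, now + delay).status
```

The scanner model follows every link it finds but keeps no cookie jar and submits no form, which is why the hardened handler's state change is never reached: the only path to `opted_out` is a POST whose token was minted for the nonce cookie of the same page view and is still inside `TOKEN_TTL`. The `required` checkbox on its own would not stop a sandbox that renders the page and submits the form, and neither would the cookie binding if that sandbox keeps cookies; the thread's observation that these products click a single link and take no further action is what the design relies on, so the residual risk is a scanner that does more than that.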

Mazi (updater), 2025-10-22 16:13, note ~83648

Sounds like a plan :-)

@tibor.pacalat: Can you discuss this at the next meeting? We already have complaints from some companies that consider LimeSurvey useless for closed surveys with opt-out links due to this issue.

Issue History

Date Modified    | Username   | Field              | Change
-----------------+------------+--------------------+------------------
2025-10-22 15:53 | Mazi       | New Issue          |
2025-10-22 15:53 | Mazi       | Relationship added | related to 07494
2025-10-22 15:54 | Mazi       | Note Added         | 83643
2025-10-22 15:54 | Mazi       | Bug heat           | 0 => 2
2025-10-22 15:55 | DenisChenu | Note Added         | 83644
2025-10-22 15:55 | DenisChenu | Bug heat           | 2 => 4
2025-10-22 15:56 | Mazi       | Note Added         | 83645
2025-10-22 15:59 | Mazi       | Note Added         | 83646
2025-10-22 16:08 | DenisChenu | Note Added         | 83647
2025-10-22 16:13 | Mazi       | Note Added         | 83648