I was looking through my spam folder, and there's an email that is 100% sure spam, which asks me to confirm that I want to unsubscribe by clicking some big unsubscribe button. That button is simply a mailto: link, similar to the one below.
There are no images in the email, so no pixel tracking.
What is the attack here?
Is the attacker’s hope that I would click on the mailto link, and then click send, and then they’d know that my email address is of a gullible person, so they’d better prioritize their real spamming resources, or is there more to it?
I find the above attack odd, because it puts quite some burden on the person being attacked. I need to ignore the fact that I never subscribed, so clicking on unsubscribe should not be required; then I need to click on Unsubscribe; then the mailto: protocol needs to be correctly associated with whatever I use for email; then I also need to click send; then the email client would ask me to confirm that I want to send a message without any content; then I would either confirm, or actually write some text in the content; and then the message would be sent, and the attack would be successful. That's a lot of work, and I can change my mind at any time in this process and the attack would be unsuccessful.
Can a mailto link be somehow exploited?
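As an added illustration (not part of the question above), the following script shows what a reader can learn from such a link before ever pressing send: it pulls every mailto: link out of an email's HTML body, splits it into recipients and prefilled header fields per RFC 6068, and flags whether the reply would go to a domain other than the sender's. The sample HTML, the placeholder addresses and the sender-domain heuristic are assumptions made for this example.

```python
from html.parser import HTMLParser
from urllib.parse import unquote

class MailtoCollector(HTMLParser):
    """Collect href values of <a> tags whose scheme is mailto:."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        for name, value in attrs:
            if name == "href" and value and value.lower().startswith("mailto:"):
                self.links.append(value)

def parse_mailto(href):
    """Split a mailto: URL into recipients and header fields (RFC 6068).
    '+' is literal in mailto URLs, so only percent-decoding is applied."""
    addr_part, _, query = href[len("mailto:"):].partition("?")
    recipients = [unquote(a) for a in addr_part.split(",") if a]
    headers = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        key, value = unquote(key).lower(), unquote(value)
        if key == "to":  # RFC 6068 allows extra recipients via a 'to' field
            recipients.extend(v for v in value.split(",") if v)
        else:
            headers[key] = value
    return {"recipients": recipients, "headers": headers}

def inspect_mailto_links(html, sender_domain):
    """Report, for every mailto: link, who would receive the reply, whether
    that domain differs from the sender's (assumed heuristic), and which
    header fields the link prefills (e.g. subject, body)."""
    collector = MailtoCollector()
    collector.feed(html)
    report = []
    for href in collector.links:
        parsed = parse_mailto(href)
        domains = {r.rsplit("@", 1)[-1].lower() for r in parsed["recipients"] if "@" in r}
        parsed["reply_goes_elsewhere"] = any(d != sender_domain.lower() for d in domains)
        parsed["prefilled"] = sorted(k for k, v in parsed["headers"].items() if v)
        report.append(parsed)
    return report

# Constructed sample with placeholder addresses, not taken from the original post.
SAMPLE_HTML = '<p>Click to confirm.</p><a href="mailto:unsubscribe@example.net?subject=Unsubscribe%20me&amp;body=">Unsubscribe</a>'
```

Running `inspect_mailto_links(SAMPLE_HTML, "example.org")` shows that the reply would be addressed to example.net with a prefilled subject, which is everything the recipient of the reply would learn about you before you have typed a word.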