Do mail servers follow links in emails as part of a security scan before inbox delivery?

This is not a new problem.

I haven't had to work around it in a few years, so I don't know if the state of the art has changed, but there are a few things you can try:

1) don't process your link unless it has a special query param in it. The query param is added by a client-side redirect (I used http://insider.zone/tools/client-side-url-redirect-generator/ to handle some of the cross-browser messiness) but the server-side code would return this with the query-paramless link to the browser. So:

user clicks 'https://magiclink.foo.org/ajskdfjwlakefj'

server does not see magic redirect, so

redirects to 'https://magiclink.foo.org/ajskdfjwlakefj?follow=true'

and server-side code, seeing "follow=true", would process and then invalidate that token.

2) I think you could do the same with a redirect from GET->POST with a form submit, but I haven't tried.

Good luck!


Easy enough to put a CAPTCHA on the one-time link to confirm the visitor is human before using the link. So, the mail filter will still visit the page but won't trigger the action expected by simply visiting the link (likely a cURL request instead of a browser with DOM/JS).