Double opt-in, Question about adding people to a Mailman list
Hi,
I run a Mailman 2 list for an organization of writers with disabilities. Recently our president has become concerned that some people wanting to join the group may not be responding to the standard Mailman subscription confirmation message because, from the From: line and the subject line, they're not sure what it is and don't want to open it. I understand why the subject line needs to be what it is, so people can just reply to the message to confirm their subscription. Even more confusing is that for complicated historical reasons the name of our list has nothing to do with the name of our organization, which might confuse prospective new members further.
One proposal for fixing this problem is for our secretary to confirm that a new member does want to be subscribed to our list, then use the Mailman interface to add the new member outright, without that person having to go through the confirmation process. My concern with this approach is the ever-present spam police. I know that the way Mailman works by default, where someone requests to subscribe, receives a confirmation Email, then has to take some action to confirm their subscription, is confirmed opt-in or double opt-in. My question is, if person A tells person B they want to join the list, through Email or some other method that person B can later document, then person B puts person A on the list with no further confirmation required, does this constitute confirmed/double opt-in in the eyes of anyone to whom this matters?
Thanks for any thoughts,
Jayson
On 5/22/22 00:17, Jayson Smith wrote:
By default, confirmation requests are sent with From: and Subject: like
From: listname-request@example.com
Subject: confirm+the_hex_token
If you, or the installation sets
VERP_CONFIRMATIONS = Yes
in mm_cfg.py, they will be sent like
From: listname-confirm+the_hex_token
Subject: Your confirmation is required to join the listname mailing list
If you can do this, it will help.
Not really. Person C can still send email to person B spoofing person A. In your scenario, upon receiving email allegedly from person A, person B would need to respond to person A asking for confirmation and receive confirmation from person A before adding person A to the list.
--
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
Mark Sapiro writes:
On 5/22/22 00:17, Jayson Smith wrote:
@Jayson Is this especially a problem for people with disabilities, as compared to new subscribers in general?
In fact, I expect the answer is "no". But I think it's worth trying to improve this in Mailman 3 for the general population, too, and if we can improve this in a more accessible way I would like to be aware of it.
@Mark This is "From: listname-confirm+the_hex_token@EXAMPLE.COM", right? I'm not sure that's much better, especially in Jayson's situation where the email address and the organization are hard to associate with each other.
Note that the point of this multipart handshake is that email itself is insecure; it is rather easy to fake authorship of an email message well enough to get past someone who is not well-versed in email arcana. It is much harder to fake the ability to read from a mailbox.
So it's really not possible to omit the "send token" and "receive confirmation" steps if you want to be sure the person who requests a subscription has the right to request people send stuff to the mailbox.
Steve
On 5/22/2022 12:17 AM, Jayson Smith wrote:
That's not an uncommon problem but it's often managed simply by some instructions that explain what they'll receive-
"When you ask to subscribe and enter your email address, you will soon receive an email there that looks like (insert example); you must Reply to that email in order to be added to the %%%-list. We do this to make sure that your email works and that you want to receive mail from it."
or something like that
Later,
z!
participants (4)
- Carl Zwanzig
- Jayson Smith
- Mark Sapiro
- Stephen J. Turnbull