[Mailman-Users] Subscription options help

Dan Wilder dan at ssc.com
Fri Sep 20 18:12:33 CEST 2002

On Fri, Sep 20, 2002 at 09:14:05AM -0400, Jim Popovitch wrote:
> Sure, but that's why other packages confirm unsubs as well as subs.  If I
> can completely take over a users' account, Mailman will tell me the
> password.  Again, there is no valid reason for requiring a password to unsub
> via email other than to eliminate confirmation emails.  At the end of the
> day more of my users would prefer confirmation emails over having to go to
> some website to request a password be sent in an email so that they can send
> another email to unsubscribe.
> -Jim P.
> > -----Original Message-----
> > From: Kyle Rhorer [mailto:rhorer at swbell.net]
> > Sent: Friday, September 20, 2002 1:33 AM
> > To: Jim Popovitch
> > Cc: mailman-users at python.org
> > Subject: Re: [Mailman-Users] Subscription options help
> >
> >
> > On Thursday 19 September 2002 22:38, Jim Popovitch wrote:
> > > <rant>
> > > Mailman should allow unsubscriptions via confirmed email w/o
> > > requiring a password, there is no valid reason to require the
> > > password when unsubscribing via email.
> > > </rant>
> >
> > Do you know how easy it is to spoof email?  That's the valid reason
> > Mailman requires a password even when unsubscribing via email.
> >

No it isn't.  

Do you know how easy it is to kick down the door of a house and steal
the stereo?   That's not valid reason in and of itself for all of us
to install ten-foot cyclone fences with razor wire.

As always with security, this is a risk management decision.  Informed
people in different circumstances will make different decisions.
Sometimes even in the same circumstances.  And they may all be right.

You may run a contentious discussion list with members who hate each
other and love to play pranks.  You'd better secure your "unsubscribe".

Joe over there may run a 20,000-subscriber announce list where nobody
knows or cares who else is subscribed, but a significant number of
clueless or even marginally functioning people sign up, maybe not fully
understanding what they're doing, and after receiving a few posts,
decide they want off.  If he's lucky they won't report his list to
SpamCop, who then will holler at his upstream ISP, who in turn will
want him to prove for the nth time that his lists use double-opt-in.

Try telling these angry people "you have to go to a website and get your
password mailed to you then go back to the website and unsubscribe."  If
they even try, they'll autoreport the password reminder.  Then yell at
Joe for not sending it.  Even mailback confirmation will elicit an angry
response from some of them.

Hoping they'll leave quietly, Joe wants to make it as easy as possible
for announce list members to leave.  

That's a very strong and sufficient reason to offer simple single-email
unsubscribe, at least as an option.

I've implemented such here at SSC, using a certain amount of string
and sealing wax, and it cuts down customer service expense by a lot.

 Dan Wilder <dan at ssc.com>   Technical Manager
 SSC, Inc. P.O. Box 55549   Phone:  206-782-8808
 Seattle, WA  98155-0549    URL http://www.linuxjournal.com/

More information about the Mailman-Users mailing list