[Mailman-Users] Users being unsubscribed without requesting it.

Grant Taylor gtaylor at tnetconsulting.net
Mon Aug 21 17:56:52 EDT 2017


On 08/21/2017 02:08 PM, John Levine wrote:
> There are plenty of anti-spam schemes that fetch all the URLs in a
> message to see whether they're malicious.  That's why ESPs usually
> have a landing page with a confirm link, and why we wrote RFC 8058
> which defines a one-click opt-out link that uses POST rather than GET,
> since the URL malware fetchers all do GETs.

Why do single click?

Why not do confirmed?

I.e. you go to a page that asks you to "Click here to confirm that you 
want to unsubscribe."?

I never understood the problem with (what I consider to be) double opt 
in / out.

I'd also worry that the POST method is not distinct enough compared to 
GET.  (At least compared to double opt out.)



-- 
Grant. . . .
unix || die
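
The two approaches discussed in this thread, side by side, as an added example that is not part of the original message or of Mailman's code: a GET only renders a confirmation page, and the subscription changes only on a POST, either the RFC 8058 one-click body or the submitted confirm form. The secret, token format, `confirm` field name and sample addresses are assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qs

SECRET = b"constructed-demo-key"  # assumption: a per-list secret key
subscribers = {"alice@example.org", "bob@example.org"}  # constructed sample data


def make_token(address: str) -> str:
    """Opaque, hard-to-forge identifier to embed in the unsubscribe URL."""
    mac = hmac.new(SECRET, address.encode(), hashlib.sha256).hexdigest()
    return f"{address}:{mac}"


def verify_token(token: str):
    """Return the address if the token's MAC is valid, else None."""
    address, _, mac = token.rpartition(":")
    expected = hmac.new(SECRET, address.encode(), hashlib.sha256).hexdigest()
    ok = hmac.compare_digest(mac.encode(), expected.encode())
    return address if ok else None


def handle_unsubscribe(method: str, token: str, body: str = ""):
    """Return (status, text). Only a POST ever changes subscription state."""
    address = verify_token(token)
    if address is None:
        return 403, "invalid token"
    if method == "GET":
        # URL-fetching scanners land here: show a confirm form, change nothing.
        return 200, f"Click here to confirm that you want to unsubscribe {address}"
    if method == "POST":
        form = parse_qs(body)
        one_click = form.get("List-Unsubscribe") == ["One-Click"]  # RFC 8058 body
        confirmed = form.get("confirm") == ["yes"]  # hypothetical confirm-form field
        if one_click or confirmed:
            subscribers.discard(address)
            return 200, f"{address} unsubscribed"
        return 400, "missing confirmation field"
    return 405, "method not allowed"
```
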


