[Mailman-Users] Users being unsubscribed without requesting it.

Mark Sapiro mark at msapiro.net
Mon Aug 28 18:34:27 EDT 2017


On 08/19/2017 08:31 AM, Steve Wehr wrote:
> 
> Some further info... I was including a link at the bottom of all emails sent
> by mailman (in the msg_footer field: 
> "Click this link to unsubscribe:
> %(user_optionsurl)s?password=%(user_password)s&unsub=1&unsubconfirm=1" 
> 
> I thought perhaps users were accidentally clicking this and unsubscribing
> themselves, so I have removed the "&unsubconfirm=1" part of the URL so they
> will have to manually confirm.
> 
> Maybe this would foil ISPs who are automatically following this link to
> unsubscribe people. Do ISPs really do this?


Including a link like the above is a very bad idea. It leads to:

A receives a list post.

A forwards the post to friend B

B clicks the unsubscribe link either maliciously or thinking she's been
subscribed to a list.

A is removed from the list.

Do not include the password in the link. Just make it

%(user_optionsurl)s?login-unsub=Unsubscribe

This will send a "Your confirmation is required to leave the xxx mailing
list" message to user A which user A will hopefully ignore.

If you just drop the &unsubconfirm=1, B can still confirm and unsubscribe A.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
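To make the forwarding scenario above concrete, here is a small Python model added for illustration; it is not Mailman's code and not part of the original thread. It expands the `msg_footer` placeholders `%(user_optionsurl)s` and `%(user_password)s` the way Mailman does (Python `%`-substitution over a dict) and then models a list server's options page only far enough to show who can remove member A when the post is forwarded to B. The list URL, the subscriber record and the `ListServer` class are all constructed assumptions that approximate the behaviour the reply describes; they are not the real options CGI.

```python
"""Why a password-bearing unsubscribe link in msg_footer is unsafe.

Added illustration, not Mailman's own code. It expands msg_footer
placeholders the way Mailman does (Python %-substitution over a dict) and
then models a list server's options page just far enough to show who can
unsubscribe the member when a post is forwarded and the recipient clicks.
"""
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed sample data; the list URL and password are placeholders.
SUBSCRIBER = {"email": "a@example.org", "password": "constructed-pw"}
OPTIONS_URL = "https://lists.example.org/mailman/options/xxx/a%40example.org"

FOOTER_TEMPLATES = {
    # Footer from the original post: the password rides along in the URL.
    "password_autoconfirm":
        "%(user_optionsurl)s?password=%(user_password)s&unsub=1&unsubconfirm=1",
    # Poster's change: auto-confirm dropped, password still in the URL.
    "password_manual":
        "%(user_optionsurl)s?password=%(user_password)s&unsub=1",
    # Recommended form: no credential; the server mails a confirmation.
    "login_unsub":
        "%(user_optionsurl)s?login-unsub=Unsubscribe",
}


def render_footer(template, subscriber):
    """Expand the per-member placeholders as Mailman does for msg_footer."""
    return template % {
        "user_optionsurl": OPTIONS_URL,
        "user_password": subscriber["password"],
    }


class ListServer:
    """Minimal model of the options page; not Mailman's real handler."""

    def __init__(self, subscribers):
        self.members = {s["email"]: dict(s) for s in subscribers}
        self.pending = {}  # confirmation cookie -> member e-mail
        self.mailed = []   # (recipient, cookie) the server would e-mail

    def _new_cookie(self, email):
        cookie = secrets.token_hex(8)
        self.pending[cookie] = email
        return cookie

    def handle_click(self, url, member_email):
        """Whoever holds the URL is the principal; the server cannot tell A from B."""
        qs = parse_qs(urlsplit(url).query)
        if member_email not in self.members:
            return "not a member"
        if "login-unsub" in qs:
            # No credential supplied: the only confirmation path is the
            # subscriber's own mailbox, which a forwarding recipient lacks.
            self.mailed.append((member_email, self._new_cookie(member_email)))
            return "confirmation mailed to subscriber"
        supplied = qs.get("password", [""])[0]
        if supplied != self.members[member_email]["password"]:
            return "login required"
        if "unsub" not in qs:
            return "logged in"
        if "unsubconfirm" in qs:
            del self.members[member_email]
            return "unsubscribed immediately"
        # Manual confirm: the form (and its cookie) goes back to whoever
        # clicked, so the URL holder can complete it without the mailbox.
        return "confirm on page:" + self._new_cookie(member_email)

    def confirm(self, cookie):
        """Redeem a confirmation cookie; returns True if a member was removed."""
        email = self.pending.pop(cookie, None)
        if email in self.members:
            del self.members[email]
            return True
        return False


def forwarded_click(variant):
    """A forwards a post to B; B clicks the footer link and any form it shows.

    Returns (A still subscribed?, number of confirmations mailed to A).
    B cannot read A's mailbox, so mailed cookies are never redeemed.
    """
    server = ListServer([SUBSCRIBER])
    link = render_footer(FOOTER_TEMPLATES[variant], SUBSCRIBER)
    outcome = server.handle_click(link, SUBSCRIBER["email"])
    if outcome.startswith("confirm on page:"):
        server.confirm(outcome.split(":", 1)[1])
    return SUBSCRIBER["email"] in server.members, len(server.mailed)


if __name__ == "__main__":
    for name in FOOTER_TEMPLATES:
        print(f"{name:22s} A still subscribed: {forwarded_click(name)[0]}")
```

Running it shows the three outcomes from the reply: with the password in the URL, B removes A whether or not `unsubconfirm=1` is present, because the on-page confirmation is shown to whoever clicked; with `login-unsub=Unsubscribe` the only thing B can trigger is a confirmation message to A's own address, which A can ignore.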