[Mailman-Users] Users being unsubscribed without requesting it.
Mark Sapiro
mark at msapiro.net
Mon Aug 28 18:34:27 EDT 2017
On 08/19/2017 08:31 AM, Steve Wehr wrote:
>
> Some further info... I was including a link at the bottom of all emails sent
> by mailman (in the msg_footer field:
> "Click this link to unsubscribe:
> %(user_optionsurl)s?password=%(user_password)s&unsub=1&unsubconfirm=1"
>
> I thought perhaps users were accidentally clicking this and unsubscribing
> themselves, so I have removed the "&unsubconfirm=1" part of the URL so they
> will have to manually confirm.
>
> Maybe this would foil ISPs who are automatically following this link to
> unsubscribe people. Do ISPs really do this?
Including a link like the above is a very bad idea. It leads to:
A receives a list post.
A forwards the post to friend B
B clicks the unsubscribe link either maliciously or thinking she's been
subscribed to a list.
A is removed from the list.
Do not include the password in the link. Just make it
%(user_optionsurl)s?login-unsub=Unsubscribe
This will send a "Your confirmation is required to leave the xxx mailing
list" message to user A which user A will hopefully ignore.
If you just drop the &unsubconfirm=1, B can still confirm and unsubscribe A.
--
Mark Sapiro <mark at msapiro.net> The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan
More information about the Mailman-Users
mailing list