On Fri, Sep 20, 2002 at 09:14:05AM -0400, Jim Popovitch wrote:
> Sure, but that's why other packages confirm unsubs as well as subs. If I
> can completely take over a user's account, Mailman will tell me the
> password. Again, there is no valid reason for requiring a password to unsub
> via email other than to eliminate confirmation emails. At the end of the
> day more of my users would prefer confirmation emails over having to go to
> some website to request a password be sent in an email so that they can send
> another email to unsubscribe.
>
> -Jim P.
>
> > -----Original Message-----
> > From: Kyle Rhorer
> > Sent: Friday, September 20, 2002 1:33 AM
> > To: Jim Popovitch
> > Cc: [EMAIL PROTECTED]
> > Subject: Re: [Mailman-Users] Subscription options help
> >
> >
> > On Thursday 19 September 2002 22:38, Jim Popovitch wrote:
> > > <rant>
> > > Mailman should allow unsubscriptions via confirmed email w/o
> > > requiring a password, there is no valid reason to require the
> > > password when unsubscribing via email.
> > > </rant>
> >
> > Do you know how easy it is to spoof email? That's the valid reason
> > Mailman requires a password even when unsubscribing via email.

No it isn't.

Do you know how easy it is to kick down the door of a house and steal the stereo? That's not a valid reason in and of itself for all of us to install ten-foot cyclone fences with razor wire.

As always with security, this is a risk management decision. Informed people in different circumstances will make different decisions. Sometimes even in the same circumstances. And they may all be right.

You may run a contentious discussion list with members who hate each other and love to play pranks. You'd better secure your "unsubscribe".

Joe over there may run a 20,000-subscriber announce list where nobody knows or cares who else is subscribed, but a significant number of clueless or even marginally functioning people sign up, maybe not fully understanding what they're doing, and after receiving a few posts, decide they want off. If he's lucky they won't report his list to SpamCop, who then will holler at his upstream ISP, who in turn will want him to prove for the nth time that his lists use double-opt-in.

Try telling these angry people "you have to go to a website and get your password mailed to you then go back to the website and unsubscribe." If they even try, they'll autoreport the password reminder. Then yell at Joe for not sending it. Even mailback confirmation will elicit an angry response from some of them.

Hoping they'll leave quietly, Joe wants to make it as easy as possible for announce list members to leave. That's a very strong and sufficient reason to offer simple single-email unsubscribe, at least as an option.

I've implemented such here at SSC, using a certain amount of string and sealing wax, and it cuts down customer service expense by a lot.

--
-----------------------------------------------------------------
Dan Wilder <[EMAIL PROTECTED]>   Technical Manager
SSC, Inc. P.O. Box 55549        Phone: 206-782-8808
Seattle, WA 98155-0549          URL http://www.linuxjournal.com/
-----------------------------------------------------------------

------------------------------------------------------
Mailman-Users mailing list
[EMAIL PROTECTED]
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/