On 08/19/2017 08:31 AM, Steve Wehr wrote:
>
> Some further info... I was including a link at the bottom of all emails sent
> by mailman (in the msg_footer field:
> "Click this link to unsubscribe:
> %(user_optionsurl)s?password=%(user_password)s&unsub=1&unsubconfirm=1"
>
> I thought perhaps users were accidentally clicking this and unsubscribing
> themselves, so I have removed the "&unsubconfirm=1" part of the URL so they
> will have to manually confirm.
>
> Maybe this would foil ISPs who are automatically following this link to
> unsubscribe people. Do ISPs really do this?

Including a link like the above is a very bad idea. It leads to:

  A receives a list post.
  A forwards the post to friend B
  B clicks the unsubscribe link either maliciously or thinking she's been
  subscribed to a list.
  A is removed from the list.

Do not include the password in the link. Just make it

  %(user_optionsurl)s?login-unsub=Unsubscribe

This will send a "Your confirmation is required to leave the xxx mailing
list" message to user A which user A will hopefully ignore.

If you just drop the &unsubconfirm=1, B can still confirm and unsubscribe A.

--
Mark Sapiro <m...@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
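
A check for the footer problem discussed in this thread, as an added example that is not part of the original messages and not Mailman code: it audits a msg_footer template for options-page links that embed the member's password. The function name and finding codes are hypothetical; the sample templates are constructed from the forms quoted above.

```python
import re

# Matches an options-page link in a footer template and captures its query string.
OPTIONS_LINK = re.compile(r"%\(user_optionsurl\)s\?([^\s\"'<>]+)")
PASSWORD_VAR = "%(user_password)s"

def audit_footer(template):
    """Return sorted finding codes for one msg_footer template (empty list = clean)."""
    findings = set()
    for match in OPTIONS_LINK.finditer(template):
        params = {}
        for pair in match.group(1).split("&"):
            key, _, value = pair.partition("=")
            params[key] = value
        if any(PASSWORD_VAR in v for v in params.values()):
            # Any forwarded copy of the message now carries the member's credential.
            findings.add("password-in-link")
            if "unsub" in params:
                if "unsubconfirm" in params:
                    findings.add("one-click-unsubscribe")
                else:
                    # Whoever holds the message can still confirm on the member's behalf.
                    findings.add("forwardable-unsubscribe")
    # The password substitution exposes the credential even outside a link.
    if PASSWORD_VAR in template and "password-in-link" not in findings:
        findings.add("password-in-footer")
    return sorted(findings)

# Constructed sample templates, based on the forms quoted in the thread.
ORIGINAL = ("Click this link to unsubscribe: "
            "%(user_optionsurl)s?password=%(user_password)s&unsub=1&unsubconfirm=1")
WITHOUT_CONFIRM = ("Click this link to unsubscribe: "
                   "%(user_optionsurl)s?password=%(user_password)s&unsub=1")
RECOMMENDED = "Unsubscribe: %(user_optionsurl)s?login-unsub=Unsubscribe"

if __name__ == "__main__":
    for name, tpl in [("original", ORIGINAL), ("without confirm", WITHOUT_CONFIRM),
                      ("recommended", RECOMMENDED)]:
        print(f"{name:16} {audit_footer(tpl) or 'ok'}")
```
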