Re: [Mailman-Users] Users being unsubscribed without requesting it.
On 08/19/2017 08:31 AM, Steve Wehr wrote: > > Some further info... I was including a link at the bottom of all emails sent > by mailman (in the msg_footer field: > "Click this link to unsubscribe: > %(user_optionsurl)s?password=%(user_password)s&unsub=1&unsubconfirm=1" > > I thought perhaps users were accidentally clicking this and unsubscribing > themselves, so I have removed the "&unsubconfirm=1" part of the URL so they > will have to manually confirm. > > Maybe this would foil ISPs who are automatically following this link to > unsubscribe people. Do ISPs really do this? Including a link like the above is a very bad idea. It leads to: A receives a list post. A forwards the post to friend B B clicks the unsubscribe link either maliciously or thinking she's been subscribed to a list. A is removed from the list. Do not include the password in the link. Just make it %(user_optionsurl)s?login-unsub=Unsubscribe This will send a "Your confirmation is required to leave the xxx mailing list" message to user A which user A will hopefully ignore. If you just drop the &unsubconfirm=1, B can still confirm and unsubscribe A. -- Mark Sapiro The highway is for gamblers, San Francisco Bay Area, Californiabetter use your sense - B. Dylan -- Mailman-Users mailing list Mailman-Users@python.org https://mail.python.org/mailman/listinfo/mailman-users Mailman FAQ: http://wiki.list.org/x/AgA3 Security Policy: http://wiki.list.org/x/QIA9 Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe: https://mail.python.org/mailman/options/mailman-users/archive%40jab.org
Re: [Mailman-Users] Users being unsubscribed without requesting it.
There would still be a confirmation step. On Sun, Aug 20, 2017 at 5:39 PM, List Manager wrote: > Steve- > > Just a thought, but since the "unsubscribe link" has been part of the > output of your list, it is possible that someone other than the > recipient sees the link and clicks on it, either in malice or error > (trying to unsubscribe themselves) > -- > Jack Hill, W4KH - BoatAnchors Listowner/Archiver > list...@nanniandjack.com > "Plus ca change, plus c'est la meme chose" > "Il n'y a que les idiots qui ne changent jamais d'idee" > > On 2017-08-19 10:00, Steve Wehr wrote: > > > That's the best theory I have heard so far to explain the facts. > > > > The user's in question, who are being unsubscribed without asking to be, > are people who like the mailing lists they are on, and would not be > flagging emails from the list as spam. Now their ISP might, but they > wouldn't. The list owners swear to me that these people are friends who > want their emails. > > > > Some further info... I was including a link at the bottom of all emails > sent by mailman (in the msg_footer field: > > "Click this link to unsubscribe: > > %(user_optionsurl)s?password=%(user_password)s&unsub=1&unsubconfirm=1" > > > > I thought perhaps users were accidentally clicking this and unsubscribing > > themselves, so I have removed the "&unsubconfirm=1" part of the URL so > they will have to manually confirm. > > > > Maybe this would foil ISPs who are automatically following this link to > > unsubscribe people. Do ISPs really do this? > > > > _____ > > Steve Wehr > > Tunedin Web Design > > > > -Original Message- > > From: Keith Seyffarth [mailto:w...@weif.net] > > Sent: Saturday, August 19, 2017 10:55 AM > > To: Steve Wehr > > Cc: mailman-users@python.org > > Subject: Re: [Mailman-Users] Users being unsubscribed without requesting > it. > > > > "Steve Wehr" writes: > > > > > > > >> The problem is that when contacted, these users swear they DID NOT > >> unsubscribe themselves. So how can they be getting unsubscribed (with > >> messages in the logs like the one above) but they are not going to the > >> member options page and unsubscribing?? > > > > One possibility would be that they are marking these messages as "Junk" > > or "Spam" and their ESP/ISP, either through a manual or automated > process, > > is following the unsubscribe link in the email to remove them from the > > list... > -- > Mailman-Users mailing list Mailman-Users@python.org > https://mail.python.org/mailman/listinfo/mailman-users > Mailman FAQ: http://wiki.list.org/x/AgA3 > Security Policy: http://wiki.list.org/x/QIA9 > Searchable Archives: http://www.mail-archive.com/ > mailman-users%40python.org/ > Unsubscribe: https://mail.python.org/mailman/options/mailman-users/ > joly%40punkcast.com > -- --- Joly MacFie 218 565 9365 Skype:punkcast -- - -- Mailman-Users mailing list Mailman-Users@python.org https://mail.python.org/mailman/listinfo/mailman-users Mailman FAQ: http://wiki.list.org/x/AgA3 Security Policy: http://wiki.list.org/x/QIA9 Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe: https://mail.python.org/mailman/options/mailman-users/archive%40jab.org
Re: [Mailman-Users] Users being unsubscribed without requesting it.
Is it possible that others sharing the same ISP could have been spam-marking and this has led to other subs on ISP getting removed? I had a spate of nyu.edu unsubs a while back that and that seemed to possibly be the case. I had to resub people using alt emails. On Sat, Aug 19, 2017 at 10:55 AM, Keith Seyffarth wrote: > "Steve Wehr" writes: > > > > > The problem is that when contacted, these users swear they DID NOT > > unsubscribe themselves. So how can they be getting unsubscribed (with > > messages in the logs like the one above) but they are not going to the > > member options page and unsubscribing?? > > One possibility would be that they are marking these messages as "Junk" > or "Spam" and their ESP/ISP, either through a manual or automated > process, is following the unsubscribe link in the email to remove them > from the list... > > -- > > from my mac to yours... > > Keith Seyffarth > mailto:w...@weif.net > http://www.weif.net/ - Home of the First Tank Guide! > http://www.rpgcalendar.net/ - the Montana Role-Playing Calendar > > http://www.miscon.org/ - Montana's Longest Running Science Fiction > Convention > -- > Mailman-Users mailing list Mailman-Users@python.org > https://mail.python.org/mailman/listinfo/mailman-users > Mailman FAQ: http://wiki.list.org/x/AgA3 > Security Policy: http://wiki.list.org/x/QIA9 > Searchable Archives: http://www.mail-archive.com/ > mailman-users%40python.org/ > Unsubscribe: https://mail.python.org/mailman/options/mailman-users/ > joly%40punkcast.com > -- --- Joly MacFie 218 565 9365 Skype:punkcast -- - -- Mailman-Users mailing list Mailman-Users@python.org https://mail.python.org/mailman/listinfo/mailman-users Mailman FAQ: http://wiki.list.org/x/AgA3 Security Policy: http://wiki.list.org/x/QIA9 Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe: https://mail.python.org/mailman/options/mailman-users/archive%40jab.org
Re: [Mailman-Users] Users being unsubscribed without requesting it.
Julian H. Stacey writes: > Some people are clueless thus forward without pruning. While I strongly agree with you that pruning is a great idea, and award bonus points to those who prune, I think "clueless" is unfair. Granted, "leaking" personalized links is a pretty serious issue and people "should" learn to trim them, but in the face of top-posting culture that's a pretty severe demand. For more about why I believe this, see http://turnbull.sk.tsukuba.ac.jp/Teach/ESES/socsys-2.html (The last in the series is socsys-9, titled "Institutions".) Steve -- Mailman-Users mailing list Mailman-Users@python.org https://mail.python.org/mailman/listinfo/mailman-users Mailman FAQ: http://wiki.list.org/x/AgA3 Security Policy: http://wiki.list.org/x/QIA9 Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe: https://mail.python.org/mailman/options/mailman-users/archive%40jab.org
Re: [Mailman-Users] Users being unsubscribed without requesting it.
In article <7e0bd0e4-b837-4d76-3c14-a0b6dfda9...@tnetconsulting.net> you write: >-=-=-=-=-=- >-=-=-=-=-=- > >On 08/21/2017 02:08 PM, John Levine wrote: >> which defines a one-click opt-out link that uses POST rather than GET, >> since the URL malware fetchers all do GETs. > >Why do single click? Why not do confirmed? You can read RFC 8058 and find out about the specific problem it addresses. https://www.rfc-editor.org/info/rfc8058 R's, John -- Mailman-Users mailing list Mailman-Users@python.org https://mail.python.org/mailman/listinfo/mailman-users Mailman FAQ: http://wiki.list.org/x/AgA3 Security Policy: http://wiki.list.org/x/QIA9 Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe: https://mail.python.org/mailman/options/mailman-users/archive%40jab.org
Re: [Mailman-Users] Users being unsubscribed without requesting it.
On 08/21/2017 02:08 PM, John Levine wrote: There are plenty of anti-spam schemes that fetch all the URLs in a message to see whether they're malicious. That's why ESPs usually have a landing page with a confirm link, and why we wrote RFC 8058 which defines a one-click opt-out link that uses POST rather than GET, since the URL malware fetchers all do GETs. Why do single click? Why not do confirmed? I.e. you go to a page that asks you to "Click here to confirm that you want to unsubscribe."? I never understood the problem with (what I consider to be) double opt in / out. I'd also worry that the POST method is not distinct enough compared to GET. (At least compared to double opt out.) -- Grant. . . . unix || die -- Mailman-Users mailing list Mailman-Users@python.org https://mail.python.org/mailman/listinfo/mailman-users Mailman FAQ: http://wiki.list.org/x/AgA3 Security Policy: http://wiki.list.org/x/QIA9 Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe: https://mail.python.org/mailman/options/mailman-users/archive%40jab.org
Re: [Mailman-Users] Users being unsubscribed without requesting it.
In article <201708210145.v7l1io7x003...@fire.js.berklix.net> you write: >> Maybe this would foil ISPs who are automatically following this link to >> unsubscribe people. Do ISPs really do this? There are plenty of anti-spam schemes that fetch all the URLs in a message to see whether they're malicious. That's why ESPs usually have a landing page with a confirm link, and why we wrote RFC 8058 which defines a one-click opt-out link that uses POST rather than GET, since the URL malware fetchers all do GETs. R's, John -- Mailman-Users mailing list Mailman-Users@python.org https://mail.python.org/mailman/listinfo/mailman-users Mailman FAQ: http://wiki.list.org/x/AgA3 Security Policy: http://wiki.list.org/x/QIA9 Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe: https://mail.python.org/mailman/options/mailman-users/archive%40jab.org
Re: [Mailman-Users] Users being unsubscribed without requesting it.
"Steve Wehr" wrote: > That's the best theory I have heard so far to explain the facts. > > The user's in question, who are being unsubscribed without asking to be, are > people who like the mailing lists they are on, and would not be flagging > emails from the list as spam. Now their ISP might, but they wouldn't. The > list owners swear to me that these people are friends who want their emails. > > Some further info... I was including a link at the bottom of all emails sent > by mailman (in the msg_footer field: > "Click this link to unsubscribe: > %(user_optionsurl)s?password=%(user_password)s&unsub=1&unsubconfirm=1" > > I thought perhaps users were accidentally clicking this and unsubscribing > themselves, so I have removed the "&unsubconfirm=1" part of the URL so they > will have to manually confirm. > > Maybe this would foil ISPs who are automatically following this link to > unsubscribe people. Do ISPs really do this? Those list members may have forwarded some posts to acquaintances, those 3rd parties may have clicked those links mostly by accident. I have received stuff like that quite often from people (regardless what mail manager was) Some people are clueless thus forward without pruning. Some careless, some time pressured, & some 3rd parties will click Anything. Andy C's idea is good: Track a couple of cases in apache (or other httpd) logs . Cheers, Julian -- Julian H. Stacey, Computer Consultant, BSD Linux Unix Systems Engineer, Munich Reply below, Prefix '> '. Plain text, No .doc, base64, HTML, quoted-printable. http://berklix.eu/brexit/#3,500,000_stolen_votes_inc_700,000_in_EU -- Mailman-Users mailing list Mailman-Users@python.org https://mail.python.org/mailman/listinfo/mailman-users Mailman FAQ: http://wiki.list.org/x/AgA3 Security Policy: http://wiki.list.org/x/QIA9 Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe: https://mail.python.org/mailman/options/mailman-users/archive%40jab.org
Re: [Mailman-Users] Users being unsubscribed without requesting it.
Steve- Just a thought, but since the "unsubscribe link" has been part of the output of your list, it is possible that someone other than the recipient sees the link and clicks on it, either in malice or error (trying to unsubscribe themselves) -- Jack Hill, W4KH - BoatAnchors Listowner/Archiver list...@nanniandjack.com "Plus ca change, plus c'est la meme chose" "Il n'y a que les idiots qui ne changent jamais d'idee" On 2017-08-19 10:00, Steve Wehr wrote: > That's the best theory I have heard so far to explain the facts. > > The user's in question, who are being unsubscribed without asking to be, are > people who like the mailing lists they are on, and would not be flagging > emails from the list as spam. Now their ISP might, but they wouldn't. The > list owners swear to me that these people are friends who want their emails. > > Some further info... I was including a link at the bottom of all emails sent > by mailman (in the msg_footer field: > "Click this link to unsubscribe: > %(user_optionsurl)s?password=%(user_password)s&unsub=1&unsubconfirm=1" > > I thought perhaps users were accidentally clicking this and unsubscribing > themselves, so I have removed the "&unsubconfirm=1" part of the URL so they > will have to manually confirm. > > Maybe this would foil ISPs who are automatically following this link to > unsubscribe people. Do ISPs really do this? > > _ > Steve Wehr > Tunedin Web Design > > -Original Message- > From: Keith Seyffarth [mailto:w...@weif.net] > Sent: Saturday, August 19, 2017 10:55 AM > To: Steve Wehr > Cc: mailman-users@python.org > Subject: Re: [Mailman-Users] Users being unsubscribed without requesting it. > > "Steve Wehr" writes: > > > >> The problem is that when contacted, these users swear they DID NOT >> unsubscribe themselves. So how can they be getting unsubscribed (with >> messages in the logs like the one above) but they are not going to the >> member options page and unsubscribing?? > > One possibility would be that they are marking these messages as "Junk" > or "Spam" and their ESP/ISP, either through a manual or automated process, > is following the unsubscribe link in the email to remove them from the > list... -- Mailman-Users mailing list Mailman-Users@python.org https://mail.python.org/mailman/listinfo/mailman-users Mailman FAQ: http://wiki.list.org/x/AgA3 Security Policy: http://wiki.list.org/x/QIA9 Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe: https://mail.python.org/mailman/options/mailman-users/archive%40jab.org
Re: [Mailman-Users] Users being unsubscribed without requesting it.
That's the best theory I have heard so far to explain the facts. The user's in question, who are being unsubscribed without asking to be, are people who like the mailing lists they are on, and would not be flagging emails from the list as spam. Now their ISP might, but they wouldn't. The list owners swear to me that these people are friends who want their emails. Some further info... I was including a link at the bottom of all emails sent by mailman (in the msg_footer field: "Click this link to unsubscribe: %(user_optionsurl)s?password=%(user_password)s&unsub=1&unsubconfirm=1" I thought perhaps users were accidentally clicking this and unsubscribing themselves, so I have removed the "&unsubconfirm=1" part of the URL so they will have to manually confirm. Maybe this would foil ISPs who are automatically following this link to unsubscribe people. Do ISPs really do this? _ Steve Wehr Tunedin Web Design -Original Message- From: Keith Seyffarth [mailto:w...@weif.net] Sent: Saturday, August 19, 2017 10:55 AM To: Steve Wehr Cc: mailman-users@python.org Subject: Re: [Mailman-Users] Users being unsubscribed without requesting it. "Steve Wehr" writes: > The problem is that when contacted, these users swear they DID NOT > unsubscribe themselves. So how can they be getting unsubscribed (with > messages in the logs like the one above) but they are not going to the > member options page and unsubscribing?? One possibility would be that they are marking these messages as "Junk" or "Spam" and their ESP/ISP, either through a manual or automated process, is following the unsubscribe link in the email to remove them from the list... -- from my mac to yours... Keith Seyffarth mailto:w...@weif.net http://www.weif.net/ - Home of the First Tank Guide! http://www.rpgcalendar.net/ - the Montana Role-Playing Calendar http://www.miscon.org/ - Montana's Longest Running Science Fiction Convention -- Mailman-Users mailing list Mailman-Users@python.org https://mail.python.org/mailman/listinfo/mailman-users Mailman FAQ: http://wiki.list.org/x/AgA3 Security Policy: http://wiki.list.org/x/QIA9 Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe: https://mail.python.org/mailman/options/mailman-users/archive%40jab.org
Re: [Mailman-Users] Users being unsubscribed without requesting it.
On Aug 19, 2017, at 8:27 AM, Steve Wehr wrote: subscribe:Aug 18 00:41:10 2017 (22583) saintsofswing: deleted dorrainescofi...@gmail.com; via the member options page Steve, if this was done via the web interface the first thing I would do is get the date/timestamp for the log entry “deleted via the member options page.” Next, search through your apache logs looking for that same date/timestamp. You should be able to find the exact apache access log entry with that date and time down to the second where someone submitted the form to remove the user. Your apache log should contain the IP address of the client who submitted the form. Finally, look up that IP address to see who owns it. You could also grep for that IP address to get all the access logs for that user to see what else they are up to. This would allow you to track down the client responsible for unsubscribing that address. — Andy -- Mailman-Users mailing list Mailman-Users@python.org https://mail.python.org/mailman/listinfo/mailman-users Mailman FAQ: http://wiki.list.org/x/AgA3 Security Policy: http://wiki.list.org/x/QIA9 Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe: https://mail.python.org/mailman/options/mailman-users/archive%40jab.org
Re: [Mailman-Users] Users being unsubscribed without requesting it.
"Steve Wehr" writes: > The problem is that when contacted, these users swear they DID NOT > unsubscribe themselves. So how can they be getting unsubscribed (with > messages in the logs like the one above) but they are not going to the > member options page and unsubscribing?? One possibility would be that they are marking these messages as "Junk" or "Spam" and their ESP/ISP, either through a manual or automated process, is following the unsubscribe link in the email to remove them from the list... -- from my mac to yours... Keith Seyffarth mailto:w...@weif.net http://www.weif.net/ - Home of the First Tank Guide! http://www.rpgcalendar.net/ - the Montana Role-Playing Calendar http://www.miscon.org/ - Montana's Longest Running Science Fiction Convention -- Mailman-Users mailing list Mailman-Users@python.org https://mail.python.org/mailman/listinfo/mailman-users Mailman FAQ: http://wiki.list.org/x/AgA3 Security Policy: http://wiki.list.org/x/QIA9 Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe: https://mail.python.org/mailman/options/mailman-users/archive%40jab.org