When I posted, in response to Chuq Von Rospach's suggestion about confirmation by http,
that ezmlm already provides it, I wrote,

| > Ezmlm sends email to the applicant address with a Reply-To: address whose
| > local part is suffixed with the applicant address (the @-sign defused into
| > an equal sign) and a personal confirmation token.

Chuq thoroughly misunderstood, commenting,

| Frankly, if it's subscribing the From: address, but sending the
| confirmation to the Reply-To: address, it has a security hole the size
| of Rhode Island.

Yes, it would be a huge security hole, and that hole isn't present in ezmlm.

| ...  if "[EMAIL PROTECTED]" is being subscribed, then
| "[EMAIL PROTECTED]" gets the confirmation notice. Not whatever the email
| subscribing that address uses as a reply-to.

Exactly.  Let me try again, VERY SLOWLY ...

Ezmlm receives a subscription request by email or http; from that, in ways
I did not detail (because that would get to be too package-specific for
list-managers and too far afield from this thread about accepting
subscription confirmations by http as well as in email), ezmlm determines
the applicant address.

Ezmlm sends the confirmation request to the address that would receive the
list if the subscription is confirmed.  Sending it elsewhere would be foolish.

The Reply-To: address that I was discussing is the one for responding to the
confirmation request.  It has nothing to do with whatever return address may
have been on the subscription request itself; perhaps the subscription
request was made by web form and had nothing comparable to a Reply-To: header.

The Reply-To: line OF THE CONFIRMATION REQUEST THAT EZMLM MAILS TO THE
ADDRESS THAT IS TO BE SUBSCRIBED -- got it now? -- points to an address (at the
listserver) whose local part is suffixed with the applicant address and a
personalized confirmation token.  As an alternative, it offers an http: URL
to visit that also includes the applicant address and the personalized
confirmation token for that applicant.

The trouble comes when the text of the confirmation request, which is emailed
to the applicant address, leaves it up to the recipient's intellect and
attention to realize that the instructions are personalized and doesn't spell
out that the return address and the URL are for that application only, and
then the applicant tells friends to use them if they want to join the list.
I've seen that happen twice.
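An added illustration of the mechanism described above, not code from the post or from ezmlm: it builds a confirmation Reply-To: address whose local part carries the @-defused applicant address and a per-applicant token, then verifies a reply. The "list-sc.TIMESTAMP.TOKEN-user=host@listhost" layout, the HMAC token, the list name and the seven-day validity are assumptions made for the example.

```python
import hashlib
import hmac
import re

# Constructed values for the example; a real list server keeps its own secret.
SECRET = b"constructed-example-secret"
LIST_NAME = "talk"
LIST_HOST = "lists.example.org"


def defuse(addr: str) -> str:
    """user@example.com -> user=example.com, so it can live inside a local part."""
    return addr.replace("@", "=")


def restore(suffix: str) -> str:
    """Inverse of defuse(); the last '=' splits user from host (hosts never contain '=')."""
    user, _, host = suffix.rpartition("=")
    return f"{user}@{host}"


def make_token(applicant: str, timestamp: int) -> str:
    """Per-applicant token: an HMAC over the address and request time, so it only
    confirms this applicant's own request and nobody else's."""
    msg = f"{applicant.lower()}|{timestamp}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:20]


def confirmation_reply_to(applicant: str, timestamp: int) -> str:
    """The Reply-To: address placed in the confirmation request mailed to the applicant."""
    return f"{LIST_NAME}-sc.{timestamp}.{make_token(applicant, timestamp)}-{defuse(applicant)}@{LIST_HOST}"


_PATTERN = re.compile(
    rf"^{re.escape(LIST_NAME)}-sc\.(\d+)\.([0-9a-f]+)-(.+)@{re.escape(LIST_HOST)}$"
)


def verify_confirmation(reply_addr: str, now: int, max_age: int = 7 * 86400):
    """Return the address to subscribe, or None if the address is malformed,
    the token does not match the embedded applicant, or the request has expired."""
    m = _PATTERN.match(reply_addr)
    if not m:
        return None
    timestamp, token, suffix = int(m.group(1)), m.group(2), m.group(3)
    applicant = restore(suffix)
    if now - timestamp > max_age:
        return None
    if not hmac.compare_digest(token, make_token(applicant, timestamp)):
        return None
    return applicant
```

Because the token is bound to the embedded address, editing the address in a shared reply address fails verification, and a friend who replies to it unchanged only confirms the original applicant's subscription, which is exactly why the confirmation text should say the address and URL are personal to that application.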
