[majordomo-users removed from addressees, as (1) I do not belong to it and
 (2) my text here is not specific to Majordomo]

Katav Chuq Von Rospach,

| The idea that came up, which I really like, is to move the
| "authorization" token out of the e-mail space and into the web space.
| Instead of sending an auth string a user has to send back in a way the
| list server can process, you send the user a URL, which points in some
| customized way back to your web site. The web site can then verify the
| token and data, and use the admin password or whatever to sneak behind
| the standard list server mailback authorization.

That sounds very much like what ezmlm does -- or at least like what
FindMail/Makelist's installation of ezmlm does.

It has a serious drawback, which must be addressed.  I've seen this happen
twice.

Ezmlm sends email to the applicant address with a Reply-To: address whose
local part is suffixed with the applicant address (the @-sign defused into
an equal sign) and a personal confirmation token.  Any mail to that exact
address, suffix and all, confirms the subscription request.  The message
says that the subscription request can also be confirmed by http to a URL
that also contains the applicant address and its confirmation token.

It is presumed that anyone knowing that full suffix or full URL has received
the confirmation token sent only to that address, so there is no check on the
sender or surfer at confirmation time.  And that is a good thing, as it allows
the applicant some flexibility in confirming.

Unfortunately, nothing in the instructions comes out and says that its return
address or the supplied confirmation URL is for that subscriber and nobody
else; ezmlm expects that the recipient will be alert and intelligent enough
to spot his or her own address embedded and figure it out.

But some aren't, and they don't (no surprise to us).

On two occasions *that*I*have*seen*, people have posted to another mailing
list (one of which is gated to a newsgroup) that here's the cool new mailing
list others on the older list may want to join [and in each case the older
list was on a closely related topic, so they were reasonable places to publicize
the newer lists], and that they can join by pointing their browsers to
the poster's personal confirmation URL.  No, the poster didn't get subscribed
multiple times, but the reader of the other list or newsgroup who tried it
didn't get on either.  I think the poster may have gotten email every time to
say that he or she had already confirmed, or something like that; I am fairly
sure that the repeated confirmation attempts were not just silently ignored
and did create some annoyance to the poster.
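
To make the address scheme described above, and the misfire it invites,
concrete: the following is an added Python sketch, not ezmlm's or
FindMail's code.  The address layout, the list name, the host, the
secret and the two addresses are all constructed for the example; only
the idea (token plus defused applicant address in the local part, no
check on who replies) is taken from the message.

```python
import hashlib
import hmac

# Constructed secret for the demo; a real server would keep it private.
SECRET = b"constructed-list-secret"

def make_token(applicant: str, secret: bytes = SECRET) -> str:
    """Confirmation token bound to one applicant address (HMAC, so the
    server can verify it without storing pending requests)."""
    return hmac.new(secret, applicant.lower().encode(), hashlib.sha256).hexdigest()[:20]

def confirmation_address(list_name: str, host: str, applicant: str,
                         secret: bytes = SECRET) -> str:
    """Reply-To: local part carries the token and the applicant address
    with its @ replaced by = (hypothetical layout, not ezmlm's exact one)."""
    defused = applicant.replace("@", "=")
    return f"{list_name}-sc.{make_token(applicant, secret)}-{defused}@{host}"

def parse_confirmation_address(address: str):
    """Recover (applicant, token) from a confirmation address, or None."""
    local, _, _host = address.rpartition("@")
    _list, sep, rest = local.partition("-sc.")
    if not sep:
        return None
    token, sep, defused = rest.partition("-")   # token is hex, so no '-' inside
    if not sep or "=" not in defused:
        return None
    return defused.replace("=", "@", 1), token

def confirm(address: str, sender: str, subscribers: set,
            secret: bytes = SECRET) -> str:
    """Handle a reply (or URL hit) to a confirmation address.  `sender` is
    deliberately NOT checked, as in the scheme described: whoever uses the
    address confirms the embedded applicant, never themselves."""
    parsed = parse_confirmation_address(address)
    if parsed is None:
        return "invalid address"
    applicant, token = parsed
    if not hmac.compare_digest(token, make_token(applicant, secret)):
        return "bad token"
    if applicant in subscribers:
        return f"already confirmed: {applicant}"   # what the poster kept receiving
    subscribers.add(applicant)
    return f"confirmed: {applicant}"

if __name__ == "__main__":
    subs: set = set()
    addr = confirmation_address("newlist", "lists.example.org", "poster@example.com")
    print(addr)
    print(confirm(addr, "poster@example.com", subs))  # confirmed: poster@example.com
    # A reader of the other list tries the poster's published address:
    print(confirm(addr, "friend@example.net", subs))  # already confirmed: poster@example.com
    print("friend@example.net" in subs)               # False
```

The third-party reply only re-confirms the poster (hence the repeated
"already confirmed" mail), and a hand-edited address with a different
applicant fails the token check, so the reader is never subscribed.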

So if you implement something like this, please make it very very clear (to
the extent that minds can be penetrated at all) in your software's reply that
the confirmation reply address or URL "is for you, and you alone.  Do not
give it out to anybody else.  If you would like to invite a friend to join
our list, please tell your friend to [follow whatever the basic subscription
instructions are], and the list will send your friend his or her own personalized
confirmation form."

(Aside: in one of those cases the publicizer also pointed Reply-To: to his
 personal confirmation address and said in the text that one could join by
 replying to his post, but the older list where he was spreading the news
 clobbers Reply-To:, so the older list's submission address received a subscribe
 request from someone who already belonged to it, which slipped
 through its admin filter.  There may have been others that the admin filter
 caught.)

I'm sure that FindMail/Makelist can customize these texts, per site if not
per list, and that this omission is their fault, not DJB's.
