Re: [Mailman-Users] Users being unsubscribed without requesting it.

[Mark Sapiro]

On 08/19/2017 08:31 AM, Steve Wehr wrote:
> 
> Some further info... I was including a link at the bottom of all emails sent
> by mailman (in the msg_footer field: 
> "Click this link to unsubscribe:
> %(user_optionsurl)s?password=%(user_password)s=1=1" 
> 
> I thought perhaps users were accidentally clicking this and unsubscribing
> themselves, so I have removed the "=1" part of the URL so they
> will have to manually confirm.
> 
> Maybe this would foil ISPs who are automatically following this link to
> unsubscribe people. Do ISPs really do this?


Including a link like the above is a very bad idea. It leads to:

A receives a list post.

A forwards the post to friend B

B clicks the unsubscribe link either maliciously or thinking she's been
subscribed to a list.

A is removed from the list.

Do not include the password in the link. Just make it

%(user_optionsurl)s?login-unsub=Unsubscribe

This will send a "Your confirmation is required to leave the xxx mailing
list" message to user A which user A will hopefully ignore.

If you just drop the =1, B can still confirm and unsubscribe A.

-- 
Mark Sapiro The highway is for gamblers,
San Francisco Bay Area, Californiabetter use your sense - B. Dylan
--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Re: [Mailman-Users] Users being unsubscribed without requesting it.

[Joly MacFie]

There would still be a confirmation step.



On Sun, Aug 20, 2017 at 5:39 PM, List Manager <list...@nanniandjack.com>
wrote:

> Steve-
>
> Just a thought, but since the "unsubscribe link" has been part of the
> output of your list, it is possible that someone other than the
> recipient sees the link and clicks on it, either in malice or error
> (trying to unsubscribe themselves)
> --
> Jack Hill, W4KH - BoatAnchors Listowner/Archiver
> list...@nanniandjack.com
> "Plus ca change, plus c'est la meme chose"
> "Il n'y a que les idiots qui ne changent jamais d'idee"
>
>  On 2017-08-19 10:00, Steve Wehr wrote:
>
> > That's the best theory I have heard so far to explain the facts.
> >
> > The user's in question, who are being unsubscribed without asking to be,
> are people who like the mailing lists they are on, and would not be
> flagging emails from the list as spam. Now their ISP might, but they
> wouldn't. The list owners swear to me that these people are friends who
> want their emails.
> >
> > Some further info... I was including a link at the bottom of all emails
> sent by mailman (in the msg_footer field:
> > "Click this link to unsubscribe:
> > %(user_optionsurl)s?password=%(user_password)s=1=1"
> >
> > I thought perhaps users were accidentally clicking this and unsubscribing
> > themselves, so I have removed the "=1" part of the URL so
> they will have to manually confirm.
> >
> > Maybe this would foil ISPs who are automatically following this link to
> > unsubscribe people. Do ISPs really do this?
> >
> > _
> > Steve Wehr
> > Tunedin Web Design
> >
> > -Original Message-
> > From: Keith Seyffarth [mailto:w...@weif.net]
> > Sent: Saturday, August 19, 2017 10:55 AM
> > To: Steve Wehr
> > Cc: mailman-users@python.org
> > Subject: Re: [Mailman-Users] Users being unsubscribed without requesting
> it.
> >
> > "Steve Wehr" <st...@tunedinweb.com> writes:
> >
> > 
> >
> >> The problem is that when contacted, these users swear they DID NOT
> >> unsubscribe themselves. So how can they be getting unsubscribed (with
> >> messages in the logs like the one above) but they are not going to the
> >> member options page and unsubscribing??
> >
> > One possibility would be that they are marking these messages as "Junk"
> > or "Spam" and their ESP/ISP, either through a manual or automated
> process,
> > is following the unsubscribe link in the email to remove them from the
> > list...
> --
> Mailman-Users mailing list Mailman-Users@python.org
> https://mail.python.org/mailman/listinfo/mailman-users
> Mailman FAQ: http://wiki.list.org/x/AgA3
> Security Policy: http://wiki.list.org/x/QIA9
> Searchable Archives: http://www.mail-archive.com/
> mailman-users%40python.org/
> Unsubscribe: https://mail.python.org/mailman/options/mailman-users/
> joly%40punkcast.com
>



-- 
---
Joly MacFie  218 565 9365 Skype:punkcast
--
-
--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Re: [Mailman-Users] Users being unsubscribed without requesting it.

[Joly MacFie]

Is it possible that others sharing the same ISP could have been
spam-marking and this has led to other subs on ISP getting removed?

I had a spate of nyu.edu unsubs a while back that and that seemed to
possibly be the case. I had to resub people using alt emails.



On Sat, Aug 19, 2017 at 10:55 AM, Keith Seyffarth  wrote:

> "Steve Wehr"  writes:
>
> 
>
> > The problem is that when contacted, these users swear they DID NOT
> > unsubscribe themselves. So how can they be getting unsubscribed (with
> > messages in the logs like the one above) but they are not going to the
> > member options page and unsubscribing??
>
> One possibility would be that they are marking these messages as "Junk"
> or "Spam" and their ESP/ISP, either through a manual or automated
> process, is following the unsubscribe link in the email to remove them
> from the list...
>
> --
> 
> from my mac to yours...
>
> Keith Seyffarth
> mailto:w...@weif.net
> http://www.weif.net/ - Home of the First Tank Guide!
> http://www.rpgcalendar.net/ - the Montana Role-Playing Calendar
> 
> http://www.miscon.org/ - Montana's Longest Running Science Fiction
> Convention
> --
> Mailman-Users mailing list Mailman-Users@python.org
> https://mail.python.org/mailman/listinfo/mailman-users
> Mailman FAQ: http://wiki.list.org/x/AgA3
> Security Policy: http://wiki.list.org/x/QIA9
> Searchable Archives: http://www.mail-archive.com/
> mailman-users%40python.org/
> Unsubscribe: https://mail.python.org/mailman/options/mailman-users/
> joly%40punkcast.com
>



-- 
---
Joly MacFie  218 565 9365 Skype:punkcast
--
-
--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Re: [Mailman-Users] Users being unsubscribed without requesting it.

[Stephen J. Turnbull]

Julian H. Stacey writes:

 > Some people are clueless thus forward without pruning.

While I strongly agree with you that pruning is a great idea, and
award bonus points to those who prune, I think "clueless" is unfair.
Granted, "leaking" personalized links is a pretty serious issue and
people "should" learn to trim them, but in the face of top-posting
culture that's a pretty severe demand.

For more about why I believe this, see

  http://turnbull.sk.tsukuba.ac.jp/Teach/ESES/socsys-2.html

(The last in the series is socsys-9, titled "Institutions".)

Steve

--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Re: [Mailman-Users] Users being unsubscribed without requesting it.

[John Levine]

In article <7e0bd0e4-b837-4d76-3c14-a0b6dfda9...@tnetconsulting.net> you write:
>-=-=-=-=-=-
>-=-=-=-=-=-
>
>On 08/21/2017 02:08 PM, John Levine wrote:
>> which defines a one-click opt-out link that uses POST rather than GET,
>> since the URL malware fetchers all do GETs.
>
>Why do single click?  Why not do confirmed?

You can read RFC 8058 and find out about the specific problem it addresses.

https://www.rfc-editor.org/info/rfc8058

R's,
John
--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Re: [Mailman-Users] Users being unsubscribed without requesting it.

[Grant Taylor via Mailman-Users]

On 08/21/2017 02:08 PM, John Levine wrote:

There are plenty of anti-spam schemes that fetch all the URLs in a
message to see whether they're malicious.  That's why ESPs usually
have a landing page with a confirm link, and why we wrote RFC 8058
which defines a one-click opt-out link that uses POST rather than GET,
since the URL malware fetchers all do GETs.


Why do single click?

Why not do confirmed?

I.e. you go to a page that asks you to "Click here to confirm that you 
want to unsubscribe."?


I never understood the problem with (what I consider to be) double opt 
in / out.


I'd also worry that the POST method is not distinct enough compared to 
GET.  (At least compared to double opt out.)




--
Grant. . . .
unix || die

--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Re: [Mailman-Users] Users being unsubscribed without requesting it.

[John Levine]

In article <201708210145.v7l1io7x003...@fire.js.berklix.net> you write:
>> Maybe this would foil ISPs who are automatically following this link to
>> unsubscribe people. Do ISPs really do this?

There are plenty of anti-spam schemes that fetch all the URLs in a
message to see whether they're malicious.  That's why ESPs usually
have a landing page with a confirm link, and why we wrote RFC 8058
which defines a one-click opt-out link that uses POST rather than GET,
since the URL malware fetchers all do GETs.

R's,
John
--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Re: [Mailman-Users] Users being unsubscribed without requesting it.

[Julian H. Stacey]

"Steve Wehr" wrote:
> That's the best theory I have heard so far to explain the facts. 
> 
> The user's in question, who are being unsubscribed without asking to be, are
> people who like the mailing lists they are on, and would not be flagging
> emails from the list as spam. Now their ISP might, but they wouldn't. The
> list owners swear to me that these people are friends who want their emails.
> 
> Some further info... I was including a link at the bottom of all emails sent
> by mailman (in the msg_footer field: 
> "Click this link to unsubscribe:
> %(user_optionsurl)s?password=%(user_password)s=1=1" 
> 
> I thought perhaps users were accidentally clicking this and unsubscribing
> themselves, so I have removed the "=1" part of the URL so they
> will have to manually confirm.
> 
> Maybe this would foil ISPs who are automatically following this link to
> unsubscribe people. Do ISPs really do this?

Those list members may have forwarded some posts to acquaintances,
those 3rd parties may have clicked those links mostly
by accident.  I have received stuff like that quite often from
people (regardless what mail manager was) Some people are clueless
thus forward without pruning. Some careless, some time pressured,
& some 3rd parties will click Anything.

Andy C's idea is good: Track a couple of cases in apache (or other httpd) logs .

Cheers,
Julian
-- 
Julian H. Stacey, Computer Consultant, BSD Linux Unix Systems Engineer, Munich
 Reply below, Prefix '> '. Plain text, No .doc, base64, HTML, quoted-printable.
 http://berklix.eu/brexit/#3,500,000_stolen_votes_inc_700,000_in_EU
--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Re: [Mailman-Users] Users being unsubscribed without requesting it.

[List Manager]

Steve-

Just a thought, but since the "unsubscribe link" has been part of the
output of your list, it is possible that someone other than the
recipient sees the link and clicks on it, either in malice or error
(trying to unsubscribe themselves)
--
Jack Hill, W4KH - BoatAnchors Listowner/Archiver
list...@nanniandjack.com
"Plus ca change, plus c'est la meme chose"
"Il n'y a que les idiots qui ne changent jamais d'idee"

 On 2017-08-19 10:00, Steve Wehr wrote:

> That's the best theory I have heard so far to explain the facts.  
> 
> The user's in question, who are being unsubscribed without asking to be, are 
> people who like the mailing lists they are on, and would not be flagging 
> emails from the list as spam. Now their ISP might, but they wouldn't. The 
> list owners swear to me that these people are friends who want their emails.
> 
> Some further info... I was including a link at the bottom of all emails sent 
> by mailman (in the msg_footer field: 
> "Click this link to unsubscribe:
> %(user_optionsurl)s?password=%(user_password)s=1=1" 
> 
> I thought perhaps users were accidentally clicking this and unsubscribing
> themselves, so I have removed the "=1" part of the URL so they 
> will have to manually confirm.
> 
> Maybe this would foil ISPs who are automatically following this link to
> unsubscribe people. Do ISPs really do this?
> 
> _
> Steve Wehr
> Tunedin Web Design
> 
> -Original Message-
> From: Keith Seyffarth [mailto:w...@weif.net] 
> Sent: Saturday, August 19, 2017 10:55 AM
> To: Steve Wehr
> Cc: mailman-users@python.org
> Subject: Re: [Mailman-Users] Users being unsubscribed without requesting it.
> 
> "Steve Wehr" <st...@tunedinweb.com> writes:
> 
> 
> 
>> The problem is that when contacted, these users swear they DID NOT 
>> unsubscribe themselves. So how can they be getting unsubscribed (with 
>> messages in the logs like the one above) but they are not going to the 
>> member options page and unsubscribing??
> 
> One possibility would be that they are marking these messages as "Junk"
> or "Spam" and their ESP/ISP, either through a manual or automated process,
> is following the unsubscribe link in the email to remove them from the
> list...
--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Re: [Mailman-Users] Users being unsubscribed without requesting it.

[Steve Wehr]

That's the best theory I have heard so far to explain the facts. 

The user's in question, who are being unsubscribed without asking to be, are
people who like the mailing lists they are on, and would not be flagging
emails from the list as spam. Now their ISP might, but they wouldn't. The
list owners swear to me that these people are friends who want their emails.

Some further info... I was including a link at the bottom of all emails sent
by mailman (in the msg_footer field: 
"Click this link to unsubscribe:
%(user_optionsurl)s?password=%(user_password)s=1=1" 

I thought perhaps users were accidentally clicking this and unsubscribing
themselves, so I have removed the "=1" part of the URL so they
will have to manually confirm.

Maybe this would foil ISPs who are automatically following this link to
unsubscribe people. Do ISPs really do this?

_
Steve Wehr
Tunedin Web Design


-Original Message-
From: Keith Seyffarth [mailto:w...@weif.net] 
Sent: Saturday, August 19, 2017 10:55 AM
To: Steve Wehr
Cc: mailman-users@python.org
Subject: Re: [Mailman-Users] Users being unsubscribed without requesting it.

"Steve Wehr" <st...@tunedinweb.com> writes:



> The problem is that when contacted, these users swear they DID NOT 
> unsubscribe themselves. So how can they be getting unsubscribed (with 
> messages in the logs like the one above) but they are not going to the 
> member options page and unsubscribing??

One possibility would be that they are marking these messages as "Junk"
or "Spam" and their ESP/ISP, either through a manual or automated process,
is following the unsubscribe link in the email to remove them from the
list...

--

from my mac to yours...

Keith Seyffarth
mailto:w...@weif.net
http://www.weif.net/ - Home of the First Tank Guide!
http://www.rpgcalendar.net/ - the Montana Role-Playing Calendar

http://www.miscon.org/ - Montana's Longest Running Science Fiction
Convention

--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Re: [Mailman-Users] Users being unsubscribed without requesting it.

[Andy Cravens]

On Aug 19, 2017, at 8:27 AM, Steve Wehr  wrote:


subscribe:Aug 18 00:41:10 2017 (22583) saintsofswing: deleted
dorrainescofi...@gmail.com; via the member options page




Steve, if this was done via the web interface the first thing I would do is get 
the date/timestamp for the log entry “deleted via the member options page.”   
Next, search through your apache logs looking for that same date/timestamp.  
You should be able to find the exact apache access log entry with that date and 
time down to the second where someone submitted the form to remove the user.  
Your apache log should contain the IP address of the client who submitted the 
form.  Finally, look up that IP address to see who owns it.  You could also 
grep for that IP address to get all the access logs for that user to see what 
else they are up to.  This would allow you to track down the client responsible 
for unsubscribing that address.

—
Andy


--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Re: [Mailman-Users] Users being unsubscribed without requesting it.

[Keith Seyffarth]

"Steve Wehr"  writes:



> The problem is that when contacted, these users swear they DID NOT
> unsubscribe themselves. So how can they be getting unsubscribed (with
> messages in the logs like the one above) but they are not going to the
> member options page and unsubscribing??

One possibility would be that they are marking these messages as "Junk"
or "Spam" and their ESP/ISP, either through a manual or automated
process, is following the unsubscribe link in the email to remove them
from the list...

-- 

from my mac to yours...

Keith Seyffarth
mailto:w...@weif.net
http://www.weif.net/ - Home of the First Tank Guide!
http://www.rpgcalendar.net/ - the Montana Role-Playing Calendar

http://www.miscon.org/ - Montana's Longest Running Science Fiction Convention
--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org

[Mailman-Users] Users being unsubscribed without requesting it.

[Steve Wehr]

I host about a hundred lists and from time to time the list owners keep
telling me that users are being unsubscribed from the list without asking to
be. Now I assume these users are just being removed for bouncing, but when I
check the mailman log files in /var/log/mailman I see this:

 

subscribe:Aug 18 00:41:10 2017 (22583) saintsofswing: deleted
dorrainescofi...@gmail.com; via the member options page

 

My understanding of "via the member options page" means that that user
unsubscribed themselves from the list. Users who bound have a completely
different set of messages in the logs and it's clear they were removed by
mailman for bouncing.

 

The problem is that when contacted, these users swear they DID NOT
unsubscribe themselves. So how can they be getting unsubscribed (with
messages in the logs like the one above) but they are not going to the
member options page and unsubscribing??

 

Thanks for your help.

 

_

Steve Wehr

Tunedin Web Design  

 

--
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-users/archive%40jab.org