[Mailman-Users] Autoresponder and privacy

[Clare Redstone]

Dear Mark,

Thank you for replying so quickly. I don't understand some of the technical
stuff to understand why 
the autoresponder message came to me not the group. But am glad it did!
Because we're a discussion group, I have MM set up for reply to the list.
But haven't set any of the mung options, or we wouldn't know who messages
are from. We have quite a few people with the same forename so it gets
confusing.

> That's probably true, but if list lurkers choose to use broken
>autoresponders that may reveal their address to a list poster and are
>upset about that, that's really their problem. What do they do about
>all the spam they autorespond to? Do they care about that?

I don't think most people know that autoresponders can be broken. I didn't
until I started running the list and began reading majordomo and mailman
users group. And it probably doesn't cross their minds that the
autoresponder is replying to spam. Maybe because work email systems seem to
trawl out so much spam. In any case, there's nothing they can do about that
apart from telling their IT dept when becoming aware of it. At work, you
have to have an out of office message when you're away.

I will suggest this person tells her IT dept.

> Rather than
>unsubscribing the user, you could just set him/her to no mail

Duh! Silly me. Having only just moved from majordomo, which didn't have the
no mail option, to Mailman, I completely forgot I could do this. Despite
having spent time writing a FAQ for the members which included it. Thanks
for the suggestion.

> You could set all members moderated and new members moderated by
>default and then clear each poster's moderate bit as they post.
>Clearing the moderate bit is just a checkbox in the admindb interface
>when approving the post. That way, a lurker's autoresponse could never
>make it to the full list.

Thanks for this suggestion. Yes, that would solve it for people who never
post. There'd still be the possibility of someone posting a message so
coming off moderation, then later setting their autoresponder. But I'm
reassured that you say loops are rare.

Thanks for your help.
Clare

-----Original Message-----
From: Mark Sapiro [mailto:mark at msapiro.net] 
Sent: 05 April 2011 22:28
To: Clare Redstone; mailman-users at python.org
Subject: Re: [Mailman-Users] Autoresponder and privacy

Clare Redstone wrote:

>I've just moved a discussion group from majordomo to Mailman and posted the
>first message to the group. So far, I've had one autoresponder message sent
>back. Thankfully, from what I can see, it only came to me and not to the
>list address, so hasn't started to loop.


Any autoresponder that responds to a list post is by definition broken.
List posts are sent with "Precedence: list" and autoresponders aren't
supposed to respond to such messages. Also, autoresponders shouldn't
respond to the same address more than once within some period like a
day or a week. Finally, an autoresponder should reply to the From: or
Reply-To: address (although some badly broken autoresponders may
respond to the Sender: or the envelope sender). Thus, if your list
doesn't mung Reply-To:, no autoresponder should ever respond to the
list posting address.

Note that parts of the above apply only to individual posts. For
digests, the From: is the LIST-request address, so if a broken
autoresponder responds to a digest, the response will probably go to
the -request address possibly generating a "results of your email
commands" message from Mailman, but not if the autoresponse is
Precedence: bulk, junk or list as it should be. In those cases, it
will be discarded.



>But I've a problem over preserving members' privacy. The list of
subscribers
>isn't available to other list members. So unless someone posts a message in
>the discussion, when their email address will show up in headers, I'm the
>only person who knows who's registered. And some people will be concerned
>that stays the case.


OK


>But the autoresponder message came from someone using their work email so
it
>includes their name, job and contact details. It doesn't matter this time,
>as it came to me. But as soon as someone else posts to the group, I assume
>they'll get the same out of office message.


That's probably true, but if list lurkers choose to use broken
autoresponders that may reveal their address to a list poster and are
upset about that, that's really their problem. What do they do about
all the spam they autorespond to? Do they care about that?


>I can warn everyone about this and suggest that, if they don't want their
>details revealed, they only use an address that they won't set out of
>office. But is there anything else I can do? Privacy is important in our
>group so I would like to do what I can, rather than leaving it people who
>didn't realise about this vulnerable. Meantime, I may unsubscribe this
>person so no-one else gets her out of office message.


I appreciate your desire to protect your user's privacy, but I think
there's little beyond a warning that you can do. Rather than
unsubscribing the user, you could just set him/her to no mail. You
could also suggest to people that are concerned that they could set
themselves to no mail


>Not a problem with a loop, thankfully. (Yet? Maybe I'd better put some
>filters in pronto!)


As I indicate above, a mail loop is very unlikely if you don't mung
Reply-To:. Yes, there could be some brain dead autoresponders out
there that respond to Precedence: list messages send the autoresponse
to the To: address (or Reply-To: if you mung it), and send multiple
responses to the same address, but I think this is rare.

That's not to say that you shouldn't try to filter, but it's not easy.

You could set all members moderated and new members moderated by
default and then clear each poster's moderate bit as they post.
Clearing the moderate bit is just a checkbox in the admindb interface
when approving the post. That way, a lurker's autoresponse could never
make it to the full list.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan