[Mailman-Users] Unsubscribe without a password

Simon White simon at caperet.com
Mon Jan 26 09:56:50 CET 2004 

25-Jan-04 at 22:21, Ed Wilts (ewilts at ewilts.org) wrote :
> On Sun, Jan 25, 2004 at 11:17:34PM -0500, Brian Haines wrote:
> > I am very interested in the topic of configuring Mailman to allow
> > subscribe/unsubscribe requests without a password. From the archives Simon
> > White offered something of a solution and was willing to share it, but his
> > email was not in the message (as it should be).

Have you seen how much spam I get already, without leaving my email
open to even more harvesters? It's inconvenient but I don't have time to
create some clever anti spam scheme at the moment (server too low spec
for any kind of heuristics).

> > I would be interested in Simon's or any other's solutions or thoughts on a
> > solution.

I put up a web page here:

http://mediadev.homelinux.net/mailman.html

> You should be aware that there are morons out there that will try to
> spam your lists with messages and probably fake subscribe/unsubscribe
> messages. If you allow for an Internet-wide subscribe without
> confirmation, you could easily be classified a spammer and end up on
> blackhole lists.  You better know what you're doing before you dig into
> this.  It isn't that hard for a user to subscribe or unsubscribe
> themselves.  Admins, of course, can do it for them with the utilities I
> listed above or via the web pages.

You make an important point, Ed. However, there are a number of
mitigating circumstances for most admins. They do not want to have to
handle subs/unsubs manually. If a spammer starts to abuse a list managed
by a conscientious admin, then the potential problems that arise are
usually minimised. I haven't made it too easy to allow unconfirmed
subs/unsubs in my scripts because of this. You have to have root access
to the console in order to install the scripts, and I haven't released a
patch to the Mailman source. (As an aside, I did send a patch for the
remove_members script on a separate issue, never got any feedback about
that).

Are spammers are going to make a bad name for Mailman if they download
and screw around with my scripts? Perhaps. But they could equally do
damage (and in a less complex manner) with the standard tools available
with Mailman. So I don't consider that I'm lowering the bar here.

In my opinion, for most lists that I have ever managed or sub-managed
for a manager that isn't a techie, subscribing and unsubscribing is
hard. Indeed, unsubscribing requires a password, something that a lot of
newbies or even longtime casual web users are visibly not able to
fathom. The law in some countries implies that email unsubscription
should be simpler than that.

I put the emphasis on unsubscribing anyway. Automating subscription
without a confirmation email (which is just a simple reply mechanism) is
probably NOT a good idea. Automating subscription before making all
posts require approval is NOT a good idea. 

I automate subscription without confirmation on my install on the
provisos that all it is a once monthly announce list only. Also, the
confirmation email is in English (or was at the time), whereas the list
subscribers are all French, so every new subscription caused emails to
the admin saying there was a bug in the subscription and they had this
"strange English error message".

Regards,

-- 
Simon White. Internet Consultant, Linux/Windows Server Administration.
email, dns and web servers; php javascript perl asp; MySQL MSSQL Access
     Bridging the gap between management, HR and the tech team.

More information about the Mailman-Users mailing list