
en - [sympa-users] Footer unsubscribe link

Subject: The mailing list for listmasters using Sympa

  • From: Steve Rich <address@concealed>
  • To: "address@concealed" <address@concealed>
  • Subject: [sympa-users] Footer unsubscribe link
  • Date: Mon, 12 Oct 2015 17:57:16 +0000

Hi All,

At the request of our student users, we decided to append an unsubscribe footer to the bottom of every message for all lists that allowed for members to unsubscribe. The implementation worked great with one exception. The unsubscribe link we used was generated using the provided method from the docs in the form of [% wwsympa_url %]/auto_signoff/[% listname %]/[% user.escaped_email %]. Our testing indicated that it worked very well. On the day we implemented it, we got a flurry of users reporting that they were being unsubscribed with no action on their behalf. We started digging into the logs and realized that the initial unsubscribe request (unauthenticated URL above) was visited by one IP and then the follow-up authenticated URL was visited by a different IP in the same block. All of the IPs we checked were registered to Microsoft.

Our user email service is Office 365 and it turned out that Microsoft’s anti-spam/phish/malware protection was visiting the URL to ensure that it was safe before delivering the message.  We immediately rolled back the change and spent the better part of 2 days gathering stats on who was impacted and ensuring that users that were unintentionally unsubscribed were resubscribed to the list.  What made it worse were the forwarding and replying to of messages sent prior to rolling the change back.  

This got us thinking and we realized that Microsoft is not the only company doing this. A lot of email perimeter protection solutions (Proofpoint, Ironport, etc.) will sandbox URLs prior to delivery to ensure that the URL is safe. I am currently working on a patch that requires a secondary action when visiting the unauthenticated and authenticated links (more than likely just clicking a button to confirm) and will send the patch to the list when I am done. I just wanted to get this out there in case anyone else is thinking of implementing something like this for themselves.
 
Thanks,
Steve
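
The confirm-before-acting design mentioned in the message above, as an added example that is not part of the original post, not the poster's patch and not Sympa code. It assumes a link scanner only fetches URLs with GET or HEAD and does not submit forms; the function names and the in-memory subscriber table are hypothetical.

```python
# Added illustration, not Sympa code: names and storage are hypothetical.
import html
from urllib.parse import quote, unquote

# Constructed sample data: list name -> set of subscriber addresses.
SUBSCRIBERS = {"students": {"alice@example.edu", "bob@example.edu"}}


def parse_signoff_path(path):
    """Return (listname, email) for /auto_signoff/<list>/<escaped_email>, else None."""
    parts = path.strip("/").split("/")
    if len(parts) != 3 or parts[0] != "auto_signoff":
        return None
    return parts[1], unquote(parts[2]).lower()


def handle(method, path, subscribers=SUBSCRIBERS):
    """Return (status, body). Only POST changes subscription state."""
    target = parse_signoff_path(path)
    if target is None or target[0] not in subscribers:
        return 404, "not found"
    listname, email = target
    if method in ("GET", "HEAD"):
        # Safe methods: a scanner that fetches the footer link lands here
        # and only receives a confirmation form; nothing is modified.
        action = html.escape(quote(path, safe="/%"), quote=True)
        form = (
            f'<form method="post" action="{action}">'
            f"<p>Unsubscribe {html.escape(email)} from {html.escape(listname)}?</p>"
            '<button type="submit">Confirm</button></form>'
        )
        return 200, form
    if method == "POST":
        # The explicit second action: someone pressed the Confirm button.
        subscribers[listname].discard(email)
        return 200, "unsubscribed"
    return 405, "method not allowed"
```
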



