The mailing list for listmasters using Sympa

[Adam Bernstein <address@concealed>]

Steve -

This sounds like the confirmation-before-ticket-activation step that 
Steve Shipway introduced for similar reasons here:

https://listes.renater.fr/sympa/arc/sympa-users/2014-03/msg00036.html

It requires editing only templates, not actual Sympa code, so I hope 
that the fact that it was created on Sympa 6.1 won't matter for 6.2 (but 
as we're still using 6.1 ourselves, I can't say from experience).

And I sure hope Sympa will incorporate something like this solution.

   adam

On 10/12/2015 10:57 AM, Steve Rich wrote:
> Hi All,
>
> At the request of our student users, we decided to append an unsubscribe
> footer to the bottom of every message for all lists that allowed for
> members to unsubscribe.  The implementation worked great with one
> exception.  The unsubscribe link we used contained was generated using
> the provided method from the docs in the form of [% wwsympa_url
> %]/auto_signoff/[% listname %]/[% user.escaped_email %].  Our testing
> indicated that it worked very well.  On the day we implemented it, we
> got a flurry of users reporting that they were being unsubscribed with
> no action on their behalf.  We started digging in to the logs and
> realized that the initial unsubscribe request (unauthenticated url
> above) was visited by one IP and then the followup authenticated url was
> visited by a different IP in the same block.  All of the IPs we checked
> were registered to Microsoft.
>
> Our user email service is Office 365 and it turned out that Microsoft’s
> anti-spam/phish/malware protection was visiting the URL to ensure that
> it was safe before delivering the message.  We immediately rolled back
> the change and spent the better part of 2 days gathering stats on who
> was impacted and ensuring that users that were unintentionally
> unsubscribed were resubscribed to the list.  What made it worse were the
> forwarding and replying to of messages sent prior to rolling the change
> back.
>
> This got us thinking and we realized that the Microsoft is not the only
> company doing this.  A lot of email perimeter protection solutions
> (Proofpoint, Ironport, etc) will sandbox URLs prior to delivery to
> ensure that the URL is safe. I am currently working on a patch that
> requires a secondary action when visiting the unauthenticated and
> authenticated links (more than likely just clicking a button to confirm)
> and will send the patch to the list when I am done.  I just wanted to
> get this out there in case anyone else is thinking of implementing
> something like this for themselves.
> Thanks,
> Steve


--
Electric Embers Cooperative
Handcrafted hosting, powering the fires of change
electricembers.coop
(800) 843-6197