Hello, I have to configure Mailman 3 for a German company. The privacy policy in our country demands for mailing lists that their members can sign out in one step; it is called single-sign-out.
So I would like to add a link in the footer of every message, with which every receiver/member can sign out of the newsletter with one click. It does not seem to be possible to put this into effect with Mailman 3. Does anybody have any hints how to create a link, and when this link is called, the user is signed out of the newsletter? Thank you, Wolfgang
On 8/13/20 6:21 AM, w.schoener@alp.dillingen.de wrote:
> So I would like to add a link in the footer of every message, with which every receiver/member can sign out of the newsletter with one click. It does not seem to be possible to put this into effect with Mailman 3. Does anybody have any hints how to create a link, and when this link is called, the user is signed out of the newsletter?

You can set the list's unsubscription_policy to open and set the link as a mailto: to the list-leave address, but that still requires a second click to send the mail.

The solution is to create a web based CGI script which is called with a URL like <https://example.com/unsub_script/list.example.com/user@example.net> and have that script invoke the appropriate mailman command to remove the member from the list. Beginning with Mailman 3.3.2, this would be

    mailman delmembers -l list.example.com -m user@example.net -g

to remove the member and send a goodbye message. In older Mailman, it would be something like

    echo user@example.net | mailman members -x - list.example.com

I understand you may have a legal requirement to do this, but these "one-click - no user confirmation" links are a bad idea because usera will reply to a list post or forward it and not remove the link and userb will receive usera's reply and click usera's unsubscribe link either maliciously or thinking it will unsubscribe userb.

--
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

On Thu, Aug 13, 2020, at 10:04 AM, Mark Sapiro wrote:
> On 8/13/20 6:21 AM, w.schoener@alp.dillingen.de wrote:
> > So I would like to add a link in the footer of every message, with which every receiver/member can sign out of the newsletter with one click. It does not seem to be possible to put this into effect with Mailman 3. Does anybody have any hints how to create a link, and when this link is called, the user is signed out of the newsletter?
>
> You can set the list's unsubscription_policy to open and set the link as a mailto: to the list-leave address, but that still requires a second click to send the mail.
>
> The solution is to create a web based CGI script which is called with a URL like <https://example.com/unsub_script/list.example.com/user@example.net> and have that script invoke the appropriate mailman command to remove the member from the list. Beginning with Mailman 3.3.2, this would be
>
>     mailman delmembers -l list.example.com -m user@example.net -g
>
> to remove the member and send a goodbye message. In older Mailman, it would be something like
>
>     echo user@example.net | mailman members -x - list.example.com
>
> I understand you may have a legal requirement to do this, but these "one-click - no user confirmation" links are a bad idea because usera will reply to a list post or forward it and not remove the link and userb will receive usera's reply and click usera's unsubscribe link either maliciously or thinking it will unsubscribe userb.

There is also the issue that these days some Mail clients will try to create a preview of all the URLs if they can and it would inadvertently GET the URL resulting in the un-subscription.
-- thanks, Abhilash Raj (maxking)
On 2020-08-13 at 16:55 -0700, Abhilash Raj wrote:
> > I understand you may have a legal requirement to do this, but these "one-click - no user confirmation" links are a bad idea because usera will reply to a list post or forward it and not remove the link and userb will receive usera's reply and click usera's unsubscribe link either maliciously or thinking it will unsubscribe userb.
>
> There is also the issue that these days some Mail clients will try to create a preview of all the URLs if they can and it would inadvertently GET the URL resulting in the un-subscription.

It's not just mail clients, but also anti-spam solutions. So for some customers, when the email passes through the antivirus/anti-spam solution, it would automatically unsubscribe the user.
Check also this piece: https://inboxplacement.com/2020/05/machine-clicks-in-email/
If you end up with such a system, at the very least I would make it also email the user one last time saying "Per your instruction as requested by machine IP V.X.Y.Z, we have unsubscribed from foobar-list, you can subscribe again by XYZ, etc." (maybe bcc the responsible internal team)
And you don't want to start trying to tell apart real vs synthetic clicks.
Regards
On Thu, Aug 13, 2020, at 10:04 AM, Mark Sapiro wrote:
> On 8/13/20 6:21 AM, w.schoener@alp.dillingen.de wrote:
> > So I would like to add a link in the footer of every message, with which every receiver/member can sign out of the newsletter with one click. It does not seem to be possible to put this into effect with Mailman 3. Does anybody have any hints how to create a link, and when this link is called, the user is signed out of the newsletter?
>
> You can set the list's unsubscription_policy to open and set the link as a mailto: to the list-leave address, but that still requires a second click to send the mail.
>
> The solution is to create a web based CGI script which is called with a URL like <https://example.com/unsub_script/list.example.com/user@example.net> and have that script invoke the appropriate mailman command to remove the member from the list. Beginning with Mailman 3.3.2, this would be

If this is one-click, can't this URL be hit by anyone trying to remove the user from any MailingList without any auth or anything?

>     mailman delmembers -l list.example.com -m user@example.net -g
>
> to remove the member and send a goodbye message. In older Mailman, it would be something like
>
>     echo user@example.net | mailman members -x - list.example.com
>
> I understand you may have a legal requirement to do this, but these "one-click - no user confirmation" links are a bad idea because usera will reply to a list post or forward it and not remove the link and userb will receive usera's reply and click usera's unsubscribe link either maliciously or thinking it will unsubscribe userb.

-- thanks, Abhilash Raj (maxking)
Abhilash Raj writes:
> If this is one-click, can't this URL be hit by anyone trying to remove the user from any MailingList without any auth or anything?

Mark's suggested implementation, yes. (This is NOT a knock on Mark; he's just providing what the customer asked for.) In particular, this is apparently a marketing newsletter. If somebody gets mad at the company, they can just unsubscribe every address they know of. (And for a small cost on the darkweb, millions of addresses that were never subscribed.) Sadly, GDPR is a collection of a variety of very bad ideas in one place. Almost a textbook on shooting off your own foot.
That said, I have some ideas for how to make this safe for corporate Germany, specifically, keep a database of user-specific OTKs. (These could be time-limited -- with the server returning a "use a more recent message's URL" message -- or permanent.) For the usera/userb reasons Mark gives, and the preview-url reason you give, this is *still* not going to be safe for discussion lists. But if the From: is <noreply@DeutscheKompany.co.de>, so you have to shoulder surf and have a photographic memory to get the user's unsubscribe URL, it should be reasonably secure for announce lists and newsletters.
Perhaps we should implement it?
Steve
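
The database of user-specific OTKs proposed above, sketched as an added example (not code from the thread or from Mailman). `UnsubscribeTokens`, `handle_unsubscribe`, the in-memory table and the 30-day lifetime are assumptions; only the `mailman delmembers` command line comes from the thread.

```python
import hashlib
import secrets
import subprocess
import time

TOKEN_TTL = 30 * 24 * 3600  # assumed lifetime (30 days); the thread fixes none


def _digest(token):
    # Only the hash is stored, so a leaked table does not yield usable URLs.
    return hashlib.sha256(token.encode()).hexdigest()


class UnsubscribeTokens:
    """Hypothetical in-memory stand-in for the database of per-user OTKs."""

    def __init__(self, now=time.time):
        self._now = now
        self._rows = {}  # sha256(token) -> (list_id, address, expiry)

    def issue(self, list_id, address):
        """Mint the unguessable token that goes into one member's footer URL."""
        token = secrets.token_urlsafe(32)
        self._rows[_digest(token)] = (list_id, address, self._now() + TOKEN_TTL)
        return token

    def redeem(self, token):
        """Consume a token; return (status, list_id, address)."""
        row = self._rows.pop(_digest(token), None)
        if row is None:
            return ("invalid", None, None)  # unknown, guessed or already used
        list_id, address, expiry = row
        if self._now() > expiry:
            return ("expired", None, None)  # "use a more recent message's URL"
        return ("ok", list_id, address)


def handle_unsubscribe(store, token, run=None):
    """Handler core: the URL carries only the token, never list or address."""
    status, list_id, address = store.redeem(token)
    if status != "ok":
        return status
    # Argument list, no shell: values come from the token table, not the request.
    argv = ["mailman", "delmembers", "-l", list_id, "-m", address, "-g"]
    (run or (lambda a: subprocess.run(a, check=True)))(argv)
    return "unsubscribed"
```

A forwarded copy or a link-previewing scanner still redeems a valid token, which is why the thread confines this approach to announce lists and newsletters.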
On 8/13/20 7:45 PM, Stephen J. Turnbull wrote:
> That said, I have some ideas for how to make this safe for corporate Germany, specifically, keep a database of user-specific OTKs. (These could be time-limited -- with the server returning a "use a more recent message's URL" message -- or permanent.) For the usera/userb reasons Mark gives, and the preview-url reason you give, this is *still* not going to be safe for discussion lists. But if the From: is <noreply@DeutscheKompany.co.de>, so you have to shoulder surf and have a photographic memory to get the user's unsubscribe URL, it should be reasonably secure for announce lists and newsletters.

I have experience with a one way email newsletter from Constant Contact. These have a link to unsubscribe and also a link to forward the email to someone else. We ultimately added our own

    If you want to forward this email, please press the Constant Contact
    "Forward this email" link below. If you use your
    "forward" button, you might be unsubscribed.

note just above those links because people were forwarding the mail and getting unsubscribed when the person they forwarded it to clicked the unsubscribe link. The real pain is once a user is unsubscribed in this way, the mailing manager can't add her back. She has to personally deal with Constant Contact to get them to remove her from their "do not mail this address" list.

FWIW, our note seems to help reduce if not eliminate the problem.

--
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

Hallo Mark, Thanks a lot for your help. I will discuss this with my boss. Explanation: Our newsletters will be one-way-newsletters, in some way you could call it a marketing newsletter. Best wishes Wolfgang
participants (5): Abhilash Raj, Mark Sapiro, Stephen J. Turnbull, w.schoener@alp.dillingen.de, Ángel