Access to unsubscribe and change settings
A member can change their settings and unsubscribe using the web interface. This web interface account requires the email address and password for access.
On most mailing lists, in order to make things simple, users do not have a password and only need their email address in order to access the web interface. This means that if someone knows another
person's email address, they can log into the web interface as that person and then act on their behalf. In practice, this problem occurs rarely, but you may nonetheless want to prevent this
security breach.
The simplest way to prevent this is to require passwords on your mailing list. As the list administrator, you can set your mailing list up to require that every member have a password. After this
is set, members who subscribe by email are assigned a random password and notified of it. Subscription requests from the web interface require that the person fill in a choice for their password.
Once passwords are used, it is much more difficult for a malicious person to affect other people's subscriptions. For added security, you can use a secure web server (using SSL) or restrict web
interface access using your web server's security measures (i.e., an additional name/password combination, or a TCP/IP address block). Lyris List Manager also supports TCP/IP address blocks for both
the user and admin portions of the web interface, so you can optionally lock out the web interface from any TCP/IP address that is not pre-approved.
Lyris List Manager supports unsubscribing by email. The simplest way to unsubscribe from a mailing list is to send email to the unsubscribe address which Lyris List Manager custom-makes for each
member. For example, if you are on a mailing list called "jazztalk", the unsubscribe address that it displays for you might be:
leave-jazztalk-4323P@lyris.net
Only member 4323 will see this address. When email comes into Lyris List Manager with this address, it will unsubscribe that member. The final "P" on the address is a "check
character". This means that if someone malicious changes the number to something else, say "4000", by mailing to "leave-jazztalk-4000P@lyris.net", Lyris List Manager will see that this number
has been tampered with, because "P" is not the correct "check character" for the number "4000". In this case, Lyris List Manager will interpret the message as if it were sent to
"leave-jazztalk@lyris.net" and unsubscribe the sender of the message.
Lyris List Manager has three levels of unsubscribe confirmations. An unsubscribe confirmation is an additional step that is taken when someone tries to unsubscribe -- instead of immediately
unsubscribing the person, Lyris List Manager sends an unsubscribe confirmation email message to the email address of the member. The member then receives the email message and follows the
instructions (which involve replying to the message) in order to be unsubscribed.
By default, all mailing lists are set to confirm "suspicious" unsubscribes. By "suspicious", we mean an unsubscribe request where something does not look right about it. For example, if the MAIL
FROM (i.e., Return-Path:) or the From: address does not match the address of the member being unsubscribed, Lyris List Manager considers the unsubscribe "suspicious" and sends a confirmation
request for it.
As a list administrator, you can also choose to never have unsubscribe confirmations, or to confirm all unsubscribes. You might want to never confirm unsubscribes on an announcement list, where
members are not aware of each other, and thus cannot try to maliciously unsubscribe each other. On a close-knit discussion group, where all the members should stay on the mailing list, you might
want to confirm all unsubscribes.
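The per-member unsubscribe address and the "suspicious" unsubscribe check described above, as an added example that is not Lyris List Manager's own code: it builds a leave address for a member, verifies the check character on an incoming request (falling back to the sender when the number has been tampered with), and then applies the never / suspicious / all confirmation policy. The page does not say how Lyris derives its check character; the keyed-hash derivation, the secret key and the member table here are assumptions, so the letter produced will not match the "P" in the page's example.

```python
import hashlib
import hmac
import re
import string

# Constructed sample data; not a real list or real members.
LIST_NAME = "jazztalk"
LIST_DOMAIN = "lyris.net"
MEMBERS = {4323: "alice@example.com", 4000: "carol@example.com"}
# Assumed: the page does not say how the check character is derived.
# A keyed hash means a forger cannot compute the letter for another member number.
SECRET_KEY = b"constructed-secret"

LEAVE_RE = re.compile(
    r"^leave-(?P<list>[^-@]+)(?:-(?P<id>\d+)(?P<check>[A-Z]))?@(?P<domain>.+)$", re.I)

def check_char(member_id):
    """One uppercase letter bound to the member number (assumed construction)."""
    mac = hmac.new(SECRET_KEY, str(member_id).encode(), hashlib.sha256).digest()
    return string.ascii_uppercase[mac[0] % 26]

def leave_address(member_id):
    """Per-member unsubscribe address, e.g. leave-jazztalk-4323<check>@lyris.net."""
    return f"leave-{LIST_NAME}-{member_id}{check_char(member_id)}@{LIST_DOMAIN}"

def resolve_target(to_addr, sender):
    """Address the request applies to: the numbered member when the check character
    verifies, otherwise the sender, as for the plain leave-jazztalk@ address."""
    m = LEAVE_RE.match(to_addr)
    if not m or m["list"].lower() != LIST_NAME or m["domain"].lower() != LIST_DOMAIN:
        return None  # not an unsubscribe address for this list
    if m["id"] is not None:
        member_id = int(m["id"])
        if member_id in MEMBERS and hmac.compare_digest(m["check"].upper(), check_char(member_id)):
            return MEMBERS[member_id]
    return sender.lower()  # tampered or absent number: act on the sender only

def unsubscribe_action(to_addr, return_path, header_from, policy="suspicious"):
    """Returns ("unsubscribe", addr), ("confirm", addr) or ("ignore", None).
    policy is "never", "suspicious" (the default described on the page) or "all"."""
    target = resolve_target(to_addr, return_path)
    if target is None or target not in MEMBERS.values():
        return ("ignore", None)
    # Suspicious: envelope sender or From: header differs from the member's address.
    suspicious = return_path.lower() != target or header_from.lower() != target
    if policy == "all" or (policy == "suspicious" and suspicious):
        return ("confirm", target)
    return ("unsubscribe", target)
```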
Note: Identification of the email address to unsubscribe is a major problem with most other list managers. For example, if you subscribe to a mailing list with the email address "bob@acme.com" and
then a corporate mail system change causes your email address to become "bob@mail.acme.com", most list managers will not be able to automatically unsubscribe you, because they will not know that you
are the same person in both cases.
Some list managers, such as majordomo, let you specify another email address to unsubscribe. This approach solves the immediate problem of not being able to unsubscribe, but has several major
problems. First, it is a major security hole to allow anyone to be able to unsubscribe any other email address they please. Secondly, this solution presumes that the person realizes that their email
address has changed in this subtle way and knows enough about the list manager to issue this modified unsubscribe command. Some list managers work around this second problem by allowing people to
obtain the list of members, to see if some previous email address of theirs is on it. Of course, this solution is also a security hole, since it allows anyone to obtain your member list.
The Lyris List Manager approach of per-member unsubscribe addresses with a check-character does not suffer from any of these security flaws. It requires no special knowledge on the part of the
member, and works very well.
The per-member unsubscribe address is implemented as a mail merge tag, so that each member receives a unique email message, customized for their membership. By default, this tag is inserted in the
header of each outgoing message and is also defined in the default footer. You can remove either tag, as you wish, though for infrequent announcement lists we recommend leaving the unsubscribe
directions in the footer.
As far as changing settings by email is concerned, Lyris List Manager does not send a confirmation message when a setting has been changed. However, it does send a notification email message to the
email address of the member, letting them know that their settings have been changed. This is generally effective in preventing security problems, as changing other people's settings is not a common
type of security breach.