ietf-asrg

Re: [Asrg] FeedBack loops

2008-11-14 08:18:47
Rich Kulawiec wrote:
> On Fri, Nov 14, 2008 at 12:21:29PM +0000, Ian Eiloart wrote:
> > They needn't require confirmation. It might be better to send a
> > notification, including a mechanism for restoring subscription.
>
> A decade ago, I would have concurred with this, but given ensuing
> events, I think it's now a best practice to require confirmation
> in order to forestall the inevitable abuse.

There are ways to avoid needing confirmation (or worse, passwords) that
still protect against malicious unsubscribes.

The MAAWG sender BCP talks about saying that unsubs should be a "single
action", and not require any additional information (eg: "confirmation
cycle" or password).

Each email message's unsub links should contain everything needed to do
an unsub in one action - the user doesn't need to know another password.
It then goes on to say that if malicious unsubscriptions are a concern,
that "everything" could include a magic cookie that only the recipient
of the email sees (in the link) that serves as a password for the unsubs.

Which means that a compliant mailing list, no matter how your address
got on the list, can be unsubbed with a single action, and no
out-of-band info is needed.

"Single action" being intended to mean either unsubs immediately on
clicking the link, or, being presented with a "you're unsubbing from
<x>, <click> to do it".  Not a password or confirmation.

_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
https://www.irtf.org/mailman/listinfo/asrg
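
The "magic cookie" unsubscribe link described in the message above, as an added example that is not part of the original post or of the MAAWG document. It assumes the cookie is an HMAC-SHA256 over the list name and recipient address under a key only the list operator holds; the endpoint URL, parameter names, key and addresses are all constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed demo values; a real list server would load the key from a secret store.
SECRET_KEY = b"constructed-demo-key"
BASE_URL = "https://lists.example.org/unsub"  # hypothetical endpoint


def cookie_for(list_id: str, address: str) -> str:
    """Per-recipient cookie: HMAC over length-prefixed (list, address)."""
    addr = address.strip().lower()
    msg = f"{len(list_id)}:{list_id}|{len(addr)}:{addr}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def unsub_link(list_id: str, address: str) -> str:
    """Link embedded in each outgoing message; carries everything the unsub needs."""
    query = urlencode(
        {"list": list_id, "addr": address, "c": cookie_for(list_id, address)}
    )
    return f"{BASE_URL}?{query}"


def handle_unsub(url: str, subscribers: dict) -> bool:
    """One click: verify the cookie, then remove the address. No password, no confirmation mail."""
    params = parse_qs(urlparse(url).query)
    try:
        list_id = params["list"][0]
        address = params["addr"][0]
        cookie = params["c"][0]
    except (KeyError, IndexError):
        return False  # a required parameter is missing
    expected = cookie_for(list_id, address)
    # Constant-time comparison; bytes so that non-ASCII input cannot raise.
    if not hmac.compare_digest(cookie.encode(), expected.encode()):
        return False  # cookie does not match this address: reject the request
    subscribers.get(list_id, set()).discard(address.strip().lower())
    return True


if __name__ == "__main__":
    subs = {"asrg": {"alice@example.org", "bob@example.org"}}
    print(handle_unsub(unsub_link("asrg", "alice@example.org"), subs), subs)
```

Because the cookie is derived from the address rather than stored, the server needs no per-subscriber token table, and a link forwarded along with the message still only unsubscribes the original recipient.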
