
Re: [Asrg] FeedBack loops

2008-11-14 08:51:40
On Fri, 14 Nov 2008, Chris Lewis wrote:

> Rich Kulawiec wrote:
>> On Fri, Nov 14, 2008 at 12:21:29PM +0000, Ian Eiloart wrote:
>>> They needn't require confirmation. It might be better to send a
>>> notification, including a mechanism for restoring subscription.
>>
>> A decade ago, I would have concurred with this, but given ensuing
>> events, I think it's now a best practice to require confirmation
>> in order to forestall the inevitable abuse.
>
> There are ways to avoid needing confirmation (or worse, passwords) that
> still protect against malicious unsubscribes.
>
> The MAAWG sender BCP talks about saying that unsubs should be a "single
> action", and not require any additional information (eg: "confirmation
> cycle" or password).

The unsubscribe URL could contain a cookie in addition to the email address to prevent malicious unsubscriptions, if such a thing became a problem.

_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
https://www.irtf.org/mailman/listinfo/asrg
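
One way to build the cookie suggested in the message above, as an added example that is not part of the original post or of any list software: a stateless HMAC over the list name and address, checked when the link is followed. The secret, the endpoint URL, the parameter names and the function names are all assumptions made for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumption: a per-installation secret held only by the list server (constructed value).
SECRET = b"constructed-demo-secret-change-me"
BASE_URL = "https://lists.example.org/unsubscribe"  # hypothetical endpoint


def _cookie(list_id: str, address: str) -> str:
    """HMAC-SHA256 over list and normalized address; unguessable without SECRET."""
    msg = f"{list_id}\n{address.strip().lower()}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    # 128 bits of the tag, URL-safe, so the link stays short enough for a mail footer.
    return base64.urlsafe_b64encode(digest[:16]).decode().rstrip("=")


def unsubscribe_url(list_id: str, address: str) -> str:
    """URL placed in each outgoing message; following it is the single action."""
    query = urlencode({"list": list_id, "addr": address, "c": _cookie(list_id, address)})
    return f"{BASE_URL}?{query}"


def verify_unsubscribe(url: str) -> bool:
    """True only if the cookie matches the list and address carried in the URL."""
    params = parse_qs(urlsplit(url).query)
    try:
        list_id, address, cookie = params["list"][0], params["addr"][0], params["c"][0]
    except KeyError:
        return False  # a missing or empty parameter is rejected, never unsubscribed
    expected = _cookie(list_id, address)
    # Constant-time comparison so response timing does not leak the expected cookie.
    return hmac.compare_digest(expected.encode(), cookie.encode())
```

Because the cookie is derived rather than stored, the server needs no per-subscriber state, and a link built for one address does not validate for another.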
