mailing list is to send email to the unsubscribe address which ListManager custom-
makes for each member. For example, if you are on a mailing list called "jazztalk", the
unsubscribe address that it displays for you might be:
Only member 4323 will see this address. When email comes into ListManager with this
address, it will unsubscribe that member. The final "P" on the address is a "check
character". This means that if someone malicious changes the number to something
else, say "4000", by mailing to "leave-jazztalk-4000P@lyris.net", that ListManager will
see that this number has been tampered with, because "P" is not the correct "check
character" for the number "4000". In this case, ListManager will interpret the message
as if it were sent to "firstname.lastname@example.org" and unsubscribe the sender of the
ListManager has three levels of unsubscribe confirmations. An unsubscribe
confirmation is an additional step that is taken when someone tries to unsubscribe --
instead of immediately unsubscribing the person, ListManager sends an unsubscribe
confirmation email message to the email address of the member. The member then
receives the email message and follows the instructions (which involve replying to the
message) in order to be unsubscribed.
By default, all mailing lists are set to confirm "suspicious" unsubscribes. By
"suspicious", we mean an unsubscribe request where something does not look right
about it. For example, if the MAIL FROM (i.e., Return-Path:) or the From: does not match the
address of the member being unsubscribed, ListManager treats the unsubscribe as
"suspicious" and issues a confirmation for it.
As a list administrator, you can also choose to never have unsubscribe confirmations,
or to confirm all unsubscribes. You might want to never confirm unsubscribes on an
announcement list, where members are not aware of each other, and thus cannot try to
maliciously unsubscribe each other. On a close-knit discussion group, where all the
members should stay on the mailing list, you might want to confirm all unsubscribes.
Note: Identification of the email address to unsubscribe is a major problem with most
other list managers. For example, if you subscribe to a mailing list with the email
address "email@example.com" and then a corporate mail system change causes your email
address to become "firstname.lastname@example.org", most list managers will not be able to
automatically unsubscribe you, because they will not know that you are the same
person in both cases.
Some list managers, such as majordomo, let you specify another email address to
unsubscribe. This approach solves the immediate problem of not being able to
unsubscribe, but has several major problems. First, it is a major security hole to allow
anyone to be able to unsubscribe any other email address they please. Secondly, this
solution presumes that the person realizes that their email address has changed in this
subtle way and knows enough about the list manager to issue this modified unsubscribe
command. Some list managers work around this second problem by allowing people to
obtain the list of members, to see if some previous email address of theirs is on it. Of
course, this solution is also a security hole, since it allows anyone to obtain your
The ListManager approach of per-member unsubscribe addresses with a check-
character does not suffer from any of these security flaws. It requires no special
knowledge on the part of the member, and works very well.
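As an added illustration of the per-member address described above (this is not ListManager's code, and the page does not give its check-character algorithm, so the position-weighted digit sum used here is an assumption and will not reproduce the "P" of the "4323P" example), the block below mints a leave-<list>-<id><check>@<domain> address, validates the check character on incoming mail, and applies the fallback the text describes: a tampered number is treated like mail to the plain leave-<list>@ address, so the sender, not the edited member number, is the one unsubscribed. The membership table and addresses are constructed sample values.

```python
import re
import string

ALPHABET = string.ascii_uppercase


def check_char(member_id: int) -> str:
    """Assumed check-character scheme: position-weighted digit sum modulo 26,
    mapped to A-Z. (ListManager's real scheme is not given on the page.)"""
    digits = [int(d) for d in str(member_id)]
    total = sum((pos + 1) * d for pos, d in enumerate(digits))
    return ALPHABET[total % 26]


def make_unsubscribe_address(list_name: str, member_id: int, domain: str) -> str:
    """Mint the per-member address of the form leave-<list>-<id><check>@<domain>."""
    return f"leave-{list_name}-{member_id}{check_char(member_id)}@{domain}"


# The list name may itself contain hyphens; the id is the final run of digits
# before the single check letter.
ADDRESS_RE = re.compile(r"^leave-(?P<list>.+)-(?P<id>\d+)(?P<chk>[A-Z])@(?P<domain>[^@]+)$")


def resolve_unsubscribe(to_address: str, sender: str, members: dict) -> tuple:
    """Decide whom an incoming message to a per-member address unsubscribes.

    Returns (list_name, address_to_unsubscribe).  A valid check character
    names the member the address was minted for.  A tampered number (or a
    well-formed number that is not a member, treated the same here) makes the
    request behave like mail to the plain leave-<list>@ address: the sender is
    the one unsubscribed, so editing the id cannot remove someone else.
    """
    m = ADDRESS_RE.match(to_address.strip())
    if not m:
        raise ValueError(f"not a per-member unsubscribe address: {to_address!r}")
    list_name, member_id = m.group("list"), int(m.group("id"))
    if m.group("chk") == check_char(member_id) and member_id in members:
        return list_name, members[member_id]
    return list_name, sender.lower()


# Constructed membership table: member id -> address.
MEMBERS = {4323: "member4323@example.com"}

if __name__ == "__main__":
    addr = make_unsubscribe_address("jazztalk", 4323, "lyris.net")
    print(addr)
    print(resolve_unsubscribe(addr, "member4323@example.com", MEMBERS))
    # Same address with the number edited to 4000: check letter no longer fits.
    print(resolve_unsubscribe("leave-jazztalk-4000C@lyris.net", "someone@example.net", MEMBERS))
```

A single letter has only 26 values, so it catches accidental edits and casual tampering rather than determined guessing; a longer keyed tag over the member id (a truncated HMAC, for instance) would strengthen the check without changing the flow shown here.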
The per-member unsubscribe address is implemented as a mail merge tag, so that
each member receives a unique email message, customized for their membership. By
default, this tag is inserted in the header of each outgoing message and is also defined
in the default footer. You can remove either tag, as you wish, though we recommend
that for infrequent announcement lists, you ought to leave the unsubscribe directions in
As far as changing settings by email is concerned, ListManager does not send a
confirmation message when a setting has been changed. However, it does send a
notification email message to the email address of the member, letting them know that
their settings have been changed. This is generally effective in preventing security
problems, as changing other people's settings is not a common type of security breach.
How ListManager Determines the Identity of the Person
When mail comes into a mailing list for distribution, ListManager looks at the From:
header, extracts the email address and looks the email address up in the list of
members for that list. If the email addresses match, the message is assumed to be
from that member.
If the email address does not match, ListManager looks to see if the From: field
contains a full name of a person. If it does, it looks that full name up to see if they are a
member of the mailing list. If the full name matches, then the posting is assumed to be
by that member. ListManager uses this technique to work around a common problem
with list managers: if only members are allowed to post and the list manager knows
people only by their email address, then people with multiple email addresses will be
continually refused the right to post, because their alternate email addresses are not
listed as members. Since ListManager matches on the email address, and if that fails,
on the full name, in a wide variety of situations it correctly identifies the member and
their posting is not refused as being "not from a member of this list".
We do not see this feature as a security violation, because the From: field is already
insecure. If someone wants to forge their identity, they can easily, with a program such
as Netscape, assume that person's email address for their From: field. Given this fact,
allowing people's posts through because the name matches does not make
ListManager any less secure. When well meaning people try to post and have a slightly
different email address, they are not aggravated by a list manager which refuses to
Steps to Restrict False Impersonations
If you do not require your members to have passwords, then non-members may be able
to get their way into your mailing list and read the archives, if they know just the email
address of a member on your list. The reason for this is that ListManager protects
members with a username/password combination, with the email address as the
username. Thus, if your members have no passwords defined, it is fairly easy to log in
If this concerns you, you can set your mailing list to require member passwords. If you
enable this list setting, ListManager will automatically assign a random password to
subscriptions obtained via email and notify the subscriber of their password. These
generated passwords are built on an easy to remember adjective-noun combination, so
that they do not present an overwhelmingly difficult password to remember. With this
option enabled, subscriptions over the web will require a password to be given when the
Subscription form is filled out in order to be approved.
How ListManager Decides Who to Unsubscribe
There are four ways to unsubscribe from a ListManager mailing list:
1. Log into the discussion forum interface, select My Forums, and click Unsubscribe
next to a list.
2. Send the command "unsubscribe listname" to email@example.com.
3. Send the command "unsubscribe listname your-email-address" to lyris@your-server-
4. Forward any posting you receive from a mailing list to the unsubscribe-
If an unsubscribe request is made with the "unsubscribe" command sent to lyris@this-
ListManager-server.com, as in "unsubscribe jazztalk", then the person named in the
From: field is unsubscribed. If the email address named in the From: field is not a
member, ListManager returns a message to that person saying that they could not be
ListManager also provides the option of naming an email address on the "unsubscribe"
command line, such as the command "unsubscribe jazztalk firstname.lastname@example.org". In
such a case, if unsubscribe confirmations are enabled for the list, a confirmation
message is sent to the subscriber to ensure that they are the same person and that
someone else is not trying to unsubscribe them.
When mail is received at the "unsubscribe-listname@…" address, ListManager tries to
determine who the subscriber is and automatically removes them. In most situations,
this works very well.
The ListManager unsubscribing logic for unsubscribe requests received at the
"unsubscribe-listname@…" is fairly sophisticated, and here is how it works. When
ListManager receives a message to the "unsubscribe-listname@…" address,
ListManager goes through the following steps:
1. It first looks for X-Lyris-Member-ID in the header. If it's there, that's who gets
unsubscribed. This catches almost all cases, except when the forwarding program
strips out the headers (such as in this example).
2. It looks for a purgeid tag in the header (X-Lyris-To:) and then in the body. If it's there,
that person gets unsubscribed. Note: purgeid tags are "cleaned up" before they are re-
posted to a list (i.e., in a quoted message), by removing the square brackets. In the
example below, the square-bracketed email address clearly identifies "wantsoff", so that is
who gets unsubscribed. Also note that MS-Mail generated addresses with the text
[SMTP:...] are correctly skipped by ListManager.
3. It looks at the Return-Path (the MAIL FROM:<> sender) and sees if it's a member. If
it is, then this is likely a forwarded message, and that person is unsubscribed. Pegasus
Mail does this.
4. Finally, if none of the above is valid, the person named in the From: header is
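The four-step lookup above, together with the "suspicious unsubscribe" rule from the confirmation section earlier (confirm when MAIL FROM / Return-Path: or From: does not match the member being removed), as an added example written for this page rather than ListManager's own code. The header names X-Lyris-Member-ID and X-Lyris-To and the bracketed purgeid form come from the text; the membership table, the two forwarded messages and the X-Lyris-To-before-body ordering are constructed assumptions.

```python
import email
import email.utils
import re

# Constructed membership table for the "jazztalk" list (address -> member id).
MEMBERS = {
    "wantsoff@example.com": 4323,
    "forwarder@example.com": 4400,
}

# Purgeid tag: an address in square brackets.  MS-Mail "[SMTP:...]" tags are skipped.
PURGEID_RE = re.compile(r"\[(?!SMTP:)([^\]\s]+@[^\]\s]+)\]", re.IGNORECASE)


def _addr(header_value):
    """Bare, lower-cased address from a header such as 'Name <user@host>'."""
    return email.utils.parseaddr(header_value or "")[1].lower()


def _find_purgeid(text, members):
    """First bracketed address in text that belongs to a member, else None."""
    for candidate in PURGEID_RE.findall(text or ""):
        if candidate.lower() in members:
            return candidate.lower()
    return None


def identify_unsubscriber(raw_message, members=MEMBERS):
    """Apply the four steps in order; return (address, which_step_matched)."""
    msg = email.message_from_string(raw_message)

    # Step 1: explicit member id header, present only if the forwarder kept it.
    member_id = (msg.get("X-Lyris-Member-ID") or "").strip()
    if member_id.isdigit():
        by_id = {mid: addr for addr, mid in members.items()}
        if int(member_id) in by_id:
            return by_id[int(member_id)], "X-Lyris-Member-ID"

    # Step 2: purgeid tag, header first, then the (possibly quoted) body.
    for source, label in ((msg.get("X-Lyris-To"), "X-Lyris-To"),
                          (msg.get_payload(), "purgeid in body")):
        hit = _find_purgeid(source, members)
        if hit:
            return hit, label

    # Step 3: envelope sender (Return-Path) is a member -> a forwarded message.
    return_path = _addr(msg.get("Return-Path"))
    if return_path in members:
        return return_path, "Return-Path"

    # Step 4: fall back to the From: header; the caller checks membership.
    return _addr(msg.get("From")), "From"


def needs_confirmation(raw_message, target, policy="suspicious"):
    """Confirmation policy: 'never', 'always', or 'suspicious' (the default).
    A request is suspicious when MAIL FROM (Return-Path) or From: does not
    match the address about to be unsubscribed."""
    if policy == "never":
        return False
    if policy == "always":
        return True
    msg = email.message_from_string(raw_message)
    return _addr(msg.get("Return-Path")) != target or _addr(msg.get("From")) != target


# Constructed sample 1: a forward whose X-Lyris headers were stripped; the
# quoted body still carries the bracketed purgeid of the member who wants off.
FORWARD_WITHOUT_HEADERS = """\
Return-Path: <someone@example.net>
From: Someone Else <someone@example.net>
To: unsubscribe-jazztalk@lists.example.org
Subject: Fwd: jazztalk posting

> [wantsoff@example.com]
> original posting text
"""

# Constructed sample 2: Pegasus-style forward; only the envelope sender
# identifies the member, and the MS-Mail [SMTP:...] tag must be ignored.
FORWARD_BY_RETURN_PATH = """\
Return-Path: <forwarder@example.com>
From: Forwarder <forwarder@example.com>
To: unsubscribe-jazztalk@lists.example.org

[SMTP:nobody@example.org] forwarded text
"""

if __name__ == "__main__":
    for raw in (FORWARD_WITHOUT_HEADERS, FORWARD_BY_RETURN_PATH):
        who, how = identify_unsubscriber(raw)
        print(who, "via", how, "- confirm:", needs_confirmation(raw, who))
```

In the first sample the member is found from the quoted purgeid while the From: and envelope sender belong to someone else, so the default policy sends a confirmation before removing "wantsoff"; in the second, the envelope sender is the member and matches From:, so the request is not suspicious and goes through without one.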
Security Considerations of the "From:" field
The From: field in email messages is insecure. Many mail programs, such as Netscape
Mail and Pegasus Mail, allow you to tailor the From: field to say absolutely anything you
want. Thus, it is easy for anyone to send mail to someone else and have a forged
Therefore, when messages come into ListManager, it is possible that they are forged
and that the From: is not really who the message was written by. There is no good
solution to this email authentication problem at the current time. There are secure
email standards, but these are not in widespread use, so they cannot be used by
With discussion groups, the insecurity of the From: field is not usually a problem.
People tend not to be malicious.
With announcement lists, we suggest that you implement additional security measures
to prevent unwanted postings.
The two most commonly recommended approaches are:
1. Moderate your mailing list, so that you receive a confirmation request before the
posting is allowed through to the list.
2. Require that the user password be included in the body of the message.
See Utilities: List Settings: Email Submitted Content: Security for more information.
ListManager can send a "confirmation request" when a person asks to subscribe to a
mailing list. The confirmation request message is sent to the email address that was
subscribed. The person must receive this confirmation request message, and reply to
it, in order for the membership to be activated. With a confirmed subscription,
ListManager has proven that the email address given to it is indeed the email address
of the person who requested the subscription.
Confirmed subscriptions prevent two problems:
1. People sometimes join a mailing list under a fake email address, in order to post
harassing or otherwise inappropriate messages to the mailing list. With a confirmed
subscription, people must use an email address that they can receive email at, which
provides a "paper trail" that points back to a real person.
2. In order to harass other people, some malicious people will subscribe the other
person to mailing lists that the person never asked to be signed up to. If enough
mailing lists are involved, the person may receive a huge amount of email and this can
be a real inconvenience to them. This is especially a problem when a web form is used
to subscribe people, as it is very easy to enter someone else's email address in that
form. Confirmed subscriptions solve this problem, because the person being abused
gets the confirmation request and does not confirm, so that their membership is never
You may configure subscription confirmations in Utilities: List Settings: New Subscriber
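The confirmed-subscription flow described above, as an added example that is not ListManager's code: a request only creates a pending entry, the confirmation text is mailed to the subscribed address alone, and the membership is activated only when a reply carries that text back. Binding a random single-use token to the pending request, expiring unanswered requests, and the "confirm <list> <token>" line format are design assumptions for this illustration; the addresses in the usage section are constructed.

```python
import re
import secrets
import time

# Assumed lifetime of an unanswered confirmation request (not a value from the page).
DEFAULT_TTL_SECONDS = 3 * 24 * 3600

CONFIRM_LINE = re.compile(r"^\s*confirm\s+(\S+)\s+(\S+)\s*$", re.MULTILINE)


class SubscriptionStore:
    """Pending requests keyed by a random token; members only after confirmation."""

    def __init__(self, clock=time.time, ttl=DEFAULT_TTL_SECONDS):
        self.clock = clock
        self.ttl = ttl
        self.pending = {}   # token -> (list_name, address, issued_at)
        self.members = {}   # list_name -> set of confirmed addresses

    def request_subscription(self, list_name, address):
        """Record a pending request.  Returns (recipient, confirmation line).
        The line is mailed only to `address`, so only someone who can read that
        mailbox can complete the subscription, whatever the request's From: said."""
        token = secrets.token_urlsafe(24)
        self.pending[token] = (list_name, address.lower(), self.clock())
        return address, f"confirm {list_name} {token}"

    def handle_reply(self, body):
        """Process the body of a reply to a confirmation request."""
        m = CONFIRM_LINE.search(body)
        if not m:
            return "no confirmation line"
        list_name, token = m.group(1), m.group(2)
        entry = self.pending.pop(token, None)   # single use: consumed whether or not it succeeds
        if entry is None:
            return "unknown or already used token"
        stored_list, address, issued_at = entry
        if stored_list != list_name:
            return "list mismatch"
        if self.clock() - issued_at > self.ttl:
            return "expired"
        self.members.setdefault(list_name, set()).add(address)
        return f"activated {address} on {list_name}"

    def is_member(self, list_name, address):
        return address.lower() in self.members.get(list_name, set())

    def purge_expired(self):
        """Drop stale requests, e.g. ones a third party submitted for an address
        whose owner never replied; nothing is ever activated for them."""
        now = self.clock()
        stale = [t for t, (_, _, issued) in self.pending.items() if now - issued > self.ttl]
        for t in stale:
            del self.pending[t]
        return len(stale)


if __name__ == "__main__":
    store = SubscriptionStore()
    recipient, line = store.request_subscription("jazztalk", "alice@example.com")
    print("mail to", recipient, "containing:", line)
    print(store.handle_reply("Yes please.\n" + line))
    print(store.is_member("jazztalk", "alice@example.com"))
```

Because activation depends only on the token coming back, a forged From: on the original request buys nothing: the request for an address someone else entered sits in the pending table until it expires, and the address is never subscribed.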