OK, it appears that I stand corrected; I must have missed the part where we were not talking about unsubscribing via email.

On 2/9/2015

So effectively, you are talking about someone being able to
maliciously unsub me from any group by spoofing my email address
in an unsub request,

First, Mark hasn't been talking about the email unsubscribe command. The link in question is carried in a footer to Groups.io messages, and it takes one to a web page with the unsubscribe button. For the malicious person to use it you would have to have forwarded a message to them without trimming the footer. As things are today, the web site requires you to sign in; the question at hand is whether the sign-in requirement can be removed.

Second, in the case of the email unsubscribe command, my proposal was that the unsubscribe take immediate effect (with an undo email sent) only in the cases where Groups.io knows for a certainty* that the message was not spoofed. If the validity of the message is in doubt then perhaps a confirmation request would need to be sent.

* Many of the most popular email services employ DKIM and/or SPF technologies that make it possible for the recipient to be certain when a message actually came from their system.
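The rule proposed above for the email unsubscribe command, sketched as an added example (not part of the original thread and not Groups.io's code): act immediately only when a DKIM or SPF pass covers the From domain, otherwise ask for confirmation. It assumes the list's own inbound mail server records its checks in an `Authentication-Results` header under the hypothetical id `mx.lists.example`; the function name, return values and sample messages are illustrative.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: authserv-id stamped by the list's own inbound MTA, which also
# strips any incoming Authentication-Results header carrying this id.
TRUSTED_AUTHSERV = "mx.lists.example"

def _domain(value):
    return value.rpartition("@")[2].lower()

def unsubscribe_action(raw_message):
    """Return 'unsubscribe_with_undo' or 'send_confirmation_request'."""
    msg = message_from_string(raw_message)
    from_dom = _domain(parseaddr(msg.get("From", ""))[1])
    for header in msg.get_all("Authentication-Results", []):
        parts = [p.strip() for p in " ".join(header.split()).split(";")]
        # Ignore results not written by our own MTA: the sender controls those.
        if parts[0].lower().split()[:1] != [TRUSTED_AUTHSERV]:
            continue
        for result in parts[1:]:
            m = re.match(r"(dkim|spf)=pass\b", result, re.I)
            if not m:
                continue
            prop = "header.d" if m.group(1).lower() == "dkim" else "smtp.mailfrom"
            val = re.search(re.escape(prop) + r"=(\S+)", result)
            # A pass only counts if the authenticated domain is the From domain
            # (strict match; a pass for some other domain proves nothing here).
            if val and from_dom and _domain(val.group(1)) == from_dom:
                return "unsubscribe_with_undo"
    return "send_confirmation_request"

def _sample(auth_results):  # constructed test messages, not real traffic
    return ("Authentication-Results: " + auth_results + "\n"
            "From: Alice <alice@example.org>\n"
            "To: group+unsubscribe@lists.example\n"
            "Subject: unsubscribe\n\n")

GENUINE = _sample("mx.lists.example; dkim=pass header.d=example.org")
SPOOFED = _sample("mx.lists.example; dkim=pass header.d=other.example;"
                  " spf=pass smtp.mailfrom=bounce@other.example")
FORGED_HEADER = _sample("mx.other.example; dkim=pass header.d=example.org")

if __name__ == "__main__":
    for name in ("GENUINE", "SPOOFED", "FORGED_HEADER"):
        print(name, "->", unsubscribe_action(globals()[name]))
```

The domain comparison matters as much as the pass itself: a message can carry a valid signature for the sender's own domain while naming someone else in From.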

