On Thu, Feb 25, 2021 at 12:28 AM, Andy wrote:
So if person A forwards a group email to person B, and person B clicks on the "unsub" link in the footer of that email, person B should not be able to unsubscribe person A, unless person B also knows person A's login password -- right?No. The Unsubscribe link in the email footer is personalised, in common with so many other mailing lists. So if person A forwards an email with an unsubscribe link at the bottom, they are effectively giving away their credentials for that group and there is no need for person B to login to unsubscribe person A. When the unsubscribe is completed in this way, Groups.io sends one further email to the unsubscribed account address with a resubscribe link.
As I said, personalised unsubscribe links are used in many mailing lists and very commonly in advertising emails so it is not a specific feature of Groups.io. People either don't think or don't realise what they are sending when they forward these types of emails to others. I make a habit of editing out any unsubscribe links if I forward an email to someone else.
That was one of the concerns I had too. Also if person B fakes person A's "from" email address and sends an email to the +unsubscribe address, there is a confirmation email that only goes to person A, so person B should not be able to confirm.If Groups.io receives an unsubscribe request via email (that apparently comes from person A), Groups.io sends a confirmation email to the account address. The 'From' address of the confirmation email contains the group name and two strings of numbers (which is personalised information for 'A'), and when a message is sent to that address, Groups.io unsubscribes the account from the group. The message sent to that address would typically come from person A sending a reply but if person B has access to person A's email account then they could reply instead. However, if person A forwards the confirmation email to person B (effectively giving away their credentials), then person B could send an email to that 'From' address and unsubscribe person A. When someone unsubscribes via email, no email from Groups.io with a resubscribe link is sent.
From my limited testing over a short period of time, the 'From' address on a unsubscribe confirmation email is unique to a person and group and may not be time limited so any message sent to that address at any time would unsubscribe that person/group combination. Why they would come back into a group with different subscription options is a mystery to me. I believe (and someone correct me if I'm wrong) that using a re-subscribe link should keep the same settings but just going through a 'standard' join process, they should end up with the group defaults (those in Default Sub Settings).