
locked Re: Unsubscribing others... this seems to be possible

Jeff Powell <jrpstonecarver@...>
 

Well, it can amount to a denial of service attack against the person who posted the link, and so might be viewed as a bit more of an issue.

I could easily write a script using wget that would unsubscribe the person in question every 2 minutes, forever. Or so I think. (The resulting web page does want a confirmation, but I'd just have to parse the return page and wget that as well. Not too hard.)

And that link is out there forever.

If unsubscribe links expired or were tied to an IP address, that would help to some degree.

Removing them entirely would fix it, of course, at the expense of making the system less useful. But maybe an unsubscribe link should take people to a page where they have to log in and prove they are who they say they are before unsubscribing them, given this issue?

This is all just thinking out loud, but there was a bit of chaos this morning. It was a moderator who got unsubscribed, and it took him an hour to figure it out. I woke up to find one of my co-moderators had left with no explanation, and it made me more than a little nervous.  (Welcome to the new list... poof, you've lost a moderator!) Yowch!

Anyway, in the words of both Luke (first) and Han, "I have a bad feeling about this."

--jeffp




locked Re: Unsubscribing others... this seems to be possible

 

LOL. In the early days of our group, we had someone who copy/pasted her entire confirmation email, complete with confirm link, to the group, to show someone how to confirm. I don't remember the result (and can't find it because I deleted the message, and possibly the entire thread), but suffice to say it was chaos. I think it's just an occupational hazard, and you just have to tell people not to do it.
--
J

Messages are the sole opinion of the author. 

I wish I could shut up, but I can't, and I won't. - Desmond Tutu


locked Unsubscribing others... this seems to be possible

Jeff Powell <jrpstonecarver@...>
 

Hi All,

We just tripped over something, and I think it's pretty general. Thought I'd mention it here and see if others have thought it through.

Person X sends a message to the group. No problem. When each user gets that message, it contains a link to unsubscribe from the list, and that link is apparently unique to their account. If a list has 10k users, there are 10k different links to let each one unsubscribe in response to that message.

Person Y gets the message and replies to the list. Fine. It appears groups.io strips out the links in the footer of any replies, so the link that lets person Y remove themself from the group is gone. All well and good.

But suppose person Y does something odd.  Suppose they copy & paste the message itself - including the unsubscribe link - into the body of their email. In that case, groups.io doesn't remove the link in the message body, and everyone getting the message can click on it and unsubscribe person Y from the list.

And to go with that, suppose person Y forwards the email in question off list entirely, to person Z. Person Z - being malicious - clicks on the unsubscribe link as well and *poof* person Y is unsubscribed.

Now, in all cases Person Y can return to the list easily by clicking on a link in an email they will get when they are unsubscribed, telling them they were removed and giving them a way back in. But in the first case that unsubscribe link is now in the message archives, and in the second case it's "in the wild". Malicious users (either in or out of the list) could unsubscribe person Y at any time - potentially for years - unless that link expires.

We discovered this the hard way this morning. Someone posted to our list asking to be removed. (Not the best action, we know, but humans are involved, so, yeah.) Someone else replied and copied the bottom of a message into their message, showing where the remove link is. And of course, the OP clicked on the link, removing the person who replied.

The immediate situation has been remedied, but the problem can - and no doubt will - occur again.

I can't see any fixes I really like. Remove the unsubscribe line entirely? Tie the unsubscribe link to the IP address of the machine sending the original email? Something else?

Before I report this to support I figured I'd mention it here and see if others have encountered it, and if there has been any discussion of it.

Thanks!

--jeffp
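
The mitigations raised in this thread (unsubscribe links that expire, and an unsubscribe page that requires login), together with scrubbing a pasted link from a message body before it is distributed or archived, sketched as an added example. This is not Groups.io's code: the URL layout, the signing key, the 7-day lifetime and all function names are assumptions.

```python
import hashlib
import hmac
import re
from typing import Optional

SECRET = b"constructed-demo-key"                   # assumption: server-side secret
BASE = "https://lists.example.invalid/unsub/"      # hypothetical URL layout
MAX_AGE = 7 * 24 * 3600                            # assumption: links live 7 days

def _sig(data: str) -> str:
    return hmac.new(SECRET, data.encode(), hashlib.sha256).hexdigest()[:32]

def mint_link(member_id: int, group: str, now: float) -> str:
    """Per-recipient link carrying member id, issue time and group, signed."""
    data = f"{member_id}.{int(now)}.{group}"
    return f"{BASE}{data}.{_sig(data)}"

def check_link(url: str, now: float, session_member: Optional[int] = None) -> str:
    """Return 'unsubscribe', 'login_required', 'expired' or 'invalid'."""
    if not url.startswith(BASE):
        return "invalid"
    data, _, sig = url[len(BASE):].rpartition(".")
    if not hmac.compare_digest(sig.encode(), _sig(data).encode()):
        return "invalid"
    parts = data.split(".", 2)
    if len(parts) != 3 or not (parts[0].isdecimal() and parts[1].isdecimal()):
        return "invalid"
    member_id, issued = int(parts[0]), int(parts[1])
    if now - issued > MAX_AGE:
        return "expired"                # an archived link stops working
    if session_member != member_id:
        return "login_required"         # clicking alone no longer unsubscribes
    return "unsubscribe"

# Matches any link minted above, wherever it appears in a message body.
LINK_RE = re.compile(re.escape(BASE) + r"[\w.\-]+")

def scrub_body(body: str) -> str:
    """Redact pasted unsubscribe links before the message is sent or archived."""
    return LINK_RE.sub("[unsubscribe link removed]", body)
```

With the login check in place the link only identifies which subscription to remove; it stops being a credential that anyone holding the URL can use.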






locked Re: member confirmation - a possible alternative #suggestion

 

This still has nothing to do with confirmation of the email address.
--
J



locked Re: member confirmation - a possible alternative #suggestion

Bob Bellizzi
 

For over 15 years we have operated a genetic eye disease support group both here and at Yahoo.

Because I still see occasional idiots (and persons of ill repute) who attempt to join legitimate groups (shades of the old CB Radio H&D people) we set up a mandatory procedure every applicant must complete prior to being accepted.  Doesn't matter how they find us, they must fill in the form on our website prior to being direct joined.

The intent of the form is twofold: to discourage group busters and to collect information for potential scientific study because the genetic makeup of our disease is unknown and may possibly be multi genetic or combinatorial.

We require first and last name, full postal address, telephone number, age, age @ diagnosis, gender, and other information.

Applicants are free to decline as we are free to refuse them.

We also have a very tight set of terms and conditions all must agree to.

We did ask Mark for minor changes to groups.io to accommodate us and he obliged.

BTW, all newbies are automatically moderated for (currently) their first 4 postings.

IMHO no group provider can possibly provide everything everyone wishes to have.  It's better to focus on items that you can sell to the groups-meister as needful and applicable to any current or future group.

We can't expect groups-meister to make every change we can think up.  Give the guy a break.

Bob Bellizzi, The Corneal Dystrophy Foundation & group FuchsFriends


locked Re: member confirmation - a possible alternative #suggestion

 

jeffp,

Found it. Oddball route... still no base link anywhere I know of, but I
found links to cards in trello, and from there got to the base. For the
record, it seems to be here:

https://trello.com/b/qu3WgzVq/beta
The link's in the Group Description, on beta@'s Home page.


Shal
https://groups.io/g/Group_Help
https://groups.io/g/GroupManagersForum


locked Bounce-track the Confirm "Your Groups.io Account" message #suggestion

 

Mark,

Relating to the recent discussion of trouble with members confirming their email addresses...

I noticed that in a test I made in February the "Confirm Your Groups.io Account" notice sent to the supplied address does not appear to include bounce tracking. In particular, rather than an encoding such as seen in a group message, it has:

Return-Path: <noreply@groups.io>

I recommend that these messages (all notifications, actually) be bounce tracked the same as group messages.

In the case of confirming an email specifically this would give the group moderators an opportunity to look in the NC member's Email Delivery History to see what happened to the confirmation messages.

That might not resolve all mysteries, but it could help when the problem is evidenced by a bounce from the email service - particularly in the case where the wrong address was supplied.

Shal
https://groups.io/g/Group_Help
https://groups.io/g/GroupManagersForum
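
What a bounce-tracked envelope sender gives the system that a fixed `noreply@` address does not, as an added example. This is not the encoding Groups.io uses (the page does not show it): the signed `bounce+kind-id-tag` layout, the domain, the key and the function names are all assumptions.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"            # assumption: server-side secret
BOUNCE_DOMAIN = "bounces.example.invalid"   # hypothetical bounce-handling domain

def _tag(body: str) -> str:
    return hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()[:16]

def envelope_sender(kind: str, member_id: int) -> str:
    """Per-recipient Return-Path; kind must not contain '-' (e.g. 'confirm')."""
    body = f"{kind}-{member_id}"
    return f"bounce+{body}-{_tag(body)}@{BOUNCE_DOMAIN}"

def attribute_bounce(rcpt_to: str):
    """Map the address a bounce was delivered to back to (kind, member_id).

    Returns None for a fixed address such as noreply@..., or when the tag
    does not verify, so a forged bounce cannot be pinned on another member.
    """
    local, _, domain = rcpt_to.strip("<> ").partition("@")
    if domain.lower() != BOUNCE_DOMAIN or not local.startswith("bounce+"):
        return None
    body, _, tag = local[len("bounce+"):].rpartition("-")
    if not hmac.compare_digest(tag.encode(), _tag(body).encode()):
        return None
    kind, _, member = body.partition("-")
    return (kind, int(member)) if member.isdecimal() else None

def record_bounce(history: dict, rcpt_to: str, reason: str) -> bool:
    """Append the bounce to that member's delivery history, if attributable."""
    hit = attribute_bounce(rcpt_to)
    if hit is None:
        return False
    history.setdefault(hit[1], []).append((hit[0], reason))
    return True
```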


locked Re: member confirmation - a possible alternative #suggestion

Jeff Powell <jrpstonecarver@...>
 

On Sun, Sep 25, 2016 at 12:36 pm, Jeff Powell wrote:

OK, I'll bite. I've seen mention of this "Trello List" a couple of times now, but I haven't found any information on where I might see it, a link to it, or anything else.

Given me, it's probably something really obvious that I am missing, but I should know where it is to avoid duplicated messages and effort.

Help?

Found it. Oddball route... still no base link anywhere I know of, but I found links to cards in trello, and from there got to the base.  For the record, it seems to be here:

https://trello.com/b/qu3WgzVq/beta


 


locked Re: member confirmation - a possible alternative #suggestion

 

Just got offlist message from Mark. THANK YOU, MARK, FOR CONFIRMING THIS MEMBER! 
--
J



locked Re: member confirmation - a possible alternative #suggestion

 

On Sun, Sep 25, 2016 at 12:41 pm, Jeff Powell wrote:
The approval process to join our group is ... Are we talking about different things?

Yes. Approval is different from confirmation.

Moderators approve subscribers for membership in their groups according to whatever criteria they set. (Currently, some send out questions in the pending notice and require that they be returned via email. Later, this process may be automated, as you suggest - see Trello.)

Groups.io, in conjunction with the account/email, "confirms" the subscriber's email address, which means that the person proves to and tells Groups.io that the email they requested membership under is the correct one and is legitimately theirs. To do that, they must respond to the "confirmation email" coming from Groups.io. It's a system-wide thing and it's not specific to a particular group. A moderator has no control over it beyond continuing to re-send the confirmation email (by instructing the system to do so) and then sit around hoping for the best.

which means, in this case: checking the member constantly to see if they've finally confirmed (because it is currently not logged)... emailing back and forth with the member for days (as I have now been doing with this one particular member) and praying that she finally gets or finds the email... wondering where the email went and whether Comcast is also a "bad actor"... begging Mark offlist to confirm her anyway and forwarding him as proof her personal emails to me asking to be confirmed... etc. etc. etc. HINT HINT!
--
J



locked Re: messages hanging

 

Yep, a hung search node, for a few minutes. Should be fixed now.

Thanks,
Mark

On Sun, Sep 25, 2016 at 11:51 AM, J_Catlady <j.olivia.catlady@...> wrote:
I think there's another misbehaving search node this morning. Messages are hanging within "send."
--
J




locked Re: member confirmation - a possible alternative #suggestion

Jeff Powell <jrpstonecarver@...>
 

On Sun, Sep 25, 2016 at 12:01 pm, J_Catlady wrote:
Also, I don't think it's relevant to the email confirmation problem. The email confirmation is a Groups.io-wide thing. A moderator can't confirm someone. Only Groups.io can, once they receive whatever proof they need that the person owns the email address they signed up with.
--
J

This really confuses me. Our group has a "Pending Subscription" email setup in Admin | Settings | Member Notices.  And the group is restricted, so that moderators or owners must approve members. (And that is NOT a groups.io wide thing... that's a per group thing, and it's the one I'm specifically making the suggestion about.)

The approval process to join our group is

  • possible new group member visits groups.io and searches for (and finds) our group (there are other things possible here, but I am keeping it simple)
  • person reads group description and decides they want in
  • person clicks on "Join This Group" button
  • Pending Subscription email is sent to them
  • They reply with answers to the questions we ask in the Pending Subscription message
  • Moderators get that reply and review it
  • Moderators approve (or deny) their membership

That's the process I am trying to address, and the one where a form in the middle would eliminate 2 possibly lost or delayed emails.

Are we talking about different things?

--jeffp


locked Re: member confirmation - a possible alternative #suggestion

Jeff Powell <jrpstonecarver@...>
 

OK, I'll bite. I've seen mention of this "Trello List" a couple of times now, but I haven't found any information on where I might see it, a link to it, or anything else.

Given me, it's probably something really obvious that I am missing, but I should know where it is to avoid duplicated messages and effort.

Help?


locked Re: member confirmation - a possible alternative #suggestion

 

Also, I don't think it's relevant to the email confirmation problem. The email confirmation is a Groups.io-wide thing. A moderator can't confirm someone. Only Groups.io can, once they receive whatever proof they need that the person owns the email address they signed up with.
--
J



locked Re: member confirmation - a possible alternative #suggestion

 

Jeff, I think all of that has been discussed and is on the Trello list. Currently our group (and some others) send out a questionnaire as part of the automatic "pending member" notification.

--
J



locked Re: member approval, confirmation, welcome letter, and viewing content - sequence

 

On Sun, Sep 25, 2016 at 11:07 am, Jeff Powell wrote:
This should probably just be sent as a bug to support@groups.io.

I sent it here because I think it needs a redesign. I'm all over Mark with support messages on this, trust me. The member has not been able to get in for three days. It's a wonder she has not given up.
--
J



locked messages hanging

 

I think there's another misbehaving search node this morning. Messages are hanging within "send."
--
J



locked member confirmation - a possible alternative #suggestion

Jeff Powell <jrpstonecarver@...>
 

I've been reading another thread or two here with questions about how the member approval works - confirmation messages and all. It occurs to me that there might be another way to do this, one that might be more user friendly to both potential new group members and moderators.

What if there was an optional form for a potential new group member to fill out?

They click the "Join This Group" button and, if the moderators/owners want it, instead of sending out a confirmation email, the member is taken straight to a form, where they are presented with questions and ways to answer them. Those questions and answer areas (or types) would be defined by the mods/owners, and each group would have its own set of questions.

In our case, the questions would be "What is your name?" and "What street do you live on, or what neighborhood do you live in?" Both answers would be free form text input fields, and both would be required. One can imagine additional question types that might have a set of radio buttons to give an answer, perhaps. But nothing much more complicated than that.

Whatever they answer, assuming they fill in or select all the required fields, the data is bundled up in an email and sent off to the moderators so they can approve the membership request, or not.

No emails sent to the potential new member... just data collection and then it's sent off to the decision makers.

The potential user gets a one-stop visit to apply for membership, and the moderators don't have to wade through additional emails, or wait for them to arrive, or remember which ones haven't arrived, or have them go missing somewhere. Seems like a win for all involved.

Thoughts?

--jeffp


locked Re: member approval, confirmation, welcome letter, and viewing content - sequence

Jeff Powell <jrpstonecarver@...>
 

On Sat, Sep 24, 2016 at 11:27 pm, J_Catlady wrote:

I've been having some trouble tonight with yet another new member who can't seem to find the confirmation email despite it being sent and re-sent several times, and checking her spam. I don't know what's going on there, but meanwhile there are some other issues.

I finally tested with an unconfirmed (virgin) email address, having it apply to my test group. I approved the membership before having the email address confirm. I then went back to the browser and email in which the email address applied. It had received the welcome message before confirming; it also was able to view all the group contents (messages, etc.), despite it being a private group. That was alarming and interesting, since my understanding has always been that this content is unavailable to members until they confirm.

I then went back out of that browser and back in, and presto-chango, the content access was gone, and there was a banner reading "you haven't confirmed" and a link to "send confirmation email."

Questions: (1) why was this account able to see the group content once, before confirming? (2) I didn't test this (although I wanted to, I forgot, and now the email is confirmed and I'd have to find that old unconfirm link to do so): Does the welcome message go out immediately after approval but before confirmation, or is it not sent until confirmation? If it goes out immediately after approval, that seems to be violating the idea that an unconfirmed email should not be able to see group content. (3) Why does it happen, every so often, that someone absolutely can't confirm their membership? I've got it going on now in two separate groups. I send and re-send the confirmation email, I tell them to check their spam, and nothing. I've been afraid in these cases to send an invitation on top of it, because the few times I've done that, things get even more bollixed up, most likely because the member has already been approved. So the only recourse seems to be to wait until the person figures out how to confirm and just hope they don't give up entirely.

--
J


This should probably just be sent as a bug to support@groups.io. The stuff I highlighted above might be a security hole. There could be session ID reuse, cookie issues, or something similar. If you had a situation in which someone who was not yet a member could view the contents of the message archive, that's a security problem.

--jeffp



locked Re: member approval, confirmation, welcome letter, and viewing content - sequence

 

add

(5) a log entry for "confirmed their email address"
--
J
