On Fri, 14 Nov 2008, Chris Lewis wrote:
> Rich Kulawiec wrote:
>> On Fri, Nov 14, 2008 at 12:21:29PM +0000, Ian Eiloart wrote:
>>> They needn't require confirmation. It might be better to send a notification, including a mechanism for restoring subscription.
>> A decade ago, I would have concurred with this, but given ensuing events, I think it's now a best practice to require confirmation in order to forestall the inevitable abuse.
> There are ways to avoid needing confirmation (or worse, passwords) that still protect against malicious unsubscribes. The MAAWG sender BCP talks about saying that unsubs should be a "single action", and not require any additional information (eg: "confirmation cycle" or password).

The unsubscribe URL could contain a cookie in addition to the email address to prevent malicious unsubscriptions, if such a thing became a problem.
_______________________________________________
Asrg mailing list
Asrg at irtf.org
https://www.irtf.org/mailman/listinfo/asrg
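
The cookie idea from the message above, as an added example that is not part of the original thread: the cookie is assumed here to be an HMAC-SHA256 over the list name and address under a server-side key, so a link for one subscriber cannot be rewritten to unsubscribe another. The key, base URL, parameter names and function names are all constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed values for this example; a real list server would load the key
# from its secret store and use its own unsubscribe endpoint.
SECRET_KEY = b"constructed-demo-key"
BASE_URL = "https://lists.example.org/unsubscribe"


def _cookie(list_id: str, email: str) -> str:
    """Per-subscriber cookie: HMAC over (list, address). Without the server
    key it cannot be computed for somebody else's address."""
    msg = list_id.encode() + b"\x00" + email.encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def make_unsubscribe_url(list_id: str, email: str) -> str:
    """Build the link embedded in each outgoing message to this subscriber."""
    query = urlencode({"list": list_id, "email": email,
                       "cookie": _cookie(list_id, email)})
    return f"{BASE_URL}?{query}"


def verify_unsubscribe(url: str):
    """Return (list_id, email) when the cookie matches, otherwise None.
    A single request suffices: no confirmation cycle and no password."""
    params = parse_qs(urlsplit(url).query)
    try:
        (list_id,), (email,), (cookie,) = (
            params["list"], params["email"], params["cookie"])
    except (KeyError, ValueError):
        return None  # a parameter is missing, empty or repeated
    expected = _cookie(list_id, email)
    # Constant-time comparison so the cookie cannot be guessed byte by byte.
    if not hmac.compare_digest(cookie.encode(), expected.encode()):
        return None
    return list_id, email
```

Because the cookie is derived rather than stored, the server needs no per-subscriber state to check it; rotating the key invalidates every link already sent.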