ezMLM No.2
Gerrit
08-07-2001, 12:42 PM
Since I'm using ezMLM I've found out several things that should be improved and I've got one question at first:
How can I embed the web-form for subscribing to a specific mailing list at *another* server's webpage than the one where the list (virtually) exists? What does the form-action have to look like?
---
Suggestions:
1. UNsubscribing via email to xxx-unsubscribe@mlm.xxx.xxx shouldn't be a double-opt-OUT-process. - If someone unsubscribes via the web-form, the double-opt-OUT-process is ok. But it's annoying if someone does it directly via email (from his/her email-client!).
Maybe there should be a script that provides an optional one-click-unsubscribe-weblink to every message sent via the mailing list as well.
2. In the end it's the same for subscribing: double-opt-in is a necessary feature for subscribing via a web-form. But it's annoying if you subscribe directly via email (from his/her email-client!) to: xxx-subscribe@mlm.xxx.xxx.
This (2.) is something to discuss. (1.) should be integrated in some way as soon as possible.
3. There's still no improved security feature for announcement-only-lists. If you don't change the list-owner-address every time before and after sending to the list everybody (with low technical skills!) is able to send messages to the list as well as you are.
4. If someone enters a wrong email-address at the web-based subscription form he gets an ugly error-page instead of an individually created one like the one for success. BTW: the webmaster-email-address at this page isn't correct: webmaster@WWW.xxx.xxx ! There should be an optional redirect-url like the one for the success-page.
5. Site owners should be able to edit the 'From'- and 'Subject'-fields as well as the content of emails for the communication-process with ezMLM. Of course the from-address needs to be fixed ... but it could still *show* something that belongs to the Site where someone wants to subscribe to the list instead of ezmlm-help@mlm.xxx.xxx (!?).
Smile!
Gerrit
Bruce
08-07-2001, 06:34 PM
1. Without the email address verification process (what you call a "double-opt-OUT-process"), it becomes impossible to prevent an attacker from arbitrarily unsubscribing members from your mailing list.
2. Similarly, without the address verification process, it becomes impossible to prevent an attacker from arbitrarily subscribing either random email addresses to the mailing list (causing your mailing list to spam the victim) or another mailing list (causing mail loops and spam on your list).
3. We are investigating robust solutions to this problem. We are aware the existing solution has severe limitations.
4-5. We will take your recommendations into account as we build the next generation mailing list setup.
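One way to implement the address verification Bruce describes, as an added example that is not part of the original thread and not ezMLM's own code: the list mails a confirmation address carrying a keyed hash of the action, the target address and the issue time, so only someone who reads mail at that address can complete the request. The key, host names, address layout and function names are assumptions made for this sketch.

```python
import hashlib
import hmac
import time

# Constructed values for illustration; not ezMLM's real key or address format.
LIST_KEY = b"constructed-demo-key"
LIST_LOCAL = "news"
LIST_HOST = "mlm.example.org"
ACTIONS = {"subscribe", "unsubscribe"}
MAX_AGE = 3 * 24 * 3600  # confirmations expire after three days


def _cookie(action, address, issued):
    # Keyed hash binds the action, the target address and the issue time together.
    msg = f"{action}|{address.lower()}|{issued}".encode()
    return hmac.new(LIST_KEY, msg, hashlib.sha256).hexdigest()[:20]


def confirm_address(action, address, now=None):
    """Address mailed to `address`; replying to it proves the mailbox is read."""
    issued = int(time.time() if now is None else now)
    user, _, host = address.rpartition("@")
    cookie = _cookie(action, address, issued)
    return f"{LIST_LOCAL}-{action}.{issued}.{cookie}-{user}={host}@{LIST_HOST}"


def verify_confirmation(rcpt, now=None):
    """Return (action, address) for a valid, unexpired confirmation, else None."""
    now = int(time.time() if now is None else now)
    local, _, host = rcpt.rpartition("@")
    prefix = LIST_LOCAL + "-"
    if host.lower() != LIST_HOST or not local.startswith(prefix):
        return None
    try:
        head, target = local[len(prefix):].split("-", 1)
        action, issued_s, cookie = head.split(".")
        issued = int(issued_s)
        user, target_host = target.rsplit("=", 1)
    except ValueError:
        return None  # not a confirmation address at all
    address = f"{user}@{target_host}"
    if action not in ACTIONS or not 0 <= now - issued <= MAX_AGE:
        return None
    expected = _cookie(action, address, issued)
    # Constant-time comparison; a cookie issued for one address or action
    # does not validate for another.
    if not hmac.compare_digest(cookie.encode(), expected.encode()):
        return None
    return action, address
```

A request that arrives without a valid cookie (a bare message to the unsubscribe address with a forged sender, for instance) only triggers a new confirmation mail to the named address and changes nothing on the list.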
Gerrit
08-08-2001, 01:51 AM
Ahoi!
Originally posted by Bruce:
1. Without the email address verification process (what you call a "double-opt-OUT-process"), it becomes impossible to prevent an attacker from arbitrarily unsubscribing members from your mailing list.
I do not understand how this could happen!? There's nobody out there who knows the addresses listed at my ANNOUNCEMENT (!) List. Or am I wrong ... and someone other than me does know them???
But if nobody knows them ... nobody other than those people listed can delete their personal eMail-addresses. And that is what I want them to be able to do without any problems.
Smile!
Gerrit
Gerrit
08-08-2001, 01:56 AM
Originally posted by Bruce:
4-5. We will take your recommendations into account as we build the next generation mailing list setup.
That's fine and I hope it won't take too long!
BTW: Here's *another* one: All messages sent should optionally include the recipient's eMail-address ...to let him know which (of his 100.ooo different eMail-addresses ;-) he has to delete from the list.
Smile!
Gerrit
sheila
08-08-2001, 02:12 AM
Originally posted by Gerrit:
BTW: Here's *another* one: All messages sent should optionally include the recipient's eMail-address ...to let him know which (of his 100.ooo different eMail-addresses ;-) he has to delete from the list.
Now THAT would be a tough one to implement, and here's why:
Most mailing list programs compose a single message per submission, and use that exact same text for each subscriber, but create a SMTP message envelope that has the e-mail address for each subscriber in it. The SMTP envelope is what tells the mail server software on both the sending and receiving ends, where to deliver the message. SMTP software doesn't look at the actual contents of the message body.
In order to do as you suggest, the mailing list software would have to create a separate message for each list subscriber. That is asking for a LOT more overhead on the system.
At least, I've thought about implementing something like this previously (on a different, non-FQ system), and if there is another way to do it, I couldn't think of it.
It would be easier if the receiving system would insert a message header, such as
Delivered-To: <email@domain.com>
and the recipients could look at the message headers to see which of their addresses it was sent to.
Of course, getting all of the ISPs of all of your subscribers to implement something like this is not too likely, either, is it?
:\
Gerrit
08-08-2001, 02:19 AM
Hi Sheila!
Originally posted by sheila:
Now THAT would be a tough one to implement, and here's why: ... The SMTP envelope is what tells the mail server software on both the sending and receiving ends, where to deliver the message. SMTP software doesn't look at the actual contents of the message body.
Ah, ok. But couldn't the recipient's address be inserted into the "To"-field then?
Smile!
Gerrit
Terra
08-08-2001, 02:32 AM
Gerrit:
A link for you to study:
http://www.qmail.org/man/man5/envelopes.html
In short,
Envelope Address != Header Address
Header Address is pretty much a part of the Body, as far as the mailing list software is concerned...
Only *1* Header+Body letter is created, and the mailing list software sends it by feeding the MTA Envelope Addresses...
To do as you suggest, alter the Header Address, is a tremendous amount of overhead and is analogous to:
Envelope Bursting == Kinko's High-Speed Photocopy machine
Header Altering + Bursting == 4-Color CMYK printing press
--
Terra
--I love analogies as sometimes it's the only way to bridge gaps--
FutureQuest
sheila
08-08-2001, 02:38 AM
Originally posted by Gerrit:
Ah, ok. But couldn't the recipient's address be inserted into the "To"-field then?
Again, this requires preparing a completely different message for each recipient.
How SMTP protocol works is this:
Your SMTP server calls up the one it wants to send a message to. It says (essentially):
"I have mail from <sender>"
If the receiving SMTP says, "OK"
then the sending SMTP says,
"The mail is for <recipient>"
The above information is part of the SMTP envelope and has nothing to do with the message that was composed by your mailing list software.
If the receiving SMTP says, "OK, go ahead and send the message"
Then the sending SMTP says,
"DATA" (which means, "Here comes the data")
and then it sends the message. The message that is sent at that point is the entire message, including all the message headers and the message body. The SMTP servers never examine the message body itself.
To put the "Recipient" information in the To-field of the message, would again, require a completely different send on the "DATA" command for each subscriber, which would require a completely separate message composed for each subscriber.
I've seen some mailing list programs that offer this option, and I'm currently subscribed to a couple of lists that put a footer on each message with my current subscription address. If they aren't making a separate message for each subscriber, then I'd like to know how they are doing it???
To give ezMLM a feature like that would probably be major hacking and would consume quite a bit of resources.
Of course, I'm no expert. I could be wrong. ;)
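The envelope/header split described in the posts above, as an added example that is not part of the original thread: it builds the client side of the SMTP transaction for one shared message and for per-recipient messages, and shows a receiving server recording the envelope recipient in a Delivered-To header. Addresses and function names are constructed, and all subscribers are assumed to sit behind one receiving server.

```python
from email import message_from_bytes
from email.message import EmailMessage

# Constructed addresses for illustration.
LIST_ADDR = "news@mlm.example.org"
BOUNCE_ADDR = "news-return@mlm.example.org"  # envelope sender
SUBSCRIBERS = ["alice@example.com", "bob@example.com", "carol@example.com"]


def compose(to_header, body):
    """Header + body: everything that travels after the DATA command."""
    msg = EmailMessage()
    msg["From"] = LIST_ADDR
    msg["To"] = to_header
    msg["Subject"] = "August newsletter"
    msg.set_content(body)
    return msg.as_bytes()


def shared_send(recipients):
    """One composed message, one DATA; recipients exist only in the envelope."""
    payload = compose(LIST_ADDR, "Hello subscribers.\n")
    cmds = [f"MAIL FROM:<{BOUNCE_ADDR}>"]
    cmds += [f"RCPT TO:<{r}>" for r in recipients]
    cmds.append("DATA")
    return cmds, [payload]


def personalised_send(recipients):
    """Recipient in To: and footer: a separate message and DATA for each one."""
    cmds, payloads = [], []
    for r in recipients:
        body = f"Hello subscribers.\n\nYou are subscribed as {r}\n"
        payloads.append(compose(r, body))
        cmds += [f"MAIL FROM:<{BOUNCE_ADDR}>", f"RCPT TO:<{r}>", "DATA"]
    return cmds, payloads


def deliver(payload, envelope_rcpt):
    """Receiving side: the server knows the envelope recipient and can record
    it as a header at delivery time without the sender changing the message."""
    return b"Delivered-To: " + envelope_rcpt.encode() + b"\n" + payload


if __name__ == "__main__":
    for name, fn in (("shared", shared_send), ("personalised", personalised_send)):
        cmds, payloads = fn(SUBSCRIBERS)
        print(name, cmds.count("DATA"), "DATA,", sum(map(len, payloads)), "bytes")
```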
Gerrit
08-08-2001, 02:54 AM
Originally posted by sheila:
I've seen some mailing list programs that offer this option, and I'm currently subscribed to a couple of lists that put a footer on each message with my current subscription address. If they aren't making a separate message for each subscriber, then I'd like to know how they are doing it???
That is exactly what I've seen in many lists I'm subscribed to. And in my opinion it's very nice for the people who are subscribed.
*How* they are doing it is not exactly what I'd like to know. It's simply a feature someone (technically skilled) should integrate into ezMLM ... if possible. ;-)
---
Overhead: Ok, ok. Terra & Sheila: I DO BELIEVE. ;-))
If it's not possible or too hard for the server to integrate the recipient's address into the From- or Body-section (or somewhere else): It shouldn't be listed there!
I'll simply write something like: "Save this message!" to the auto-generated welcome-message of ezMLM. That should help although I know that these "saved" messages get lost very easily.
---
Terra: Maybe you can answer the question from my original post: "How can I embed the web-form for subscribing to a specific mailing list at *another* server's webpage than the one where the list (virtually) exists? What does the form-action have to look like?"
Smile!
Gerrit
Terra
08-08-2001, 03:17 AM
"How can I embed the web-form for subscribing to a specific mailing list at *another* server's webpage than the one where the list (virtually) exists?
http://www.aota.net/Mailing_Lists/websublist.php3
Pretty much self-explanatory... :)
Currently, Bruce and I are discussing the goals of our next generation mailing list software - however there is not much that we can publicly talk about...
We do like ideas and suggestions though as some of what is proposed may be meshed into the design of things - though I won't promise that 'suggestion X, Y or Z' will make it past the design or feasibility phase of development...
All I can say is that we are listening...
--
Terra
--Our ear is pressed against the looking glass--
FutureQuest
Gerrit
08-08-2001, 03:35 AM
Terra: +++ Pretty much self-explanatory... :) +++
The form displays the following form-action:
/cgi-sys/ezmlm/SelfServ.pl
But my question is: How can I integrate it to *another* (!) server ... and not mine! I'll need a http://-action. Is it simply: www.mydomain.dom/cgi-sys/ezmlm/SelfServ.pl? I'm not familiar with this "cgi-sys"-thing. Does it work exactly like my normal cgi-bin?
Terra: +++ Currently, Bruce and I are discussing the goals of our next generation mailing list software - however there is not much that we can publicly talk about... We do like ideas and suggestions though as some of what is proposed may be meshed into the design of things - though I won't promise that 'suggestion X, Y or Z' will make it past the design or feasibility phase of development... All I can say is that we are listening... +++
Sounds good. In my opinion the most relevant question is the way people can UNsubscribe ... because there's nothing I hate more than having problems with this action on any list I'm subscribed to when I want to leave. That's why I want to provide a list where it's *very* easy to unsubscribe. The current double-opt-OUT-process is not as easy as it should be in my opinion.
Smile!
Gerrit
Terra
08-08-2001, 11:11 AM
Gerrit:
The double-opt-in/out procedure must remain the way it is, or else we would be offering an irresponsible product... I have no plans whatsoever of removing this safety net, and is pretty much demanded by most anti-spam groups...
As far as meshing in with our ezMLM subscriptions, you are pretty much on your own since I cannot support *other* server setups... However I will say it's pretty generic CGI style calling methods and with a moment of reflection, it will become apparent...
--
Terra
sysAdmin
FutureQuest
Bruce
08-08-2001, 11:15 AM
Originally posted by Gerrit:
There's nobody out there who knows the addresses listed at my ANNOUNCEMENT (!) List.
...you think.
There are a variety of ways somebody could get parts of this information. If person A refers person B (which might itself be a mailing list) to the mailing list, then person A's address is likely on the list, and person B could take advantage of it.
Only the paranoid survive -- Andy Grove.
Maynard
08-08-2001, 11:27 AM
Hi ;-}
I would appreciate if:
a. All inbound email through FQ servers inserted a header line "Envelope-to: "
b. Next list manager be configurable to refuse postings from non-subscribers
c. Next list manager be configurable for any subscriber to be designated as list-Moderator by the list owner (me/us)
Thanks for listening!
-Maynard
Bruce
08-08-2001, 11:37 AM
a. It's already there (in a form). Look at the "Delivered-To:" header lines.
b-c. We will consider them, yes.
Maynard
08-08-2001, 01:37 PM
Hi Bruce,
I'm sure that you can appreciate how "Delivered-to" is completely different from "Envelope-to".
Though the lowest/earliest "Delivered-to" (inserted at FQ) may be equivalent to "xdom-$envelope-to", or may not?, ...
there's too many of them to use it usefully in a filter.
While I appreciate and understand your response, I'd ask to leave my request in the queue of considerations.
After all, use of 'xdom-' prefixing may or may not be a part of this next "purple?'8}' mail system, or the one after that.
Thanks,
-Maynard
sheila
08-08-2001, 01:50 PM
Originally posted by Gerrit:
I'll simply write something like: "Save this message!" to the auto-generated welcome-message of ezMLM. That should help although I know that these "saved" messages get lost very easily.
LOL. As a fellow list-owner, I commiserate. My list only lets subscribed addresses post. So, I get people writing to me complaining that the list software rejected their message, saying that they were not subscribed, but darn it!, they are subscribed!!!
Terra: Maybe you can answer the question from my original post: "How can I embed the web-form for subscribing to a specific mailing list at *another* server's webpage than the one where the list (virtually) exists? What does the form-action have to look like?"
I would suggest that you think about, how does a subscriber subscribe via their e-mail software and put up a web form that copies that action.
Gerrit
08-08-2001, 03:18 PM
Sheila: +++ ... complaining that the list software rejected their message, saying that they were not subscribed, but darn it!, they are subscribed!!! +++
Exactly! That's why I think it's important to include the eMail-address in every newsletter sent to the list.
Sheila: +++ I would suggest that you think about, how does a subscriber subscribe via their e-mail software and put up a web form that copies that action. +++
I think it works with xxx.dom/cgi-sys as well. I'll give it a try later on. But your idea should work as well. Thanks.
Terra: +++ The double-opt-in/out procedure must remain the way it is, or else we would be offering an irresponsible product... I have no plans whatsoever of removing this safety net, and is pretty much demanded by most anti-spam groups... +++
*That* is why I changed to ezMLM. ;-)
But I still believe that a double-opt-OUT-process isn't necessary. It should be available but as an option for the site-owner (list-owner). I believe it's too much trouble for someone who wants to unsubscribe.
Bruce: +++ If person A refers person B (which might itself be a mailing list) to the mailing list, then person A's address is likely on the list, and person B could take advantage of it. ... Only the paranoid survive. +++
You've seen too many X-files, haven't you? ;-))
---
Another question: How many subscribers can ezMLM handle if used as a) a discussion list, b) an announcement-only list?
Smile!
Gerrit
Bruce
08-08-2001, 03:30 PM
Originally posted by Maynard:
I'm sure that you can appreciate how "Delivered-to" is completely different from "Envelope-to".
No, I can't. How is it completely different? The address listed on the "Delivered-To:" line is the effective envelope recipient of the inbound message, which is what you were requesting.
Originally posted by Gerrit:
You've seen too many X-files, haven't you?
That quote was actually from Andy Grove, the CEO of Intel, not the X-Files. Years of experience with computer security have taught me the unfortunate truth of that statement.
Gerrit
08-08-2001, 03:35 PM
Originally posted by Bruce:
Years of experience with computer security have taught me the unfortunate truth of that statement.
You're right in general. But I can't see the problem in the case of eMail-UNsubscriptions. This should be *easy* that's all.
And the "one-click"-UNsubscription could be an option for those using ezMLM. The user should decide, shouldn't he?
Smile!
Gerrit
sheila
08-08-2001, 03:58 PM
Originally posted by Gerrit:
But I can't see the problem in the case of eMail-UNsubscriptions. This should be *easy* that's all.
And the "one-click"-UNsubscription could be an option for those using ezMLM. The user should decide, shouldn't he?
Although I don't use the FQ ezMLM services any more, I do agree with Gerrit (and others) that UN-subscribing should be easy. It is entirely possible to get spamming complaints from people who tried to unsubscribe and didn't manage it correctly because of the double opt-out process. When I was using ezMLM, I found it annoying, too.
One solution might be, instead of making the unsubscribe double-opt-out, send an acknowledgement that says, "You've been unsubscribed...<blah, blah...>..." with instructions on how to RE-subscribe, if and when desired. (That's how Topica.com does it...or at least, how they did it when I used to host my list there.)
Gerrit
08-08-2001, 04:03 PM
Sheila: +++ Although I don't use the FQ ezMLM services any more, ... +++
Which service DO you use?
Sheila: +++ One solution might be, instead of making the unsubscribe double-opt-out, send an acknowledgement that says, "You've been unsubscribed...<blah, blah...>..." with instructions on how to RE-subscribe, if and when desired. (That's how Topica.com does it...or at least, how they did it when I used to host my list there.) +++
Great idea!
Smile!
Gerrit
sheila
08-08-2001, 04:24 PM
Originally posted by Gerrit:
Which service DO you use?
Uh, ... me? (Sorry, I don't outsource.) I run my own mail server off of my home computer with the Mercury/32 (http://pmail.com) mail server. I wanted to have exactly what I wanted, and now I have it.
Gerrit
08-08-2001, 06:00 PM
Another question: If a listed email-address isn't valid anymore and a newsletter bounces back. What exactly happens then? Will this address be automatically removed from the list?
Sorry. Here's the answer: "bounce-probe
After so many messages have bounced from a specific subscriber, ezmlm will send this probe to determine if their address is functioning. If not, that address will be automatically un-subscribed from the list, in order to prevent further bounced messages."
Smile!
Gerrit
Bruce
08-08-2001, 06:05 PM
The reply will be eventually removed. ezmlm treats all failures as temporary, and gives the address a second (and third, etc) chance. If the address continues to bounce for several days (I've forgotten what the time is), then the address is removed, yes.
Gerrit
08-08-2001, 06:07 PM
Originally posted by Bruce:
The reply will be eventually removed. ezmlm treats all failures as temporary, and gives the address a second (and third, etc) chance. If the address continues to bounce for several days (I've forgotten what the time is), then the address is removed, yes.
Thanx! I found the info at the ezMLM-tutorial. It's a little bit hidden ... but it's there. Sorry.
-> It's time to go to bed! ;-)
Smile!
Gerrit