I just noticed on a MUUG Round Table e-mail today, the following at the bottom:
Roundtable mailing list -- roundtable@muug.ca To unsubscribe send an email to roundtable-leave@muug.ca
Regarding the second line (the unsubscribe), I sure hope MUUG at least does SPF/DKIM verification before acting on such an incoming e-mail, because otherwise, a rogue actor out there could unsubscribe any or all of us! Even so, SPF/DKIM verification would only fully protect those of us (like me) who use our own domain name. Hartmut
Conversely, failing to immediately unsubscribe someone on the first notification of their attempt, regardless of any authentication or lack thereof, can be considered illegal now. So… pick your poison. (CANSPAM is a *very* badly-written law IMO.) -Adam From: Hartmut W Sager <hwsager@marityme.net> Sent: Thursday, August 14, 2025 1:06 PM To: MUUG - Round Table <roundtable@muug.ca> Subject: [RndTbl] MUUG e-mail/subscriptions security I just noticed on a MUUG Round Table e-mail today, the following at the bottom: Roundtable mailing list -- roundtable@muug.ca<mailto:roundtable@muug.ca> To unsubscribe send an email to roundtable-leave@muug.ca<mailto:roundtable-leave@muug.ca> Regarding the second line (the unsubscribe), I sure hope MUUG at least does SPF/DKIM verification before acting on such an incoming e-mail, because otherwise, a rogue actor out there could unsubscribe any or all of us! Even so, SPF/DKIM verification would only fully protect those of us (like me) who use our own domain name. Hartmut
On 2025-08-14 Hartmut W Sager wrote:
Regarding the second line (the unsubscribe), I sure hope MUUG at least does SPF/DKIM verification before acting on such an incoming e-mail, because otherwise, a rogue actor out there could unsubscribe any or all of us!
Muug does not do any strict-mode DKIM/SPF on incoming. However, we do use spamass and it may (does, probably) take DKIM/SPF into account and may drop the email before MM3 ever sees it. (Though there would probably have to be other things "wrong" with the email too.) Many things on the net are like this, where malicious actors can mess with people's things. Lots of things let you sign up without verification. Many things let you unsub. Luckily, there's really no profit in it other than general mischief, so it's unlikely to happen unless you've made a particular "enemy" who just wants to mess with you. That said, check out the new MM3 web interface and make sure your "account" has a password, and perhaps you can enable some sort of verification for unsub... Regardless of what canspam may say, software makers do whatever.
When you send an email to unsubscribe, the list replies requesting a verification that contains a unique key so it isn't possible to unsubscribe other people. John On Tue, Aug 19, 2025 at 12:29 AM Trevor Cordes <trevor@tecnopolis.ca> wrote:
On 2025-08-14 Hartmut W Sager wrote:
Regarding the second line (the unsubscribe), I sure hope MUUG at least does SPF/DKIM verification before acting on such an incoming e-mail, because otherwise, a rogue actor out there could unsubscribe any or all of us!
Muug does not do any strict-mode DKIM/SPF on incoming. However, we do use spamass and it may (does, probably) take DKIM/SPF into account and may drop the email before MM3 ever sees it. (Though there would probably have to be other things "wrong" with the email too.)
Many things on the net are like this, where malicious actors can mess with people's things. Lots of things let you sign up without verification. Many things let you unsub.
Luckily, there's really no profit in it other than general mischief, so it's unlikely to happen unless you've made a particular "enemy" who just wants to mess with you.
That said, check out the new MM3 web interface and make sure your "account" has a password, and perhaps you can enable some sort of verification for unsub... Regardless of what canspam may say, software makers do whatever. _______________________________________________ Roundtable mailing list -- roundtable@muug.ca To unsubscribe send an email to roundtable-leave@muug.ca
-- John Lange
participants (4)
-
Adam Thompson -
Hartmut W Sager -
John Lange -
Trevor Cordes