Subscription Security

Who May Join?

By default, ListManager lists are "open", meaning no administrator needs to approve a member. You may make individual lists private, closed, or password protected in Utilities: List Settings: New Subscriber Policy: Security.

Furthermore, you may wish to restrict your mailing list to only allow subscription requests performed using the web interface. For instance, you could put your web interface on an Internal-access only web server, so that outsiders cannot get to it. This would allow you to have an "open" mailing list, where people in your company could join by getting to the web interface form, but outsiders could not. Subscription options may be selected in Utilities: List Settings: New Subscriber Policy.

ListManager also supports explicit banning of members, and the "reverse banning". The ban member feature would allow you, for instance, to ban someone who was an employee of a competing company from joining your mailing list.

Reverse banning is a setting which allows you to ban everyone except those that match your pattern. An excellent use of this feature is to have a corporate mailing list that is open, so that anyone in your company can join easily and automatically, but that nobody from the outside can join. To do this, you would tell Aurea List Manager to ban all addresses not having your corporate domain name on their email address, for example "acme.com".

Private Lists

A private mailing list is a list where only List administrator can allow members to join the list and also approve sending from the list

With a private mailing list, people can request to join the mailing list, by filling out the Join web page or sending in an email request. With a private list, people who request to join are not enabled until the list administrator approves them. Whenever someone requests to join, the list administrator(s) receives notification of the join request, and approve or reject them.

To create a Private mailing list, create a mailing list using the Create Mailing List web page. Then, in Utilities: List Settings: New Subscriber Policy: Security, select Private.

After you have created your list, you may want to create a member who is a list administrator, and who receives the email notifications of the join requests. Go to Utilities: Administration: Administrators: List Admins to create additional list administrators.

Now, whenever someone asks to join the mailing list, you receive an email notification of their request. You can then approve or reject them with an email command, and the notification message tells you which commands to send back to approve or reject the person.

Confirmed Subscriptions

Aurea List Manager can send a "confirmation request" when a person asks to subscribe to a mailing list. The confirmation request message is sent to the email address that was subscribed. The person must receive this confirmation request message, and reply to it, in order for the membership to be activated. With a confirmed subscription, Aurea List Manager has proven that the email address given to it is indeed the email address of the person who requested the subscription.

Confirmed subscriptions prevent two problems:

• People sometimes join a mailing list under a fake email address, in order to post inappropriate messages to the mailing list. With a confirmed subscription, people must use an email address that they can receive email at, which provides a "paper trail" that points back to a real person.
• To harass people, a malicious person may subscribe some unwilling people to mailing lists who never wanted to be signed up. If a large number of mailing lists are involved, the person may receive a huge amount of email and this can be a real inconvenience to them. This is especially a problem when a web form is used to subscribe people, as it is very easy to enter someone's email address in that form. Confirmed subscription solves this problem as the person being subscribed gets a confirmation request, and if he does not confirm, the membership is never activated.

You may configure subscription confirmations in Utilities: List Settings: New Subscriber Policy: Confirmation.

Unsubscribing

There are many ways to unsubscribe from a ListManager mailing list:

• Log into the discussion forum interface, select My Forums, and click "unsubscribe" next to a list.
• Send the command "unsubscribe listname" to listmanager@your-server-name.com.
• Send the command "unsubscribe listname your-email-address" to listmanager@your-server-name.com.
• Forward any posting you receive from a mailing list to the unsubscribe-listname@your-server-name.com address.
• Click on an unsubscribe link provided in an email message.

If an unsubscribe request is made with the "unsubscribe" command sent to listmanager@this-ListManager-server.com, as in "unsubscribe jazztalk", then the person named in the From: field is unsubscribed. If the email address named in the From: field is not a member, Aurea List Manager returns a message to that person saying that they could not be unsubscribed.

Aurea List Manager also provides the option of naming an email address on the "unsubscribe" command line, such as the command "unsubscribe jazztalk bob@example.com". In such a case, if unsubscribe confirmation are enabled for the list, then a confirmation message is sent to the subscriber, then ensure that they are same person and not that someone else is trying to unsubscribe them.

When mail is received at the "unsubscribe- listname@…" address, ListManager tries to determine who the subscriber is and automatically removes them. In most situations, this works very well.

The Aurea List Manager unsubscribing logic for unsubscribe requests received at the "unsubscribe-listname@…" is fairly sophisticated, and here is how it works. When Aurea List Manager receives a message to the "unsubscribe-listname@…" address, Aurea List Manager goes through the following steps:

1.  It first looks for X-Lyris-Member-ID in the header. If it is there then it gets unsubscribed. This catches almost all cases, except when the forwarding program strips out the headers (such as in this example).
2.  It lLooks for a purgeid tag in the header (X-Lyris-To:) and then in the body. If found, the person gets unsubscribed.
   Note

   Purgeid tags are "cleaned up" before they are re-posted to a list (i.e., in quoted message), by removing the square brackets.

   In the example below, the square bracketed email address clearly identifies "wantsoff", so those are the ones who get unsubscribed. Also note that MS-Mail generated addresses with the text [SMTP:...] are skipped by Aurea List Manager.

3.  It checks the Return-Path (the MAIL FROM:<> sender), and sees if it is a member in Aurea List Manager. If found to be a member, then it is likely a forwarded message, and the person is unsubscribed. Pegasus Mail does this.
4.  Finally, if none of the above is valid, the person named in the From: header is unsubscribed.

You may have Aurea List Manager always send unsubscribe confirmations, or only when the unsubscribe request is questionable (e.g., when the address being unsubscribed is different from that in the email header).