
Mass unsubscription via List-Unsubscribe and &jo=1

gregoa opened this issue 8 months ago • 0 comments

Last week I started to send out a new issue of our newsletter, and I could see unsubscriptions pouring in in droves a minute later. So I suspended the queue run and looked around. What was happening seems to be:

  • phplist sets a List-Unsubscribe header with &jo=1, cf. https://github.com/search?q=repo%3AphpList%2Fphplist3%20jo%3D1&type=code (I don't know which of the two files is responsible).
  • Microsoft's email machinery (all IPs for the unsubscription requests are from MSFT) seems to have started, a couple of weeks ago, to send HEAD requests for all URLs, including those in the mail headers (this did not happen at the end of February).
  • And boom, unsubscription happens via the !empty($_GET['jo']) codepath in https://github.com/phpList/phplist3/blob/main/public_html/lists/index.php#L852

Potential ways to fix the issue:

  • Don't set jo=1 in the List-Unsubscribe header.
  • At least not unconditionally (UNSUBSCRIBE_JUMPOFF could be used).
  • Don't honour HEAD requests in index.php (my rusty php knowledge doesn't know how).

Cheers, gregor

gregoa · Apr 08 '25 06:04
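As an added illustration (not phplist code and not part of the issue), one way to gate the jump-off code path on the request method and on a jump-off setting. The `$jumpOffEnabled` flag stands in for the UNSUBSCRIBE_JUMPOFF setting mentioned above, the confirmation-form and URL values are placeholders, and the `List-Unsubscribe-Post` header is the RFC 8058 mechanism that lets mail clients unsubscribe with a POST instead of a GET:

```php
<?php
declare(strict_types=1);

// Possible outcomes for a request that reaches the unsubscribe page.
const ACTION_IGNORE  = 'ignore';       // answer 200 but change nothing
const ACTION_CONFIRM = 'confirm';      // render the confirmation form
const ACTION_UNSUB   = 'unsubscribe';  // perform the unsubscription now

// Decide what the unsubscribe page may do. $jumpOffEnabled stands in for a
// site-level setting such as UNSUBSCRIBE_JUMPOFF (assumption, not phplist's API).
function unsubscribeAction(string $method, array $get, array $post, bool $jumpOffEnabled): string
{
    $method = strtoupper($method);

    // Link scanners fetch every URL in a message, including the List-Unsubscribe
    // one, with HEAD. A HEAD request must never change subscription state.
    if ($method === 'HEAD') {
        return ACTION_IGNORE;
    }

    // RFC 8058 one-click: a POST whose body is List-Unsubscribe=One-Click is sent
    // by a mail client on the user's behalf, so it is safe to honour immediately.
    if ($method === 'POST' && ($post['List-Unsubscribe'] ?? '') === 'One-Click') {
        return ACTION_UNSUB;
    }

    // A GET with jo=1 is exactly what an automated link check looks like, so only
    // honour it when the operator has explicitly enabled jump-off unsubscription.
    if ($method === 'GET' && !empty($get['jo']) && $jumpOffEnabled) {
        return ACTION_UNSUB;
    }

    // Everything else (plain GET, jo=1 with jump-off disabled) shows the form.
    return ACTION_CONFIRM;
}

// Headers for outgoing mail so that capable clients use the POST flow.
// The URL is supplied by the caller; a placeholder is used below.
function listUnsubscribeHeaders(string $unsubscribeUrl): array
{
    return [
        'List-Unsubscribe'      => '<' . $unsubscribeUrl . '>',
        'List-Unsubscribe-Post' => 'List-Unsubscribe=One-Click',
    ];
}

// Constructed sample requests mirroring the scenario in the issue.
assert(unsubscribeAction('HEAD', ['jo' => '1'], [], true) === ACTION_IGNORE);
assert(unsubscribeAction('GET',  ['jo' => '1'], [], false) === ACTION_CONFIRM);
assert(unsubscribeAction('GET',  ['jo' => '1'], [], true) === ACTION_UNSUB);
assert(unsubscribeAction('POST', [], ['List-Unsubscribe' => 'One-Click'], false) === ACTION_UNSUB);
print_r(listUnsubscribeHeaders('https://example.invalid/lists/?p=unsubscribe&uid=PLACEHOLDER'));
```

With the HEAD check in place a scanner's HEAD still gets a 200 but no state change, and the jo=1 path only fires for a real GET when the operator has opted in.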