
Mass unsubscription via List-Unsubscribe and &jo=1

Open gregoa opened this issue 7 months ago • 2 comments

[ I originally filed this issue on 8 April as https://github.com/phpList/core/issues/336 which was the wrong repository apparently, so copying here now …]

Last week I started to send out a new issue of our newsletter, and I could see unsubscriptions pouring in in droves a minute later. So I suspended the queue run and looked around. What was happening seems to be:

  • phplist sets a List-Unsubscribe header with &jo=1, cf. https://github.com/search?q=repo%3AphpList%2Fphplist3%20jo%3D1&type=code (I don't know which of the two files is responsible).
  • Microsoft's email machinery (all IPs for the unsubscription requests are from MSFT) seems to have started to send HEAD requests for all URLs also in the mail headers since a couple of weeks (this did not happen at the end of February).
  • And boom, unsubscription happens via the !empty($_GET['jo']) codepath in https://github.com/phpList/phplist3/blob/main/public_html/lists/index.php#L852

Potential ways to fix the issue:

  • Don't set jo=1 in the List-Unsubscribe header.
  • At least not unconditionally (UNSUBSCRIBE_JUMPOFF could be used).
  • Don't honour HEAD requests in index.php (my rusty php knowledge doesn't know how).

Cheers, gregor

gregoa avatar May 28 '25 09:05 gregoa
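The third option above (do not let HEAD requests reach the `jo` code path), sketched as an added example that is not phpList code and not the fix shipped by the project. It goes one step further than the post and also withholds state changes on plain GET; the function name `jumpoffAction` and the form field `confirm_unsubscribe` are hypothetical, and the `List-Unsubscribe=One-Click` POST body is the one defined by RFC 8058.

```php
<?php
// Added illustration, not phpList code. jumpoffAction() and the
// confirm_unsubscribe field are hypothetical names.

/**
 * Decide what a request carrying the jump-off flag (jo=1) may do.
 * Returns 'unsubscribe', 'confirm' (render a page with a POST form) or 'ignore'.
 */
function jumpoffAction(string $method, array $get, array $post): string
{
    if (empty($get['jo'])) {
        return 'ignore'; // not a jump-off request at all
    }
    switch (strtoupper($method)) {
        case 'POST':
            // RFC 8058 one-click: the mail client POSTs exactly this field.
            $oneClick = ($post['List-Unsubscribe'] ?? '') === 'One-Click';
            // A person pressing the button on our own confirmation page.
            $confirmed = !empty($post['confirm_unsubscribe']);
            return ($oneClick || $confirmed) ? 'unsubscribe' : 'confirm';
        case 'GET':
            // Safe method: link scanners and prefetchers send these too,
            // so show a confirmation form instead of changing state.
            return 'confirm';
        default:
            // HEAD, OPTIONS, ...: never touch subscriber state.
            return 'ignore';
    }
}

// In a front controller the call would look like:
//   jumpoffAction($_SERVER['REQUEST_METHOD'] ?? 'GET', $_GET, $_POST)

// Constructed sample requests: [method, query parameters, POST fields]
$samples = [
    ['HEAD', ['jo' => '1'], []],                                  // scanner probe
    ['GET',  ['jo' => '1'], []],                                  // link opened or prefetched
    ['POST', ['jo' => '1'], ['List-Unsubscribe' => 'One-Click']], // mail client button
    ['POST', ['jo' => '1'], []],                                  // POST without the marker
    ['GET',  [],            []],                                  // no jump-off flag
];
foreach ($samples as [$method, $get, $post]) {
    printf("%-4s jo=%s => %s\n", $method, $get['jo'] ?? '-', jumpoffAction($method, $get, $post));
}
```

Run with `php` on the command line, the five constructed requests resolve to ignore, confirm, unsubscribe, confirm and ignore, so only an explicit POST ever changes a subscription.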

Interesting. Have you checked the forums to see if more people have encountered that? If it's true that MSFT does this, it would happen more often.

I think the last option is the best one, I will see how easy it is.

The reason to have the jo=1 in the header is to make it easy for people to click "Unsubscribe" in their client. It shouldn't be done with spidering though, I agree.

michield avatar May 28 '25 21:05 michield

On Wed, 28 May 2025 14:50:16 -0700, Michiel Dethmers wrote:

> Interesting. Have you checked the forums to see if more people have encountered that? If it's true that MSFT does this, it would happen more often.

Yes, I did some search in early April, when I encountered this problem, but didn't find anything at this time.

As this didn't happen ~4 weeks before, I was not too surprised, it looked like a quite recent change in MSFT email handling to me at this time.

(But I haven't looked into this since.)

> I think the last option is the best one, I will see how easy it is.

Makes sense, thank you!

> The reason to have the jo=1 in the header is to make it easy for people to click "Unsubscribe" in their client. It shouldn't be done with spidering though, I agree.

Sure, I understand and like the original idea, but if the result is "automatic unsubscription" it's probably counter-productive nowadays :)

Cheers, gregor

--
https://info.comodo.priv.at -- Debian Developer https://www.debian.org
OpenPGP fingerprint D1E1 316E 93A7 60A8 104D 85FA BB3A 6801 8649 AA06
Member VIBE!AT & SPI Inc. -- Supporter Free Software Foundation Europe

gregoa avatar May 28 '25 22:05 gregoa

This should be resolved with version 3.7.0-RC2.

If you can verify and report on #1087 that would be great

michield avatar Jun 23 '25 20:06 michield