Mass unsubscription via List-Unsubscribe and &jo=1

[gregoa]

[ I originally filed this issue on 8 April as https://github.com/phpList/core/issues/336 which was the wrong repository apparently, so copying here now …]

Last week I started to send out a new issue of our newsletter, and I could see unsubscriptions pouring in in droves a minute later. So I suspended the queue run and looked around. What was happening seems to be:

• phplist sets a List-Unsubscribe header with &jo=1, cf. https://github.com/search?q=repo%3AphpList%2Fphplist3%20jo%3D1&type=code (I don't know which of the two files is reponsible).
• Microsofts email machinery (all IPs for the unsubscription requests are from MSFT) seems to have started to send HEAD requests for all URLs also in the mail headers since a couple of weeks (this did not happen at the end of February).
• And boom, unsubscription happens via the !empty($_GET['jo']) codepath in https://github.com/phpList/phplist3/blob/main/public_html/lists/index.php#L852

Potential ways to fix the issue:

• Don't set jo=1 in the List-Unsubscribe header.
• At least not unconditionally (UNSUBSCRIBE_JUMPOFF could be used).
• Don't honour HEAD requests in index.php (my rusty php knowledge doesn't know how).

Cheers,
gregor

[michield]

Interesting. Have you checked the forums to see if more people have encountered that? If it's true that MSFT does this, it would happen more often.

I think the last option is the best one, I will see how easy it is.

The reason to have the jo=1 in the header is to make it easy for people to click "Unsubscribe" in their client. It shouldn't be done with spidering though, I agree.

[gregoa]

On Wed, 28 May 2025 14:50:16 -0700, Michiel Dethmers wrote: Interesting. Have you checked the forums to see if more people have encountered that? If it's true that MSFT does this, it would happen more often.

Yes, I did some search in early April, when I encountered this problem, but didn't find anything at this time. As this didin't happen ~4 weeks before, I was not too surprised, it looked like a quite recent change in MSFT email handling to me at this time. (But I haven't looked into this since.)

I think the last option is the best one, I will see how easy it is.

Makes sense, thank you!

The reason to have the jo=1 in the header is to make it easy for people to click "Unsubscribe" in their client. It shouldn't be done with spidering though, I agree.

Sure, I understand and like the original idea, but if the result is "automatic unsubscription" it's probably counter-productive nowadays :) Cheers, gregor

…

-- .''`. https://info.comodo.priv.at -- Debian Developer https://www.debian.org : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D 85FA BB3A 6801 8649 AA06 `. `' Member VIBE!AT & SPI Inc. -- Supporter Free Software Foundation Europe `-