Q: How can I prevent content inspection services from triggering LISTSERV confirmation links?
By Jacob Haller, Senior Support Engineer, L-Soft
In recent years, some mail gateways and service providers have started to automatically access all links in email messages to ensure that they don't lead to malicious sites with viruses or other harmful content. While this may seem like a valuable security measure, it can actually cause problems when interacting with software like LISTSERV, which sometimes asks users to click links to confirm that they sent a message or issued a command. If these confirmation links are accessed by an automated service, then messages or commands can be confirmed without the user's knowledge or permission.
We consider these automated link-following services inherently unsafe and strongly recommend not using them whenever possible. However, it may not always be feasible for you and your users to disable them, so in these situations, it's possible to modify a few templates to prevent this problem from occurring.
Since the changes described below make confirming messages and commands less convenient for the end user, you may want to implement only some of the changes, or implement them only for certain mailing lists. You can access and customize the sitewide default versions of the templates under "Server Administration" > "Mail Templates" using the LISTSERV web interface, or you can customize them for a specific mailing list under "List Management" > "Mail Templates".
Templates Related to Message Approval
Messages being distributed without being confirmed is the most common problem related to automated link-following. A previous tech tip (Why did spam get through to my list without editor confirmation?) contains specific details on how to troubleshoot this situation.
To address automated confirmation of messages, there are two templates that must be customized.
MSG_POSTING_CONFIRM_EDITOR
This template is used when a moderation request is sent to a mailing list's moderators. There are two ways you can change it to address the problem with link-following services.
First, you can replace the confirmation link with a link to the list's moderation page instead. Since accessing that page requires a login and some additional steps to approve a message, a link-following service won't be able to inadvertently trigger the approval.
Locate this section in the template:
To APPROVE the message: &OK_URL
And change the above lines to:
To APPROVE the message: &WA_URL;?MOD=&LISTNAME;
LISTSERV will now insert a link pointing to the list's moderation page, replacing the direct click-to-approve link. Moderators can then approve (or reject) messages using the web interface.
Alternatively, you could remove the link from the MSG_POSTING_CONFIRM_EDITOR mail template altogether and instead have the moderators approve the messages via email. To take that approach, replace the contents of the template with instructions along these lines:
This message was originally submitted by &FROMID to the &LISTNAME list at &MYHOST. You can reply to this message with the single word OK in the body of the message to approve it. No other text should appear in the body of the message, and you should leave the subject line as is when you reply.
MSG_POSTING_CONFIRM_SENDER
This template is used when senders are confirming their own message (as opposed to MSG_POSTING_CONFIRM_EDITOR, which is used when a moderator is sent an approval request for someone else's message).
Find this section of the template:
.BB &OK_URL ^= ''
message, or click on the link below.
.ELSE
message.
.EB
And change it to this single line:
Then find and completely remove this section:
.BB &OK_URL ^= ''
To APPROVE the message: &OK_URL
.EB
Templates Related to Command Approval
Automatic approval of commands is another scenario where content inspection services can cause problems. To address this, here are a few templates that can be customized.
CONFIRM1
This template is used for most situations where an action or command has to be confirmed. Note that new password requests will always use the sitewide version of the CONFIRM1 template, so if you customize the list-specific version of CONFIRM1, that version will not be used for password-related requests.
To remove the confirmation link, find this section of the template:
.BB &WA_URL ^= ''
To confirm the execution of your &C, click on this link:
.SE MOREOPT
.BB &DEFINED(&LISTNAME_ENCODED) = 1
.SE MOREOPT &MOREOPT&&L=&LISTNAME_ENCODED
.EB
.BB &DEFINED(&REQADDR) = 1
.SE MOREOPT &MOREOPT&&Y=&URLENCODE(&REQADDR)&&X=-
.EB
&WA_URL;?OK=&CODE;&MOREOPT
.ELSE
To confirm the execution of your &C, simply reply to this message and type OK as the text of your message. If you receive an error message, try sending a new message to &MYSELF and type OK &CODE as the text of your message.
.EB
Replace the entire section quoted above with:
To confirm the execution of your &C, simply reply to this message and type OK as the text of your message. If you receive an error message, try sending a new message to &MYSELF and type OK &CODE as the text of your message.
SUBSCRIBE_CONFIRM1
This template is specifically used to confirm requests to join a mailing list. To update it to no longer include a confirmation link, first, find this line:
.SJ Confirm your subscription to the &LISTNAME list
and replace it with:
.SJ Confirm your subscription to the &LISTNAME list (&CODE;)
Next, find this section:
.BB &WA_URL ^= ''
To confirm that you want to subscribe, please click on this link:
.SE MOREOPT
.BB &DEFINED(&LISTNAME_ENCODED) = 1
.SE MOREOPT &MOREOPT&&L=&LISTNAME_ENCODED
.EB
.BB &DEFINED(&REQADDR) = 1
.SE MOREOPT &MOREOPT&&Y=&URLENCODE(&REQADDR)&&X=-
.EB
&WA_URL;?OK=&CODE;&MOREOPT
.ELSE
To confirm that you want to subscribe, simply reply to this message and type OK as the text of your message. If you receive an error message, try sending a new message to &MYSELF and type OK &CODE as the text of your message.
.EB
And replace it with:
To confirm that you want to subscribe, simply reply to this message and type OK as the text of your message. If you receive an error message, try sending a new message to &MYSELF and type OK &CODE as the text of your message.
SIGNOFF_CONFIRM1
This template is specifically used to confirm requests to leave a mailing list. Since most mailing lists don't require confirmation of such requests, you will probably not need to customize this template, and, in general, we recommend making the process to leave your mailing lists as streamlined as possible.
With that said, if you want to remove the confirmation link, replace this line:
.SJ Confirm your request to unsubscribe from the &LISTNAME list
With:
.SJ Confirm your request to unsubscribe from the &LISTNAME list (&CODE;)
Then, find this section:
.BB &WA_URL ^= ''
To confirm that you want to unsubscribe, please click on this link:
.SE MOREOPT
.BB &DEFINED(&LISTNAME_ENCODED) = 1
.SE MOREOPT &MOREOPT&&L=&LISTNAME_ENCODED
.EB
.BB &DEFINED(&REQADDR) = 1
.SE MOREOPT &MOREOPT&&Y=&URLENCODE(&REQADDR)&&X=-
.EB
&WA_URL;?OK=&CODE;&MOREOPT
.ELSE
To confirm that you want to unsubscribe, simply reply to this message and type OK as the text of your message. If you receive an error message, try sending a new message to &MYSELF and type OK &CODE as the text of your message.
.EB
And replace it with some version of these instructions:
To confirm that you want to unsubscribe, simply reply to this message and type OK as the text of your message. If you receive an error message, try sending a new message to &MYSELF and type OK &CODE as the text of your message.
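To decide which lists need these changes, the web server's access log can be checked for confirmation links that were fetched by an automated client rather than by the recipient. The script below is an added example, not L-Soft code: it assumes an Apache combined-format log and uses /scripts/wa.exe as a stand-in for &WA_URL; the log lines, codes and addresses are constructed, and the query parameters (OK, L, Y) are the ones the stock templates above build.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample (Apache "combined" format). /scripts/wa.exe is an assumed
# stand-in for &WA_URL; codes, addresses and list names are made up.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2024:09:00:02 +0000] "GET /scripts/wa.exe?OK=1A2B3C4D&L=STAFF-L&Y=alice%40example.org&X=- HTTP/1.1" 200 512 "-" "scanner"
203.0.113.10 - - [12/Mar/2024:09:00:03 +0000] "GET /scripts/wa.exe?OK=5E6F7A8B&L=STAFF-L&Y=bob%40example.org&X=- HTTP/1.1" 200 512 "-" "scanner"
198.51.100.7 - - [12/Mar/2024:09:14:40 +0000] "GET /scripts/wa.exe?OK=1A2B3C4D&L=STAFF-L&Y=alice%40example.org&X=- HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Mar/2024:10:01:00 +0000] "GET /scripts/wa.exe?OK=9C0D1E2F&L=NEWS-L&Y=carol%40example.org&X=- HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Mar/2024:10:02:00 +0000] "GET /scripts/wa.exe?A0=NEWS-L HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# Captures the client IP and the request target of a GET or HEAD request.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) HTTP/[\d.]+"')

def confirmation_hits(log_text):
    """Yield (client_ip, code, list_name, address) for each ?OK=... request."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        q = parse_qs(urlsplit(m.group(2)).query)
        if "OK" in q:
            yield (m.group(1), q["OK"][0],
                   q.get("L", [""])[0], q.get("Y", [""])[0].lower())

def suspicious(log_text, max_addresses=1):
    """Flag clients that confirm on behalf of more than max_addresses people."""
    addrs, lists, clients = defaultdict(set), defaultdict(set), defaultdict(set)
    for ip, code, lst, addr in confirmation_hits(log_text):
        addrs[ip].add(addr)
        lists[ip].add(lst)
        clients[code].add(ip)
    # One person normally confirms only their own address; a gateway that
    # follows links does so for every recipient behind it. A shared proxy or
    # NAT can look the same, so raise max_addresses where that applies.
    flagged = {ip for ip, a in addrs.items() if len(a) > max_addresses}
    # Codes requested by a flagged client and also by a different client.
    reused = sorted(c for c, ips in clients.items()
                    if ips & flagged and ips - flagged)
    return {"clients": sorted(flagged),
            "lists": sorted(set().union(*(lists[ip] for ip in flagged))),
            "reused_codes": reused}

if __name__ == "__main__":
    print(suspicious(SAMPLE_LOG))
```

The lists it reports are the ones whose confirmation templates are worth customizing first; a flagged client is a lead to verify, not proof of a scanner.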
Next Steps