Re: Unsubscription even when not confirmed?

 
From: "Mariano Absatz" <el.baby@PROTECTED>
Date: September 6th 2006

Justin,

this is getting worse and worse. Now dada is unsubscribing me every day. I'm enclosing the 4 unsubscription messages I got, complete with headers, for you to watch.

Another thing: when I re-subscribe (via the web form), I get not one, but three identical messages. I tried to subscribe from another address and the same thing happens.

What I'm thinking is that the uniqueness of the pin is probably too weak: it is always the same for the same address (even the same for subscribe/unsubscribe). Maybe it should have a clock-dependent salt?

Maybe someone has guessed (calculated?) the pin corresponding to my address?

Are you able to check that?

Now that I have made a couple of tests (with another address) and taken a peek at the source, I see that the whole subscribe/unsubscribe confirmation process is completely stateless. I think this should be avoided. It will obviously complicate the algorithm, but the point is, now that someone knows my pin, on the current configuration of http://mojo.skazat.com/cgi-bin/dada/mail.cgi it is simply a matter of loading http://mojo.skazat.com/cgi-bin/dada/mail.cgi/u/dadadev/el.baby/gmail.com// or http://mojo.skazat.com/cgi-bin/dada/mail.cgi/n/dadadev/el.baby/gmail.com// (and manually doing the captcha thing) to unsubscribe me or subscribe me without my being involved in the transaction.

-- Mariano Absatz - El Baby el (dot) baby (AT) gmail (dot) com el (punto) baby (ARROBA:@) gmail (punto) com

Dada Mail (Justin Simoni) wrote on 03/09/06 20:33:

On Sep 3, 2006, at 4:30 PM, Mariano Absatz wrote:

wtf???

Yesterday again something (someone?) decided to unsubscribe me from the list. I got a message confirming my unsubscription, and this time I didn't even start an unsubscription process. Is something wrong with dada?

Hmm,

Not sure,

Does anybody want to try to crack the pin creation algorithm?

It's not the most complex scheme in the world - it's rather simple, but should generate a unique(ish) pin that's different for every install of Dada Mail. But it may be easy enough to look at two examples of pin numbers and the email addresses they're generated from and figure out what any email address's pin would be.

--Justin Simoni

: Dada Mail "Write Once - Distribute Everywhere" Email Communication Software

url: http://mojo.skazat.com aolim: leaddadaist

On 2 Sep 2006 13:53:56 -0000, Mariano Absatz el.baby@PROTECTED wrote:

Hi Justin,

yesterday I "started" a removal for myself from the list, only to answer properly to this message: http://mojo.skazat.com/cgi-bin/dada/mail.cgi/archive/dadadev/20060830102506/

I received the confirmation e-mail and properly ignored it in order to stay subscribed.

However, a few hours later, I received a message from the list confirming that I was effectively unsubscribed.

Is this a feature or a bug?

That is, are you using a script to "auto-confirm" unsubscriptions (so that people who can't understand 3-way confirmations are eventually unsubscribed)?

If that is so, the "unsubscription confirmation message" should also include a link for actively not confirming unsubscription. Otherwise, what the unsubscription message states is false.

I don't think someone else would've clicked my unsubscribe confirmation, since, as you can see in http://mojo.skazat.com/cgi-bin/dada/mail.cgi/archive/dadadev/20060901094002/, I didn't publish it.
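Added example, not part of the thread and not Dada Mail's code: the stateless per-address PIN the message describes, set beside a stateful confirmation whose token is random, bound to one list/address/action, single-use and expiring. `stateless_pin`, `ConfirmationStore`, the secret and the address are hypothetical names and constructed values; the HMAC stand-in is an assumption, not the project's actual PIN algorithm.

```python
import hashlib, hmac, secrets, time

SITE_SECRET = b"constructed-per-install-secret"  # constructed sample value

def stateless_pin(email):
    """Hypothetical stateless scheme: same address, same PIN, forever."""
    mac = hmac.new(SITE_SECRET, email.lower().encode(), hashlib.sha256)
    return mac.hexdigest()[:8]

def stateless_confirm(email, pin):
    # No pending-request state: one leaked PIN confirms either action, repeatedly.
    return hmac.compare_digest(stateless_pin(email), pin)

class ConfirmationStore:
    """Stateful variant: random, single-use, expiring token per request."""
    def __init__(self, ttl=3600):
        self.ttl = ttl
        self.pending = {}  # sha256(token) -> (list, email, action, expiry)

    def request(self, list_name, email, action, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.pending[digest] = (list_name, email.lower(), action, now + self.ttl)
        return token  # mailed only to the address being confirmed

    def confirm(self, list_name, email, action, token, now=None):
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(digest, None)  # pop makes the token single-use
        if entry is None:
            return False  # nobody asked: no pending request, no state change
        *bound, expiry = entry
        return bound == [list_name, email.lower(), action] and now <= expiry

def demo():
    addr, lst = "user@example.org", "dadadev"  # constructed address
    pin = stateless_pin(addr)
    store = ConfirmationStore(ttl=600)
    t1, t2, t3 = (store.request(lst, addr, "unsubscribe", now=1000) for _ in range(3))
    return {
        "stateless_replay": [stateless_confirm(addr, pin) for _ in range(3)],
        "first_use": store.confirm(lst, addr, "unsubscribe", t1, now=1001),
        "replay": store.confirm(lst, addr, "unsubscribe", t1, now=1002),
        "wrong_action": store.confirm(lst, addr, "subscribe", t2, now=1001),
        "expired": store.confirm(lst, addr, "unsubscribe", t3, now=1601),
    }

print(demo())
```

Storing only the token's hash means a read of the pending table does not hand out usable confirmation links.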


This is the developer discussion mailing list for Dada Mail.
