The recent incident where a Bugzilla user email address is now delivered to a spamtrap would have been preventable if the Bugzilla mail contained a List-Unsubscribe header, ideally one that just disables the user's Bugzilla email delivery. The value in the header should contain a unique token that disables for that account only, and cannot be used to disable another account. I suggest an HMAC model. Maybe http://...bugzilla/list-unsubscribe?h=$EMAIL&k=$KEY where KEY = HASH(EMAIL, hashed-password). Any attacker wanting to disable the email for another user would need to know their Bugzilla password hash to exploit it, and if they know that, we have larger problems. This also saves having to generate/track any other tokens.
Should mix in a limited datestamp too, like YYYYMM. Bugzilla would then only accept the current & previous months and the rest would expire. Seems like a reasonable upstream request too. I don't see any bugs there though.
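
A sketch of the scheme the two comments above describe, as an added example that is not Bugzilla code and not part of either comment: the token is an HMAC keyed with the account's stored password hash over the email and a YYYYMM stamp, and verification accepts only the current and previous month. The function names, the `ACCOUNTS` table and its hash strings are constructed for illustration, and HMAC-SHA256 is an assumed choice for HASH.

```python
import hashlib
import hmac
from datetime import date

# Constructed sample data: email -> stored password hash (placeholder strings).
ACCOUNTS = {
    "alice@example.org": "constructed-password-hash-A",
    "bob@example.org": "constructed-password-hash-B",
}

def period(day: date, months_back: int = 0) -> str:
    """Return YYYYMM for the month `months_back` months before `day`."""
    idx = day.year * 12 + (day.month - 1) - months_back
    return f"{idx // 12:04d}{idx % 12 + 1:02d}"

def make_key(email: str, password_hash: str, yyyymm: str) -> str:
    """KEY = HMAC-SHA256(key=password hash, msg=EMAIL || NUL || YYYYMM)."""
    msg = email.encode() + b"\x00" + yyyymm.encode()
    return hmac.new(password_hash.encode(), msg, hashlib.sha256).hexdigest()

def issue(email: str, today: date) -> str:
    """Token to embed in the List-Unsubscribe URL of mail sent `today`."""
    return make_key(email, ACCOUNTS[email], period(today))

def verify(email: str, key: str, today: date) -> bool:
    """Accept only tokens minted for this account in the current or previous month."""
    password_hash = ACCOUNTS.get(email)
    if password_hash is None:
        return False
    ok = False
    for back in (0, 1):
        expected = make_key(email, password_hash, period(today, back))
        # Constant-time comparison; bytes so non-ASCII input cannot raise.
        ok |= hmac.compare_digest(expected.encode(), key.encode())
    return ok
```

Because the password hash is the MAC key, a password change also invalidates every link already sent to that account, with no token table to maintain.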