The link looked like this:

 
    http://www.mathsjam.com/cgi-bin/MathsJamUnsubscribe.py?EmailHash=<random_code>

The idea is that the code gets saved to a file, and then the entries in the file are checked against the email address in my list. This provides at least a small amount of protection, and is easy enough both to implement, and run.

Bizarrely, though, some people have clicked on a related, but different, link. Or they've clicked on that link, and their browser or email client have done something semi-random. Here's an example of something that got saved.

 
    14s5p2200186no5qr0r42193qq43s8n5p11745

That's not in my list - that never got sent. In particular, it's not an md5 hash.

For reference ... I've now changed the program so that it removes any characters not in the range of (lower case) hex digits, and then only saves the result if it's exactly 32 characters long. That will prevent people from believing it got saved when it didn't, and it should mean that only valid codes get saved at all.

However, ... if we take the rot13 of it we get

 
    14f5c2200186ab5de0e42193dd43f8a5c11745

and that's almost what I expect - it just has a few extraneous digits scattered throughout the interior.

How is this happening? Why is it that some people are happily clicking on the link and their hashes are being saved unmolested, while others get this bizarre mutation?

If anyone is interested and has an idea, let me know, because I'd love to get to the bottom of this mystery.

Please - email me.

Quotation from Tim Berners-Lee