I think the consequences of allowing mail with the command "who <password>" containing the list admin password to go to the list if inadvertently sent to the list posting address are more serious than the consequences of a false positive administrivia hold. The "who <password> address=<address>" form is probably less used and less likely to contain the list password, since the address= option is irrelevant if the password is the list admin or moderator password. Since the argument count range was (0, 0) prior to Mailman 2.1.10, I think changing it to (0, 1) is OK, but I think (0, 0) has too much risk. Also, note that any message that contains more than DEFAULT_MAIL_COMMANDS_MAX_LINES non-blank body lines prior to any '-- ' signature separator is not administrivia, so reducing DEFAULT_MAIL_COMMANDS_MAX_LINES from the default 25 can also reduce the false positives. ** Changed in: mailman Importance: Undecided => Low ** Changed in: mailman Status: New => Triaged ** Changed in: mailman Milestone: None => 2.1.15 ** Changed in: mailman Assignee: (unassigned) => Mark Sapiro (msapiro) -- You received this bug notification because you are a member of Mailman Coders, which is subscribed to GNU Mailman. https://bugs.launchpad.net/bugs/739524 Title: Administrivia 'who' matches too much