It seems like it would be nice to setup a method of confirmation for *approving* messages that uses a unique token instead of the list password; while (hopefully) in most cases, the moderator will be sending approval messages over SSL or from the same machine the list is on, it seems like a bad idea to make the confirmation token the list password (especially in case you accidentally add the 'Approved:' header to the wrong message, or in case someone spoofed a message appearing to be from Mailman in order to try and scam list passwords)....
How about generating a unique one time password and having people add this to the Approved: header? This would make it much harder for someone to accidentally disclose the list (or worse, site) password.
-- "Since when is skepticism un-American? Dissent's not treason but they talk like it's the same..." (Sleater-Kinney - "Combat Rock")
participants (2)
-
Barry Warsaw
-
william+mm@hq.newdream.net