[Mailman-Users] Re: cleartext passwords

Chuq Von Rospach chuqui at plaidworks.com
Mon Oct 2 18:41:45 CEST 2000

At 8:54 AM -0700 10/2/00, alex wetmore wrote:

>Mailman passwords should not be considered secure.

You know that, I know that. Does the average user understand what 
you're saying when you say that? Probably not. can you explain it to 
them? Will they listen?

By my experience, a small percentage don't listen, no matter what you 
do. When I migrated to Mailman, I subscribed everyone in msg mode, 
and sent two (count them, two) messages to the lists explaining the 
migration and warning everyone that if they wanted digests, to go 
turn digest mode back on.

I'm *still* getting messages from people unsubscribing because "I 
liked it better when I just got one message a day" -- sigh.

By the way, one thing I've done, and I recommend it strongly, is I've 
added a note to the unsubscribe notes that says something like "we're 
sorry you're leaving. If you'd like to tell us why, we'd like to 
hear..." and a contact mailto. A fair number do, and while 50% are 
simply letting us know they're changing addresses (Mailman really 
needs an address change function), it's a useful way to get feedback, 
and it's helped me pull back six or seven members who were clueless 
over the digest stuff.

Mailman's subscribe page does a good job of warning folks about the 
passwords. But you can't assume they'll pay attention.

>  They are only a
>minor feature to prevent others from unsubscribing you.

In all my years of running lists, I can only think of one case where 
this happened. And it happened to me, when a dweeb had a fight with 
me as ListAdmin and decided to display some testosterone. He 
regretted that fight.

if the reason you're doing this is to protect from unsubscribe slams, 
I wouldn't bother. Unsubscribe fights are so rare that the complexity 
isn't worth it. We have to protect against subscribe slams and the 
various list-based attacks, but unsubscribe fights generally come 
from fights ON a list, and can be handled by any listadmin who isn't 
comatose. you KNOW who the idiot is if it happens...

>I do wish that Mailman had the option to just have confirmation email
>for any list configuration changes.  This would be simpler for most
>users (especially since most of my users do the "send my password to me"
>to unsub anyway).


Chuq Von Rospach - Plaidworks Consulting (mailto:chuqui at plaidworks.com)
Apple Mail List Gnome (mailto:chuq at apple.com)

You seem a decent fellow. I hate to die.

More information about the Mailman-Users mailing list