[Mailman-Users] Approved: header (was: Batch member attributes)

Mark Sapiro msapiro at value.net
Tue May 23 08:12:02 CEST 2006

Jim Popovitch wrote:
>This is a question that has been bugging me for a while.  If a moderator 
>adds an "Approved: xxxxxx" header but misspells "Approved", then their 
>password goes on to the list for all to see.  Without setting filters 
>for each and every password (esp., moderator passwords which I prefer 
>admins to not know, and vice versa) is it a good idea to add a feature 
>to Mailman that would automatically hold emails that contained an admin 
>or moderator password in the first few lines of the email body?

Well, we already accept "Approve:" and are case insensitive. Beyond
that, it might be difficult in general because we don't have a plain
text password to look for, so we would need to check every 'word'
against the admin and moderator passwords and maybe the site password
just in case someone thought it could be used here, and we still
wouldn't catch a misspelled password or one with an extra space in it.

Consider the possibility that someone had a hand shifted on the
keyboard and mistyped both Approved: and the password. It would be
fairly easy for a human to figure out what happened and decode the
password, but I don't know how to program it's detection in advance.

There are some possibilities to consider. We could hold any post with a
"header like" line in the body that wasn't Subject: or Keywords:, but
is this necessary? Presumably, if approve(d) is misspelled, the post
will be held anyway. If not, why are we putting an approved line there
in the first place?

Mark Sapiro <msapiro at value.net>       The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

More information about the Mailman-Users mailing list