[Mailman-Users] listname-request who command

Patrick Bogen pdbogen at gmail.com
Wed Mar 21 23:34:25 CET 2007

On 3/21/07, Jennifer Oxelson <oxelson at unidata.ucar.edu> wrote:
> The issue is I can send the 'who' email command with the admin password
> from /*any*/ email address (not even subscribed) and get the roster...
> is this right?   Wouldn't it be better if the 'who' command only worked
> for email addresses corresponding to list admins/moderators when the
> list roster is configured to be only available to these privileged
> users?  (Or am I being overly paranoid?)

Checking the email address would only add a sense of security, not any
real security. Email addresses are *easily* forged. Trivially forged,

So, this might actually even be a bad thing, since it will give a
false sense of security while actually adding none.

- Patrick Bogen

More information about the Mailman-Users mailing list