[Mailman-Users] non-subscriber managed to post to a subscriber only list

Lindsay Haisley fmouse-mailman at fmp.com
Mon Jan 26 22:42:31 CET 2009

On Mon, 2009-01-26 at 14:34 -0700, Steve Lindemann wrote:
> Lindsay Haisley wrote:
> > Is it possible that the list mod or admin password got out?  I believe
> > than anyone can post to a moderated list by putting an "Approved:
> > <password>" header or pseudo-header in a post.
> I'm on one of the lists that accepted the message (which is how it came 
> to my attention) and I just rechecked the message header and didn't see 
> anything resembling that...  would mailman remove it from the header for 
> final delivery to the list members?

Yes, absolutely.  Not only in the text/plain part but in every part of a
multipart message in which it occurs.  Otherwise it would be the
equivalent of serving up your list security on a silver platter to the
world and passing out carving knives :(

>   Regardless, I'll see to getting 
> passwords changed, thanks.

Good idea.  Check your full headers on these posts.  Mark's note is
probably relevant here.

Lindsay Haisley       | "The difference between |     PGP public key
FMP Computer Services |  a duck is because one  |      available at
512-259-1190          |  leg is both the same"  | http://pubkeys.fmp.com
http://www.fmp.com    |       - Anonymous       |

More information about the Mailman-Users mailing list