[Mailman-Developers] Mailing lists exploited

Stephen J. Turnbull turnbull.stephen.fw at u.tsukuba.ac.jp
Sat May 20 12:45:38 EDT 2017


Jonathan Knight writes:

 > I think the real name if it's available and the list owner address if not.
 > If you use the local part (e.g. j.knight) it would still make it possible to
 > guess the @keele.ac.uk if the mailing lists are all hosted on
 > maillists.keele.ac.uk.

I agree with Barry.  More precisely, I think we should more or less
hard-code the $LIST-owner address in the mail-to URL, allow the
display name (presented in the HTML) to be specified (defaulting to
"$LIST-owner", maybe), and document that the list-owner address should
NOT be given any special permissions (specifically, should not be
subscribed to the list), and that a subscribed address should NOT be
mentioned in that text.  I believe the $LIST-owner address is handled
by Mailman, so we can require that be configured when setting up the
list.

This setup is just a BCP anyway in the "modern" Internet.

Steve

