[Mailman-Users] problem with Mailman address security?

[jm-mailman-users at jmason.org]

Here's a wierd one.  I run a mailing list which is set to "subscriber
list visible only to administrator", and it seems that some addresses
(if not all) have leaked onto a spam list.

- I'm (reasonably) certain the user did not simply use the same address
  elsewhere -- the user uses sneakemail.com, which generates one-time
  addresses randomly, and assures me that the addr was used only for my
  list.

- the user has never *posted* to the list, it's an announce-only one.

- the /roster/ page is definitely set to "admin only" visibility, and
  always has been.

- the headers of the message the user received, indicate the spam was sent
  direct from spammer to user, not via the list itself.  Anyway, the list
  is moderated ;)  .  Also, I got a copy of the spam to my own address
  used for that list.  So I'm pretty certain the address was scraped
  somehow.

Can anyone suggest a way this is possible with MailMan, without a spammer
needing the admin password to scrape the list?  Or without them hacking
the box in general?

--j.