[Mailman-Users] listname-request who command
Patrick Bogen
pdbogen at gmail.com
Wed Mar 21 23:34:25 CET 2007
On 3/21/07, Jennifer Oxelson <oxelson at unidata.ucar.edu> wrote:
> The issue is I can send the 'who' email command with the admin password
> from /*any*/ email address (not even subscribed) and get the roster...
> is this right? Wouldn't it be better if the 'who' command only worked
> for email addresses corresponding to list admins/moderators when the
> list roster is configured to be only available to these privileged
> users? (Or am I being overly paranoid?)
Checking the email address would only add a sense of security, not any
real security. Email addresses are *easily* forged. Trivially forged,
even.
So, this might actually even be a bad thing, since it will give a
false sense of security while actually adding none.
--
- Patrick Bogen
More information about the Mailman-Users
mailing list