What makes you think it is Mailman? It does not exist on any of my lists, nor does it exist on the lists I receive from others - including this list. (View this source.) Check your MTA. Maybe that is what is doing it. If Mailman is doing it, it is somewhere not mentioned in the documentation and does not do it in all setups.
The problem that the OP is complaining about is that some other member of the list posted a message containing that header, and Mailman did not strip it out. As a result, this header was passed unchanged to the recipients of the list, which could expose the privacy of the users who received the message but who are not publicly advertised as being members of the list (you can control whether or not your subscription is publicly visible).
If the recipient MUA supported this header, then the original poster to the list could get responses back from a wide variety of people, with potentially damaging consequences.
Imagine if the list were an online rape support group, and the person posting was a serial rapist, perhaps posing as someone else. They could easily get a list of potentially vulnerable targets which they could then go after, at least of the people who would be running the common MUA that recognizes this header, and are not computer-savvy enough to know how to turn this "feature" off. That would tend to make them even better potential targets, and those are the only ones a potential serial rapist would be likely to be interested in anyway.
It was probably just a spammer going out of their way to gather more mailing addresses for the mill, but I think you must concede the potential security weakness here.
In this case, the weakness is not the fault of Mailman. The weakness is the fault of the damn bloody stupid MUA and the criminally incompetent company that wrote it.
However, since this is something that Mailman could potentially have protected against, people will expect that Mailman *must* do so, because we all know damn good and well that the unnamed company will never do anything useful when it comes to computer security.
Myself, I can see this becoming a slippery slope, and I'm not sure we'd want to go down that route. On the other hand, I can understand why some mailing list admins might insist on this feature.
I'm beginning to think that Mailman should strip all incoming headers down to the bare minimum (leave "From:", "Subject:", "Cc:", "Received:", and that's about it), at least by default.
-- Brad Knowles, <[EMAIL PROTECTED]>
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -Benjamin Franklin, Historical Review of Pennsylvania.
SAGE member since 1995. See <http://www.sage.org/> for more info.
------------------------------------------------------
Mailman-Users mailing list
[EMAIL PROTECTED]
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
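The allowlist approach proposed in the message above, sketched as an added example (not part of the original post and not Mailman's own code). The function name, the `X-Example-Reply-Request` header (a constructed stand-in, since the thread never names the header) and the MIME-safe allowlist are assumptions of this example.

```python
from email import message_from_string

# Allowlist named in the post: "From:", "Subject:", "Cc:", "Received:".
POST_ALLOWLIST = ("From", "Subject", "Cc", "Received")
# Assumption of this example: MIME headers are kept too, so bodies still decode.
MIME_SAFE_ALLOWLIST = POST_ALLOWLIST + (
    "MIME-Version", "Content-Type", "Content-Transfer-Encoding")

# Constructed sample message; X-Example-Reply-Request is a made-up stand-in
# for the unnamed header discussed in the thread.
SAMPLE = (
    "Received: from mx.example.org by lists.example.org; Mon, 1 Jan 2001 00:00:01 +0000\n"
    "Received: from client.example.net by mx.example.org; Mon, 1 Jan 2001 00:00:00 +0000\n"
    "From: poster@example.net\n"
    "SUBJECT: hello\n"
    "X-Example-Reply-Request: poster@example.net\n"
    "MIME-Version: 1.0\n"
    'Content-Type: text/plain; charset="utf-8"\n'
    "\n"
    "body text\n"
)

def strip_to_allowlist(raw, keep=POST_ALLOWLIST):
    """Return (message, dropped): only allowlisted top-level headers remain."""
    msg = message_from_string(raw)
    allowed = {name.lower() for name in keep}  # header names are case-insensitive
    original = msg.items()                     # ordered, duplicates included
    for name in set(msg.keys()):
        del msg[name]                          # removes every occurrence
    dropped = []
    for name, value in original:
        if name.lower() in allowed:
            msg[name] = value                  # appends, so Received order survives
        else:
            dropped.append(name)
    return msg, dropped

if __name__ == "__main__":
    for label, keep in (("post", POST_ALLOWLIST), ("mime-safe", MIME_SAFE_ALLOWLIST)):
        msg, dropped = strip_to_allowlist(SAMPLE, keep)
        print(label, "dropped:", dropped, "charset:", msg.get_content_charset())
```

With the four-header allowlist from the post, the declared charset is lost along with the unwanted header, which is why the second allowlist keeps the MIME headers.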