On 3/21/07, Jennifer Oxelson <[EMAIL PROTECTED]> wrote:
> The issue is I can send the 'who' email command with the admin password
> from /*any*/ email address (not even subscribed) and get the roster...
> is this right? Wouldn't it be better if the 'who' command only worked
> for email addresses corresponding to list admins/moderators when the
> list roster is configured to be only available to these privileged
> users? (Or am I being overly paranoid?)

Checking the email address would only add a sense of security, not any
real security. Email addresses are *easily* forged. Trivially forged,
even. So, this might actually even be a bad thing, since it will give a
false sense of security while actually adding none.

-- 
- Patrick Bogen
------------------------------------------------------
Mailman-Users mailing list
[email protected]
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org
Security Policy: http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp
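
The point made in the reply above, as an added example that is not part of the original thread and is not Mailman's own code: it compares a password-only check with a password-plus-From check for a `who` request. The addresses, the password, the simplified command parsing and every function name are constructed assumptions.

```python
import hmac
from email import message_from_string
from email.utils import parseaddr

# Constructed values, for illustration only.
LIST_ADMINS = {"admin@lists.example.org"}
ADMIN_PASSWORD = "constructed-admin-password"


def make_request(from_addr, password):
    """Build a constructed 'who <password>' command message."""
    return (f"From: {from_addr}\n"
            "To: mylist-request@lists.example.org\n"
            "Subject: command\n\n"
            f"who {password}\n")


def parse_request(raw):
    """Return (claimed_sender, password) from a command message."""
    msg = message_from_string(raw)
    # The From header is text supplied by whoever submitted the message.
    claimed_sender = parseaddr(msg.get("From", ""))[1].lower()
    for line in msg.get_payload().splitlines():
        words = line.split()
        if len(words) == 2 and words[0].lower() == "who":
            return claimed_sender, words[1]
    return claimed_sender, None


def password_ok(password):
    # Constant-time comparison of the shared secret.
    return password is not None and hmac.compare_digest(
        password.encode(), ADMIN_PASSWORD.encode())


def allow_password_only(raw):
    return password_ok(parse_request(raw)[1])


def allow_password_and_from(raw):
    sender, password = parse_request(raw)
    return password_ok(password) and sender in LIST_ADMINS


def compare(from_addr, password):
    """Return (password-only decision, password+From decision)."""
    raw = make_request(from_addr, password)
    return allow_password_only(raw), allow_password_and_from(raw)
```

The two policies differ only for a request whose From header names a non-admin address, and that header is sender-supplied text, so in both policies the roster is protected by the password alone.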
