Questions about new mailing lists setup on

Erik Huelsmann ehuels at
Thu Apr 25 18:07:15 UTC 2013

>> >  From what I understand now there is no password associated
>>      with a subscription to a list, nor is there any password
>>      associated with the owner/admin role of a list.
>> Can you tell me what you have read that makes it seem like very very
>> insecure? Also, what are you talking about "password associated
>>      with ..."?
>> > Am I wrong
>> in believing that now someone simply has to send emails
>> with a forged From: field to hijack control of the list/subscription?
>> Well, what made you believe that? Is there a simple way that folks can
>> easily hijack a list over email?
>> As far as I know, it was audited by a company that worries about such
>> things, , and does not have a
>> problem... can you please show me how/where/when you are able to hijack a
>> list? mlmmj-test at is a great place to start, and please
>> feel free to hijack it.
>> Let me know if I have answered all the questions, and let me know the
>> security holes you have discovered.
>>  -- drewc
> Indeed you have answered all the questions I asked and this does clarify
> the current situation.

You did write comments on each of his questions, but could you explain how
you think mlmmj addresses the security risks put forward regarding
establishing sender identity related to e-mail? I'm not finding an answer
to that in your comments. (The fact that the software doesn't contain any
security glitches doesn't mean its authentication model is flawless, so the
pointer to the security readme isn't the answer I'm looking for.)

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the clo-devel mailing list