Questions about new mailing lists setup on

Erik Huelsmann ehuels at
Fri Apr 26 20:16:39 UTC 2013

On Thu, Apr 25, 2013 at 8:07 PM, Erik Huelsmann <ehuels at> wrote:

>>> >  From what I understand now there is no password associated
>>>      with a subscription to a list, nor is there any password
>>>      associated with the owner/admin role of a list.
>>> Can you tell me what you have read that makes it seem like very very
>>> insecure? Also, what are you talking about "password associated
>>>      with ..."?
>>> > Am I wrong
>>> in believing that now someone simply has to send emails
>>> with a forged From: field to hijack control of the list/subscription?
>>> Well, what made you believe that? Is there a simple way that folks can
>>> easily hijack a list over email?
>>> As far as I know, it was audited by a company that worries about such
>>> things, , and does not have a
>>> problem... can you please show me how/where/when you are able to hijack a
>>> list? mlmmj-test at is a great place to start, and please
>>> feel free to hijack it.
>>> Let me know if I have answered all the questions, and let me know the
>>> security holes you have discovered.
>>>  -- drewc
>> Indeed you have answered all the questions I asked and this does clarify
>> the current situation.
> You did write comments on each of his questions, but could you explain how
> you think mlmmj addresses the security risks put forward regarding
> establishing sender identity related to e-mail? I'm not finding an answer
> to that in your comments. (The fact that the software doesn't contain any
> security glitches doesn't mean its authentication model is flawless, so the
> pointer to the security readme isn't the answer I'm looking for.)

Drew responded to me off-list over IM yesterday. The summary of the
reaction is: every moderation request uses a unique and randomly generated
reply-to address, making it hard(er) to just spoof admin mails.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the clo-devel mailing list