Hi Daniel

Our use case is that most (but not all) of our lists are internal and so the archives are not public. However the listinfo pages are public for the few public lists that we run and to allow off campus staff and students to access the list management screens.

So for us, hiding the list administrator email on the list info pages effectively cuts off the ability to get a prospective list of possible administrators. But I agree that for public lists with public archives the benefit is minimal, but I don't think it does much harm.

Jon

On 17 May 2017 at 15:57, Daniel Kahn Gillmor <d...@fifthhorseman.net> wrote:

> On Wed 2017-05-17 09:20:21 +0100, Jonathan Knight wrote:
> > The attack we're trying to defend against is a scripted one which grabs a
> > list of all the mailing lists, then harvests the administrator email and
> > then tries to spam each list using the administrator as a sender address.
> >
> > If the archives are public then I guess you could write a reasonable
> > algorithm to try and guess an unmoderated address but I don't think it's as
> > easy to hit thousands of mailing lists using that approach.
>
> i'm not convinced that these two scripts are significantly different in
> difficulty, though i acknowledge that the former is marginally easier.
>
> it sounds to me like the real underlying concern is about allowing
> submissions to bypass moderation based on forgeable data like the From:
> header. fixing it in the display side seems likely to trigger a game of
> whack-a-mole.
>
> --dkg

--
Jonathan Knight
IT Services
Keele University
_______________________________________________
Mailman-Developers mailing list
Mailman-Developers@python.org
https://mail.python.org/mailman/listinfo/mailman-developers
Mailman FAQ: http://wiki.list.org/x/AgA3
Searchable Archives: http://www.mail-archive.com/mailman-developers%40python.org/
Unsubscribe: https://mail.python.org/mailman/options/mailman-developers/archive%40jab.org
Security Policy: http://wiki.list.org/x/QIA9