Anthony R. Thompson wrote:
>
>Is there something I'm missing here - is this normal behavior?
>
>It doesn't seem to me like someone should be able to post a message to a 
>private list just by changing the Reply-To field to an address they know 
>is on the private list.


As I implied but didn't explicitly state in my initial response in this
thread
<http://mail.python.org/pipermail/mailman-users/2010-June/069770.html>,
the places in an incoming message that are checked for a member
address to determine if a post is from a member are controlled by the
Defaults.py/mm_cfg.py setting SENDER_HEADERS. The default setting
checks the following in order:
- the From: header,
- the envelope sender,
- the Reply-To: header and
- the Sender: header.

Order is significant because the first member address found (if any)
will determine if the post is from a moderated member.

If you have write access to mm_cfg.py, you can set SENDER_HEADERS to a
list which doesn't include Reply-To (see the documentation in
Defaults.py), but as Stephen said, it is almost as easy to spoof the
From: or even the envelope sender as it is to set the Reply-To:.

-- 
Mark Sapiro <m...@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

------------------------------------------------------
Mailman-Users mailing list Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org
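
The header check described in the message above, as an added sketch that is not part of the original post and not Mailman's own code: it models the SENDER_HEADERS order with Python's standard email module to show which place in a message satisfies the membership test. The roster, addresses and function names are constructed for illustration, and None standing for the envelope sender is an assumption of the sketch.

```python
from email import message_from_string
from email.utils import getaddresses

# Order given in the post: From:, envelope sender, Reply-To:, Sender:.
# None stands for the envelope sender in this model (assumption of the sketch).
DEFAULT_SENDER_HEADERS = ("from", None, "reply-to", "sender")
# Same list with Reply-To dropped, as the post suggests for mm_cfg.py.
NO_REPLY_TO_HEADERS = ("from", None, "sender")

MEMBERS = {"alice@example.org"}  # constructed membership roster


def candidate_senders(msg, envelope_sender, sender_headers):
    """Collect addresses in the order the configured places are checked."""
    found = []
    for header in sender_headers:
        if header is None:
            values = [envelope_sender] if envelope_sender else []
        else:
            values = msg.get_all(header, [])
        for _name, addr in getaddresses(values):
            addr = addr.lower()
            if addr and addr not in found:
                found.append(addr)
    return found


def matching_member(msg, envelope_sender, sender_headers, members=MEMBERS):
    """Return the first member address found, or None if no place matches."""
    for addr in candidate_senders(msg, envelope_sender, sender_headers):
        if addr in members:
            return addr
    return None


# Constructed messages sent by a non-member (mallory@example.net).
REPLY_TO_CASE = message_from_string(
    "From: Mallory <mallory@example.net>\n"
    "Reply-To: alice@example.org\n"
    "Subject: test\n\nbody\n"
)
FROM_CASE = message_from_string(
    "From: alice@example.org\nSubject: test\n\nbody\n"
)
ENVELOPE = "mallory@example.net"

if __name__ == "__main__":
    for label, msg in (("Reply-To case", REPLY_TO_CASE), ("From case", FROM_CASE)):
        for headers in (DEFAULT_SENDER_HEADERS, NO_REPLY_TO_HEADERS):
            print(label, headers, "->", matching_member(msg, ENVELOPE, headers))
```

Dropping Reply-To from the list closes only that one path; the From case still matches a member, which is the caveat the message ends on.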