Hi Stephen, Thank you a bunch for looking into this.
I was trying to say that ReplyTo: works fine, for just the reasons you mention. No problem there. At first. ;-) But Apple Mail puts the mangled address To: into the ‘Previous Recipients’ list to help with auto-completion later. Here are the steps. I’m avoiding real addresses, as my mail client further mangled them with the auto-inserted ‘mailto:’ command confusing my message. Here goes: a. Subscriber receives message from the list. The From: is a mangled From: as recommended, and the ReplyTo: is the author’s emal address: From: Author Name (author.address) via list <list.address> ReplyTo: author.address b. Subscriber replies to author. Sees correct To: address (the author.address) from the ReplyTo: header. So far all is apparently OK. However, to be ‘helpful’ with auto-completion later, Apple puts the mangled string “Author Name (author.address) via list <list.address>” into the mail client’s ‘Previous Recipients’ list!! To: author.address c. Subscriber much later tries to send a private message to the author and starts typing "Autho...". Apple at this point retrieves the mangled string from the ‘Previous Recipents’ list, but in their infinite wisdom, they hide the actual address, which is the list address. The subscriber does not suspect that things have gone awry because it looks fine. Well, not completely fine, but enough so. So he/she hits ’Send’ while seeing this and only this in their To: field: To: Author Name (author.address) via list d. People on the list receive a private message that was intended for the original author. Result: red faces all around and possibly private data exposed to the entire list. I just now happened to receive such a message from one of my lists! No real disaster this time, luckily, but confusing for the lists members. I do tell people to clean up their ‘Previous Recipients’ list, they eventually forget and this happens again. If this can’t be solved somehow, I will have to unsub all my AOL and YAHOO subscribers (a lot), as it’s too dangerous to have the mangling causing these privacy mishaps. They don’t really have to change their main email, just get another one that they use only for the lists. By the way, I have asked Brian to help with installing Mailman 3 and look forward to working with him and with the new system. Yours, Allan ------------------------------------------------------ Mailman-Users mailing list Mailman-Users@python.org https://mail.python.org/mailman/listinfo/mailman-users Mailman FAQ: http://wiki.list.org/x/AgA3 Security Policy: http://wiki.list.org/x/QIA9 Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe: https://mail.python.org/mailman/options/mailman-users/archive%40jab.org
