FutureQuest, Inc. FutureQuest, Inc. FutureQuest, Inc.
Knowledgebase: Mailing Lists/ezmlm
Announcement List allows others to send to list?
Posted on 24 January 2004 12:40 AM
Question:

I've discovered that even though my ezmlm list is set up to be announcement only from this address, someone was able to post to the list by sending to the list address!

How can I be sure that no one except for the list owner can send to my announcement lists?

Answer:

The answer below is intended for legacy ezmlm lists, not ezmlm-idx lists. ezmlm-idx Announcement lists are automatically protected from unauthorized postings as all list messages require moderator approval before being sent to the list. As older mailing lists (legacy ezmlm) do not have the moderation feature and are not as easy to secure, it is recommended to convert those lists to ezmlm-idx. Your ezmlm lists can be easily converted to ezmlm-idx using the Mailing List Manager in the CNC.

The verification with ezmlm is not 100% secure... What it does is check for a "From" address to be the address that you entered in the CNC. However, the "From" email address is easily forged, and many spammers and viruses do forge the "From" email address.

The best way to ensure that unauthorized users cannot send mail to your list is to change the "List Owner" email address within the CNC after sending the emails. This way, once the mails are sent out, the authorized address is changed and replies will not be accepted.

An additional solution, that allows for more secure control of your mailing lists, has been developed by a FutureQuest Site Owner and is described here:
http://www.FutureQuest.net/forums/showthread.php?postid=92502#post92502