[unisog] Recommendation for list management sw

Florian Weimer fw at deneb.enyo.de
Fri Nov 5 11:43:24 GMT 2004


* Ronaldo Vasconcellos:

> The "attacker" has to be a subscriber.
>
> That's all. The malicious subscriber gets the victim's password. Nice for 
> certain kinds of Social Engineering attacks.

Yeah, you should remove the password entry fields from the web
page. 8-)

Fortunately, it's possible to use Mailman 2.1 (as a subscriber)
without bothering about those passwords.  This is a big advantage of
the 2.1.x releases.  In the 2.0.x releases, it was nearly impossible
for a non-skilled subscriber to unsubscribe without help from the list
administrator.  We actually had to route the unsubscribe messages to a
human for processing because there were too many complaints about
the official process. 8->

> You should give a try to EZMLM [1], a mailing list manager based on qmail.

ezmlm (and ezmlm-idx) tends to subscribe all kinds of autoresponders
to its mailing lists.  It might have been a fine choice a couple of
years ago (I've run it for a few months, but I soon started hating
qmail, so I switched back to Mailman 2.0 *cough*), but it doesn't seem
to be a good choice for the current demands of Internet mail.

FWIW, I'm using Mailman 2.1 now, and a special Exim configuration for
small mailing lists whose subscription list is managed by hand (and
should not be exposed because of a stupid Mailman glitch).


