>> Relying on just the email headers for verification is way too
> Then why is there a restrict_post feature?
Because allowing someone to post to the list is a lot less dangerous than
allowing someone access to the list's administration commands.
> Since you'd have to know who is a "trusted" user for administrativa...
Oh yeah, that's a tough one -- figuring out who a list's administrator is.
I don't see that giving people the admin password for your list is such a
difficult thing to manage that it would be preferable to introduce this new
security hole into the code.
::: Lazlo (firstname.lastname@example.org; http://www.swcp.com/lazlo)