>>>>> "KPB" == Kendall P Bullen <firstname.lastname@example.org> writes:

>> Relying on just the email headers for verification is way too

KPB> Then why is there a restrict_post feature?

restrict_post is not a security feature. It is nothing more than a
crude attempt at privacy enforcement. It is trivial to bypass. But
bypassing restrict_post is generally a lot less destructive than
bypassing the list administration authentication system. The former
just annoys the list members; the latter can destroy the list. Big
difference between the two.

KPB> Since you'd have to know who is a "trusted" user for
KPB> administrativa, and presumably it would be non-obvious (if you're
KPB> smart), unless someone tried it from every e-mail address they saw
KPB> on a list, it doesn't seem like a big danger to me.

List moderator identities are usually not that big a secret. That
narrows the "address space" to search by quite a bit.

KPB> (And I presume that the attempts that failed would bounce to the
KPB> list owner, so they would know someone was trying to hack the

The problem is that by the time the list owner got to his mail, it would
be too late. The subscriber list will have been damaged beyond repair
(assuming malicious intent, worst case scenario).

Rich Pieri <email@example.com> | When not in use, Happy Fun Ball
Prescient Technologies, Inc. | should be returned to its special
A Stone & Webster Company | container and kept under
I speak for myself, not PTI or SWEC | refrigeration.