>>>>> "TG" == Thomas Gramstad <email@example.com> writes:
TG> The impression I got from the original posting was that the spammer had
TG> discovered that by forging the From:-field to show the list-owner's
TG> name and address, the spammer was able to bypass the checks, posting
TG> spam in the list-owner's name.
Of course, this works only for restrict_post-style semimoderation, not for
true moderation. To bypass the latter, you really must have the password.
TG> That would of course be technically possible.
Trivial, actually. There isn't any easy away around it, short of
cryptographically signing all message and having the list server verify the
signature (possible, and essentially awaiting a good Perl cryptographic
module) or requiring confirmation of all messages by the poster (which is
possible with Majordomo2 alpha).
The outgoing alias is still the most problematic hole, but it's only there
if you don't do something about it. None of my lists have outgoing
aliases, and I have EXPN and VRFY enabled.