privacy issue with subscribers on deferred status

Bug #266242 reported by Wheeltrish
Affects: GNU Mailman
Status: New
Importance: Medium
Assigned to: Unassigned

Bug Description

I own a mailman listserver which is hosted on
Dreamhost and they are currently running ver. 2.1.5 of
mailman.

My list is set to require approval of membership
requests, which sends the requesters into a "deferred"
status in the "Tend to Pending Moderator Requests"
area.

I've discovered recently that individuals on "Deferred"
status CAN in fact post to my list, and their postings are
seen by all approved members. The individuals
on "Deferred" status do not receive the postings
themselves, however.

Is this right? Shouldn't an individual who is
marked "Deferred" not be able to post until being
approved? This prevents me from ever stopping
individuals who would send malicious posts to my list
from allowing them to do so.

My list is a high volume list and increasing the level of
moderation would be cumbersome.

Is there a way to ensure that members can't post to a
list until they are approved, or is this problem an actual
bug in the software?

Thanks.

[http://sourceforge.net/tracker/index.php?func=detail&aid=1221451&group_id=103&atid=100103]

Barry Warsaw (barry) wrote :

People waiting to be approved are not members, so the
non-member posting policy is what applies to them. They
become members only when approved. Perhaps you are not
holding non-member posting for approval?
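An added example, not part of the original thread or of Mailman's own code: a small audit of a list's settings for the non-member posting policy described in the comment above. It assumes the settings were exported with Mailman 2.1's `config_list -o` (a file of plain Python assignments) and uses the 2.1 list attributes `subscribe_policy`, `generic_nonmember_action` and `accept_these_nonmembers`; the sample dump and the finding codes are constructed for illustration.

```python
import ast

# Constructed sample in the shape of a Mailman 2.1 `config_list -o` dump
# (plain Python assignments); the values are illustrative, not from the report.
SAMPLE_DUMP = """
subscribe_policy = 2            # 2 = require approval
generic_nonmember_action = 0    # 0 Accept, 1 Hold, 2 Reject, 3 Discard
accept_these_nonmembers = ['^.*@example[.]org$']
"""

def load_settings(text):
    """Collect top-level `name = literal` assignments without executing the dump."""
    settings = {}
    for node in ast.parse(text).body:
        if (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            try:
                settings[node.targets[0].id] = ast.literal_eval(node.value)
            except (ValueError, TypeError):
                pass  # not a plain literal: skip it rather than evaluate it
    return settings

def audit(settings):
    """Return (code, message) findings about who can post without being a member."""
    findings = []
    approval = settings.get("subscribe_policy") in (2, 3)  # 3 = confirm and approve
    action = settings.get("generic_nonmember_action")
    if action is None:
        findings.append(("nonmember-unknown",
                         "generic_nonmember_action not in dump; check the list's sender filters"))
    elif action == 0:
        who = "including pending subscribers" if approval else "no membership needed"
        findings.append(("nonmember-accept",
                         "posts from non-members are accepted (%s)" % who))
    allow = settings.get("accept_these_nonmembers") or []
    if allow:
        findings.append(("nonmember-allowlist",
                         "%d address pattern(s) bypass the non-member action: %s"
                         % (len(allow), ", ".join(allow))))
    return findings

if __name__ == "__main__":
    for code, message in audit(load_settings(SAMPLE_DUMP)):
        print("%-20s %s" % (code, message))
```

An empty result means non-member posts are held, rejected or discarded and no address pattern is exempted, so a pending subscriber's post does not reach the list unmoderated.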

Wheeltrish (wheeltrish) wrote :

When a person requests to subscribe to my list, they go on
"deferred" status and are not approved until I click
approved in the administrative interface.

SINCE posting this message I had another individual post to
my list without even trying to subscribe. All she needed was
the e-mail address for posting to my list and she was able
to post. (Incidentally, my list is not listed in the
directory of mailman lists either, so how she even found the
information page with the "post to list" address on it is
still a mystery, and WHY THE POST WAS NOT REJECTED is
baffling me even further.) I'm growing concerned about
protecting the privacy of my members and I've done what I
can to do that, but apparently there are holes in the system
somewhere.

Ideas?

Thanks.
