How Lyris List Manager Determines the Identity of the Person Posting
When mail comes into a mailing list for distribution, Lyris List Manager looks at the From: header, extracts the email address and looks the email address up in the list of members for
that list. If the email addresses match, the message is assumed to be from that member.
If the email address does not match, Lyris List Manager looks to see if the From: field contains a full name of a person. If it does, it looks that full name up to see if they are a member of the
mailing list. If the full name matches, then the posting is assumed to be by that member. Lyris List Manager uses this technique to work around a common problem with list managers: if only members
are allowed to post and the list manager knows people only by their email address, then people with multiple email addresses will be continually refused the right to post, because their alternate
email addresses are not listed as members. Since Lyris List Manager matches on the email address, and if that fails, on the full name, in a wide variety of situations it correctly identifies the
member and their posting is not refused as being "not from a member of this list".
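The two-step lookup described above, as an added Python example (not Lyris List Manager's own code). The member records, the function names and the case- and whitespace-insensitive comparison are assumptions made for illustration; the function also reports which step matched, so posts accepted on the full name alone can be logged separately.

```python
from email.utils import parseaddr

# Constructed sample membership for one list (not real data).
MEMBERS = [
    {"email": "jane.doe@example.com", "name": "Jane Doe"},
    {"email": "bob@example.org", "name": "Bob Smith"},
]


def _norm(text):
    # Assumption: comparison ignores case and repeated whitespace.
    return " ".join(text.split()).casefold()


def identify_poster(from_header, members=MEMBERS):
    """Return (member, how); how is 'email', 'name' or None (hypothetical helper)."""
    display_name, address = parseaddr(from_header)
    # Step 1: look the extracted address up in the list's members.
    if address:
        for member in members:
            if _norm(member["email"]) == _norm(address):
                return member, "email"
    # Step 2: only when the address is unknown, try the full name, if present.
    if display_name.strip():
        for member in members:
            if _norm(member["name"]) == _norm(display_name):
                return member, "name"
    # Neither matched: "not from a member of this list".
    return None, None


def audit(from_headers, members=MEMBERS):
    """Return (header, how) for each header so name-only matches can be reviewed."""
    return [(h, identify_poster(h, members)[1]) for h in from_headers]


if __name__ == "__main__":
    # Constructed From: headers: known address, alternate address, non-member.
    samples = [
        "Jane Doe <jane.doe@example.com>",
        '"Jane Doe" <jd@home.example.net>',
        "stranger@example.net",
    ]
    for header, how in audit(samples):
        print(f"{header!r}: matched by {how}")
```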
We do not see this feature as a security violation, because the From: field is already insecure. Anyone who wants to forge an identity can easily, with a program such as Netscape, put another
person's email address in their From: field. Given this fact, allowing people's posts through because the name matches does not make Lyris List Manager any less secure. What it does do is spare
well-meaning people who post from a slightly different email address the aggravation of a list manager that refuses to recognize them.