Lyris User's Guide

How Lyris Determines the Identity of the Person Posting

When mail comes into a Lyris mailing list for distribution, Lyris looks at the From: header, extracts the email address, and looks the email address up in the list of members for that list. If the email addresses match, the message is assumed to be from that member.

If the email address does not match, Lyris checks whether the From: field contains a person's full name. If it does, Lyris looks that full name up to see whether it belongs to a member of the mailing list. If the full name matches, the posting is assumed to be by that member. Lyris uses this technique to work around a common problem with list servers: if only members are allowed to post, and the list server knows people only by their email address, then people with multiple email addresses will be continually refused the right to post, because their alternate email addresses are not listed as Lyris members. Because Lyris matches on the email address and, if that fails, on the full name, it correctly identifies the member in a wide variety of situations, and their posting is not refused as being "not from a member of this list".

We do not see this feature as a security violation, because the From: field is already insecure. Someone who wants to forge their identity can easily, with a program such as Netscape, put that person's email address in their From: field. Given this fact, allowing people's posts through because the name matches does not make Lyris any less secure. What it does do is spare well-meaning people who post from a slightly different email address the aggravation of a list server which refuses to recognize them.
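
The two-step lookup described above, as an added sketch that is not Lyris code: it returns the matched member together with the rule that matched, both derived only from the unauthenticated From: header. The member list, the sample headers, the name normalization and the handling of a name shared by several members are assumptions made for illustration.

```python
from email.utils import parseaddr

# Constructed member list (address -> full name); not real Lyris data.
MEMBERS = {
    "jane.doe@example.com": "Jane Doe",
    "bob@example.org": "Bob Smith",
}


def normalize_name(name):
    # Assumption: names compare case-insensitively, ignoring extra spaces.
    return " ".join(name.split()).casefold()


def identify_poster(from_header, members=MEMBERS):
    """Return (member_address, rule) where rule is 'address' or 'name',
    or (None, None) when neither lookup finds a member."""
    display_name, address = parseaddr(from_header)
    address = address.lower()

    # Step 1: the address in From: is looked up in the member list.
    by_address = {addr.lower(): addr for addr in members}
    if address in by_address:
        return by_address[address], "address"

    # Step 2: fall back to the full name, if the header carries one.
    wanted = normalize_name(display_name)
    if not wanted:
        return None, None
    hits = [addr for addr, name in members.items()
            if normalize_name(name) == wanted]
    # Assumption: a name shared by several members identifies nobody.
    if len(hits) == 1:
        return hits[0], "name"
    return None, None


if __name__ == "__main__":
    # Constructed From: headers.
    for header in (
        "Jane Doe <jane.doe@example.com>",
        "Jane Doe <jdoe@home.example.net>",
        "jdoe@home.example.net",
        "Someone Else <someone@example.net>",
    ):
        print(f"{header!r:45} -> {identify_poster(header)}")
```

Recording the rule alongside each accepted posting shows a list administrator how often the name fallback, rather than the address, is what admitted a message.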
