How Lyris Determines the Identity of the Person Posting
When mail comes into a Lyris mailing list for distribution, Lyris looks at the From: header, extracts the email address, and looks the email address up in the list of members for that
list. If the email addresses match, the message is assumed to be from that member.
If the email address does not match, Lyris looks to see if the From: field contains a full name of a person. If it does, Lyris looks that full name up to see if they are a member of the mailing list.
If the full name matches, then the postings is assumed to be by that member. Lyris uses this technique to work around a common problem with list servers: if only members are allowed to post, and the
list server knows people only by their email address, then people with multiple email addresses will be continually refused the right to post, because their alternate email addresses are not listed
as Lyris members. Since Lyris matches on the email address, and if that fails, on the full name, in a wide variety of situations Lyris correctly identifies the member, and their posting is not
refused as being "not from a member of this list".
We do not see this feature as a security violation, because the From: field is already insecure. If someone wants to forge their identity, they can easily, with a program such as Netscape, assume
that person's email address for their From: field. Given this fact, allowing people's posts through because the name matches does not make Lyris any less secure. What it does do, is when
well-meaning people try to post, and have a slightly different email address, they are not aggravated by a list server which refuses to recognize them.