Mailman mailing list managers with unintended open settings


I have noticed about 1.5 years ago that the Mailman tooling (version 2) has an interesting way about it. There are a few options to make lists more private. You can make lists hidden (even though Google still nicely indexes them, so they are really easy to find with some slight Google dorking: site:xx.com inurl:listinfo).

Another option is to require that every new subscriber to the list be approved by an admin. Of course this means that someone needs to do this job, but if you don't, I can easily sign up with any mail address, and the moment I am on the subscriber list I can also see the entire archive (if it's turned on). Once subscribed it is often possible to see the entire list of subscribers, which is one way to harvest mail addresses; luckily this is also a setting that can be changed.

Recommended settings if it’s a private list:

  • Approval by an admin
  • No archive unless absolutely needed
  • Hiding the list is unreliable, but won’t hurt
  • Member list only visible to admin
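As an added example (not part of the original post), here is a small Python script that checks a list's settings against these four recommendations. The attribute names and value encodings are those of Mailman 2's `config_list -o` output (`subscribe_policy`, `archive`, `archive_private`, `advertised`, `private_roster`); the audit logic and the two sample configurations are constructed for this example.

```python
"""Audit Mailman 2 list settings against the recommendations above.

Attribute names and encodings follow Mailman 2's ``config_list`` format
(Mailman/Defaults.py); the audit function and sample configs are constructed
for this example and are not part of Mailman or of the original post.
"""

# Mailman 2 value encodings:
#   subscribe_policy: 0 = open, 1 = confirm, 2 = admin approval, 3 = confirm + approval
#   archive:          0 = no archive, 1 = archive messages
#   archive_private:  0 = public archive, 1 = members only
#   advertised:       0 = hidden from the listinfo overview, 1 = listed
#   private_roster:   0 = anyone may view roster, 1 = members only, 2 = admin only

# Constructed example: a "private" list left with the usual defaults.
WEAK_LIST = {
    "subscribe_policy": 1,   # confirmation only: any address can subscribe itself
    "archive": 1,
    "archive_private": 1,    # members only, but anyone can become a member
    "advertised": 1,
    "private_roster": 1,     # members can pull the whole subscriber list
}

# Constructed example: the same list with the recommended settings applied.
HARDENED_LIST = {
    "subscribe_policy": 3,   # confirm + admin approval
    "archive": 0,
    "archive_private": 1,
    "advertised": 0,
    "private_roster": 2,
}


def audit_list_config(cfg):
    """Return (attribute, finding) tuples for a list meant to be private.

    An empty list means the configuration matches the recommendations.
    """
    findings = []
    if cfg.get("subscribe_policy", 1) < 2:
        findings.append(("subscribe_policy",
                         "subscriptions do not require admin approval"))
    if cfg.get("archive", 1) == 1:
        if cfg.get("archive_private", 0) == 0:
            findings.append(("archive_private", "archive is world readable"))
        else:
            findings.append(("archive",
                             "archive enabled; every accepted subscriber can read it"))
    if cfg.get("advertised", 1) == 1:
        findings.append(("advertised", "list shown on the listinfo overview page"))
    if cfg.get("private_roster", 1) < 2:
        findings.append(("private_roster",
                         "subscriber roster visible to non-admins"))
    return findings


def render_config_list(cfg):
    """Render settings as one Python assignment per line, the form that
    ``config_list -i`` accepts, so hardened values can be fed back to Mailman."""
    return "\n".join("%s = %d" % (key, cfg[key]) for key in sorted(cfg))


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_LIST), ("hardened", HARDENED_LIST)):
        print("%s:" % name)
        for attr, why in audit_list_config(cfg) or [("-", "no findings")]:
            print("  %-17s %s" % (attr, why))
    print(render_config_list(HARDENED_LIST))
```

To audit a real list, dump its settings with `bin/config_list -o settings.py listname`, load the assignments into a dict, and pass that to `audit_list_config`; the hardened values can be written back with `bin/config_list -i hardened.py listname`.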

In the last 1.5 years I have been able to sign up to loads of mailing lists and have been able to secure many of them by disclosing this to the list managers.

In this way I have been able to see internal communication from a bank, datacenter information, financial information and account information.