Computing at UW-MadisonDivision of Information Technology
Students Faculty/Staff Services Services A through D Services E through L Services M through R Services S through Z Help Desk Tech Store About DoIT   

Lists

WiscList : Private Lists

If you are sharing confidential information in your mailing list or you just want a select group to be part of the list, then there are several security features in WiscList you should be aware of. From password managment to approvals, this document will give you several ideas to enhance your list's security. If you are running a public list but want some added security, feel free to browse through this document and pick out features that will work best with your list.

Hiding your list from visitors

This is the most important step to take to make sure your list is private. To hide your list from non-members (visitors), go to Utilities : List Settings : Discussion Forum Interface : Message Reading and change Hide List to "yes". This will prevent your list from being seen on our Public Lists page at https://lists.wisc.edu/read/all_forums. To avoid nonmembers from reading archived messages (if they are enabled), change Allow Visitors to Read Archives to "no". This is important, because even though visitors cannot see your list on the public lists page, they can still access it if someone gives them the list's URL.

To be certain that non-members cannot post to the list, go to Utilities : List Settings : Discussion Group Features : Security and change Reject Posts from Non-Members to "Yes, only members are allowed to contribute to the list". This will allow only members to post to the list.

Disabling message archiving

If your list requires high security due to confidential information, it is recommended you disable message archiving. This will prevent messages from being viewable on the discussion forum interface. Members can still archive the messages in their personal email inboxes, but there will be no central location where the mailings can be seen by everybody. If someone were to obtain one of your list member's login information, having this feature disabled would prevent him or her from being able to read confidential discussions. If you are not sharing confidential information, this feature is safe to enable.

To change this setting, go to Utilities : List Settings : Basic Information, click on the Enable Features tab and change Archive Messages? to either Yes or No, depending on your desired level of security.

Restricting new subscribers

Since your list is to be private, you don't want just anyone joining. There are ways to restrict how users may join the mailing list. Go to Utilities : List Settings : New Subscriber Policy and click on the Security tab. Under Security, select "private" or "closed". (You may also select "password", but we'll get to that further down). "Private" security requires a list administrator to approve each subscriber before he or she may join. "Closed" security does not let anybody join; a list administrator must manually add members to the list. A closed mailing list is good when high security is needed.

Click on the Confirmation tab. Under Confirm Subscribes, choose "no". Since you will be approving or manually entering members, it is slightly redundant to require a confirmation email. However, if you want to make sure that email addresses are valid, select "yes". Either setting should not affect list security to any significant degree.

Keeping your members anonymous

If you do not want other members to know who is on the list, there are some settings you should configure. To start, go to Utilities : List Settings : Email Submitted Content and click on the Header Rewrites tab. Normally, when someone sends a message to the list via email, his or her name and email address will be shown in the From: field of the message. To make sure the user's name and address does not appear, type in "listdesc" <listname@lists.wisc.edu> where listname is the list's official name in ListManager and listdesc is a longer, nicer to read name for the list. You should also change the To: and Reply To: fields to this same value. This way, whenever a message is sent to members' email inboxes, it will appear that it came from the mailing list itself, not from any individual member.

To make sure that this also happens when mailings are submitted via the web interface, go to Utilities : List Settings : Web Created Content and change the Default From and Default To fields to the same value, written above.

Many times mailing lists are configured to have a list of its members available for other members to see. If you want all of your members to be anonymous, go to Utilities : List Settings : Discussion Group Features : Security and change Security of Members List to "Only allow the list administrator to obtain the member listing".

Please note that these features cannot prevent members from disclosing personal information about themselves in their messages. If you wish to moderate messages to watch for these problems, check out our Getting Started guide. Also, please note that most mailing lists do not hide members from each other, and that these settings should be changed only when your members need very high privacy.

Adding password security

For added security, there are multiple ways to use passwords with the list. First, you can require a password when users try to join the list. To enable this, go to Utilities : List Settings : New Subscriber Policy and click on the Security tab. Change Security to "password" and type in a password in the Password field. Because joining a password-protected list via email is difficult, we recommend to change Allow Joining by Email to "Disallow membership requests via email". This way, users must use the web interface, where a password can be given easily, to join. This method of restricting new subscribers is convenient if you do not wish to approve each individual member or manually add each member.

Every WiscList user is required to have a password to login to the discussion forum interface. This protects your list from unauthorized access. For added security, you can require that members include their password in the body of every post they send to the list. You can enable this at Utilities : List Settings : Email Submitted Content by clicking on the Security tab and changing Require Password in Body to "Yes, all members must have a password, and it must be in the body". If the user does not include their password somewhere in the body, the message will be rejected.

Only allowing administrators to post

If you need only one-way communication in a mailing list (such as an announcement list), you can prevent regular members from posting to the list. Only list administrators will be allowed to post. You can change this by going to Utilities : List Settings : Email Submitted Content, cliking on the Security tab and changing Only Admins can Send to "yes". This way, regular members cannot post to the list and perhaps create a fake announcment.

 

WiscList Documentation > List Security > Private Lists