The mailing list for listmasters using Sympa

[address@concealed]

Ward, Michael wrote:
> Hi,
>
> The concern has been raised here about the fact that anyone (as our 
> sympa site is exposed to the internet) is able to create accounts, 
> even though they won’t be able to join any lists as none are public. 
> I’m not so concerned about this as there is little they can do (other 
> than trying to hack the site!) with the account, but I was wondering 
> if accounts that are not members of any lists are automatically purged 
> from Sympa after a set time?
Yes they are removed monthly.
> We have to allow anyone to create accounts as our lists aren’t 
> restricted to just people within our organisation.
>
> Also, to reduce the risk of bots automatically creating accounts, can 
> Sympa be set up with a confirmation system? Something along the lines 
> of: user creates account via the Sympa website, an email is sent to 
> the user with a link in the email that the user is required to click 
> before the account is activated.
That not usefull because when a user request a first login, nothing is 
stored in the user database unless the user subscribe to a list or 
change some preferences. The password is a constructed using the secret 
cookie parameter (sympa.conf) in this way look like 
$password='INIT'.&md5($cookie,$email) . The same function is applied to 
verify password so nothing need to be stored.

As Sympa 5.5 devel is started, we are changing this according to 
project_direction 
https://www.sympa.org/wiki/dev/project_direction#authentication_architecture

Regards
Serge