Posted by MichaelAtOz on Oct 26, 2019; 2:38am
URL: https://support.nabble.com/Mailing-list-DMARC-changes-tp7604436p7604473.html

Further, Mailman (for some reason yet to be found) started munging DMARC affected addresses and sending them to Nabble from 10 June, with the mailing-list address as From:
Nabble, not finding a matched user with the mailing-list address, created a new unregistered user with that address, and posted the email, regardless of the Permissions.
Subsequent munged emails (from a range of users) all got posted against that new user, regardless of Permissions.

Is that an intended design choice, incoming emails get posted without checking Permissions (hopefully - but I think not -  checking the address matched the configured mailing-list address and so assuming they are legitimate)??

I see that as a spam vulnerability.