Mailman 2.1.5 uses weak auto-generated passwords for new
subscribers. These passwords are assigned when members
subscribe without specifying their own password (either by
email or the web frontend). Knowledge of this password
allows an attacker to gain access to the list archive even
though she's not a member and the archive is restricted to
members only. [...]
This means that only about 5 million different passwords
are ever generated, a number well within range of
brute-force attacks -- the attacker only has to guess one
subscriber address (which is usually not that hard).
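
An added example, not taken from the advisory or from Mailman's code: one way to audit a password generator for the small output space described above is to draw a batch of passwords and estimate the keyspace from the number of colliding pairs. `weak_generator` is a constructed stand-in with 5 million possible outputs, not Mailman's routine, and all function names are assumptions.

```python
import random
import secrets
import string
from collections import Counter

PAGE_KEYSPACE = 5_000_000  # the "about 5 million" figure quoted in the advisory


def weak_generator(rng):
    """Constructed stand-in with only PAGE_KEYSPACE outputs (not Mailman's code)."""
    return "pw%07d" % rng.randrange(PAGE_KEYSPACE)


def strong_generator(length=12):
    """Password drawn from the OS CSPRNG: 62**length equally likely outputs."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def colliding_pairs(samples):
    """Number of unordered pairs of samples that are identical."""
    counts = Counter(samples)
    return sum(c * (c - 1) // 2 for c in counts.values())


def estimate_keyspace(samples):
    """Birthday estimate of the number of distinct outputs K.

    For n uniform draws the expected number of colliding pairs is
    n(n-1)/(2K), so K is roughly n(n-1)/(2*pairs). Returns None when the
    batch has no collisions, meaning it is too small to bound K.
    """
    n = len(samples)
    pairs = colliding_pairs(samples)
    if pairs == 0:
        return None
    return n * (n - 1) / (2 * pairs)


if __name__ == "__main__":
    rng = random.Random(1)  # fixed seed so the constructed demo is repeatable
    weak = [weak_generator(rng) for _ in range(50_000)]
    strong = [strong_generator() for _ in range(50_000)]
    print("weak generator, estimated keyspace:", estimate_keyspace(weak))
    print("strong generator, estimated keyspace:", estimate_keyspace(strong))
```

Any collision at all in a batch of a few tens of thousands of generated passwords indicates a keyspace in the millions rather than the size the password length suggests.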