You Run the List. You Own the Risk.

By William Weiner July 5, 2026

If you run a group email list, you own the risk for everyone on it. Every address your members handed you, every message that flows through, every threat that rides in with it – that is yours to protect now, whether you signed up for the job or not.

I learned this the hard way. For about twenty-five years I have run the email list for my extended family, and it has taught me more about email privacy than any specification ever did. Eventually it made me write my own email system.

Run a family or group email list? You own the risk for every address on it?

A favor that became a responsibility

I started our family list around the year 2000, on GNU Mailman. The family is large – well over 250 people – and the list grew past a hundred members without much fuss. For a long time it was exactly what it looked like: a convenient way to reach everyone at once.

I took the privacy of it seriously, or at least I thought I did. I ran it as a closed group so outsiders could not post. I hid the recipient list so a message did not arrive with everyone’s address stapled to the top. Later I hid the senders too, showing a display name instead of a real address, and I set Mailman to reject the file types that commonly carried viruses. Each of these felt like progress. The obvious doors were locked.

The feedback told me it was not enough. New members would say their spam went up after joining. Someone would report a virus that looked like it came through the list. Not every complaint was real – people blame the most recent change for whatever went wrong – but there were enough of them, often enough, that I could not wave them away. Something about the way group email works was leaking, and my locks were not stopping it.

The day it stopped being theoretical

Then my father’s email account was completely hacked. Not skimmed – taken. His entire contact list was downloaded, along with at least some of his mail.

I saw the aftermath in my own filters. Phishing messages started showing up around the list, and when I looked at who they were addressed to, the pattern was unmistakable: our list address was in there, and so were the personal addresses of other members. My father’s stolen address book had become a target map, and a good part of that map was our family. I sent out warnings – watch for these senders, do not click – and I kept catching them. What I could never know was who I had missed. Somewhere across a hundred inboxes, a message that looked like it came from a trusted relative was landing, and I had no way to be sure it had not worked.

That was the lesson that reorganized everything for me. I had spent years hiding addresses, and hiding addresses had not protected anyone here. The danger did not need to read a member’s address off a header. It rode inside the message – in a hacked relative’s next email, in an attachment, in a tracking pixel that quietly reported who opened what. One compromised member could expose the whole group even when every address was hidden, because the threat was in the content, not the envelope.

The leaks I did not design for

The other thing I learned is that people, given a goal, will route around the very protections built to help them. Relatives wanted to talk in smaller circles – one branch of the family, a couple of cousins planning a surprise – so they did the natural thing and swapped personal addresses to set it up. In a single move, the privacy I had maintained for years was undone by good intentions.

And people quote. They hit reply or forward, and the previous message comes along, addresses and all, pasted into the body where no header-hiding setting can reach. Nobody thinks about what they are exposing when they do it. They are just answering a message.

None of this was carelessness. It was ordinary human behavior meeting a tool that assumed everyone would be careful. That is a bad assumption to build a hundred people’s privacy on.

Why I finally wrote my own

By 2019, after nearly two decades of patching Mailman, I had run out of room. I had bolted on every protection the platform allowed, and I had reached the limits of both the tool and my own ability to bend it further. The thing my family actually needed did not exist, so I sat down and built it. That system became EMail Parrot.

Starting from scratch let me fix the problems at the layer where they actually lived. Pseudonyms became the default, not a setting to remember – members see each other as names, and only I, the administrator, ever hold the real addresses, in a dashboard, never in anyone’s inbox. There is no stored archive to breach. Every message is scanned at the relay instead of being left to each member’s inbox: virus and malware scanning through AWS and ClamAV, tracking pixels and remote content stripped, dangerous attachments removed. When someone quotes a message, the addresses buried in that quoted text are redacted automatically, because I already knew people would not do it themselves. And for the smaller-circle problem, there are sublists and pseudonym direct messages, so a cousin can reach a cousin without either of them ever trading a real address.

Where it stands now

There are 148 people on the family list today. Every one of them has a direct-message address, and there are sublists for each branch of the family. The complaints about viruses and attacks that used to trickle in have simply stopped. I would like to say that is entirely because the problem is solved. Part of it may be that people have quietly come to expect email to be dangerous, which is its own sad commentary. I did not want my family to have to expect that.

My biggest problem now is that people reply-all too much. After twenty-five years, “too much email” is the kind of problem I am glad to have.

Here is what I would tell anyone who runs a list for their family, their congregation, their team, or their neighbors: you are the custodian of every address on it, whether you meant to sign up for that or not. And doing right by those people cannot depend on all of them – or on you – remembering to be careful every single time. The protection has to be built in, on by default, doing its job whether or not anyone is thinking about it. That is the entire reason EMail Parrot exists.

If you are holding other people’s information in a list right now, you can hand that responsibility to a system designed to keep it. Start a free trial – 30 days, no credit card required – and give your members the protection you would want for your own.