Please forgive my naivety—why are mailing lists forging from addresses in the first place? Have they just been fragilely dependent for years on the exploitation of an authentication vulnerability?
Fair question. The basic internet email spec has virtually no security features whatsoever, and is completely unauthenticated. Mailing list management software doesn't forge sender information, but rather often retains it and generally trusts incoming headers. Back in the old days, some folks even referred to discussion lists as "reflectors."
The proper usage of SMTP mail headers is outlined in RFC2822 (originally RFC822), as is the definition of the headers From, Sender, Resent-From, etc. The rules for specifying sender information are spelled out in 3.6.2. [0]
That said, system behavior also depends on whether the MLM software is running behind a mail transport agent that enforces authentication protocols for incoming emails, scans for viruses, etc.
When discussion list owners are concerned about receiving forged posts, they usually use list moderation features so they can ensure emails do not get distributed that haven't been reviewed first. But the biggest problem for MLMs isn't usually dealing with impostors, but rather blocking email-borne viruses and misconfigured auto-responders that could cause bogus emails to get reflected out to subscribers.
The behavior of the outgoing From header from MLM software typically depends on the configuration of the list. Some lists (especially digests) are configured so outgoing messages are "From" the list itself. But most discussion lists are configured to retain the original From line, while clarifying their role as an email proxy through other headers.
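The two list configurations described in the answer, and the RFC 2822 section 3.6.2 rule about Sender, can be checked on a received message with the sketch below. It is an added example, not part of the original thread. The list address, the three sample messages and the choice of proxy headers to look for (List-Id from RFC 2919 and List-Post from RFC 2369 alongside Sender and Resent-From) are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

LIST_ADDR = "discuss@lists.example.net"  # assumed list posting address

# Constructed sample messages, as a subscriber might receive them.
RETAINED = (
    "From: Alice Example <alice@example.org>\n"
    "Sender: discuss-bounces@lists.example.net\n"
    "List-Id: Discussion <discuss.lists.example.net>\n"
    "Subject: hello\n\nbody\n"
)
REWRITTEN = (
    "From: Discussion <discuss@lists.example.net>\n"
    "Reply-To: Alice Example <alice@example.org>\n"
    "List-Id: Discussion <discuss.lists.example.net>\n"
    "Subject: digest\n\nbody\n"
)
MALFORMED = (
    "From: alice@example.org, bob@example.org\n"
    "Subject: two authors, no Sender\n\nbody\n"
)

PROXY_HEADERS = ("Sender", "Resent-From", "List-Id", "List-Post")

def mailboxes(msg, name):
    """Return the lower-cased addresses found in every instance of a header."""
    return [a.lower() for _, a in getaddresses(msg.get_all(name, [])) if a]

def classify(raw, list_addr=LIST_ADDR):
    msg = message_from_string(raw)
    authors = mailboxes(msg, "From")
    senders = mailboxes(msg, "Sender")
    violations = []
    if not authors:
        violations.append("no From mailbox")
    # RFC 2822 3.6.2: Sender is required when From lists several mailboxes.
    if len(authors) > 1 and not senders:
        violations.append("multiple From mailboxes without Sender")
    if len(senders) > 1:
        violations.append("Sender holds more than one mailbox")
    mode = "from-list" if authors == [list_addr.lower()] else "from-retained"
    return {
        "mode": mode,
        "authors": authors,
        "proxy_headers": [h for h in PROXY_HEADERS if msg.get(h)],
        "violations": violations,
    }
```

None of these headers is authenticated, so the result describes how the message presents itself, not who actually sent it.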