Those are not "addresses", they are URLs. I think the "addresses" you are concerned with are the cllient IP addresses. not the server's address. Also, although Tomcat is/was part of the Apache project, mailman runs under the Apache http server, not Tomcat.
Normally you can restrict who can obtain a response from a URL in Apache by using the htaccess mechanism. But the mailman create and listinfo URLs are administrative functions and it's less important where you access them from as who can access them.
Specifically, only designated administrative users should be able to request these URLs. Non-administrators would receive a "403 Forbidden" response. To use mailman you have to log in, and your administrative rights (if any) are tied to your user ID.