Those are not "addresses", they are URLs. I think the "addresses" you are concerned with are the cllient IP addresses. not the server's address. Also, although
Tomcat is/was part of the Apache project, mailman runs under the Apache http server, not Tomcat.
Normally you can restrict who can obtain a response from a URL in Apache by using the htaccess mechanism. But the mailman
create and
listinfo URLs are administrative functions and it's less important
where you access them from as
who can access them.
Specifically, only designated administrative users should be able to request these URLs. Non-administrators would receive a "403 Forbidden" response. To use mailman you have to log in, and your administrative rights (if any) are tied to your user ID.
So the best place to get the information you need is in the mailman docs at
http://list.org. The administrator's manual is here:
https://wiki.list.org/DOC/Mailman%202.1%20List%20Administrators%20Manual
Some people, when well-known sources tell them that fire will burn them, don't put their hands in the fire.
Some people, being skeptical, will put their hands in the fire, get burned, and learn not to put their hands in the fire.
And some people, believing that they know better than well-known sources, will claim it's a lie, put their hands in the fire, and continue to scream it's a lie even as their hands burn down to charred stumps.