Those are not "addresses", they are URLs. I think the "addresses" you are concerned with are the cllient IP addresses. not the server's address. Also, although Tomcat is/was part of the Apache project, mailman runs under the Apache http server, not Tomcat.
Normally you can restrict who can obtain a response from a URL in Apache by using the htaccess mechanism. But the mailman create and listinfo URLs are administrative functions and it's less important where you access them from as who can access them.
Specifically, only designated administrative users should be able to request these URLs. Non-administrators would receive a "403 Forbidden" response. To use mailman you have to log in, and your administrative rights (if any) are tied to your user ID.
Some people, when well-known sources tell them that fire will burn them, don't put their hands in the fire.
Some people, being skeptical, will put their hands in the fire, get burned, and learn not to put their hands in the fire.
And some people, believing that they know better than well-known sources, will claim it's a lie, put their hands in the fire, and continue to scream it's a lie even as their hands burn down to charred stumps.
Every snowflake is perfect and unique. And every snowflake contains a very tiny ad.
SKIP - a book about connecting industrious people with elderly land owners