LSTOWN-L Archives

LISTSERV List Owners' Forum

John Buckman <[log in to unmask]>
Wed, 22 Feb 1995 08:09:49 -0500
An interesting mis-communication was revealed in private email discussing
security issues with a list-manager version of InfoMagnet.
 
Just in case there is the same communication problem, let me clear up:
 
The security issue exists with user-maintenance, not with list-maintenance.
I would never do something to bypass LISTSERV list-maintenance security.
 
The problem we are facing is the same one created with Eudora.  With Eudora,
any user can say they are so-and-so and subscribe to 10,000 lists.  There is
no way to confirm that the email address put into Eudora is that person's
real email address.
 
Likewise, in InfoMagnet, there is no way to confirm that the user-entered
email address is theirs.  Netscape has the same problem--and it opens up
internet email to abuse.
 
However, given that people don't seem to be abusing this security hole, this
has not become a major concern.
 
What I'm proposing is a list-manager InfoMagnet which would let the owner
be, say 10 email addresses at once, and set all 10 of their memberships to
"nomail".  Given that we can limit who gets this software and can track how
they use it, I don't see this as a big security risk.  I plan to include the
user's serial number in the email header as:
 
X-Mailer InfoMagnet LM 1.0 serial #: 'IMR-JBUCKMAN-YRP' contact
[log in to unmask] to report abusive use of this product
 
Since we maintain a database of serial #s along with their owners, abusers
would be quickly traced.  The product will also bear a disclaimer that this
header message is being embedded in every command to discourage malevolent
people.
 
This strikes me as fairly secure.
 
Now: if it so happens list-managers don't want the functionality of
InfoMagnet LM, then we won't bother developing it and that'll be all. :)
 
John
 
John Buckman - [log in to unmask] - (301) 718-7840
Walter Shelby Group Ltd. - Internet Software Publishers
http://www.shelby.com/pub/shelby/ - ftp://ftp.shelby.com/pub/wsg
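
Added example, not part of the original post and not InfoMagnet code: a list-server-side audit of the tracing scheme described above, which groups sender addresses by the serial in the X-Mailer header and flags serials missing from the registry or used for more than the 10 addresses the post proposes. The `X-Mailer:` colon, the registry contents, the contact address and all sample messages are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from email import message_from_string

# Serial format taken from the header in the post; the "X-Mailer:" colon is assumed.
SERIAL_RE = re.compile(r"InfoMagnet LM [\d.]+ serial #: '([A-Z0-9-]+)'")
MAX_ADDRESSES = 10  # the post proposes letting an owner act as 10 addresses

# Constructed registry: serial number -> licensed owner (hypothetical data).
REGISTRY = {"IMR-JBUCKMAN-YRP": "John Buckman", "IMR-EXAMPLE-001": "Example Owner"}

def make_msg(sender, serial, body="SET TEST-L NOMAIL"):
    """Build a constructed command message carrying the serial header."""
    mailer = f"InfoMagnet LM 1.0 serial #: '{serial}' contact abuse@example.invalid"
    return f"From: {sender}\nX-Mailer: {mailer}\nSubject: cmd\n\n{body}\n"

def audit(raw_messages, registry=REGISTRY, limit=MAX_ADDRESSES):
    """Group sender addresses by serial and report serials needing follow-up."""
    senders = defaultdict(set)
    unlabelled = 0
    for raw in raw_messages:
        msg = message_from_string(raw)
        m = SERIAL_RE.search(msg.get("X-Mailer", ""))
        if not m:
            unlabelled += 1  # no usable serial: nothing to trace back to
            continue
        senders[m.group(1)].add(msg.get("From", "").strip().lower())
    findings = {}
    for serial, addrs in senders.items():
        reasons = []
        if serial not in registry:
            reasons.append("unknown serial")
        if len(addrs) > limit:
            reasons.append(f"{len(addrs)} addresses > {limit}")
        if reasons:
            findings[serial] = {"owner": registry.get(serial), "reasons": reasons}
    return findings, unlabelled

def sample_messages():
    """Constructed traffic: one serial within the limit, one over, one unknown."""
    msgs = [make_msg(f"user{i}@example.org", "IMR-JBUCKMAN-YRP") for i in range(10)]
    msgs += [make_msg(f"member{i}@example.net", "IMR-EXAMPLE-001") for i in range(12)]
    msgs.append(make_msg("someone@example.com", "IMR-UNKNOWN-999"))
    msgs.append("From: plain@example.com\nSubject: cmd\n\nSET TEST-L NOMAIL\n")
    return msgs

if __name__ == "__main__":
    findings, unlabelled = audit(sample_messages())
    for serial, info in findings.items():
        print(serial, info)
    print("messages without a serial header:", unlabelled)
```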
