Jacky wrote regarding the use of Send= Owner, Confirm:

> thanks, I tested it and it works......however, this manual security measure
> (as a consequence of some evil persons with no sense of responsibility) can
> increase the workload of the owner or editor, especially if an approval is
> needed for each message sent to an active mailing list. So far I have had

Hi Jacky,

I wholeheartedly agree. I've got way too much self-inflicted pain already in dealing with and educating people about off-topics, unedited quoteback replies, useless message subject lines... and all the other newbie subscriber and miscreant behaviors we deal with. IMO, adding more listowner overhead is *not* progress..

> One way to narrow the risks is that LISTSERV automatically searches for the
> domain origin (e.g in my case @swipnet.se) or IP nr in the concealed header
> of the sent message. This would narrow the ability of such messages to pass
> through. I am not a software programmer and so I ask - Is this possible ?

Interesting idea, but it seems it would be just as easy to insert a bogus IP along with the forged username and domain information. Just verifying the existence of a predefined IP somewhere in the header chain would be pretty much ineffective.

In addition, since the actual routing path of messages varies with network loads, systems availability, etc., it would not be feasible to check/verify the entire header message path chain.

And finally (as Eric periodically reminds us), anything along these lines would add to ListServ processing overhead and result in performance degradation and an increase in cost of delivering our mail.

> Thus my question is how can an automatic system within LISTSERV be
> developed.

Here's the approach I came up with when I suffered such an attack about three years ago. So far (as he furiously knocks on wood), it has been effective in blocking forged owner message submissions:

- For yourself as List Owner, set up two different email addresses, both aliased to your list admin mailbox. The first of these addresses should be your standard, publicly-known <listname-request> address. The other address should be kept private and never divulged. Let's call that one <Admin-address-private>.

- Use <listname-request> as your public listowner address, as the address you use for all Admin messages, list postings, and communications with your subscribers.

  * Configure your list header with: Owner= listname-request
  * Subscribe to the list as <listname-request>
  * Set subscription options for <listname-request> to REVIEW mode.

- Use the second address as your list editor address by setting:

      Editor= Admin-address-private

  and

      Send= Editor (with or without Hold)

  and do *not* advertise or divulge this address. Hide the editor config line from others using the .HH hidden header flag.

With this approach, all mail sent from <listname-request> (whether real or forged) will be sent to you at the secret editor address <Admin-address-private>. This way you only need to approve any msgs coming from the admin address, and any other subscribers set to Review mode.

So far, this has been effective for me. If anyone sees any holes or shortcomings in this strategy, please email me directly and let me know. Do *not* post your comments directly to the list.... keep in mind these are public archives.

As Jacky noted, forgeries and other sick behaviors are a rapidly growing reality for all of us. If you see a way to circumvent this suggested approach, please let me know and I'll revise or retract my suggestions. But please, let's not publicly provide more information for others bent on trying to add misery to our lives as List Owners.

Regards,
Roland Zuk
Merkur-Owners on ease.home.lsoft.com

> P.S. I use MS Outlook and unable to view the full header of emails
> received. Could someone help me privately.

Select the message of interest and do File/Properties/Details (or Message Source, depending on what version of Outlook you have).