On Wed, 13 Dec 2000 21:48:43 -0500, Paul Karagianis <[log in to unmask]> wrote:

>There's a proposal under discussion in SPAM-L to establish a MAPS-like
>blacklist for "open-loop" lists. What this really means is anybody's
>guess, but I've confirmed with the author that a Listserv list with
>"subscribe=open" qualifies... *even if send= [log in to unmask]*
>because a subscription could be forged and the valid postings would be
>UBE to the victim.

This is one of the primary reasons we always suggest one-way lists be set to Send= ...,Confirm. Then even if the authorized sending address is forged, the request for approval message will still come to the Authorized Editor(s) (which should not be the same address for better security) who will presumably know the proper schedule for postings and be smart enough not to approve the forged message. If the (forged) message is not approved, it will not go to the list and there is no exposure.

>What I'm unclear of is, what are the effects of the
>DISTRIBUTE mechanism in all of this? Do Backbones (in the worst case for
>this scenario) distribute to regions/domains outside of themselves?

In the first place, participation on the backbone is voluntary, and the section in the Site Manager Manual and on our registration webform covers this in good detail, i.e. the site PM should have a good idea what their risk might be before joining the backbone. Sites need not participate.

Generally sites do not route/re-mail outside their own domain, so this isn't very likely anyway. Of course if the owner of an academic mail account has some kind of automatic forwarding setup to an off-campus (out-of-network) account... This is fairly common. And when the person objecting to the mail conveniently forgets that the mail he is getting now at [log in to unmask] is actually subscribed as [log in to unmask], it can lead to all kinds of brou-ha-ha.

>In terms of _risk_ could an inept postmaster see [log in to unmask] being
>delivered via some IP of a regional backbone outside his own domain and
>accidentally cut off all lists distributed through that site to his own
>domain?

Based on the problems we see on a daily basis, I would (sadly) think that more and more people with the title of 'postmaster' seem to know less and less about how mail works.