On Tue, 25 Jun 2002 16:56:20 -0500, Christopher Ferraro <[log in to unmask]> wrote: >Subscription= Open,Confirm Good. >.HH ON >Validate= No This allows anyone to forge the Owner= address and send unconfirmed commands to your list... such as quiet DEL *@* I suggest Validate= Yes,Confirm >Review= Owners Good. >Send= Editor,Confirm Should be Send= Editor,Hold,Confirm >Reply-To= [log in to unmask],Ignore More flexible (works for any list) is either Reply-to=Sender,ignore (automatically same as From:) or Reply-to=none (you already have a From: why do you need Reply-To:) >Sender= None >Errors-To= Owner >Notebook= No All good. >Owner= [log in to unmask] >Owner= Quiet: >Owner= [log in to unmask] There is no need for this repetition. 1 is enough. >Editor= [log in to unmask] OK. >List-Address= LISTSERVE.xxx.ORG Is your server really a mis-spelled version of LISTSERV or was this merely a typo in your message? You do know that LISTSERV is a Registered Trademark. Just thinking about "litigation" ... ;-) You don't have, but I would add Default-Options= NoPOST, NoACK, NoREPRO (prevents any subscribers from posting) Confidential= Yes (keeps the knowledge of your list known only to subscribers, somewhat reduces spam attempts, etc.) >.HH OFF An alternative way to do this is Send= Owner,Confirm (do not forget the ,Confirm or you will be sorry) then only the Owner= address can send, all other addresses will be rejected. However, remember that the From: address in your messages you send out is necessarily exposed to the world. For security reasons this is close to leaving the keys in the ignition in your parked (but not-running) car. Why expose potentially sensitive information? This is why I prefer .hh on (hide everything) Send= Editor,hold,confirm Editor= [log in to unmask] (only has approval power) Owner= [log in to unmask] (different from Editor=) ... .hh off In the messages you send: From: [log in to unmask] (this address is not even subscribed to the list, the lowest security exposure is non-subscriber) Now really clever people may parse the messge headers and find the Approved-by: [log in to unmask] But this address also has no command privs. Only can approve messages. So Owner= is still preserved. Finally, you should examine the following contributed file for suggested modifications to default template messages sent by LISTSERV which can also inadvertently reveal sensitive information (such as List Owner's address). See ftp://ftp.lsoft.com/contrib/one-way.mailtpl