How can a LISTSERV list be protected against forged messages? Some background information: A malicious person visits a web site that has a tell-a-friend (hereafter TAF) service. A TAF service allows users to recommend a product, service, or web site to other users via e-mail. TAF services often don't confirm the identity of the user or validate the e-mail addresses being provided to the automated mailer. The TAF service asks the person for hir friend's e-mail address, for hir own e-mail address, and for a brief message to accompany the auto-generated TAF e-mail. The person supplies the posting-address of a LISTSERV mailing list as the target address, the e-mail address of a current subscriber or list owner as the source address, and a brief inflammatory message, then submits the message to be sent by the TAF e-mail service. The message reaches the LISTSERV list server, which checks the From header against the subscriber roster of the list named in the To header, sees that the From address is a current subscriber without NOMAIL, and posts it according to the current moderation policy. Again, for the question: How do I reasonably protect my LITSSERV list against this kind of attack? My goal is to prevent forged messages from being posted to the list. I understand that some moderation might be necessary, but what is the most painless way to implement it? My goal is not to identify the culprit -- sites that host TAF e-mail are unwilling to disable the service, claiming that there are too few complaints about it and no way to identify the malicious users even if they wanted to -- but your advice in that regard is also welcome, as long as it goes beyond simply tracerouting the IP addresses that appear in the e-mail headers. Here's my list's configuration: long name of mailing list Review= Owners Subscription= By_Owner Ack= Msg Language= NOHTML Notify= Yes Reply-to= List,Respect Validate= No Default-Options= Repro,Review Files= No Stats= Normal,Private Confidential= No X-tags= No Safe= Yes Attachments= No Filter= Also,*@*.remarq.com,*@remarq.com Filter= *@virgilio.it,*@tin.it [...] Filter= LISTSERV@*,*@LISTSERV.BROWN.EDU Notebook= Yes,/srv/listserv/archive/***,Weekly,Public Daily-Threshold= 100 Mail-Via= Dist2 Auto-Delete=Yes,Full-Auto,Delay(4),Max(100),Probe(28) Owner= owner1 (owner1's name) Owner= owner2 (owner2's name) Owner= owner3 (owner3's name) Owner= Quiet: Owner= owner1's alternate e-mail address Owner= owner2's alternate e-mail address Owner= owner3's alternate e-mail address Errors-to= Owners Send= Private Moderator= ALL,owner1,owner2,owner3 Editor= owner1,owner2,owner3 Some ideas I've thought of already: * Close down the list. Pro: The malicious posts would stop. Con: All posts would stop. Undesirable; the list still has useful content and a healthy amount of traffic. * Step down as list owner. Pro: Because the malicious person is conducting an attack against me and several subscribers standing up for me against the aggressor, removing the target should mollify hir. Con: Well behaved, responsible subscribers should not be obligated to leave the list to restore peace. This action only meets the terrorist's demands; it deoes not prevent the terror from recurring. Will consider as a last resort. * Move the list to another site using different list-management software. Pro: The other list software might support features such as confirmation of one's own posts (self-moderation), oor content filtering (for known TAF service substrings). Con: Other software does not necesarily have searchable archive and web interfaces, or they aren't as convenient to use. Considering this option if solutions involving LISTSERV are not cost-effective compared to solutions involving the other software. * Manually moderate all posts. Pro: Unless self-moderation can be spoofed, this should work. Con: Impractical due to effort required and delays inherent in manual moderation. I have briefly tried this and the list's reaction to delays of up to 3 days between submission and approval was very negative; conversations could not flow properly or timely. The list is already set to Send= Private Moderator= ALL,owner1,owner2,owner3 Editor= owner1,owner2,owner3 Undesirable. * Prevent e-mail harvesting by restricting access to the archives. Pro: This limits the number of current subscriber addresses available to the impersonator. Con: The impersonator only needs one victim to terrorize the whole list, and it appears that the impersonator was/is a subscriber long enough to collect many e-mail addresses of active subscribers. It is therefore too late to restrict access to the subscriber list via the archives. The list is already set to Review= Owners. Not a solution. * Require all subscribers to confirm their own posts. Pro: Seems to be the ideal solution to block someone who does not have control of the forgery victim's e-mail inbox and can't anticipate the necessary confirmation ticket to send to LISTSERV. Con: Active subscribers are encumbered by learning and applying the self-moderation feature. Learning to self-moderate seems to be a small price to pay for preventing this kind of abuse. This is the best solution yet. Is changing my Send, Moderator, and Editor headers from Send= Private Moderator= ALL,owner1,owner2,owner3 Editor= owner1,owner2,owner3 to Send= Private,Editor,Hold,Confirm Moderator= ALL,owner1,owner2,owner3 Editor= owner1,owner2,owner3,(LISTNAME) sufficient to achieve the following? * Non-subscriber posts are held for review by Moderators. * Subscribers not set to REVIEW have to confirm their own posts. * Subscribers set to REVIEW require Moderator confirmation to post. I don't fully understand the interaction between Moderator and Editor keywords. Other sources of information: * "Molotovs and mailing lists", a 13 Mar 1999 post to LSTOWN-L by Bob Kosovsky. http://peach.ease.lsoft.com/scripts/wa.exe?A2=ind9903&L=lstown-l&P=R3278&I=-3 Pro: Describes a very similar situation. Con: Presents no practical solutions, other than patience. * "Re: Changing Headers", a 15 Dec 1996 post to LSTOWN-L by Gary VanderMolen. http://peach.ease.lsoft.com/scripts/wa.exe?A2=ind9612&L=lstown-l&P=R5397&I=-3 Pro: Warns that list-owner commands can also be forged. Con: Not specific about the xact means for enabling this feature, but I'll research http://www.lsoft.com/manuals/. * "List Keyword reference for LISTSERV 1.8e" - Access keywords http://www.lsoft.com/manuals/1.8e/sitemgr/listkeyw.html#keyAccess See above question re: Send, Moderator, and Editor keywords. * "List Keyword reference for LISTSERV 1.8e" - Security keywords http://www.lsoft.com/manuals/1.8e/sitemgr/listkeyw.html#keySecurity Just in case, I'm changing Validate from No to Yes,Confirm. Pro: Protects more list-owner commands from spoofing. * "List Keyword reference for LISTSERV 1.8e" - Subscription keywords http://www.lsoft.com/manuals/1.8e/sitemgr/listkeyw.html#keySubscription I'll change Subscription from By owner to By_Owner,Confirm. Pro: Implements double opt-in with list-owner review. -- Thank you in advance for any advice you can offer, Michael