On Sat, 25 Aug 90 04:59:47 EDT Mignon Erixon-Stanford said: >Hi. Seems only users on our node (SIVM) can signoff automatically. Anyone >else's requests get sent to the owner. I have things set as: > >* Discussion on Biological Conservation >* >* Review= Public Subscription= Open Send= Public >* Notify= Yes Reply-to= Sender,Respect Files= Yes >* Confidential= No Validate= All X-Tags= No >* Stats= Normal,Private Ack= No >* Notebook= Yes,A5,Monthly,Public >* Owner= NZPEM001@SIVM (Michael Stuwe),Postmaster >* Errors-to= NZPEM001@SIVM (Michael Stuwe) On Sat, 25 Aug 90 18:58:22 O Eric Thomas said: >Well, you explicitly requested this behaviour with "Validate= All". This >tells LISTSERV that it should not act automatically on any request whose >origin could have been faked by a hacker. Unless you have privileges on >the local system, in which case you can edit the file on LISTSERV's 191, >you cannot fake the origin of a CP MSG command. Anybody can send mail >"from" any origin, and a lot of people can send network messages with the >origin of their choice, therefore the request is forwarded to the list >owner for verification. > > Eric Once again, it's time for me to complain about this ridiculous "Validate= All commands" behavior. If I were a hacker, what could I do with Mignon's list? I could easily send mail that looks like it comes from ERIC@SEARN, and it would be automatically be distributed to all list members. I could subscribe to the list (and 100 other lists as well) as "Stubborn Mule" <ERIC@SEARN> so that Eric would be flooded with mail. Now what would happen when Eric tries to get off the list? He can't do it; only Mignon can (who might be away for a month, or busy, or who might purge the request without acting on it). And Eric will continue to get all that unwanted mail. If I were a hacker, what would I be unable to do with Mignon's list? Well, IF Eric was already subscribed, then I wouldn't be able to change his name from "Eric Thomas" <ERIC@SEARN> to "Stubborn Mule" <ERIC@SEARN>. Big deal. By the way, Mignon, what you want to do (I hope!) is to change the Validate parameter to: "Validate= Store only". If this parameter is necessary at all (and I have my doubts), then validation should be possible with the user's personal Listserv password as well. David