On 17 Jun 98 at 10:47, Erich L. Markert wrote: > My $0.02. Requests for passwords should be sent to either the list owner or the site > owner. The confusion here is in the nature of LISTSERV passwords. Passwords have nothing to do with any particular list. The password is used by LISTSERV to determine that the email address that a person enters is really and truly that person's email address. In your scenario, I could look at your list and find an email address that I know belongs to someone you trust. Then I request a password using that person's email address -- you see the confirmation and say "yeah, that's an ok person, I'll ok his password". Now I can go in and pretend to be that person and spam your list in his name. The personal password only authenticates that the person coming in through the interface is indeed the person that owns that email address. It is not related to any list -- the password is the same for that person whatever list they are trying to access. Once the email address has been authenticated through the password, then the email address is checked against the list security -- if the email address is owner, that person can perform owner functions, if the email address is a subscriber and perform subscriber functions, if that address has no rights whatever on the list, then having a password will not do him or her a bit of good. Francoise