>I clicked on "get a new LISTSERV password first" link on the "Login Required" page, filled >in the email address and both fields for the password. Much to my chagrin the >confirmation request for a list management password wasn't sent to the site owner email >address or even the list owner address - the confirmation was sent back to the email >address of the requestor. Passwords are individual and, well, private. Their sole function is to confirm that you are who you claim to be, they do not grant any kind of privileges. The list owner should not know your password any more than you should know his! Anyone can request a LISTSERV password to authenticate future commands. >Now while the this new user cannot manage the list (I'm assuming because the email address >isn't one of the listed owners) it does cause me a bit of concern because the person can >get to the list management form for managing subscribers, edit headers and templates,etc. I assume you mean the LMGT1 screen. This screen allows you to select a list to manage, and then move on to various screens if you have owner privileges for the selected list. Until you have selected a list, LISTSERV cannot know whether you are the owner! Well, I guess it could check all lists, but there are sites with thousands of lists. At any rate, you cannot do anything without owner privileges, the web interface does not manipulate lists directly but sends off requests to LISTSERV through a channel that will only accept commands authenticated by a valid password (which as you know is cookie confirmed). Any user could install an evaluation copy of LISTSERV on his PC (where he would be the owner), navigate the screens, note the URL and/or form fields, and construct a web page that would submit the same thing to your server. However it wouldn't work, because he wouldn't have owner privileges on your server, and if he used your e-mail address, he wouldn't know your password. Eric