LSTOWN-L Archives

LISTSERV List Owners' Forum

Nathan Brindle <[log in to unmask]>
Tue, 7 Jan 1997 15:43:01 EST
On Tue, 7 Jan 1997 15:19:58 -0500 Mark London said:
>Because of the relative ease in people being able to set their email address,
>I am worried about someone setting their email to one of the owners of
>my listserv mailing list, and then sending commands to listserv to modify
>the list.  I would like to be able to protect it more.  Is there a way to do
>this?  If not, is there a way to at least make it not possible to get the
>header of the list so as to see what the owner addresses are?  Thanks.
 
Let's consider a couple of things:
 
1. LISTSERV <always> requires a password for a list PUT.
 
2. LISTSERV <always> requires either the old password or an "OK" to
   change or reset your password.
 
So if Joe Random User sets up his POP mail client to forge mail from your
list owner address, he needs your personal password or the list password
to effect any PUT operation.  OK, so what happens if he's smart enough to
know that he can use a personal password to do this kind of thing, and
sends a "PW CHANGE newpassword" command to LISTSERV?  Well...the "OK"
confirmation request goes to <you>, not to him, because he's forging mail
from <your> address...:)
 
Therefore I think you'll find that the security for your list header is
pretty tight.  The only way to hide the list header completely would be
to set the list "Confidential= Yes", which of course hides the list from
the global list of lists and from the CataList.
 
The hole in this, of course, is your password.  If you keep your password
secret, or change it every so often as most computing people would advise
you, you shouldn't have a problem.  On the other hand, if you use a
password that's easy to guess or if you accidentally send a password-
protected command to the list (I did that once...:), then you leave
your list open to the kind of attack you are concerned about.
 
Nathan