LSTOWN-L Archives

LISTSERV List Owners' Forum

Jacob Haller <[log in to unmask]>
Fri, 26 Apr 2002 11:36:08 -0400
text/plain (35 lines)
Someone sent mail privately asking for more information about the
kind of problem described.

The basic idea is that it's pretty trivial to send a message from an
arbitrary email address -- I can send a message using someone else's
email address in my "From:" header.

Using this technique, someone then could issue commands to LISTSERV
that appear to be from you.  (We recommend Validate= Yes,Confirm for
this reason; without validation turned on, someone could forge a "del
listname *@*" from a listowner address and delete everyone from the
mailing list.)

So it's possible that someone could forge a "SIGNOFF" command from
another user.  By default LISTSERV does not require confirmation of
SIGNOFF commands, so the command would be honored and the subscriber
would be removed.  This is true even with "Validate= Yes,Confirm".

Most of the time this issue doesn't come up--people aren't normally
malicious in this way.  However, if it comes up, the solution is to
use "Validate= All,Confirm", which will require that even SIGNOFF
commands require validation.

The discussion of the "Validate=" keyword in Appendix B of the Site
Manager's Manual includes a handy chart showing which commands
require validation for which values of "Validate=".

Thanks,
--
Jacob Haller, Technical Support, L-Soft international, Inc
  LISTSERV (R) is a registered trademark of L-Soft.
   Support is available 9:00-18:00 ET, Monday-Friday
    except on the following holidays:
     http://www.lsoft.com/products/default.asp?item=holidays
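As an added illustration (constructed for this archive page, not taken from the post above or from L-Soft's manuals), the two Validate= settings the reply discusses, shown as alternative LISTSERV list-header fragments; the list title, Owner= address and Subscription= line are assumed values, and the Validate= line is the only one that matters here:

```text
* --- Fragment A: the usual recommendation ---
* Example list (constructed; not a real list)
* Owner= listowner@example.com           (assumed address)
* Subscription= By_Owner                 (assumed setting)
* Validate= Yes,Confirm
*   A forged "del listname *@*" from the owner address is NOT honored
*   until the real owner confirms it.  A forged "SIGNOFF" from a
*   subscriber's address, however, IS honored without confirmation,
*   so that subscriber is silently removed.

* --- Fragment B: what to use if forged SIGNOFFs become a problem ---
* Example list (constructed; not a real list)
* Owner= listowner@example.com           (assumed address)
* Subscription= By_Owner                 (assumed setting)
* Validate= All,Confirm
*   Every command, SIGNOFF included, now requires confirmation, so a
*   forged SIGNOFF is not acted on until the genuine address confirms.
```

Use one fragment or the other; the Appendix B chart in the Site Manager's Manual lists which other commands each Validate= value protects.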
