LSTOWN-L Archives

LISTSERV List Owners' Forum

Paul Russell
Wed, 9 May 2001 17:48:53 -0500
When a LISTSERV server receives a command message containing multiple
commands for local execution, or any command(s) which must be forwarded
to another LISTSERV server for execution, the server should send a special
confirmation request to the apparent sender to verify the origin of the
message. If the confirmation response is not received within some specified
time period, the entire request would be discarded. The threshold number of
commands which trigger this confirmation request should be configurable by the
site administrator.

This confirmation request would precede, not replace, any confirmation
requests which would normally be issued for the individual commands in the
message. There should be an override mechanism to allow the site administrator
to prevent the issuance of the confirmation request for individual messages,
so that site administrators using automated procedures to submit mass
commands may continue to do so.

The LISTSERV network has experienced several incidents in which malicious
individuals used forged email to send a single message containing multiple
subscribe, signoff, info, or query commands in order to cause one or more
LISTSERV servers to mail bomb the individual whose return address was forged.

The requested change will significantly reduce the vulnerability of the
LISTSERV network and individual LISTSERV servers to exploitation in this
manner.

--
Paul Russell
Senior Systems Administrator
University of Notre Dame
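
The gating policy proposed in the message above, sketched in Python as an added example (not part of the original post and not LISTSERV code). The class, constants, host name, list names in the test data and the 48-hour window are assumptions made for illustration.

```python
import secrets
import time
from dataclasses import dataclass, field

# Hypothetical names and values throughout; none are LISTSERV settings or APIs.
LOCAL_HOST = "listserv.example.edu"   # constructed host name
CONFIRM_THRESHOLD = 2                 # site-configurable count of local commands
CONFIRM_TTL_SECONDS = 48 * 3600       # assumed confirmation window


@dataclass
class CommandGate:
    pending: dict = field(default_factory=dict)  # token -> (sender, commands, deadline)

    def needs_confirmation(self, commands, admin_override=False):
        # admin_override must come from a channel the site authenticates,
        # never from the (forgeable) From header of the message itself.
        if admin_override:
            return False
        forwarded = any(host != LOCAL_HOST for _, host in commands)
        return forwarded or len(commands) >= CONFIRM_THRESHOLD

    def submit(self, sender, commands, admin_override=False, now=None):
        """Return ("run", commands) or ("held", token) for one command message."""
        now = time.time() if now is None else now
        if not self.needs_confirmation(commands, admin_override):
            return ("run", commands)
        token = secrets.token_urlsafe(16)  # mailed to the apparent sender
        self.pending[token] = (sender, commands, now + CONFIRM_TTL_SECONDS)
        return ("held", token)

    def confirm(self, token, now=None):
        """Release the held commands once; unknown or expired tokens release nothing."""
        now = time.time() if now is None else now
        sender, commands, deadline = self.pending.pop(token, (None, [], 0))
        # Released commands still go through their normal per-command confirmation.
        return commands if now <= deadline else []

    def purge(self, now=None):
        """Discard every request whose confirmation window has passed."""
        now = time.time() if now is None else now
        expired = [t for t, (_, _, d) in self.pending.items() if now > d]
        for t in expired:
            del self.pending[t]
        return len(expired)
```
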
