LSTOWN-L Archives

LISTSERV List Owners' Forum

LSTOWN-L

Vickie Banks <[log in to unmask]>
Sun, 16 Jul 1995 10:53:27 -0400
Since my last message I've been experimenting on the Walter
Shelby Group WWW server.
 
http://www.tile.net/tile/listserv
 
I've been sending fake subscriptions and postings to EDTECH.
 
Result:  You can subscribe anyone you like at any address and
name the person anything you want.  If the list has open subscriptions,
it goes right through.  From the List Owner's perspective, you can't
tell it didn't come directly from the person (no indicators at all
that I can see.)  The person subscribed gets 3 notifications from
EDTECH -- the Listserv standard, the EDTECH Welcome, and an "output
of your job" notice.
 
From one of my non-owner accounts I subscribed various addresses
at different nodes.  Every one went through, as if the
person had done it himself/herself.
 
I also tried a posting (saying it was from someone other than
the account I was using to log into the WWW).  Also went
straight through to the moderator, looked almost exactly as if
it had come from the account I said it had come from. (There
was a reply line buried deep in the header that did give
the correct sender address, but I believe Listserv would
have ignored that.)  I can't express how much I hate this,
as I can see how easy it would be to create trouble.  It appears
that you could also get around moderated lists using this, though
I haven't tested that yet.
 
So certainly our "jokesters" may be using this site for some of
their deeds.
 
Is there any way we could convince the Walter Shelby Group to
put in more security?
 
Vickie Banks
EDTECH Owner -- H-NET Technical Assistance
[log in to unmask]
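
The message above notes that one line deep in the header still carried the real sender's address. As an added example (not part of the original post, and not LISTSERV's own code), this Python function flags mail whose From address disagrees with other originator headers. The header set and both sample messages are constructed assumptions, since the post does not name the header involved.

```python
from email import message_from_string
from email.utils import getaddresses

# Headers that can carry an originator address besides From. Which one the
# gateway described above actually used is not stated; this set is an assumption.
ORIGINATOR_HEADERS = ("Sender", "Reply-To", "Return-Path", "X-Sender")


def _addresses(msg, header):
    """Lower-cased addresses found in every occurrence of one header."""
    values = msg.get_all(header, [])
    return {addr.lower() for _, addr in getaddresses(values) if addr}


def originator_mismatches(raw_message):
    """Return {header: [addresses]} for originator headers that disagree with From."""
    msg = message_from_string(raw_message)
    claimed = _addresses(msg, "From")
    mismatches = {}
    for header in ORIGINATOR_HEADERS:
        found = _addresses(msg, header)
        # Flag only headers that are present and name someone other than From.
        if found and not found <= claimed:
            mismatches[header] = sorted(found - claimed)
    return mismatches


# Constructed sample: a subscription request whose From names one person
# while a second originator header names the account that submitted it.
SAMPLE_MISMATCH = """\
Received: from gateway.example (gateway.example [192.0.2.10])
From: Alice Example <alice@campus.example>
Reply-To: submitter@other.example
To: listserv@lists.example
Subject: subscribe

SUBSCRIBE EDTECH Alice Example
"""

# Constructed sample: the originator headers agree with From.
SAMPLE_CONSISTENT = """\
From: Bob Example <bob@user.example>
Sender: bob@user.example
To: listserv@lists.example

SUBSCRIBE EDTECH Bob Example
"""

if __name__ == "__main__":
    print(originator_mismatches(SAMPLE_MISMATCH))
    print(originator_mismatches(SAMPLE_CONSISTENT))
```

A mismatch is a reason for a list owner to look closer, not proof of forgery: legitimate mail often sets Reply-To or Sender to a different address.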
