LSTSRV-L Archives

LISTSERV Site Administrators' Forum

Ben Parker <[log in to unmask]>
Tue, 25 Jun 2002 19:05:56 -0600
On Tue, 25 Jun 2002 16:56:20 -0500, Christopher Ferraro
<[log in to unmask]> wrote:

>Subscription= Open,Confirm
Good.
>.HH ON
>Validate= No
This allows anyone to forge the Owner= address and send unconfirmed commands to
your list... such as   quiet DEL *@*
I suggest Validate= Yes,Confirm

>Review= Owners
Good.
>Send= Editor,Confirm
Should be  Send= Editor,Hold,Confirm

>Reply-To= [log in to unmask],Ignore
More flexible (works for any list) is either

 Reply-to=Sender,ignore   (automatically same as From:)
or
 Reply-to=none    (you already have a From: why do you need Reply-To:)

>Sender= None
>Errors-To= Owner
>Notebook= No
All good.

>Owner= [log in to unmask]
>Owner= Quiet:
>Owner= [log in to unmask]
There is no need for this repetition.  1 is enough.

>Editor= [log in to unmask]
OK.

>List-Address= LISTSERVE.xxx.ORG

Is your server really a mis-spelled version of LISTSERV or was this merely a
typo in your message?  You do know that LISTSERV is a Registered Trademark.
Just thinking about "litigation" ...  ;-)

You don't have, but I would add

Default-Options= NoPOST, NoACK, NoREPRO
 (prevents any subscribers from posting)
Confidential= Yes
 (keeps the knowledge of your list known only to subscribers, somewhat reduces
  spam attempts, etc.)

>.HH OFF

An alternative way to do this is

 Send= Owner,Confirm  (do not forget the ,Confirm or you will be sorry)

then only the Owner= address can send, all other addresses will be rejected.


However, remember that the From: address in your messages you send out is
necessarily exposed to the world.  For security reasons this is close to leaving
the keys in the ignition in your parked (but not-running) car.  Why expose
potentially sensitive information?

This is why I prefer
.hh on   (hide everything)
Send= Editor,hold,confirm
Editor= [log in to unmask]   (only has approval power)
Owner= [log in to unmask]   (different from Editor=)
...
.hh off

In the messages you send:
From: [log in to unmask]    (this address is not even subscribed to the list, the
                            lowest security exposure is non-subscriber)

Now really clever people may parse the message headers and find the
 Approved-by: [log in to unmask]
But this address also has no command privs.  Only can approve messages.  So
Owner= is still preserved.

Finally, you should examine the following contributed file for suggested
modifications to default template messages sent by LISTSERV which can also
inadvertently reveal sensitive information (such as List Owner's address).
See ftp://ftp.lsoft.com/contrib/one-way.mailtpl
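
The recommendations in the message above can be checked mechanically against a list header. The following Python sketch is an added example, not part of the original post and not L-Soft code; the sample header, the placeholder addresses and the function names `parse_header` and `audit` are assumptions made for illustration.

```python
import re

# Constructed sample header (placeholder addresses), modelled on the settings quoted above.
SAMPLE_HEADER = """\
Subscription= Open,Confirm
.HH ON
Validate= No
Send= Editor,Confirm
Owner= owner@example.org
Owner= Quiet:
Editor= owner@example.org
.HH OFF
"""

def parse_header(text):
    """Map each keyword (lower-cased) to its comma-separated values, lower-cased."""
    kw = {}
    for line in text.splitlines():
        # An optional leading "*" is tolerated; ".HH ON/OFF" lines do not match and are skipped.
        m = re.match(r"\s*\*?\s*([A-Za-z-]+)\s*=\s*(.*)$", line)
        if m:
            vals = [v.strip().lower() for v in m.group(2).split(",") if v.strip()]
            kw.setdefault(m.group(1).lower(), []).extend(vals)
    return kw

def audit(text):
    """Return (keyword, advice) pairs for each recommendation in the post that is not met."""
    kw = parse_header(text)
    get = lambda k: kw.get(k, [])
    out = []
    if not {"yes", "confirm"} <= set(get("validate")):
        out.append(("Validate", "use Validate= Yes,Confirm so forged Owner= commands are not run unconfirmed"))
    if "confirm" not in get("send"):
        out.append(("Send", "add ,Confirm to Send="))
    elif "editor" in get("send") and "hold" not in get("send"):
        out.append(("Send", "use Send= Editor,Hold,Confirm"))
    owners = {v for v in get("owner") if "@" in v}  # ignores "Quiet:" markers
    if owners & set(get("editor")):
        out.append(("Owner/Editor", "use an Editor= address different from Owner="))
    if "yes" not in get("confidential"):
        out.append(("Confidential", "add Confidential= Yes"))
    if "nopost" not in get("default-options"):
        out.append(("Default-Options", "add Default-Options= NoPOST, NoACK, NoREPRO"))
    return out

if __name__ == "__main__":
    for keyword, advice in audit(SAMPLE_HEADER):
        print(f"{keyword}: {advice}")
```
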
