LISTSERV - LSTSRV-L Archives - COMMUNITY.EMAILOGY.COM

LSTSRV-L Archives

LISTSERV Site Administrators' Forum

LSTSRV-L

	LISTSERV Archives
	LSTSRV-L Home

	Log In
	Register

	Subscribe or Unsubscribe

	Search Archives

Options:	Use Monospaced Font Show Text Part by Default Show All Mail Headers
Topic:	[<< First] [< Prev] [Next >] [Last >>]

Re: CHANGE REQUEST: Archives menu should not include lists with 'confidential=service'

Roger Fajman <[log in to unmask]>

Tue, 2 Mar 2004 11:45:11 -0500

text/plain (53 lines)

>By definition, a list configured with 'Confidential= Service' is supposed
>to be
>hidden from users outside the list's service area, however, its inclusion
>in the
>publicly accessible archives menu effectively provides anyone anywhere
>with the
>ability to learn of the list's existence. The archives menu page on a LISTSERV
>server is an appealing target for spammers or malicious mailers who want to
>harvest list names for their own purposes. The only effective way to prevent
>this would be to restrict access to the archives menu, however, this
>effectively
>disenfranchises list owners who want their lists to be accessible to the
>public.
>
>As I see it, the ideal solution to this problem would be the creation of
>separate archives menu pages for public and semi-private lists. Access to the
>menu of semi-private lists would require authentication with an email
>address in
>the server's local service area. In the interim, I believe semi-private lists
>should be removed from the public archives menu.
>
>I would like to see some feedback from other sites. Are we the only site
>concerned about this issue? Is everyone else satisfied with the current
>behavior?

Back in 1998, when I was in charge of the LISTSERV administration team at
NIH, we also became dissatisfied with Confidential=Service lists showing up
on the web archives pages.  NIH has hundreds of internal lists that should
be visible on the archives pages to internal users only, while public lists
should be visible to the entire Internet.  We discussed this issue with
Eric Thomas at L-Soft (Bronna probably remembers).  Perhaps partly as a
result of our requirement, L-Soft soon added a feature allowing service
areas to be defined in terms of IP addresses, as well as email
addresses.  This allowed the LISTSERV web interface to determine if the
client is in a service area and act accordingly.

The IP address for a service area took care of a lot, but it did not handle
the initial list of lists page.  So we decided to take care of that problem
on our own.  We wrote a CGI program that replaces the LISTSERV list of
lists page.  Our program displays a web page to the client that varies
according to the client's IP address.  In our program, the pages are
static, but you can envision a program that generates pages as needed,
depending on the various service areas that the client's IP address fell
into.  The pages could be cached too, to lower overhead.  In our case we
also had another program that would run periodically to update the list of
list pages, in order to pick up changes to the lists.

Because we had so many lists, we added some tools for navigating through
the lists.  You can see those at http://www.list.nih.gov.  If you want the
programs, write to [log in to unmask]

Roger Fajman

ATOM RSS1 RSS2

COMMUNITY.EMAILOGY.COM