Just a day ago, a user was able to spoof the listserv into distrbuting
his personal message by bouncing the message back to the listserv using
ELM mailer. The following is the setup of the List [log in to unmask]
 
*  Review= Owner     Subscription= Open,Confirm Send= Editor
*  Notify= Yes       Reply-to= List,Ignore
*  Validate= Store Only                         X-Tags= No
*  Confidential=No   Stats= Normal,Owner        Ack= Yes
*  Safe= Yes         Files= No                  Mail-via= Dist2
*  Errors-To= Owner  Default-Options= ShortBSMTP
*  Auto-Delete= Yes,Full-Auto
 
I believe LISTSERV@PSUVM is using 1.7f version.
 
Somehow Listserv matched the address of the `Editor' from the bounced
message and went ahead with distribution. Is there a way to stop this
from happening in the future?
 
Perhaps by having a confirmation for editors as well, the same say as
the 'Subcription='? Maybe there is such a feature and I'm not aware of
it. Please advise.
 
Asim Mughal
[log in to unmask]
List Owner PNS-L