LSTSRV-L Archives

LISTSERV Site Administrators' Forum

David Sitman <[log in to unmask]>
Sun, 26 Aug 90 09:36:58 IST
On Sat, 25 Aug 90 04:59:47 EDT Mignon Erixon-Stanford said:
>Hi. Seems only users on our node (SIVM) can signoff automatically.  Anyone
>else's requests get sent to the owner.  I have things set as:
>
>* Discussion on Biological Conservation
>*
>*   Review= Public   Subscription= Open        Send= Public
>*   Notify= Yes      Reply-to= Sender,Respect  Files= Yes
>*   Confidential= No Validate= All             X-Tags= No
>*   Stats= Normal,Private                      Ack= No
>*   Notebook= Yes,A5,Monthly,Public
>*   Owner= NZPEM001@SIVM (Michael Stuwe),Postmaster
>*   Errors-to= NZPEM001@SIVM (Michael Stuwe)
 
On Sat, 25 Aug 90 18:58:22 O Eric Thomas said:
>Well, you explicitly requested this  behaviour with "Validate= All". This
>tells LISTSERV that it should not  act automatically on any request whose
>origin could have  been faked by a hacker. Unless  you have privileges on
>the local system, in which case you  can edit the file on LISTSERV's 191,
>you cannot  fake the origin  of a CP MSG  command. Anybody can  send mail
>"from" any origin, and a lot of people can send network messages with the
>origin of  their choice, therefore the  request is forwarded to  the list
>owner for verification.
>
>  Eric
 
Once again, it's time for me to complain about this ridiculous
"Validate= All commands" behavior.

If I were a hacker, what could I do with Mignon's list? I could easily send
mail that looks like it comes from ERIC@SEARN, and it would automatically
be distributed to all list members. I could subscribe to the list (and 100
other lists as well) as "Stubborn Mule" <ERIC@SEARN> so that Eric would be
flooded with mail. Now what would happen when Eric tries to get off the
list? He can't do it; only Mignon can (who might be away for a month, or
busy, or who might purge the request without acting on it). And Eric will
continue to get all that unwanted mail.

If I were a hacker, what would I be unable to do with Mignon's list? Well,
IF Eric was already subscribed, then I wouldn't be able to change his name
from "Eric Thomas" <ERIC@SEARN> to "Stubborn Mule" <ERIC@SEARN>. Big deal.

By the way, Mignon, what you want to do (I hope!) is to change the Validate
parameter to:  "Validate= Store only".

If this parameter is necessary at all (and I have my doubts), then validation
should be possible with the user's personal Listserv password as well.
 
David