On Sat, 25 Aug 90 04:59:47 EDT Mignon Erixon-Stanford said:
>Hi. Seems only users on our node (SIVM) can signoff automatically. Anyone
>else's requests get sent to the owner. I have things set as:
>
>* Discussion on Biological Conservation
>*
>* Review= Public Subscription= Open Send= Public
>* Notify= Yes Reply-to= Sender,Respect Files= Yes
>* Confidential= No Validate= All X-Tags= No
>* Stats= Normal,Private Ack= No
>* Notebook= Yes,A5,Monthly,Public
>* Owner= NZPEM001@SIVM (Michael Stuwe),Postmaster
>* Errors-to= NZPEM001@SIVM (Michael Stuwe)
On Sat, 25 Aug 90 18:58:22 O Eric Thomas said:
>Well, you explicitly requested this behaviour with "Validate= All". This
>tells LISTSERV that it should not act automatically on any request whose
>origin could have been faked by a hacker. Unless you have privileges on
>the local system, in which case you can edit the file on LISTSERV's 191,
>you cannot fake the origin of a CP MSG command. Anybody can send mail
>"from" any origin, and a lot of people can send network messages with the
>origin of their choice, therefore the request is forwarded to the list
>owner for verification.
>
> Eric
Once again, it's time for me to complain about this ridiculous
"Validate= All commands" behavior.
If I were a hacker, what could I do with Mignon's list? I could easily send
mail that looks like it comes from ERIC@SEARN, and it would automatically
be distributed to all list members. I could subscribe to the list (and 100
other lists as well) as "Stubborn Mule" <ERIC@SEARN> so that Eric would be
flooded with mail. Now what would happen when Eric tries to get off the
list? He can't do it; only Mignon can (who might be away for a month, or
busy, or who might purge the request without acting on it). And Eric will
continue to get all that unwanted mail.
If I were a hacker, what would I be unable to do with Mignon's list? Well,
IF Eric was already subscribed, then I wouldn't be able to change his name
from "Eric Thomas" <ERIC@SEARN> to "Stubborn Mule" <ERIC@SEARN>. Big deal.
By the way, Mignon, what you want to do (I hope!) is to change the Validate
parameter to: "Validate= Store only".
If this parameter is necessary at all (and I have my doubts), then validation
should be possible with the user's personal Listserv password as well.
David