On Fri, 22 Sep 89 09:43:53 EDT Michael R. Gettes said:
>On Fri, 22 Sep 89 14:00:09 GMT Eric Thomas said:
>>Fine, now any  self-respecting hacker can send  an AFD FOR *@* DEL  * * *
>>from the postmaster userid to your server, and zzzap, all AFD's gone in a
>>matter of seconds. But then, who cares about security?
>>
>>  Eric
>
>So, are you saying that it is trivial for a hacker to look like the postmaster
>to listserv without actually getting onto the postmaster account or listserv?
>If this is so, that is security whole that should certainly be fixed.
>If it is necessary for someone to actually get on to listserv or get on
>to a postmaster account to do this then I do not see this as a security
>breach.
 
 
It's the same old problem that has always existed with NJE.  Anyone, anywhere
with sufficient privs, or with enough smarts to figure how to bypass local
security can send interactive messages which appear to be from any userid
and any node.  It's easiest to do from a UNIX system, and as far as privs
go, what about those thousands of work stations, where the root password
is available to almost anyone.
 
You mean you have never gotten a message from [log in to unmask]  I have, and didn't
take it to be devine intervention.
 
Harold