Great Circle Associates List-Managers
(April 1997)
 


Subject: Re: I think-this is.BIG secucrity HOLE
From: Tom Limoncelli <tal @ dnrc . bell-labs . com>
Date: Wed, 23 Apr 1997 17:07:28 -0400 (EDT)
To: bonnie @ staff . prodigy . com (Bonnie Scott)
Cc: list-managers-outgoing @ greatcircle . com
In-reply-to: <199704231959.PAA76848@mail1w-int.prodigy.net> from "Bonnie Scott" at Apr 23, 97 03:59:28 pm


Yes, if you want to override the moderator on a moderated mailing list,
don't email to LIST@SITE, but mail to LIST-outgoing@SITE.

To defeat this, the admin should replace "LIST-outgoing" with
"LIST-secretword" and make sure that people can't find out what
"secretword" is.  For example:

	1.  Configure Sendmail to not display it in the Received: headers.
	2.  Make sure your /etc/aliases file can't be accessed by
		untrustworthy users. (this may mean running your
		mailing lists on a machine that only lets you in)
	3.  Disable EXPN and VRFY (this should be done anyway).

--tal

-- 
    Tom Limoncelli -- tal@dnrc.bell-labs.com (work) -- tal@plts.org (play)

                "A bend in the road is not the end of the road
                      unless you fail to make the turn."
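
A defender's check of the three points in the message above, added here as an example and not part of the original post: it inspects an aliases file and a sendmail.cf for a guessable `-outgoing` alias, world-readable permissions, enabled EXPN/VRFY, and a `Received:` template that records the recipient. The function names and sample file contents are constructed for illustration, and treating "world-readable" as "accessible to untrustworthy users" is an assumption.

```python
import re
import stat

def audit_aliases(text, mode):
    """Findings for an aliases file, given its contents and st_mode bits."""
    findings = []
    if mode & stat.S_IROTH:  # assumption: world-readable == exposed to untrusted users
        findings.append("aliases file is world-readable")
    for line in text.splitlines():
        m = re.match(r"([^\s#:][^:]*):", line)   # 'name: target' entries only
        if m and m.group(1).strip().lower().endswith("-outgoing"):
            findings.append("guessable delivery alias: " + m.group(1).strip())
    return findings

def audit_sendmail_cf(text):
    """Findings for a sendmail.cf: EXPN/VRFY exposure and 'for $u' in Received:."""
    findings, privacy, received, in_received = [], set(), "", False
    for line in text.splitlines():
        if in_received and line[:1] in (" ", "\t"):   # header continuation line
            received += line
            continue
        in_received = line.startswith("HReceived:")
        if in_received:
            received = line
        m = re.match(r"O\s*PrivacyOptions\s*=\s*(.*)", line)
        if m:
            privacy |= {o.strip().lower() for o in m.group(1).split(",") if o.strip()}
    if "goaway" in privacy:                      # goaway implies noexpn and novrfy
        privacy |= {"noexpn", "novrfy"}
    for opt, cmd in (("noexpn", "EXPN"), ("novrfy", "VRFY")):
        if opt not in privacy:
            findings.append(cmd + " is enabled (PrivacyOptions lacks " + opt + ")")
    if re.search(r"\bfor \$u", received):
        findings.append("Received: template records the envelope recipient (for $u)")
    return findings

# Constructed sample input (not taken from any real host).
SAMPLE_ALIASES = "# lists\nfoo-list: moderator@example.org\nfoo-list-outgoing: :include:/lists/foo\n"
SAMPLE_CF = ("O PrivacyOptions=authwarnings,noexpn\n"
             "HReceived: $?sfrom $s $.by $j ($v/$Z)$?r with $r$. id $i$?u\n"
             "\tfor $u; $|;\n\t$.$b\n")

if __name__ == "__main__":
    for f in audit_aliases(SAMPLE_ALIASES, 0o100644) + audit_sendmail_cf(SAMPLE_CF):
        print("FINDING:", f)
```
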

