ARCHIVED: How can I prevent mail spoofing on my LISTSERV mailing list?
Mailing lists have become a prime target for spam (unwanted solicitation) and hate email. If you maintain a mailing list, you can take steps to protect your subscribers from these unwanted advertisements and harassing email messages. Except for the personal password, the following are LISTSERV keywords that you can use in your list header to help reduce the risk of being spammed.
Use a personal password
Every list owner should be set up with a personal password. This will prevent a hacker from making changes to your list by spoofing your email address. A password is important because a list owner's email address is easy to find and easy to spoof.
The Validate keyword
The Validate keyword sets the level of password validation that is required for list maintenance commands:
| Setting | Effect |
|---|---|
| Validate=No | Password required only for storing the list on the server |
| Validate=Yes | Password required for all protected commands (default) |
| Validate=Yes,Confirm | Validation with the OK mechanism required, but passwords will be accepted where appropriate |
| Validate=Yes,Confirm,Nopw | Passwords will no longer be accepted for protected commands |
Control subscription requests
The Subscription keyword controls who can subscribe to the list. UITS highly recommends that you use either Subscription=By Owner or Subscription=Open,Confirm.
When a subscription request is processed, the Confirm flag means that LISTSERV will send an email confirmation request to the subscriber. This verifies both that the email address is correct, and that the individual really wants to subscribe to your list.
| Setting | Effect |
|---|---|
| Subscription=By Owner | All subscription requests are sent to the list owner (default) |
| Subscription=Open | Anyone may subscribe to the list |
| Subscription=Open,Confirm | Subscription requests must go through the OK confirmation mechanism |
You can also specify a Service area (e.g., Service=*.indiana.edu). This example would limit subscriptions to accounts from hostnames that end with ".indiana.edu". Subscription requests from anything other than "*.indiana.edu" would be rejected.
Control who may view the list of subscribers
The Review keyword controls who may view the Internet addresses and names of the subscribers on a list. To protect your subscribers, it is best to set this keyword to Review=Private or Review=Owner.
| Setting | Effect |
|---|---|
| Review=Private | Only the list subscribers can view the names and addresses (default) |
| Review=Owner | Only the list owner can view the names and addresses of the subscribers |
| Review=Public | Anyone may view the subscriber information |
Control who may post mail to the list
The Send keyword controls who may post mail to the list. UITS recommends that you use Send=Private, Send=Owner, or Send=Editor.
| Setting | Effect |
|---|---|
| Send=Public | Anyone may send mail to the list (default) |
| Send=Private | Only the subscribers can post mail to the list |
| Send=Owner | Only the list owner can post to the list |
| Send=Editor | Only the list editor can post mail to the list |
The Confidential keyword
By setting the keyword Confidential=Yes, you will prevent your list from appearing in the global list of lists. The global list of lists is available to the general public, and is advertised on the web. Of course, if you want the general public to be able to find your list, you do not want to use this keyword. The default value is Confidential=No.
When new lists are created at Indiana University Bloomington, they are confidential unless the owner specifically requests that the list be public.
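The following added example (not part of the original article or of LISTSERV itself) audits a list header against the recommendations above, applying the defaults from the tables when a keyword is absent. It assumes header lines of the form `* Keyword= value`; the sample headers, addresses, and function names are constructed for illustration.

```python
import re

# Defaults exactly as stated in the article's tables.
DEFAULTS = {"validate": "Yes", "subscription": "By Owner",
            "review": "Private", "send": "Public", "confidential": "No"}

def parse_header(text):
    """Return {keyword: value}; assumes '* Keyword= value' header lines."""
    settings = dict(DEFAULTS)
    for line in text.splitlines():
        m = re.match(r"^\*\s*([A-Za-z-]+)\s*=\s*(.*?)\s*$", line)
        if m and m.group(1).lower() in DEFAULTS:
            settings[m.group(1).lower()] = m.group(2)
    return settings

def audit(text):
    """List the settings that depart from the article's recommendations."""
    opts = {k: [p.strip().lower() for p in v.split(",")]
            for k, v in parse_header(text).items()}
    findings = []
    if opts["validate"][0] == "no":
        findings.append("Validate=No: password needed only to store the list")
    if opts["subscription"][0] == "open" and "confirm" not in opts["subscription"]:
        findings.append("Subscription=Open without Confirm: address not verified")
    if opts["review"][0] == "public":
        findings.append("Review=Public: anyone may view subscriber information")
    if opts["send"][0] == "public":
        findings.append("Send=Public: anyone may post to the list")
    if opts["confidential"][0] == "no":
        findings.append("Confidential=No: list appears in the global list of lists")
    return findings

# Constructed sample headers (not from any real list).
WEAK = """* Example discussion list
* Owner= owner@example.edu
* Subscription= Open
* Review= Public
* Validate= No
"""
HARDENED = """* Example discussion list
* Owner= owner@example.edu
* Validate= Yes,Confirm
* Subscription= Open,Confirm
* Review= Owner
* Send= Private
* Confidential= Yes
"""

if __name__ == "__main__":
    for name, header in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(header) or "no findings")
```

Note that the weak header never mentions Send or Confidential, yet both are flagged: a missing keyword falls back to its default, and the default for Send is Public.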
To learn more about spamming and LISTSERV, see L-Soft's information at: http://www.lsoft.com/info/default.asp?item=spamorama
Last modified on July 20, 2005.







