I'm posting this from Toronto, and I have no direct knowledge of what took the Cypherpunks list down, but here's my guess: The CP list is run my "majordomo" [MJD], a group of Perl scripts. According to the MJD docs: "If you'd like a list with the absolute minimum of maintenance (but also a minimum of security), you could create an "auto" list. All subscription or unsubscription requests will be honored without any input from the list owner. For example, anyone could unsubscribe anyone else." - unsubscribe list [address] This unsubscribes the user (or "address") from "list". This means that anyone could write a message to majordomo@toad.com, with the following message: unsubscribe cypherpunks user1@some.org unsubscribe cypherpunks user2@some.org unsubscribe cypherpunks user3@some.org ... and so on. Forgery is unnecessary. MJD permits the use of a password by which the list owner can approve unsubscription requests, but Sendmail displays this password. See: telnet toad.com 25 Trying 140.174.2.1... Connected to toad.com. 220 toad.com Sendmail 4.1/Gnu-smail ready at Mon, 9 May 94 22:12:32 PDT VRFY owner-cypherpunks 250 Eric Hughes <"|/u/hughes/.bin/procmail"> VRFY cypherpunks 250 <"|/u/majordom/bin/wrapper resend -p bulk \ -l cypherpunks -f owner-cypherpunks \ -h toad.com -s cypherpunks-outgoing"> *** password would be displayed here *** ==== What it means ======================================================== -l <list-name> list name -h <host-name> host name -f <from-addr> "sender" (default <list-name>-request) -p <precedence> add "Precedence: <precedence>" header -I <file-list> Bounce messages from users not listed in file in colon-separated <file-list> * -a <passwd> approval password ** -s enable "administrivia" checks * Note that majordomo postings can be limited to those on an approved list, but selected posters can not be excluded. This is not appropriate for the Cypherpunk list, due to anonymous remailers, pseudonyms, etc. ** Note that if there WAS an approval password, it would be visible. Fortunately, version 1.90 of MJD, which is now in beta, fixes this problem by putting the passwords in a configuration file. It is available for ftp.GreatCircle.com. What to do about abusive posters? How about reversing the function of the -I switch? === Here's the PERL code for option -I from 1.90 beta: =============== if ( defined($opt_I) && defined($from) && ! defined($approved) ) { local($infile) = 0; @files = split (/[:\t\n]+/, $opt_I); foreach $file (@files) { if ($file !~ /^\//) { $file = "$listdir/$file"; } if ( open (LISTFD, "<${file}") != 0 ) { @output = grep (&addr_match($from, $_), <LISTFD>); close (LISTFD); if ( $#output != -1 ) { $infile = 1; last; } } else { die("resend: Can't open $file: $!"); } } if ( $infile == 0 ) { &bounce ("Non-member submission from [$from]"); } } === Now, with minimal hacking, this can be reversed, so that if the user === name is in the list, the incoming post is bounced to the list owner, === who can approve it or junk it. So here is a technological fix, where we don't have to go bothering system administators if they have a troublesome user. -- Alex Brock