Information Security

LISTSERV List Minimum Security Configuration Standard

Last modified 12/15/2025

Purpose

The purpose of this standard is to define minimum security requirements for the configuration of LISTSERV lists managed by Illinois State University. These measures mitigate risks associated with unauthorized communications, reduce the likelihood of abuse, and ensure accountability by clearly defining administrative control and subscription management.

Scope

This standard applies to all LISTSERV (listserv.ilstu.edu) lists hosted or managed by Illinois State University and all university employees responsible for managing LISTSERV lists.

Standard

To ensure secure and proper usage of LISTSERV lists, the following minimum configuration settings must be established and maintained:

  1. Owner Configuration (Owner=rredbird@ilstu.edu):
    1. Each LISTSERV list must have at least one designated owner who is a current, full-time university employee using their official Illinois State University email address. [1]
  2. Subscription Management (Subscription=By_Owner):
    1. The LISTSERV Subscription parameter must be configured as By Owner. [2]
  3. Message Sending Restriction (Send=Private):
    1. The LISTSERV Send parameter must be set to Private. [3]
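
A compliance check for the three settings above, as an added example that is not part of the university's standard or tooling: it parses a list header and reports which minimum settings are missing. The `* Keyword= value` header layout with one keyword per line, the sample header, and the function names are assumptions; the check confirms only that an owner address is in ilstu.edu, not that the owner is a current full-time employee.

```python
import re

REQUIRED_DOMAIN = "ilstu.edu"  # taken from the Owner= example in the standard

# Constructed sample header (not a real list). Assumed layout: "* Keyword= value".
SAMPLE_HEADER = """\
* Campus Events Announcements
* Owner= rredbird@ilstu.edu
* Owner= Quiet:
* Owner= helper@example.org
* Subscription= Open,Confirm
* Send= Public
"""

def parse_header(text):
    """Return {keyword: [values]} from '* Keyword= v1,v2' lines."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"\*\s*([A-Za-z-]+)\s*=\s*(.*)$", line.strip())
        if not m:
            continue  # title or description line, no keyword
        values = [v.strip() for v in m.group(2).split(",") if v.strip()]
        settings.setdefault(m.group(1).lower(), []).extend(values)
    return settings

def check_list(text):
    """Return findings; an empty list means all three minimum settings are met."""
    s = parse_header(text)
    findings = []
    # Keep only real addresses; markers such as "Quiet:" carry no "@".
    owners = [o.lower() for o in s.get("owner", []) if "@" in o]
    if not any(o.endswith("@" + REQUIRED_DOMAIN) for o in owners):
        findings.append(f"Owner: no owner with an @{REQUIRED_DOMAIN} address")
    # Accept both spellings used in the standard: By_Owner and By Owner.
    sub = [v.lower().replace(" ", "_") for v in s.get("subscription", [])]
    if not sub or sub[0] != "by_owner":
        findings.append(f"Subscription: must be By_Owner, found {sub or 'unset'}")
    send = [v.lower() for v in s.get("send", [])]
    if not send or send[0] != "private":
        findings.append(f"Send: must be Private, found {send or 'unset'}")
    return findings

if __name__ == "__main__":
    for finding in check_list(SAMPLE_HEADER):
        print(finding)
```
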

Exceptions

In instances where a LISTSERV list cannot adhere to the minimum configuration settings outlined in this document due to functional necessity or technical limitations, an exception is required. The list owner is responsible for contacting the Information Security Office (ISO) to review the situation and discuss potential alternative controls.

Requests for exceptions can be submitted via ticket directly to the Information Security Office ServiceNow queue or by emailing informationsecurityoffice@ilstu.edu.

Additional Information

LISTSERV lists are increasingly targeted in email-based attacks that exploit misconfigured permissions to distribute phishing, malware, or disinformation. These attacks may come from external actors or compromised internal accounts and often rely on the ability to send to or subscribe to a list without adequate oversight. Proper configuration of ownership, subscription, and sending controls mitigates these risks by limiting the attack surface and ensuring messages originate from known and trusted sources.

Footnotes

The following notes provide supporting information for the requirements referenced in the other sections of this document:

  1. This requirement ensures accountability, proper oversight, and reduces the risk of lists becoming orphaned and unmanaged.
  2. This requirement ensures that subscription requests are explicitly reviewed and approved by the list owner, enhancing control over list membership and preventing unauthorized access.
  3. This requirement restricts the ability to send messages to the list to only those email addresses that are subscribed to the list, mitigating the risk of unsolicited messages, spam, and malware distribution from external sources.
