Creating a LISTSERV user account and associated password is as simple as going to the LISTSERV web interface, clicking the "Log In" link at the top right, and then clicking on the "Register Password" link in the login box.  Anyone with a valid email address can perform this operation.

Why this is not a security issue


Here is what happens when a random user creates a LISTSERV user account:  Such accounts do not in and of themselves grant any access to any feature or subsystem within LISTSERV.  In order to have access, the owner of the account must have one or more of the following roles:


Subscriber to a mailing list with private or otherwise restricted archives and/or files

List owner of a mailing list (a sub-role is that of "editor" or "moderator", someone who is authorized to approve postings but may or may not have control over the list itself)

Maintainer (administrator/postmaster) of the LISTSERV site


There are no other roles within the LISTSERV universe.  Either one is subscribed to a list which requires a login to view its archives and files, or one is a list owner who must log in to manage his or her list, or one is a LISTSERV maintainer who is required to log in to manage the entire LISTSERV operation.


If a random user creates a user account and password but does not belong to any of those three access groups, the user account created is effectively null and grants zero access to the LISTSERV site (other than to resources that are explicitly set to public access, e.g., public list archives, for which no account is actually needed in the first place).


While it could be (and often is) argued that the very act of creating a LISTSERV user account by a potentially malicious user could be considered a security breach, the fact is that creating the account without having any other access to LISTSERV is a null operation that provides, in and of itself, no access whatsoever.


L-Soft does not consider the mere creation of a LISTSERV user account to be a security breach and will not entertain requests to change how this works.  Moreover, while it is possible for a random user to pick an address that might have access and maliciously attempt to change that address's associated password, such password change attempts require a confirmation "handshake" from the actual user, which is simple enough for the actual user to ignore (and/or report to the LISTSERV maintainer(s)).


We should also note that it is possible to integrate your favorite directory server (Active Directory, OpenLDAP, what have you) with LISTSERV and do away with the LISTSERV registration/password system altogether, though this is probably unwise unless all of your LISTSERV users are registered in your directory.  (There is also a hybrid mode which forces directory users to authenticate via your directory, but also allows non-directory users to log in via LISTSERV's native registration system.)


But the bottom line is that a LISTSERV user account does not provide any access to LISTSERV features that the user does not already have.