Investigation into the spam

Rob Clark

Jan 13, 1999, 3:00:00 AM
I caught this posted under an anonymous remailer with the Subject: none.

I'm reposting it under a better subject for increased usefulness.

(this investigation was conducted by "Donwulff" and i omit the layer
of ">"s i would have used in a normal followup, as it would trigger my
posting-ratio nazi. all details in this appear correct--the only update
is that the wingates no longer give free logs on port 8010--it appears
the spammers are limiting their searches to open wingates *without*
that added "feature.")

On Mon, 11 Jan 1999, BARRY BOUWSMA IS A PEDOPHILE wrote:
> On Mon, 11 Jan 1999, Douglas Mackall wrote:
> > > :: How many open WinGates does home.com have?
> > > :When I was talking to one of their abuse guys, he estimated 10,000 of them.
> > > They've changed the Message-ID format on the spam-flood.
> > > So, tell me again why all of home.com.POSTED shouldn't end up in my
> > > bit-bucket - or email me another way of nailing flood posts made through
> > > home.com .
> > I didn't say so in the first place.
> > I've had them aliased out for days, and don't intend to change that until the
> > spew stops.
> That's it. Okay, home.com has just been added to my shun list. *All*
> posts from @Home are now under passive UDP by Tele danmarQ Internet,

WRT the UDP, I hope this speaks for itself, details by request:

From e75...@ankkuri.uwasa.fi Tue Jan 12 01:41:21 1999
Date: Tue, 5 Jan 1999 05:35:02 +0200 (EET)
From: Jukka Tapani Santala <e75...@ankkuri.uwasa.fi>
Subject: WinGate spam...

I don't know how far you are, so some of this may be pretty basic, but
anyway, thought I'd bring you up to date... ;) WinGate systems have one
basic vulnerability: Number of connections. Use them up (For example,
connecting to itself), it'll be useless... that's the business-end of
it... However, they do prove much more useless when not shut down,
since...

The admin log access is not secured by default either. At least 2.0 and
2.1 WinGates will talk HTTP on port 8010, and allow querying logs... The
error we did last time is, that it looks like the spammers' method from the
beginning has been to first direct WinGate to connect to itself once, so
that the actual spamming seems to be coming from the same host the WinGate
is on. It wasn't obvious at first since the original WinGate I was
looking logs for separated telnet and NNTP access. However, on some of the
later accounts these have gone to the same logs, so I spotted the
pattern.

Here's example of the log entries from 24.54.180.12:

01/04/99 15:14:12 194.6.134.197 Guest 0000000126 Requested: Telnet: 24.64.180.12
01/04/99 15:14:13 24.64.180.12 Guest 0000000127 Requested: Telnet: news.rdc1.ct.home.com:119
01/04/99 15:32:56 194.6.134.197 Guest 0000000126 Traffic 5365 191377 191358 5276 1125s
01/04/99 15:32:56 24.64.180.12 Guest 0000000127 Traffic 5276 191358 191329 5168 1124s


194.6.134.197 connects to 24.64.180.12 at a WinGate port, and directs it
then to connect to itself at the WinGate port again. Then, looking like
coming from 24.64.180.12 itself the spammer connects to the news server.
This extra loop is strange, since it's not really required, but seems to
be consistent. Another address that has appeared on recent logs was
194.6.134.45. I have checked the address 194.6.134.197 during the time a
WinGate log showed connect in process to make sure it's not IP-spoofed. At
one time nslookup on 194.6.134.197 seemed to have returned DEVEL1 (Devel
Constructing, Inc, San Jose, CA), but while I was working on it, it
stopped resolving at all. This seems to have been a fluke.

The pertinent details of the traceroute follow:

10 gin-nyy-core1.Teleglobe.net (207.45.202.17) 124.428 ms 122.929 ms 123.979 ms
11 gin-nyy-bb5.Teleglobe.net (207.45.222.10) 124.747 ms 123.784 ms 125.786 ms
12 Cegetel-gw.Teleglobe.net (207.45.201.130) 123.863 ms 123.405 ms 128.128 ms
13 nnc1.esplanade3000.net (195.115.0.85) 215.379 ms 199.010 ms 208.653 ms
14 capitole1.esplanade3000.net (195.115.0.8) 208.525 ms 233.659 ms 237.462 ms
15 Skyworld.esplanade3000.net (195.115.1.14) 213.341 ms 213.733 ms 220.593 ms
16 194.6.128.17 (194.6.128.17) 235.393 ms 226.338 ms 174.714 ms
17 194.6.134.1 (194.6.134.1) 211.109 ms 253.159 ms 269.007 ms
18 194.6.134.197 (194.6.134.197) 227.551 ms 221.359 ms 314.907 ms

Registrant:
Cegetel Entreprises (ESPLANADE3-DOM)
1, Place Carpeaux
PARIS LA DEFENSE, FRANCE 92915
FR

Domain Name: ESPLANADE3000.NET

Administrative Contact:
Pichon Marc (PM113-ORG) marc....@CEGETEL.FR
33.1.55.68.50.19
Fax- - 33.1.55.68.89.92
Technical Contact, Zone Contact:
ALLEAUME Eric (AE32-ORG) eric.a...@CEGETEL.FR
33.1.55 .17.70.31
Fax- - 33.1.55.68.89.92
Billing Contact:
LE FLOCH Emmanuelle (LFE2-ORG) charlotte.p...@CEGETEL.FR
33.1.55.68.50.56
Fax- 33 1 56 37 30 58
Record last updated on 30-Apr-97.
Record created on 21-Apr-97.
Database last updated on 4-Jan-99 03:35:21 EST.

Domain servers in listed order:

DNS1.ESPLANADE3000.NET 195.115.0.1
DNS2.ESPLANADE3000.NET 195.115.0.33

Additionally, I've been working on a fast cancelbot (far too late into the
night, too) and am curious what's the state of the art with
spam-cancelbots? Current plan is have a WinGate capable client that uses
XHDR (if available - if not, I will have to add something else) to request
a list of NNTP-Posting-Host headers (At the moment - same applies here...)
and scans them for wanted entries (In basic case same as the WinGate being
used), extracts the headers and builds the cancels, sending them out. I'm
still ironing out blocking behaviour etc. but am curious for any
tips/comments you might be able to give.

-Donwulff


From e75...@ankkuri.uwasa.fi Tue Jan 12 01:41:36 1999
Date: Sun, 10 Jan 1999 08:05:09 +0200 (EET)
From: Jukka Tapani Santala <e75...@ankkuri.uwasa.fi>
Subject: WinGate stuff...

I'm querying if there's an investigation going on about the current spam
originating from @home, and if so, what the situation is. As some of you
already know, I and some other people acquired some logs from the WinGate
sites used by the spammers to inject their messages to Usenet using the
port 8010 HTTP which many WinGate installations leave open to users. On
our first try the NNTP activity logs were in separate file, and the only
notable activity was coming from a number of anti-spam sites and the
WinGate site itself. As the general consensus was that these people
wouldn't be burning down cable-modem sites just for the spamming, this
mystery was left unsolved at the time...

A day or two later, as I've also kept some people informed, I decided to
tackle the problem again, and acquired new logs from some of the more
recent sites. This time NNTP logs weren't going to separate log, and on
guess I checked the telnet-logs, scoring a hit. Not only did these logs
show a lot of traffic from the WinGate site's IP to port 119 of the news
machine, but _in the telnet logs_ were visible connections originating
from several sites to the WinGate machine itself (Remember, these are the
WinGate logs, logging connections taken thru WinGate) just before the
connections to news-server. Cursory inspection showed this was a
recurring pattern for these addresses, and the transfer-counts for the
incoming and outgoing connections were same, allowing for the WinGate
handshake itself. In at least one occasion I observed the spam from the
newsgroup, the connection in the logs and was able to ping the IP address
indicated at the same time, demonstrating this address wasn't spoofed.

The addresses using the same connection pattern - looping once over the
WinGate before going out to news - during the first week of 1999 were as
follows:

194.6.134.45
194.6.134.197
24.4.200.3

All three addresses were present on logs from both sites I was able to
acquire them from, 24.64.180.12 and 24.2.101.196, both of which had been
used for spamming. Other addresses in the logs seemed to be involved with
IRC or game-server abuse. The two first addresses are not resolvable.
However, their netblock is owned as follows (according to whois.ripe.net):

inetnum: 194.6.134.0 - 194.6.134.255
netname: THEMATIQUE
descr: ( Provided by SKYWORLD S.A.)
descr: (French corporate ISP)
country: FR
admin-c: CM259-RIPE
tech-c: AK32-RIPE
rev-srv: ns.sky.fr
rev-srv: ns2.sky.fr
notify: akri...@sky.fr
mnt-by: AS5630-MNT
changed: akri...@sky.fr 970205
source: RIPE

route: 194.6.134.0/24
descr: SKYWORLD
origin: AS5630
mnt-by: AS5630-MNT
changed: akri...@sky.fr 960920
source: RIPE

person: Claude Maidenberg
address: THEMATIQUE
address: 102, rue Defrance
address: 94300 Vincennes
address: France
phone: +33 1 43746014
fax-no: +33 1 43742491
e-mail: in...@sky.fr
nic-hdl: CM259-RIPE
changed: akri...@sky.fr 960812
source: RIPE

person: Alexandre KRIVINE
address: 98, rue Barrault
address: 75013 PARIS
address: France
phone: +33 1 53.80.86.00
fax-no: +33 1 53.80.86.05
e-mail: akri...@sky.fr
nic-hdl: AK32-RIPE
notify: akri...@sky.fr
changed: akri...@sky.fr 960830
source: RIPE

A typical traceroute:

1 206.117.161.1 (206.117.161.1) 1.241 ms 1.214 ms
2 isi-acg.ln.net (130.152.136.1) 4.795 ms 3.547 ms
3 CSUWestEd-ISI-GW.LN.NET (204.102.78.2) 4.474 ms 4.240 ms
4 33.ATM3-0-0.GW1.LAX4.ALTER.NET (157.130.226.205) 5.201 ms 4.925 ms
5 121.ATM2-0.XR1.LAX4.ALTER.NET (146.188.248.106) 5.839 ms 6.750 ms
6 193.ATM9-0-0.GW2.LAX1.ALTER.NET (146.188.248.217) 5.610 ms 6.519 ms
7 teleglobe-la-gw.customer.ALTER.NET (157.130.224.78) 8.011 ms 8.454 ms
8 Teleglobe.net (207.45.223.225) 6.477 ms 6.528 ms
9 Teleglobe.net (207.45.222.25) 72.607 ms 72.501 ms
10 gin-nyy-bb5.Teleglobe.net (207.45.222.10) 73.007 ms 75.080 ms
11 Cegetel-gw.Teleglobe.net (207.45.201.130) 73.051 ms 74.602 ms
12 nnc1.esplanade3000.net (195.115.0.85) 170.068 ms 170.319 ms
13 capitole1.esplanade3000.net (195.115.0.57) 172.029 ms 170.636 ms
14 Skyworld.esplanade3000.net (195.115.1.14) 176.297 ms 179.627 ms
15 194.6.128.17 (194.6.128.17) 184.319 ms 182.639 ms
16 194.6.134.1 (194.6.134.1) 333.546 ms 192.826 ms
17 194.6.134.197 (194.6.134.197) 226.070 ms 195.714 ms

The only major activity for the 194.6.134.* netblock apparent on WWW and
Usenet- searches seems to be one (not of the two involved IP's) of the
IP's having hosted a web-site for a French chapter of international "Round
Table International / Club 41" group, listed as:

194.6.134.33/tr-138/
194.6.134.33/tr-138/links.html
Lionel Merlat - L.Me...@univ-mulhouse.fr
France
under construction

The site does not answer at HTTP port. Other than that, although the group
seems to maintain an admirable web-presence, I could not really find out
what it is about. On a Finnish site I deduced this is some sort of an
international "brotherhood", apparently with an age-condition. Thusly left
out brothers would thereafter be known as "Old Tablers". (OT Brothers!!)
However, as noted, this may not have anything to do with the spam.

In addition the logs of www.psych.westminster.edu have logged one visit
from 194.6.134.241 - this web-server deals with the psychology program at
Westminster.

During our investigation of this address a strange occurrence happened. DNS
lookup on one of the addresses returned DEVEL1. A further DNS check
confirmed this to be the ID for "Devel Construction, Inc.", a respectable
construction company in USA. In just a moment this DNS "echo" that was
observed from several sites was gone, and the addresses again refused to
resolve, making it impossible to try to determine why DEVEL1 was first
returned.

The third address is cc510151-b.lwmrn1.pa.home.com - another address
within the home.com network. This one, however, doesn't appear to have
been running a WinGate. Now that the spamming has been going on for almost
two weeks, I'm finding it improbable to believe home.com / @home haven't
acquired this same information thru other routes (Logs from their
subscribers, elementary router monitoring and audit logs etc.)

-Donwulff


From e75...@ankkuri.uwasa.fi Tue Jan 12 01:41:40 1999
Date: Mon, 11 Jan 1999 20:46:47 +0200 (EET)
From: Jukka Tapani Santala <e75...@ankkuri.uwasa.fi>
Subject: Re: WinGate stuff...

On Sun, 10 Jan 1999, Jukka Tapani Santala wrote:
> I'm querying if there's an investigation going on about the current spam
> originating from @home, and if so, what the situation is. As some of you
> already know, I and some other people acquired some logs from the WinGate

Reason I'm asking is, somebody already told on alt.religion.scientology
some days back about the port 8010 "hole"... However, they made the very
good observation that (recently, after the logs were acquired) the spammers
seem to be avoiding WinGates with the logs available now... for long time,
they weren't! For some reason, when this was discussed on IRC, the
spammers suddenly ceased using servers which had this route open.
Therefore, I conclude it is possible the spammers know we have this
information, and furthermore, if this link exists, it does suggest away
from Kook Kabal.

Another reason is the thread on ARS where the topic of the day seems to be
who can think (and try out) the most illegal and damaging (to reputation
and net-infrastructure) attack against @home. Or the fact that I'm
genuinely uncomfortable with "spy vs spy stuff" as somebody on IRC put it.
So I would like to publish this information out to the public on ARS
(Although, note above, it may be "the bird has flew off the nest" as the
saying goes already). I have provided it to those I know to be working on
the issue (you) in advance in case somebody was interested in handling
this discreetly. However, I'm not going to hold that info for weeks,
particularly if nobody's interested in working on it ;)

Few notes:

I haven't posted this information to @home, because in my opinion, they
have _no_ excuse to not have already traced the spam and closed it out.
Any qualified communications engineer wouldn't have taken an hour to do
that. It is also ridiculous to suggest all of their users are clueless
bastards who've enabled logging (I'm told it defaults to off) in their
WinGate's just to be completely unaware of logs existing. @home techs even
said on the phone that _the user had no audit logs_ right after we had
acquired them from the server one time...

They have not simply prohibited posting to a.r.s, stopped posting of
messages with no body, or installed any of the widely available and
acclaimed spam filters, either. Call me paranoid, but I think we (that is,
me;) don't have the whole picture here. Anybody else is free to share this
information with them, if they so degree, of course.

The other thing is I have not contacted the parties involved (sky.fr and
whatever... reminds me of Sky Dayton...) for the simple reason that I
can't speak French, and I believe any attempt from me to do so might cause
more harm than do good. The site's web-pages are all in French, anyway. I'm
mostly an uninvolved party anyway, beyond having been forged a few
(hundred) times. Being in Finland, I seem to be largely off the storm's
eye of the things, and not interested or prepared in tackling the issues
in court if need be like some others have.

-Donwulff
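The loop pattern Donwulff describes in the mails above can be checked mechanically against a WinGate log. This is an added example, not code from the original posts: it assumes the line layout of the four entries quoted above, treats the Traffic numbers as opaque counters (their meaning is not given in the thread), and the function names, the 5-second window and the session-128 lines are hypothetical.

```python
import re
from datetime import datetime, timedelta

# Sessions 126 and 127 are the entries quoted in the post; the two
# session-128 lines are constructed to show a session that does not match.
SAMPLE_LOG = """\
01/04/99 15:14:12 194.6.134.197 Guest 0000000126 Requested: Telnet: 24.64.180.12
01/04/99 15:14:13 24.64.180.12 Guest 0000000127 Requested: Telnet: news.rdc1.ct.home.com:119
01/04/99 15:20:40 192.0.2.10 Guest 0000000128 Requested: Telnet: irc.example.net:6667
01/04/99 15:25:02 192.0.2.10 Guest 0000000128 Traffic 120 4410 4398 96 262s
01/04/99 15:32:56 194.6.134.197 Guest 0000000126 Traffic 5365 191377 191358 5276 1125s
01/04/99 15:32:56 24.64.180.12 Guest 0000000127 Traffic 5276 191358 191329 5168 1124s
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(?P<src>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<session>\d+)\s+(?P<kind>Requested|Traffic):?\s*(?P<rest>.*)$"
)


def parse_log(text):
    """Group log lines by session number, one record per proxied connection."""
    sessions = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m is None:
            continue  # skip blank or unrecognised lines rather than guess
        rec = sessions.setdefault(
            m["session"], {"session": m["session"], "src": m["src"], "counters": ()}
        )
        if m["kind"] == "Requested":
            # rest looks like "Telnet: host" or "Telnet: host:port"
            service, _, target = m["rest"].partition(":")
            target = target.strip()
            host, sep, port = target.rpartition(":")
            if not sep:  # no port given
                host, port = target, None
            rec.update(
                ts=datetime.strptime(m["ts"], "%m/%d/%y %H:%M:%S"),  # assumed mm/dd/yy
                service=service.strip(), host=host, port=port,
            )
        else:
            # Keep the numeric counters as-is; the trailing "1125s" duration
            # is not purely numeric and is dropped.
            rec["counters"] = tuple(int(t) for t in m["rest"].split() if t.isdigit())
    return sessions


def find_loops(sessions, gateway_ip, window=timedelta(seconds=5), news_port="119"):
    """Pair an outside request aimed at the gateway itself with a request
    from the gateway to a news server that starts shortly afterwards."""
    records = [r for r in sessions.values() if "ts" in r]
    outer = [r for r in records if r["src"] != gateway_ip and r["host"] == gateway_ip]
    inner = [r for r in records if r["src"] == gateway_ip and r["port"] == news_port]
    findings = []
    for o in outer:
        for i in inner:
            if timedelta(0) <= i["ts"] - o["ts"] <= window:
                # Matching transfer counts on both hops corroborate the pairing.
                shared = set(o["counters"]) & set(i["counters"])
                findings.append({
                    "origin": o["src"],
                    "news_server": i["host"],
                    "outer_session": o["session"],
                    "inner_session": i["session"],
                    "counters_match": len(shared) >= 2,
                })
    return findings


if __name__ == "__main__":
    for finding in find_loops(parse_log(SAMPLE_LOG), "24.64.180.12"):
        print(finding)
```

The gateway is matched by literal address only, so a log that names the WinGate host by DNS name would need that name passed in as well.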

Jukka Tapani Santala

Jan 13, 1999, 3:00:00 AM
In alt.religion.scientology Rob Clark <xe...@mindspring.com> wrote:
: I caught this posted under an anonymous remailer with the Subject: none.

I posted this originally, or so I thought, to ARS and net-abuse.usenet, so
the anonymous re-post confused me a bit... I guess there might have been
some propagation problem. In either case, it was soon noted after my posting
that my statement the three sites the @home spam originated from weren't
running WinGates was apparently incorrect... I remember testing only the
ports 1080 and 8010 usually present on WinGates, but as somebody else pointed
out, all of these three sites reply with "WinGate>" at port 23 (normal telnet)

Thus the best recourse seems to be to hope they had logging on, and the
logs from these sites could be acquired. I haven't done this, since I don't
speak French, nor do I hold any special interest in this. Somebody who does,
I hope, will check out this avenue. Unfortunately, I expect at this point
that we will find just a chain on WinGate's until they become untraceable,
or alternatively they point out to another anonymously-paid account. Still
worth a try, I'd say, if for nothing else than to keep them on their toes.

-Donwulff

Jukka Tapani Santala

Jan 13, 1999, 3:00:00 AM
In alt.religion.scientology Rob Clark <xe...@mindspring.com> wrote:
: I'm reposting it under a better subject for increased usefulness.

: (this investigation was conducted by "Donwulff" and i omit the layer
: of ">"s i would have used in a normal followup, as it would trigger my
: posting-ratio nazi. all details in this appear correct--the only update
: is that the wingates no longer give free logs on port 8010--it appears
: the spammers are limiting their searches to open wingates *without*
: that added "feature.")

I should read whole message before replying... ;)

Yes, this is true, in fact, I noted it in part of the messages I reposted.
However, what is more interesting is that the spammers were using WinGates
with port 8010 open for well over a week... Until I made it known on IRC
that I had acquired some logs that way. Apparently, at that point, the
spammers stopped using machines with port 8010 open. This further illuminates
the point that ARS isn't target of the spam just because of random choice.
It is even possible this information leaked out from some of the "critics"
on the IRC channel, or then Cbear - I know I never brought the topic up with
known OSA-droids on channel, but I recall having made exception with Cbear
at some time. Other possibility is the spammers used the scary OT-powers to
discover port 8010 had been found out, and started making sure it wasn't
open...

However, we've now already seen that even partial UDP - that many news-abuse
folks called useless, since they'd just change newsgroups - didn't discourage
them from spamming ARS, so this is not exactly news. Also the change to
recipe-spamming came seemingly right after discussion on ARS about jews and
"anti-hate" groups being unlikely to spam more hate... leading to assuming
that the spammers are either the neo-nazis trying to indict "jewish
conspiracy", or then somebody else following the newsgroups decided it'd be
funny to confuse people by suddenly dropping the hate-agenda... Or, once
again, it might have been the famed OT powerz at work. Same thing with the
switch in the Message-ID format seemingly right after filtering on the
Message-ID was explained...

Speaking on which, although the French sites turned out having been running
WinGate, I still suspect French may be a good candidate-country as source
for the spam, since the original message-ID's followed an European date
format... I think it might be curious to see what timezone, if any, they
correspond to.

-Donwulff

Shy David

Jan 14, 1999, 3:00:00 AM
"Donwulff" wrote:

>Additionally, I've been working on a fast cancelbot (far too late into the
>night, too) and am curious what's the state of the art with
>spam-cancelbots? Current plan is have a WinGate capable client that uses
>XHDR (if available - if not, I will have to add something else) to request
>a list of NNTP-Posting-Host headers (At the moment - same applies here...)
>and scans them for wanted entries (In basic case same as the WinGate being
>used), extracts the headers and builds the cancels, sending them out. I'm
>still ironing out blocking behaviour etc. but am curious for any
>tips/comments you might be able to give.

It is best to do "Blocking" mode, so that you do not need to set flags to
keep track of which processes are completed and which are not.

Use:

GROUP alt.religion.scientology

to acquire the high-article value, while retaining on your hard disk
a file that contains the last low-article number since your cancel 'bot
last ran.

XPAT NNTP-POSTING-HOST lowest-highest *

to gather all articles. This will render the article number (not the
article ID, but its associated number--- a long integer) followed
by a space and then the posting host value. Some values will
show up as "(none)" from some originating NNTP servers.

Compare the article table retrieved via XPAT with a list of known
hosts that the OSA has used to inject their forgeries. For matches,
issue the command:

HEAD articlenumber

That will give you all the information required to issue a cancel request.
Once you issue the cancel request, update your low-article count on
your hard disk afterwards--- don't wait until the program shuts down to
do so, because your program could lock up or crash and you would
miscount the low article (beginning) value.

For canceling articles as they are being injected, the cancel robot needs
to be connected to the same NNTP server the OSA is using at the moment.
---
The Truth About "Psychics:" http://holysmoke.org/keene.sht
The Truth About Scientology: http://www.airspeed.com/~shydavid/cos.htm
The Truth About Creationism: http://holysmoke.org/icr-cult.htm
"When you break the silence you break the terror." -- Jesse Prince
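The scanning half of the procedure in the post above (GROUP for the range, XPAT for posting hosts, a checkpoint on disk updated per article) can be exercised offline on a captured reply. This is an added example, not code from the post: the replies, host names and function names are constructed, it stops at listing article numbers for a follow-up HEAD, and it assumes the checkpoint file holds the last article number examined.

```python
import os
import tempfile

# Constructed server replies in the shape the post describes (not captured traffic).
GROUP_REPLY = "211 5 1001 1005 alt.religion.scientology"
XPAT_REPLY = [
    "221 NNTP-Posting-Host matches follow",
    "1001 host-a.example.net",
    "1002 (none)",
    "1003 proxy1.example.org",
    "1004 198.51.100.7",
    "1005 PROXY1.example.org",
    ".",
]


def parse_group(reply):
    """Return (low, high) article numbers from a 211 GROUP reply."""
    parts = reply.split()
    if len(parts) < 5 or parts[0] != "211":
        raise ValueError(f"unexpected GROUP reply: {reply!r}")
    return int(parts[2]), int(parts[3])


def xpat_command(low, high, header="NNTP-Posting-Host"):
    """Build the XPAT request for the whole range with a match-all pattern."""
    return f"XPAT {header} {low}-{high} *"


def parse_xpat(lines):
    """Return [(article_number, host_or_None)] from a dot-terminated 221 reply."""
    if not lines or not lines[0].startswith("221"):
        raise ValueError("server did not return a 221 header listing")
    rows = []
    for line in lines[1:]:
        if line == ".":
            return rows
        number, _, value = line.partition(" ")
        if not number.isdigit():
            continue  # ignore anything that is not "number value"
        value = value.strip()
        # Some servers report "(none)" when the header is absent.
        rows.append((int(number), None if value in ("", "(none)") else value.lower()))
    raise ValueError("reply truncated: no terminating '.' line")


def load_watermark(path, default):
    """Read the last examined article number, or fall back to default."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (FileNotFoundError, ValueError):
        return default


def save_watermark(path, number):
    """Write-then-rename so a crash never leaves a half-written checkpoint."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory)
    with os.fdopen(fd, "w") as fh:
        fh.write(str(number))
    os.replace(tmp, path)


def scan(xpat_lines, flagged_hosts, watermark_path, group_low):
    """Return article numbers newer than the checkpoint whose posting host
    is on the flagged list, checkpointing after every article examined."""
    flagged = {h.lower() for h in flagged_hosts}
    last_seen = load_watermark(watermark_path, group_low - 1)
    matches = []
    for number, host in parse_xpat(xpat_lines):
        if number <= last_seen:
            continue  # already handled in an earlier run
        if host in flagged:
            matches.append(number)  # candidates for a follow-up HEAD
        save_watermark(watermark_path, number)
        last_seen = number
    return matches


if __name__ == "__main__":
    low, high = parse_group(GROUP_REPLY)
    print(xpat_command(low, high))
    path = os.path.join(tempfile.mkdtemp(), "watermark.txt")
    print(scan(XPAT_REPLY, ["proxy1.example.org"], path, low))
```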

Jukka Tapani Santala

Jan 14, 1999, 3:00:00 AM
Shy David <shy_...@nospam.org> wrote:
: It is best to do "Blocking" mode, so that you do not need to set flags to
: keep track of which processes are completed and which are not.

I don't follow this. I used non-blocking mode, but went for very simple
buffering. No ring-buffers, no self-growing buffers, although I could
easily have added those, but I digress...

: XPAT NNTP-POSTING-HOST lowest-highest *


: to gather all articles. This will render the article number (not the
: article ID, but its associated number--- a long integer) followed
: by a space and then the posting host value. Some values will
: show up as "(none)" from some originating NNTP servers.

I would've loved to use this, trouble is the NNTP machines used in the @home
spam didn't support XPAT for NNTP-POSTING-HOST. (In fact, it didn't support
XHDR either, which is much more friendly and useful for getting headers to
all messages. Also the "highest" end-point isn't needed, leave it out and
you get all...) I thought going the lowest-highest thru requesting each HEAD
at time was the next best, but since I was operating on the spamming news-
server, these machines had like a few thousand cancelled messages between
every valid message...

So I had to finally settle for the pretty boring NEXT & HEAD mode - this has
some problems still... You need to first select the message to start from,
like HEAD <saved-lowest> - but if <saved-lowest> has been cancelled on the
meanwhile, the message-pointer is not set! Also, if NEXT returns "No next
message", it's hard to match this "no next message" into anything useful...
Advantage is, a NEXT/HEAD loop would catch a new post as soon as it was made.

-Donwulff

Jukka Tapani Santala

Jan 14, 1999, 3:00:00 AM
In alt.religion.scientology Jukka Tapani Santala <e75...@ankkuri.uwasa.fi> wrote:
: Romath, you sure are a lame-ass investigator:

Funny, the originals got SUPERSEDE-attacked..? (195.184.41.66 proxy ...
looks like it's closed, _except_ for the 119 port?)

Well, I said I was aware that the @home spammers started excluding WinGates
with open port 8010 HTTP log after I acquired my initial logs... in fact,
they seemed to not care about it for over a week, until I brought it up on
EFnet #scientology, making sure no known OSA-boogies were around, with an
exception on CBear to my recollection. Which means "whoever" is doing the
spamming _probably_ has informants/taps within the #scientology crowd. Not
very surprising, and since the release of that port 8010 information on the
channel wasn't controlled in any way, not very useful. Besides, it might be
the spammers just exercised their OT-powers and received a divine order to
stop using WinGates with open port 8010...

I also noted that unlike most net-abuse folks predicted, the spammers just
switched spamming-site instead of switching newsgroups to spam once the
@home partial UDP went into effect. Bet that was just a coincidence too...
Speaking of which, also the spammers changing spam-content to non-hateful
after the mention on ARS that the "jewish conspiracy of anti-defamation
people" accused by neo-nazis for the spam wouldn't spam with more hate,
and the rapid change in message-ID form after filtering instructions were
posted to ARS were probably just coincidental, too.

And speaking of the Message-ID's, as others noted before, the date-codes
were European type, so even though the French machines having been feeding
the spam to @home turned out to have been running WinGate (Just not on the
standard 1080 and 8010 ports), the message-ID's still indicate it might
have been from somewhere in Europe. It would be interesting to see what,
if any, time-zone the Message-ID's map to. And finally, somebody who speaks
fluent French should contact Skyworld/THEMATIQUE (sky.fr) in French, asking
them to close down the open WinGates hosted there, and provide possible
log-entries. Even though those entries will probably just lead to open
WinGate after another until tracking becomes impossible, or alternatively
to anonymously acquired dial-ups, I think exhausting this lead is vital.

Here again are the three addresses/WinGates used to spew in tens of
megabytes of forged Usenet hate-spam during the first week of 1999:

194.6.134.45
194.6.134.197
24.4.200.3


Now then, what's so bad about the above that somebody had to go and supersede
my posts mentioning it before? Geeze, see, it's not that bad... It didn't
hurt at all... and all that... of course, I'm sure, that was just a coincidence
too! ;)

-Donwulff


Steve A

Jan 14, 1999, 3:00:00 AM
On 14 Jan 1999 09:52:50 GMT, Jukka Tapani Santala
<e75...@ankkuri.uwasa.fi> wrote:

> And finally, somebody who speaks
> fluent French should contact Skyworld/THEMATIQUE (sky.fr) in French, asking
> them to close down the open WinGates hosted there, and provide possible
> log-entries. Even though those entries will probably just lead to open
> WinGate after another until tracking becomes impossible, or alternatively
> to anonymously acquired dial-ups, I think exhausting this lead is vital.

Should we ask roger gonnet to pick up the white courtesy telephone?

--
Steve A, SP4++, GGBC, KBM, Unsalvageable PTS/SP #12,
pitiable little Dennie (plD) #1, non-Mintonista.
Banned by Windows 1984 ScienoSitter (2e+isp)
"Where don't they want you to go today?" - http://www.xenu.net

Jukka Tapani Santala

Jan 14, 1999, 3:00:00 AM
devil To combine a food with various hot or
spicy seasonings such as red pepper, mustard
or TABASCO sauce, thereby creating a "deviled"
dish.

from THE FOOD LOVER'S COMPANION, 2nd edition,
by Sharon Tyler Herbst, Barron's Educational Services, Inc.

Michael Edelman wrote:

> Jeneen Sommers wrote:
>
> > "Devil's Food" is not the same as "deviled", I believe. Every source
> > I've checked so far says 'deviled' means spicy.
>
> You need new sources ;-)
>
> None of the common "deviled" foods are spicy...but they're all chopped finely. This
> should suggest something ;-)
>
> Folk etymologies abound, and unfortunately people tend to put in books stories that
> sound "reasonable" to them. I checked three dictionaries, none of which lists
> "deviled" or "devilled". But note that "bedevil" and "devil" are common verbs,
> meaning to harass or annoy.
>
> The association of the Devil with spicy food seems to be of very recent origin,
> contrary to what you'd think, too.
>
> It's off to the OED at this point.


Shy David

Jan 15, 1999, 3:00:00 AM
On 14 Jan 1999 09:26:02 GMT, Jukka Tapani Santala <e75...@ankkuri.uwasa.fi>
wrote:

>Shy David <shy_...@nospam.org> wrote:


>: It is best to do "Blocking" mode, so that you do not need to set flags to
>: keep track of which processes are completed and which are not.

>I don't follow this. I used non-blocking mode, but went for very simple
>buffering. No ring-buffers, no self-growing buffers, although I could
>easily have added those, but I digress...

My programming skills are probably inferior to yours when it comes to
WinSock API calls. From Mabry's Internet Pack help file:

When your application requests data from a
network connection, it is hard to predict how
long it will take before the data arrives and
the call can complete. As a programmer, you have
to determine whether to wait for the outcome of
the call, or return immediately to your
application and get the data when the data
arrives.

Calls that wait are called blocking calls.
Because the call must complete before the
application continues, blocking calls are also
referred to as synchronous calls.

Calls that return control to your application
immediately are called non-blocking calls. Since
your application can perform tasks while the
call is retrieving the data, non-blocking calls
are also referred to as asynchronous calls.

With non-blocking, one needs to keep track of which processes
have completed before issuing another command. Issuing a
"NEXT" article command with non-blocking means waiting until
a "Done" event is fired; in blocking mode, the program pauses
until the "NEXT" command completes. When I wrote a program to
download NNTP articles, I found blocking mode to be easier.

>: XPAT NNTP-POSTING-HOST lowest-highest *
>: to gather all articles. This will render the article number (not the
>: article ID, but its associated number--- a long integer) followed
>: by a space and then the posting host value. Some values will
>: show up as "(none)" from some originating NNTP servers.

>I would've loved to use this, trouble is the NNTP machines used in the @home
>spam didn't support XPAT for NNTP-POSTING-HOST. (In fact, it didn't support
>XHDR either, which is much more friendly and useful for getting headers to
>all messages. Also the "highest" end-point isn't needed, leave it out and
>you get all...) I thought going the lowest-highest thru requesting each HEAD
>at time was the next best, but since I was operating on the spamming news-
>server, these machines had like a few thousand cancelled messages between
>every valid message...

I've noticed the same with the news server I was assigned to use. XPAT even
works differently on some servers--- the header value (NNTP-Posting-Host)
sometimes needs a colon (":") after it, and sometimes does not.

>So I had to finally settle for the pretty boring NEXT & HEAD mode - this has
>some problems still... You need to first select the message to start from,
>like HEAD <saved-lowest> - but if <saved-lowest> has been cancelled on the
>meanwhile, the message-pointer is not set! Also, if NEXT returns "No next
>message", it's hard to match this "no next message" into anything useful...
>Advantage is, a NEXT/HEAD loop would catch a new post as soon as it was made.

Using "NEXT" certainly sounds better than what I started with: incrementing the
article number by "1" and trapping errors.

The program you appear to be writing may be much more complex than the
one I wrote. My program just grabbed headers so that I could mail them to
ISPs from which the forgeries were being issued.

For your next trick, let's see you do it in COBOL..... :-)

> -Donwulff

Jukka Tapani Santala

Jan 15, 1999, 3:00:00 AM
Shy David <shy_...@nospam.org> wrote:
: My programming skills are probably inferior to yours when it comes to
: WinSock API calls. From Mabry's Internet Pack help file:

Or normal sockets... I don't think I said I used winsocks ;) In fact, I had
to contact an old acquaintance from my DALnet days to get a quick recap on
WinSocks api... but it's basically same normal sockets (4.4 BSD) except
some commands have been renamed due to conflicts with normal API calls
that don't support sockets. Additionally there's some Windows message-
passing extensions. I wrote my code to be compilable both under WinSucks and
more traditional BSD socks.

: With non-blocking, one needs to keep track of which processes
: have completed before issuing another command. Issuing a

I understand, but not entirely... ;)

I was feeling sufficiently bored, so what I did was use a very simple
non-blocking model... this would allow me to maintain real-time multiple sockets
and operate them, in this case to run what others have referred to as
"shotgun mode of cancels" for multi-site injection. In a sense, at this
level it's mostly only an issue for sending data; in receiving data it's
possible to emulate non-blocking by first querying how much data is ready
and then reading only so much... Beyond reading data one character at a time,
burning lots of CPU cycles for nothing, I don't see "pure" blocking mode as
very useful... You would have to know how many characters you're waiting for.

So I went for non-blocking I/O so far... I was writing my routines from
scratch because ... Goddess knows why ... so they turned out pretty crappy,
but at this point (There's a lot of improvement I could do, if I bothered,
had the time and was on the machine I left the source on;) I wrote a function
that maintains a little buffer at a known address & a tail-pointer. Whenever
called, it adds non-blocking the read data at the place pointed by the tail-
pointer and moves it to point to the end of the new data. After that, it
checks if there's a CR and/or LF in the buffer, and if so, it returns the
buffer-head. If there isn't CR or LF, it returns null. Next time the function
is called, it copies the rest of the buffer (from the first CR and/or LF
pair) back to the buffer head, and then you start back up from there what I
wrote.

As any programmer could no doubt tell you, the main improvements to add to
this model are using a buffer head to remove the relatively expensive memory
copy [actually move, due to the areas being overlapping] operation, using a
dynamic buffer-chain to avoid buffer overflows, using select() loop to decide
when there is more data to process, and last but not least [I know many a
software that doesn't use this approach to a drastic CPU waste] intelligent
new-line scanning, preferably already when the data read is being transferred
to the buffer. In some cases the data-flow can come in essentially letter by
letter, and in such a case, on an 80 character line, the code to check for new
line of data can be executed 80 times to no avail before a hit. Unfortunately
the recv() etc. functions do the copying themselves, so unless you want to
read the data in a character at a time (Again, expensive in terms of processing
power!) you're a bit stuck on Windows. Luckily you can still acquire some
cache-affinity by checking only the bit just read in with a loop for newlines, and
set a flag. Another tricky tip that works at least on BSD socks is using
mmap()'s for fast IO... but that's an advanced topic ;)

: Using "NEXT" certainly sounds better than what I started with: incrementing
: the article number by "1" and trapping errors.

Yes, I used that first as well, like I tried to explain ;) But it wasn't very
good, especially on the servers that were used for spamming, since as I said,
they could have even thousands of "invalid" (cancelled) message-numbers
between any existing messages. Reason I thought this was a good idea at
first was this way I could exactly control the range of messages I get,
and know where I was going etc. and need only one line of output per message.
As noted above, it didn't work as well as in theory ;) NEXT/HEAD pairs with
parsing the message-numbers to know where you're going works fine, but you
get lost if the "last message processed" gets cancelled in the meanwhile...

: The program you appear to be writing may be much more complex than the
: one I wrote. My program just grabbed headers so that I could mail them to
: ISPs from which the forgeries were being issued.

This was/is a full-fledged spam-cancelling bot which made decisions on what
is spam on the fly, and then sends cancels to multiple news-servers. It was
pretty quick at stopping propagation before the messages got even out when
ran directly thru the WinGates used for spamming. Well, honestly, if I was
writing a news-server, I'd make it forward new articles immediately,
before doing anything else, so the cancel would only get caught after...
But that's why the other cancels to other sites... so the article gets
squished up between the articles hunting it down from each direction... Umm...

;)

-Donwulff
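
The line-buffering routine described in the post above, with the improvements it lists (a head index instead of a copy per line, a bounded buffer, scanning only newly read bytes), as an added example that is not the poster's code. The names `linebuf`, `lb_fill` and `lb_next_line` and the 1024-byte cap are assumptions; it uses POSIX read(), and a select() loop would call `lb_fill` whenever the descriptor is readable.

```c
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define LB_CAP 1024             /* fixed capacity, so one overlong line cannot overflow */

struct linebuf {
    char   data[LB_CAP];
    size_t head;                /* first unconsumed byte */
    size_t tail;                /* one past the last byte read */
    size_t scanned;             /* bytes in [head, scanned) are known to hold no LF */
};

/* Append whatever the descriptor has ready. Returns the byte count, 0 on EOF,
 * -1 on error (EAGAIN on a non-blocking socket), -2 if LB_CAP bytes hold no LF. */
ssize_t lb_fill(struct linebuf *lb, int fd)
{
    if (lb->head == lb->tail) {                      /* empty: rewind for free */
        lb->head = lb->tail = lb->scanned = 0;
    } else if (lb->head > 0 && lb->tail == LB_CAP) { /* move only when out of room */
        memmove(lb->data, lb->data + lb->head, lb->tail - lb->head);
        lb->tail -= lb->head;
        lb->scanned -= lb->head;
        lb->head = 0;
    }
    if (lb->tail == LB_CAP)
        return -2;
    ssize_t n = read(fd, lb->data + lb->tail, LB_CAP - lb->tail);
    if (n > 0)
        lb->tail += (size_t)n;
    return n;
}

/* Next complete line (NUL-terminated, CR LF stripped) or NULL; valid until lb_fill(). */
char *lb_next_line(struct linebuf *lb)
{
    for (; lb->scanned < lb->tail; lb->scanned++) {
        if (lb->data[lb->scanned] != '\n')
            continue;
        size_t end = lb->scanned;
        char *line = lb->data + lb->head;
        if (end > lb->head && lb->data[end - 1] == '\r')
            end--;
        lb->data[end] = '\0';
        lb->head = ++lb->scanned;
        return line;
    }
    return NULL;
}
```

A zeroed `struct linebuf` is a valid empty buffer; a return of -2 means the peer sent more than `LB_CAP` bytes without a line feed and the connection should be dropped rather than buffered further.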
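
The NEXT/HEAD header walk discussed in both posts above, reduced to its reply handling, as an added example that is not either poster's code: it resynchronises with STAT when the saved starting article has been cancelled and treats "no next article" as a normal end of the pass. The names `walker` and `walk_step` are assumptions, the reply codes (221, 223, 421, 423, 430) are those of RFC 977, and the caller is assumed to have sent `GROUP` and then `STAT <cur>` before the first call.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum wstate { W_SEEK, W_HEAD, W_NEXT, W_DONE };

struct walker {
    enum wstate st;
    long cur;   /* last article number the server confirmed, or the one being probed */
    long high;  /* high-water mark from the "211 count low high group" reply */
};

/* Feed one status line from the server; writes the next command into cmd.
 * Returns 1 if a command was written, 0 when the pass is finished, -1 on an unexpected reply. */
int walk_step(struct walker *w, const char *reply, char *cmd, size_t len)
{
    char *rest;
    long code = strtol(reply, &rest, 10);
    long num  = strtol(rest, NULL, 10);   /* article number, when the reply carries one */

    cmd[0] = '\0';
    switch (w->st) {
    case W_SEEK:                          /* we sent "STAT <cur>" to set the pointer */
        if (code == 223) { w->cur = num; w->st = W_HEAD; snprintf(cmd, len, "HEAD"); return 1; }
        if (code != 423) return -1;
        if (++w->cur > w->high) { w->st = W_DONE; return 0; }  /* cancelled: probe upward */
        snprintf(cmd, len, "STAT %ld", w->cur);
        return 1;
    case W_HEAD:                          /* we sent "HEAD"; after 221 the caller reads to "." */
        if (code != 221 && code != 423 && code != 430) return -1;
        w->st = W_NEXT; snprintf(cmd, len, "NEXT"); return 1;
    case W_NEXT:                          /* we sent "NEXT" */
        if (code == 223) { w->cur = num; w->st = W_HEAD; snprintf(cmd, len, "HEAD"); return 1; }
        if (code != 421) return -1;
        w->st = W_DONE; return 0;         /* end of group; w->cur is where the next poll resumes */
    default:
        return 0;
    }
}
```

STAT is used for the resynchronisation because its reply is a single line, so probing past cancelled numbers costs one short round trip each instead of a failed HEAD.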

Jukka Tapani Santala

Jan 16, 1999, 3:00:00 AM

ALZELT wrote:

> i think dolly went overboard with cabin fever. i would suggest(as i will do
> next friday nite) two nice size fillets on the grill. lay on very thinly sliced
> lemon slices, as well as some chopped dill. cook with the top down, only on one
> side(skin side). line a serving platter with a light mixture of soy and wasabi.
> place the salmon on the platter. serve with dilled boiled potatoes and lightly
> steamed fresh veggies. if you say please, i will save some of the salmon for
> you, harry.
>
> p.s. hope your blood pressure has fallen since some of my more conservative
> countrymen decided to redo the atlas. mustn't let people who walk around in
> sheets get to you. in their zeal to rewrite the constitution, they figured they
> would throw in something about canada, too.
> Alan
>
> The difference between being diplomatic and undiplomatic is the difference
> between saying "when I look at you, time stands still", and saying "your face
> would stop a clock". Anon
>
> Remove "FinnFan" to send mail.

Okay. So I've got cabin fever. Your method of preparation sounds wonderful. But
Cabin Fever Salmon isn't so bad either. If you're using Wasabi as a condiment, a
little chili paste in a marinade that is brief, say 15 - 20 minutes and not
designed to drown the fillets as opposed to all night and day, might be okay. Try
it. I got this recipe from a third generation 'fish family' member.

Dolly
