How can one trace the source of a NG post when there is NO NNTP Host
listed in the Header?

Additionally, what is meant by a DNS?

                        Alan

--
====== Please DELETE This Line and Everything Below It When Replying! ====    
THIS NEWSGROUP is only for questions about newsgroups and the Internet.  
IF YOU HAVE questions on other topics, search for appropriate newsgroups
         using http://members.fortunecity.com/nnqweb/ngroups.html
LEARN about newsgroups at the news.newusers.questions Web site:
                http://members.fortunecity.com/nnqweb/
===== The moderators append this notice to non-crossposted articles; =====
======= It does not imply that the article is on topic or correct ========

You should go to the site of links I mentioned when you were asking
about using a whois on an IP http://spamlinks.net/index.html

Additional sites designed more for the frequently fruitless pastime of
newsgroup message tracking

  Margie Arbon, previously of MAPS, on usenet headers
http://home.att.net/~marjie1/usenet.htm

  Ed Falk, How to track netnews spam to its source, 2 local links
http://www.rahul.net/falk/#howtos  a tutorial and a practical example

  Sputum tutorial has moved from its original site, but a copy is held
at newsguy http://member.newsguy.com/~sputum/sputools.htm - it contains
some useful strategy

In my opinion there are quite a number of reasons why you shouldn't be
trying to track the source of a newsgroup message, depending upon why
you are doing that.  It is very common that you will not be able to
track the source of a newsgroup posting, and it is often unlikely that
you should be notifying a provider about spammish or trollish behavior
in a newsgroup message

The wikipedia is one of many places that has a good discussion on DNS
related issues http://en.wikipedia.org/wiki/Dns

--
Mike Easter

--
====== Please DELETE This Line and Everything Below It When Replying! ====    
THIS NEWSGROUP is only for questions about newsgroups and the Internet.  
IF YOU HAVE questions on other topics, search for appropriate newsgroups
         using http://members.fortunecity.com/nnqweb/ngroups.html
LEARN about newsgroups at the news.newusers.questions Web site:
                http://members.fortunecity.com/nnqweb/
===== The moderators append this notice to non-crossposted articles; =====
======= It does not imply that the article is on topic or correct ========

Tried that, but it wasn't very useful.  Perhaps because I don't have
sufficient background information, but, then again, that's why I posted
this question, I guess.

thanks for your other sources.  I'll try them.  I realize that you're
trying to be helpful, but sources without explanation of how to use them
really don't help me much.  A bit more thorough explanation would be
appreciated.

I understand that perhaps I may need a better understanding of how
things work and the terms used in their operation.  Every time I access
a site, the terms used raise more questions.  maybe i should start at
the beginning with some elementary primer and work from there.

Can you recommend something?

                        Alan

--
====== Please DELETE This Line and Everything Below It When Replying! ====    
THIS NEWSGROUP is only for questions about newsgroups and the Internet.  
IF YOU HAVE questions on other topics, search for appropriate newsgroups
         using http://members.fortunecity.com/nnqweb/ngroups.html
LEARN about newsgroups at the news.newusers.questions Web site:
                http://members.fortunecity.com/nnqweb/
===== The moderators append this notice to non-crossposted articles; =====
======= It does not imply that the article is on topic or correct ========

First read what's been put on your plate, grasshopper.

Good idea.

You haven't yet said what you are trying to do and why you are trying to
do it.

Are you trying to learn how to be an identity sleuth?

--
Mike Easter

--
====== Please DELETE This Line and Everything Below It When Replying! ====    
THIS NEWSGROUP is only for questions about newsgroups and the Internet.  
IF YOU HAVE questions on other topics, search for appropriate newsgroups
         using http://members.fortunecity.com/nnqweb/ngroups.html
LEARN about newsgroups at the news.newusers.questions Web site:
                http://members.fortunecity.com/nnqweb/
===== The moderators append this notice to non-crossposted articles; =====
======= It does not imply that the article is on topic or correct ========

I did.  It wasn't very helpful.

What I am trying to do is educate myself.  My question grew out of an
earlier post about interpreting headers.  I got a lot of web sites which
required that I was familiar with terminology, and on a higher level,
familiarity with how systems which comprise Usenet work.  I got several
Acronyms for registration agencies, yet I don't know what those agencies
are, their purpose and what they do.  Perhaps what i am looking for is
fundamental knowledge on a very basic level.

Jon Bell posted s basic primer and that was a good start.  i need to go
on from their into the specifics of they systems.  I need to have
definitions of terms.  I need to know how things have evolved.

After each post and based on the information I get, I can ask better
questions.  I don't doubt that my questions are  poorly phrased.  but
that is due to my ignorance in being unable to phrase the questions in a
specific manner.  I would have hope my fundamental ignorance would have
been recognized, and a basic response, on which I could build, provided.
  I guess that was not the case.  I hope I have clarified my needs
somewhat better.

No; merely to understand how things work.

                        Alan

--
====== Please DELETE This Line and Everything Below It When Replying! ====    
THIS NEWSGROUP is only for questions about newsgroups and the Internet.  
IF YOU HAVE questions on other topics, search for appropriate newsgroups
         using http://members.fortunecity.com/nnqweb/ngroups.html
LEARN about newsgroups at the news.newusers.questions Web site:
                http://members.fortunecity.com/nnqweb/
===== The moderators append this notice to non-crossposted articles; =====
======= It does not imply that the article is on topic or correct ========

<reposted;  non-appearance in 15 mins>

The reason I ask about the identity sleuthing business is because there
are all different types of newsgroup personalities participating in all
different types of 'personality of the newsgroup'.  That is, some
newsgroups are full of trollish types which feed on each other;  and
some ng/s are full of hostility and antagonism and ad hominem attacks.
Those conditions lead to a desire to cross over the chasm between
cyberspace and what is called 'meatspace' or the actual identity of some
individual cyber-personality.

An example of the types of ng/s in which trollish behavior abounds are
those in which the 'standard' or normal posting behavior is to crosspost
to multiple groups and to behave churlishly.  The same types of groups
and personalities very often find themselves in contentious arguments
and ad hominem attacks.  In fact, the very 'meaning' of an ad hominem
attack is the concept of attacking the person rather than the argument;
and when the emotions associated with that run high, there's a certain
frustration to considering that the 'person' being attacked is simply
the cyberperson.  Or to wonder 'who' this is who is attacking you.

As a result of that frustration and for other reasons, it is very common
for some ng participants to derive an interest in 'exactly' /who/ is
this person I'm fighting with;  or talking to;  or whatever.  Or perhaps
the opposite;  to be attracted to an individual.  That leads to the
practice of identity sleuthing.

Identity sleuthing might start with just looking 'back' at whatall the
cyberidentity has had to say in the past;  or what kinds of arguments or
discussions they have found themselves in;  or what their interests are.

Then, that might transition over to trying to figure out what country or
what state they live in;  or what community;  or what is their address
or telephone number;  or social security number or date of birth or
mother's maiden name.  It is a sport for some.  Rarely it results in
cyberstalking.

So learning about a cyberpersonality's 'handwriting' as I call it, is
one step.  Deriving the maximum information from their news server's
header lines, including NNTP posting host is another step.  Learning how
to separate the wheat from the chaff including bogus information in the
header is another step.  Tracking them into the meatspace is another
step.

You've been ng posting for several years as your current persona.  Some
of the newsgroup postings and people you have been involved with
discussing and arguing points of view involve the kinds of contentious
and ad hominem attacks which invite identity sleuthing -- and then/now
you start getting interested in how to use newsgroup header information
such as the nntp posting host to track or identify the poster to the ng.

That's why I asked.  For example, I like to lurk in the alt.locksmithing
ng because I find the topics of lock picking and security penetration to
be interesting.  That group is populated by everyone from
professional locksmiths to amateur hobbyists to wannabe safe cracking
burglars or bicycle or school locker thieves.  Naturally the
professional
locksmiths and skilled hobbyists are concerned about what the 'students'
are planning on doing with the information.

There are many newsgroup posters who find that this condition of
identity sleuthing is an infringement on their privacy;  so they choose
to use newsservers which don't leave an nntp posting host trail.  They
may also engage anonymous remailers thru' which to make their posts to
make the identity sleuthing process significantly more difficult if not
impossible.

--
Mike Easter

--
====== Please DELETE This Line and Everything Below It When Replying! ====    
THIS NEWSGROUP is only for questions about newsgroups and the Internet.  
IF YOU HAVE questions on other topics, search for appropriate newsgroups
         using http://members.fortunecity.com/nnqweb/ngroups.html
LEARN about newsgroups at the news.newusers.questions Web site:
                http://members.fortunecity.com/nnqweb/
===== The moderators append this notice to non-crossposted articles; =====
======= It does not imply that the article is on topic or correct ========

In article <nnq.NuidnYJHOr9dL-HfRVn...@rcn.net>,
Alan Lichtenstein  <a...@xyz.com> wrote:

OK, now that you've made an honest effort to do the research yourself,
it's completely appropriate to ask specific questions.  This is probably
as good a place as any, unless Mike or somebody else can suggest a better
place.

So, what specifically are you having trouble with?  If it relates to
deciphering something you've read somewhere, it would be helpful to
provide a link to it, along with your question(s), so we can see where
you're coming from.

--
Jon Bell <jtb...@presby.edu>                        Presbyterian College
Dept. of Physics and Computer Science        Clinton, South Carolina USA

--
====== Please DELETE This Line and Everything Below It When Replying! ====    
THIS NEWSGROUP is only for questions about newsgroups and the Internet.  
IF YOU HAVE questions on other topics, search for appropriate newsgroups
         using http://members.fortunecity.com/nnqweb/ngroups.html
LEARN about newsgroups at the news.newusers.questions Web site:
                http://members.fortunecity.com/nnqweb/
===== The moderators append this notice to non-crossposted articles; =====
======= It does not imply that the article is on topic or correct ========

On Fri, 06 May 2005 15:09:22 GMT, "Mike Easter" <Mi...@ster.invalid>
wrote:

Seconded with the proviso that "depending upon" is altered to "no
matter".

Waste of time and effort. Go do something productive like changing the
tide. :)

--
Rodger Whitlock
Victoria, BC, Canada
to send email, change atlantic to pacific
and invalid to net

--
====== Please DELETE This Line and Everything Below It When Replying! ====    
THIS NEWSGROUP is only for questions about newsgroups and the Internet.  
IF YOU HAVE questions on other topics, search for appropriate newsgroups
         using http://members.fortunecity.com/nnqweb/ngroups.html
LEARN about newsgroups at the news.newusers.questions Web site:
                http://members.fortunecity.com/nnqweb/
===== The moderators append this notice to non-crossposted articles; =====
======= It does not imply that the article is on topic or correct ========

Studying email headers including their bogosity is a educational
experience in smtp tech.  Studying newsgroup headers is much more like a
waste of time, depending upon what kind of pastimes you like.

Of the links I posted, Margie's is a good graphical representation that
shows a mostly honest set of newgroup headers, with only a bogus From,
but which had 'sufficient' newsserver factual information, including the
nntp posting host.  Her graphics show which of the header elements are
the least reliable and most easily forged, compared with which are the
most reliable.  It is a nice presentation.

Ed Falk's tutorial does the same thing textually rather than
graphically, and goes into some nice details about trying to analyze
Path forgeries when they are present before the honest path information.

At his site he also includes a step by step analysis of a dissection of
an item with considerably more bogosity in it than Margie's example or
his preliminary tutorial.  In that case he dissects a spammish one which
doesn't have an nntp posting host and which has a path line which does
*not* contain any preliminary bogosity.

The last link, the sputum one, has the highest level of training of the
three;  as he includes examples which he typifies in the following way:

  Type 1: Stupid Clueless Newbie, posting in the clear
  Type 2: Careful clueless spammer/warez kiddie, attempting pseudonymity
  Type 3: Professional SpamDude, posting pseudo-anon from rogue ISP

The problem with trying to 'simplify' something like analyzing newsgroup
headers, which is much more difficult and complex and less reliable than
analyzing email headers even emails with bogus headerlines, is that it
has to get very complicated before it starts becoming any clearer.

--
Mike Easter

--
====== Please DELETE This Line and Everything Below It When Replying! ====    
THIS NEWSGROUP is only for questions about newsgroups and the Internet.  
IF YOU HAVE questions on other topics, search for appropriate newsgroups
         using http://members.fortunecity.com/nnqweb/ngroups.html
LEARN about newsgroups at the news.newusers.questions Web site:
                http://members.fortunecity.com/nnqweb/
===== The moderators append this notice to non-crossposted articles; =====
======= It does not imply that the article is on topic or correct ========

For starters, how does one decipher the path a message took?  It appears
to be just a bunch of abbreviations to me.  I have not found any text
material that instructs one how to do this.

Next, what is meant by MIME?

                        Alan

--
====== Please DELETE This Line and Everything Below It When Replying! ====    
THIS NEWSGROUP is only for questions about newsgroups and the Internet.  
IF YOU HAVE questions on other topics, search for appropriate newsgroups
         using http://members.fortunecity.com/nnqweb/ngroups.html
LEARN about newsgroups at the news.newusers.questions Web site:
                http://members.fortunecity.com/nnqweb/
===== The moderators append this notice to non-crossposted articles; =====
======= It does not imply that the article is on topic or correct ========

I don't know of a place that is going to help identify the agents or
elements in the path, but it is educational to look at a bunch of them.

Headers need to be looked at in the context of the whole header,
realizing that some parts may be bogus and some parts may be true.  By
'integrating' the complexion of the entire header and disregarding any
items which can easily be forged and 'don't fit', a picture begins to
emerge.

In the case of the path, we look at/ see/ the path from one news server
to the other, backwards.  This newsgroup's headers are more awkward to
deal with because of the moderation effect, but if we look at the path
of one of your messages in a different newsgroup from your provider's
newsserver to my provider's newsserver, we see this, with me adding some
spaces after the bangs so that the line will wrap.

Path: newsspool2.news.pas.earthlink.net! stamper.news.pas.earthlink.net!
elnk-nf2-pas! newsfeed.earthlink.net! newshub.sdsu.edu!
border1.nntp.dca.giganews.com! nntp.giganews.com!
local01.nntp.dca.giganews.com! nntp.rcn.net! news.rcn.net.POSTED!
not-for-mail

This is a header with no forgery - so that is an important consideration
to begin with.  We see your provider rcn to giganews to San Diego
State's hub to earthlink.  If I look at that same message on a different
newsserver it takes a different path to the alternate newsserver.

Path: authen.white.readfreenews.net! green.octanews.net!
news-out.octanews.net! canary.octanews.net!
border2.nntp.dca.giganews.com! border1.nntp.dca.giganews.com!
nntp.giganews.com! local01.nntp.dca.giganews.com! nntp.rcn.net!
news.rcn.net.POSTED! not-for-mail

There we see your provider rcn to giga to octanews to readfreenews,
whcih is in the octa family.

MIME is an 'official' RFC sanctioned/defined message format which stands
for Multipurpose Internet Mail Extensions, the MIME line is stamped by
your newsreader which calls itself User-Agent: Mozilla/5.0 (Macintosh;
U; PPC Mac OS X Mach-O; en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2

In the case of news 'protocols' or good practices, the general behavior
is plaintext with no attachments, so the mime business isn't usually an
important or useful tag.  And, I've only seen mime 1.0.

--
Mike Easter

--
====== Please DELETE This Line and Everything Below It When Replying! ====    
THIS NEWSGROUP is only for questions about newsgroups and the Internet.  
IF YOU HAVE questions on other topics, search for appropriate newsgroups
         using http://members.fortunecity.com/nnqweb/ngroups.html
LEARN about newsgroups at the news.newusers.questions Web site:
                http://members.fortunecity.com/nnqweb/
===== The moderators append this notice to non-crossposted articles; =====
======= It does not imply that the article is on topic or correct ========

A good way to become acquainted with paths is to just look at a 'bunch'
or a few dozen different paths which do not include any forgery.  Start
with looking at the honest or unforged ones on your own provider's
newsserver.  After about the first 2 or 3, you will realize that the
first [which is chronologically the last] 'half' of the path is always
the same, because it represents the feed that your provider's newsserver
gets.

So, then, for the first dozen or so that you are looking at on your rcn
newsserver, you would just focus on the 2nd half of the path, from the
poster's newsserver to the poster's newsserver's backbone feed.
Typically you will see some transition from one backbone to another --
that makes sense.

Before you start trying to look at bogotic headers, you should spend
some time with legitimate ones.

Then, after you examine some honest headers on your own provider's
newsserver, you should access some alternate newsservers, ie free or
nearly free ones, so that you can see the other half, 'your'
newsserver's half when 'your' newsserver isn't rcn's newsserver.

So, then you will begin to recognize how the 'halfs' look.  After some
dozens of doing that, then you can start tinkering with the amateurish
attempts to forge headers, so that you can discern where the forgery
begins.  You can't start cutting your teeth on bandsaw grade forged
headers.

--
Mike Easter

--
====== Please DELETE This Line and Everything Below It When Replying! ====    
THIS NEWSGROUP is only for questions about newsgroups and the Internet.  
IF YOU HAVE questions on other topics, search for appropriate newsgroups
         using http://members.fortunecity.com/nnqweb/ngroups.html
LEARN about newsgroups at the news.newusers.questions Web site:
                http://members.fortunecity.com/nnqweb/
===== The moderators append this notice to non-crossposted articles; =====
======= It does not imply that the article is on topic or correct ========

In article <nnq.t5Jje.4050$X92.2...@newsread2.news.pas.earthlink.net>,

It's common for servers to have incoming feeds from more than one other
server.  In fact, it's almost a necessity for a server that aims for
"completion" in any particular newsgroup.  My college's server, for
example, receives feeds from four universities.  So even if you look at
postings that were made on the same server, it's quite possible for them
to take different routes to get to your server, if they were posted at
different times.

--
Jon Bell <jtb...@presby.edu>                        Presbyterian College
Dept. of Physics and Computer Science        Clinton, South Carolina USA

--
====== Please DELETE This Line and Everything Below It When Replying! ====    
THIS NEWSGROUP is only for questions about newsgroups and the Internet.  
IF YOU HAVE questions on other topics, search for appropriate newsgroups
         using http://members.fortunecity.com/nnqweb/ngroups.html
LEARN about newsgroups at the news.newusers.questions Web site:
                http://members.fortunecity.com/nnqweb/
===== The moderators append this notice to non-crossposted articles; =====
======= It does not imply that the article is on topic or correct ========

That's good for your news, and shows that old friendly cooperation
between universities.

'Always' wasn't a good choice of words - depending on the newsserver.  A
lot of newsservers would have much better performance if they had that
kind of redundancy you describe -- but with more and more feeds becoming
overwhelmed, more and more newsservers are not stepping up to the plate
with significant redundancy.

I'll bet the rcn only gets fed by giganews.  Now, maybe/ likely/ giga
has redundancy.

--
Mike Easter

--
====== Please DELETE This Line and Everything Below It When Replying! ====    
THIS NEWSGROUP is only for questions about newsgroups and the Internet.  
IF YOU HAVE questions on other topics, search for appropriate newsgroups
         using http://members.fortunecity.com/nnqweb/ngroups.html
LEARN about newsgroups at the news.newusers.questions Web site:
                http://members.fortunecity.com/nnqweb/
===== The moderators append this notice to non-crossposted articles; =====
======= It does not imply that the article is on topic or correct ========

In article <nnq.xeSje.4665$Lc1.1...@newsread3.news.pas.earthlink.net>,

Looks like it.  In another window, I'm running a search on the article
spool on my server, for "Path:" headers that contain ".rcn.".  All of the
ones that I've noticed so far originated at rcn, and went through giganews
next.

So far I've seen glorb.com (mostly), syr.edu, and sdsu.edu, after a few
dozen postings.

Google exchanges with at least glorb.com and stanford.edu.

--
Jon Bell <jtb...@presby.edu>                        Presbyterian College
Dept. of Physics and Computer Science        Clinton, South Carolina USA

--
====== Please DELETE This Line and Everything Below It When Replying! ====    
THIS NEWSGROUP is only for questions about newsgroups and the Internet.  
IF YOU HAVE questions on other topics, search for appropriate newsgroups
         using http://members.fortunecity.com/nnqweb/ngroups.html
LEARN about newsgroups at the news.newusers.questions Web site:
                http://members.fortunecity.com/nnqweb/
===== The moderators append this notice to non-crossposted articles; =====
======= It does not imply that the article is on topic or correct ========

An obvious question is, "how does one know that they don't fit?"  But
let's table that for a minute to go on to the examples you posted below.

I see the general path.  But if I didn't have your analysis, I never
would have been able to interpret this on my own.  For example, you say
the post went from rcn to giganews.  But if I look at the post,
beginning with the last, I see:

"...nntp.giganews.com!
 > local01.nntp.dca.giganews.com! nntp.rcn.net! news.rcn.net.POSTED!
 > not-for-mail"

Now why are there two identifications for rcn, and why are there two
identifications for giganews?  Does the fact that the first( last rcn )
indicate the originating news server, and the second reference to rcn
headed by the nntp. merely indicate that the post was transferred from
rcn according to the nntp?  And ditto for giganews?  If that
interpretation is correct, that would be an explanation.  If not, an
explanation is required.

And next question:  Why do some of the notations in the path end with a
"!" and others not?

Additionally, what is meant by dca.?  What is meant by local101,
border1, border2, elnk-nf2-pas?

Your previous explanation didn't cover those.

How would one tell if something doesn't belong?  Based on what I know
right now, the portion of the path elnk-nf2-pas! doesn't seem to belong
either?

You used the term wrap?  What is meant by that?  I note in my edit box a
'rewrap' command.

Also, you mention people can edit their headers.  Is that a common
practice with all news readers?  I don't seem to have any control over
what my headers say?  I see nothing in the help instructions regarding
those.

Any assistance, and the simpler the better( considering the fundamental
nature of my questions ) would be appreciated.

                        Alan

--
====== Please DELETE This Line and Everything Below It When Replying! ====    
THIS NEWSGROUP is only for questions about newsgroups and the Internet.  
IF YOU HAVE questions on other topics, search for appropriate newsgroups
         using http://members.fortunecity.com/nnqweb/ngroups.html
LEARN about newsgroups at the news.newusers.questions Web site:
                http://members.fortunecity.com/nnqweb/
===== The moderators append this notice to non-crossposted articles; =====
======= It does not imply that the article is on topic or correct ========

I appreciate the reply, however, it still raises a question:  How does
one forge a header?  My news reader does not apparently permit me to
alter their composition?  do others?  Does mine( but I just don't know
how to do it )?

And I see that my comments have initiated a developing discussion that
appears to be going in additional directions.  Hopefully, I'll be able
to learn something from it.

                        Alan

--
====== Please DELETE This Line and Everything Below It When Replying! ====    
THIS NEWSGROUP is only for questions about newsgroups and the Internet.  
IF YOU HAVE questions on other topics, search for appropriate newsgroups
         using http://members.fortunecity.com/nnqweb/ngroups.html
LEARN about newsgroups at the news.newusers.questions Web site:
                http://members.fortunecity.com/nnqweb/
===== The moderators append this notice to non-crossposted articles; =====
======= It does not imply that the article is on topic or correct ========

Remember the earlier links about forgery detection and which elements
are easier and harder to forge.

Yes.

They all do except for the one attached to POSTED and the end.

I don't know - except that the news server feeds, backbones, borders,
and such are free to name themselves.  There is a lot about news servers
and feeds and backbones that I am just now learning.

In an unforged header, everything 'belongs' in the sense that no one put
it there 'nefariously'.  In a possibly forged header, one with evidence
and/or suspicion of forgery - anything can be forged.  In this case I
picked your headers and assumed they were not forged.

In the one extreme sense, headers are either forged or they are not.
But that doesn't tell the story very well.  Maybe obfuscated would
sometimes be a better or another term.  For example, I might choose to
use a news server that is configured to leave a different kind of
'trail' for my posts than my EL one does.  That isn't forgery.  It is
just choosing a newsserver which provides less identification of me by
my post.  If we choose to 'forge' our From line to avoid spam, that is
one form of obfuscation ie forgery that is mostly acceptable, but not by
everyone's philosophy.

Someone else might choose to derive their anonymity for a news post
without performing any forgery at all by using an anonymizing service or
remailer.  Somewhere in here we need to get back to the question of why
it is you are trying to learn how to interpret newsheaders.  Mostly it
should be none of your business whether or not someone chose to forge
their headers or otherwise obfuscate them of if they used an anonymizer.
When you interact in a newsgroup, you are interacting with a
cyberpersona.  Figuring out where the post came from doesn't really have
anything to do with that interaction.

OTOH, some other people might feel that they don't choose to interact
with anyone who has chosen to anonymize themselves.  Dif'rent strokes
for dif'rent folks.

Our newsreaders wrap the length of our lines to about 72-74 chars for
readability and make those wraps in the spaces between words, not right
in the middle of the words;  so if there's a line which has no spaces in
it, like a Path: line, my newsreader has a hard time wrapping the line,
so when I post Path lines I put in a space after the bang to help with
the wrap.  Wrapping is the end of a line EOL and the beginning of
another line.

I don't recall using those words - just implying that people can forge
headers.

You can edit your From line and your Reply-To line and you can make your
date be funky.  You can indirectly influence other elements which show
up in your headers.  Some people have more control than others,
depending upon their newsreader.  The same is true for your mailuser
agent.  Healthy normal mua/s don't allow the same kind of 'manipulation'
of header information that ratware or spamware permits.

Mostly our newsreaders are not designed for header forgery.

--
Mike Easter

--
====== Please DELETE This Line and Everything Below It When Replying! ====    
THIS NEWSGROUP is only for questions about newsgroups and the Internet.  
IF YOU HAVE questions on other topics, search for appropriate newsgroups
         using http://members.fortunecity.com/nnqweb/ngroups.html
LEARN about newsgroups at the news.newusers.questions Web site:
                http://members.fortunecity.com/nnqweb/
===== The moderators append this notice to non-crossposted articles; =====
======= It does not imply that the article is on topic or correct ========

Surely you aren't interested in learning how to forge headers!?

If your wish is to anonymize yourself better for newsgroup postings,
let's change the subject to that.

If your wish is to identify those who are trying to anonymize
themselves, let's ask why.

--
Mike Easter

--
====== Please DELETE This Line and Everything Below It When Replying! ====    
THIS NEWSGROUP is only for questions about newsgroups and the Internet.  
IF YOU HAVE questions on other topics, search for appropriate newsgroups
         using http://members.fortunecity.com/nnqweb/ngroups.html
LEARN about newsgroups at the news.newusers.questions Web site:
                http://members.fortunecity.com/nnqweb/
===== The moderators append this notice to non-crossposted articles; =====
======= It does not imply that the article is on topic or correct ========

In article <nnq.mcSdnRSCQ_BWqgzfRVn...@rcn.net>,
 Alan Lichtenstein <a...@xyz.com> wrote:
[...]

Some headers are easier to forge than others, and some newsreaders
provide greater control over what is in various headers than others.

There is also some fuzziness in the term 'forge' because that implies
that manual arbitrary modification is always incorrect. For example,
many people have multiple email addresses that are perfectly valid, and
don't always want to post using the same one, so some newsreaders allow
them to enter anything at all as their From and/or Reply-To headers.

Or someone may think some domain like "xyz.com" is funny, and use an
address they do not own in it as a way to avoid getting spam to their
real address without consideration for the fact that there really IS a
xyz.com with actual users, maybe even one thought up out of thin air. On
that level, virtually ANY newsreader supports header forgery, as the
newsreader has to trust whatever a foolish user enters as their email
address.

Path headers are actually one of the easier things to forge, because
there can be legitimate reasons to 'preload' a Path header and a server
cannot generally tell that such a preload is necessarily bogus. Many
newsreaders provide direct control over header content including the
capacity to add an arbitrary Path header, but it looks like you are
using Netscape 7.2 for MacOS, whose features I cannot speak to. Last I
bothered looking, the Netscape newsreader piece was rather weak.

The bottom line is always that a newsreader does not really limit such
behavior, because news is sufficiently simple that a human can rather
easily do everything a newsreader does to post a message using simple
tools like telnet. Some news servers impose some controls in narrow
areas over what can be posted, but but there is no universal enforcement
of anything in headers by all news servers so you really cannot know
which headers are fake and which can be trusted in a particular message.

--
Now where did I hide that website...

--
====== Please DELETE This Line and Everything Below It When Replying! ====    
THIS NEWSGROUP is only for questions about newsgroups and the Internet.  
IF YOU HAVE questions on other topics, search for appropriate newsgroups
         using http://members.fortunecity.com/nnqweb/ngroups.html
LEARN about newsgroups at the news.newusers.questions Web site:
                http://members.fortunecity.com/nnqweb/
===== The moderators append this notice to non-crossposted articles; =====
======= It does not imply that the article is on topic or correct ========

In article <nnq.VcednTF0rOnwqwzfRVn...@rcn.net>,
Alan Lichtenstein  <a...@xyz.com> wrote:
[in response to Mike]

Probably because both giganews and rcn use separate servers for incoming
and outgoing feeds, to distribute the workload.

The "!" is the separator between names, so each name is followed by a "!"
except the last one.  The entire "Path:" header is one long line, with
just a single blank space, after "Path:".  Mike added spaces by hand so
the line would wrap in a readable fashion on display.

Path names can be whatever the server's admins configure them to be, in
their server software.  Usually (not always!) they are the actual Internet
domain names of the servers.  The last two components of the name
(rcn.com, earthlink.com, presby.edu, etc.) are usually easily recognizable
as company/university/whatever domains.  Other components are entirely up
to whatever naming convention each company uses for subdomain and host
names.

You have to know by some other means (or at least make an educated guess)
that the named servers don't actually feed each other.  For example, any
path that contains something like "jtbell.presby.edu!newshub.sdsu.edu" has
to be bogus because we don't get a feed from sdsu.edu.

If you don't have that kind of information, it's hard to come to any
conclusions from looking at a single posting's "Path:" header, or even a
bunch of postings on the same server.  However, if you have several
copies of the same posting, as seen on different servers, then you can
compare their "Path:" headers and look for suspicious patterns.  Usually,
in o normal posting the paths to different servers will start to "diverge"
quickly, after passing through only one or two servers (not counting
multiple servers run by the same company).  If all the paths have a longer
"matching" sequence of components at the end, it *may* indicate that most
of them were "pre-loaded", with the first "matching" component being the
actual originating server.  For example, if you have paths of

a:q:n:d:e:f:g
c:w:x:d:e:f:g
m:r:s:d:e:f:g

on three copies of the same posting, from servers a, c and m, one might
suspect that "e:f:g" was preloaded and that the postings actually
originated at d.  (Again, you have to allow for multiple servers operated
by the same company.)

I just noticed in this one, "news.rcn.net.POSTED".  I think some companies
add the a "POSTED" component to the path name of a server that actually
receives postings directly from their own users.  If you see one of these
in the middle of a "Path:" line, that should probably be treated as a
warning flag that the following names might have been preloaded.

I just did some searching and came up with a bunch of examples similar to
this one:

Path: jtbell.presby.edu! newsfeed.stanford.edu! headwall.stanford.edu!
newshub.sdsu.edu! elnk-nf2-pas! newsfeed.earthlink.net!
stamper.news.pas.earthlink.net! stamper.news.atl.earthlink.net!
newsread1.news.atl.earthlink.net.POSTED! 6f5b67f4! not-for-mail

The third-from-last component had "POSTED".  The next-to-last one is new
to me (at last this this is the first time I've paid attention to it).  
It's probably some kind of code that Earthlink uses to track
which of their customers, or subsidiaries, or something, originated the
posting.

And the last one, "not-for-mail" is pretty universal.  I think your
news-posting software puts it there, or else your originating server puts
it there if it doesn't find one.  I think it goes back to the days when
Usenet wasn't part of the Internet, and people who weren't on the Internet
sent e-mail using addresses that explicitly indicated how to route the
message to its final destination.  Those addresses used a format that
looked just like the "Path:" lines on Usenet postings: a list of mail
servers separated by "!" ("bang-path addressing").  Here, the
"not-for-mail" (I think) traditionally indicates that *these* paths are
*not* to be used for e-mail.  (Most of this is a semi-educated guess, and
I'd be delighted if someone can confirm or correct it!)

--
Jon Bell <jtb...@presby.edu>                        Presbyterian College
Dept. of Physics and Computer Science        Clinton, South Carolina USA

--
====== Please DELETE This Line and Everything Below It When Replying! ====    
THIS NEWSGROUP is only for questions about newsgroups and the Internet.  
IF YOU HAVE questions on other topics, search for appropriate newsgroups
         using http://members.fortunecity.com/nnqweb/ngroups.html
LEARN about newsgroups at the news.newusers.questions Web site:
                http://members.fortunecity.com/nnqweb/
===== The moderators append this notice to non-crossposted articles; =====
======= It does not imply that the article is on topic or correct ========

On news.newusers.questions, in

You have interesting headers, "Alan".

To start with, host (a dns tool) reports
that rcn.net, which your post originates
from (allegedly), has no A record.
No IP can gotten for rcn.net with the
normal tools.

$ host rcn.net
rcn.net A record currently not present

Interestingly, I couldn't ping your IP (no response),
but another tool at my disposal revealed that it was up
and running on the Internet.

Here's what a whois search reveals about
rcn. net:

$ whois rcn.net
Registrant:
Residential Communications Network
   105 Carnegie Center
   Princeton, NJ 08540
   US

   Domain Name: RCN.NET

   Administrative Contact:
      RCN               ab...@RCN.COM
      7921 WOODRUFF CT
      SPRINGFIELD, VA 22151-2108
      US
      703-321-8000 fax: 703-321-8316

   Technical Contact:
      RCN               ab...@RCN.COM
      105 Carnegie Center
      Princeton, NJ 08540
      US
      800-746-4726 fax: 999 999 9999

   Record expires on 03-May-2011.
   Record created on 02-May-1995.
   Database last updated on 23-May-2005 05:24:19 EDT.

   Domain servers in listed order:

   AUTH1.DNS.RCN.NET            207.172.3.20
   AUTH3.DNS.RCN.NET            207.172.3.21
   AUTH4.DNS.RCN.NET            207.172.3.22
   AUTH2.DNS.RCN.NET            207.172.11.14

And here is what host reports about your NNTP-Posting-
Host IP:

$ host -a 192.168.253.29
Name: mid2.eng01.mindspring.net
Address: 192.168.253.29

And what whois has to say about that IP:

$ whois 192.168.253.29

OrgName:    Internet Assigned Numbers Authority
OrgID:      IANA
Address:    4676 Admiralty Way, Suite 330
City:       Marina del Rey
StateProv:  CA
PostalCode: 90292-6695
Country:    US

NetRange:   192.168.0.0 - 192.168.255.255
CIDR:       192.168.0.0/16
NetName:    IANA-CBLK1
NetHandle:  NET-192-168-0-0-1
Parent:     NET-192-0-0-0-0
NetType:    IANA Special Use
NameServer: BLACKHOLE-1.IANA.ORG
NameServer: BLACKHOLE-2.IANA.ORG
Comment:    This block is reserved for special purposes.
Comment:    Please see RFC 1918 for additional information.
Comment:
RegDate:    1994-03-15
Updated:    2002-09-16

OrgAbuseHandle: IANA-IP-ARIN
OrgAbuseName:   Internet Corporation for Assigned Names and Number
OrgAbusePhone:  +1-310-301-5820
OrgAbuseEmail:  ab...@iana.org

OrgTechHandle: IANA-IP-ARIN
OrgTechName:   Internet Corporation for Assigned Names and Number
OrgTechPhone:  +1-310-301-5820
OrgTechEmail:  ab...@iana.org

<quote>
                Address Allocation for Private Internets

Status of this Memo

This document specifies an Internet Best Current Practices for the
Internet Community, and requests discussion and suggestions for
improvements.  Distribution of this memo is unlimited.

1. Introduction

For the purposes of this document, an enterprise is an entity
autonomously operating a network using TCP/IP and in particular
determining the addressing plan and address assignments within that
network.

This document describes address allocation for private internets. The
allocation permits full network layer connectivity among all hosts
inside an enterprise as well as among all public hosts of different
enterprises. The cost of using private internet address space is the
potentially costly effort to renumber hosts and networks between
public and private.

</quote>

http://www.faqs.org/rfcs/rfc1918.html

So. Is this a research project that Earthlink has assigned you
to? Mmindspring.net IS Earthlink and you certainly seem to
be working in their engineering office.

mid2.eng01.mindspring.net

So why are you posting through giganews, which it turns
out owns rcn.net:

$ host news.rcn.net
news.rcn.net            A       216.196.97.142

$ whois 216.196.97.142
Data Foundry, Inc. DATAFOUNDRY (NET-216-196-96-0-1)
                                  216.196.96.0 - 216.196.127.255
Giganews, Inc. GIGAN-CIDR1 (NET-216-196-96-0-2)
                                  216.196.96.0 - 216.196.111.255

Why not through news.east|west.earthlink.net?

AC

--
====== Please DELETE This Line and Everything Below It When Replying! ====    
THIS NEWSGROUP is only for questions about newsgroups and the Internet.  
IF YOU HAVE questions on other topics, search for appropriate newsgroups
         using http://members.fortunecity.com/nnqweb/ngroups.html
LEARN about newsgroups at the news.newusers.questions Web site:
                http://members.fortunecity.com/nnqweb/
===== The moderators append this notice to non-crossposted articles; =====
======= It does not imply that the article is on topic or correct ========

Surely not.  but you have made an assertion that people do it.  I merely
wish to understand how it is done.  You have replied earlier in another
post in this thread that most news readers do not permit altering of
which items are contained in a header, or to alter how those items are
generated by the news reader.  If one cannot alter those items, as per
you previous post, it certainly raises the question as how that might be
possible.

Not at all.  I have been posting for a number of years, using my own
name, and archiving all my posts.  I merely want to learn more about the
working of NG's.  Such includes understanding of how alterations are
made.  Nothing more.  I have told you that before, yet you apparently do
not believe me.  I assure you that such is not the case.

That is not my wish despite the heading of the post.  So there is no
reason to ask why for a circumstance which isn't applicable.  My
question came about because of some anonymous posting, but that merely
raised the question of information.  As I told you earlier, I may not
have been asking the correct questions, due to my lack of knowledge.
Please move beyond your skepticism.

                        Alan

--
====== Please DELETE This Line and Everything Below It When Replying! ====    
THIS NEWSGROUP is only for questions about newsgroups and the Internet.  
IF YOU HAVE questions on other topics, search for appropriate newsgroups
         using http://members.fortunecity.com/nnqweb/ngroups.html
LEARN about newsgroups at the news.newusers.questions Web site:
                http://members.fortunecity.com/nnqweb/
===== The moderators append this notice to non-crossposted articles; =====
======= It does not imply that the article is on topic or correct ========

On news.newusers.questions, in <nnq.xKudncETf_kgJAzfRVn...@rcn.net>, "Alan Lichtenstein" wrote:

<snip>

Now you are posting from a COMPLETELY different IP!

host 209.122.225.252
Name: 209-122-225-252.s252.apx1.nyw.ny.dialup.rcn.com
Address: 209.122.225.252

From mindspring.net, based in Atlanta, Goergia, to a
dial-up account at rcn.com

OrgName:    RCN Corporation
OrgID:      RCN
Address:    105 Carnegie Center
City:       Princeton
StateProv:  NJ
PostalCode: 08540
Country:    US

Which is the same as rcn.net which is giganews.

Which is based in Austin, Texas.

http://www.rcn.com
http://www.rcn.net

Both take you to the same website.

AC

--
====== Please DELETE This Line and Everything Below It When Replying! ====    
THIS NEWSGROUP is only for questions about newsgroups and the Internet.  
IF YOU HAVE questions on other topics, search for appropriate newsgroups
         using http://members.fortunecity.com/nnqweb/ngroups.html
LEARN about newsgroups at the news.newusers.questions Web site:
                http://members.fortunecity.com/nnqweb/
===== The moderators append this notice to non-crossposted articles; =====
======= It does not imply that the article is on topic or correct ========

No.  You got that wrong somewhere.

You must've grabbed Jon Bell's from
news:nnq.d6s5m1$ff$1@jtbell.presby.edu - which isn't his 'proper' IP
either.

--
Mike Easter

--
====== Please DELETE This Line and Everything Below It When Replying! ====    
THIS NEWSGROUP is only for questions about newsgroups and the Internet.  
IF YOU HAVE questions on other topics, search for appropriate newsgroups
         using http://members.fortunecity.com/nnqweb/ngroups.html
LEARN about newsgroups at the news.newusers.questions Web site:
                http://members.fortunecity.com/nnqweb/
===== The moderators append this notice to non-crossposted articles; =====
======= It does not imply that the article is on topic or correct ========