Additionally, what is meant by a DNS?
Alan
--
====== Please DELETE This Line and Everything Below It When Replying! ====
THIS NEWSGROUP is only for questions about newsgroups and the Internet.
IF YOU HAVE questions on other topics, search for appropriate newsgroups
using http://members.fortunecity.com/nnqweb/ngroups.html
LEARN about newsgroups at the news.newusers.questions Web site:
http://members.fortunecity.com/nnqweb/
===== The moderators append this notice to non-crossposted articles; =====
======= It does not imply that the article is on topic or correct ========
You should go to the site of links I mentioned when you were asking
about using a whois on an IP http://spamlinks.net/index.html
Additional sites designed more for the frequently fruitless pastime of
newsgroup message tracking
Margie Arbon, previously of MAPS, on usenet headers
http://home.att.net/~marjie1/usenet.htm
Ed Falk, How to track netnews spam to its source, 2 local links
http://www.rahul.net/falk/#howtos a tutorial and a practical example
Sputum tutorial has moved from its original site, but a copy is held
at newsguy http://member.newsguy.com/~sputum/sputools.htm - it contains
some useful strategy
In my opinion there are quite a number of reasons why you shouldn't be
trying to track the source of a newsgroup message, depending upon why
you are doing that. It is very common that you will not be able to
track the source of a newsgroup posting, and it is often unlikely that
you should be notifying a provider about spammish or trollish behavior
in a newsgroup message.
> Additionally, what is meant by a DNS?
The wikipedia is one of many places that has a good discussion on DNS
related issues http://en.wikipedia.org/wiki/Dns
--
Mike Easter
Tried that, but it wasn't very useful. Perhaps because I don't have
sufficient background information, but, then again, that's why I posted
this question, I guess.
> Additional sites designed more for the frequently fruitless pastime of
> newsgroup message tracking
>
> Margie Arbon, previously of MAPS, on usenet headers
> http://home.att.net/~marjie1/usenet.htm
>
> Ed Falk, How to track netnews spam to its source, 2 local links
> http://www.rahul.net/falk/#howtos a tutorial and a practical example
>
> Sputum tutorial has moved from its original site, but a copy is held
> at newsguy http://member.newsguy.com/~sputum/sputools.htm - it contains
> some useful strategy
>
> In my opinion there are quite a number of reasons why you shouldn't be
> trying to track the source of a newsgroup message, depending upon why
> you are doing that. It is very common that you will not be able to
> track the source of a newsgroup posting, and it is often unlikely that
> you should be notifying a provider about spammish or trollish behavior
> in a newsgroup message
>
>
>>Additionally, what is meant by a DNS?
>
>
> The wikipedia is one of many places that has a good discussion on DNS
> related issues http://en.wikipedia.org/wiki/Dns
Thanks for your other sources. I'll try them. I realize that you're
trying to be helpful, but sources without explanation of how to use them
really don't help me much. A bit more thorough explanation would be
appreciated.
I understand that perhaps I may need a better understanding of how
things work and the terms used in their operation. Every time I access
a site, the terms used raise more questions. Maybe I should start at
the beginning with some elementary primer and work from there.
Can you recommend something?
Alan
> thanks for your other sources. I'll try them. I realize that you're
> trying to be helpful, but sources without explanation of how to use
> them really don't help me much. A bit more thorough explanation
> would be appreciated.
First read what's been put on your plate, grasshopper.
> I understand that perhaps I may need a better understanding of how
> things work and the terms used in their operation. Every time I
> access a site, the terms used raise more questions. maybe i should
> start at the beginning with some elementary primer and work from
> there.
Good idea.
> Can you recommend something?
You haven't yet said what you are trying to do and why you are trying to
do it.
Are you trying to learn how to be an identity sleuth?
--
Mike Easter
> Alan Lichtenstein wrote:
>
>
>>thanks for your other sources. I'll try them. I realize that you're
>>trying to be helpful, but sources without explanation of how to use
>>them really don't help me much. A bit more thorough explanation
>>would be appreciated.
>
>
> First read what's been put on your plate, grasshopper.
I did. It wasn't very helpful.
>>I understand that perhaps I may need a better understanding of how
>>things work and the terms used in their operation. Every time I
>>access a site, the terms used raise more questions. maybe i should
>>start at the beginning with some elementary primer and work from
>>there.
>
>
> Good idea.
>
>
>>Can you recommend something?
>
>
> You haven't yet said what you are trying to do and why you are trying to
> do it.
What I am trying to do is educate myself. My question grew out of an
earlier post about interpreting headers. I got a lot of web sites which
required that I was familiar with terminology, and on a higher level,
familiarity with how systems which comprise Usenet work. I got several
acronyms for registration agencies, yet I don't know what those agencies
are, their purpose and what they do. Perhaps what I am looking for is
fundamental knowledge on a very basic level.
Jon Bell posted a basic primer and that was a good start. I need to go
on from there into the specifics of the systems. I need to have
definitions of terms. I need to know how things have evolved.
After each post and based on the information I get, I can ask better
questions. I don't doubt that my questions are poorly phrased, but
that is due to my ignorance in being unable to phrase the questions in a
specific manner. I would have hoped my fundamental ignorance would have
been recognized, and a basic response, on which I could build, provided.
I guess that was not the case. I hope I have clarified my needs
somewhat better.
> Are you trying to learn how to be an identity sleuth?
No; merely to understand how things work.
Alan
Alan Lichtenstein wrote:
> Mike Easter wrote:
>
>> Are you trying to learn how to be an identity sleuth?
>
> No; merely to understand how things work.
The reason I ask about the identity sleuthing business is because there
are all different types of newsgroup personalities participating in all
different types of 'personality of the newsgroup'. That is, some
newsgroups are full of trollish types which feed on each other; and
some ng/s are full of hostility and antagonism and ad hominem attacks.
Those conditions lead to a desire to cross over the chasm between
cyberspace and what is called 'meatspace' or the actual identity of some
individual cyber-personality.
An example of the types of ng/s in which trollish behavior abounds are
those in which the 'standard' or normal posting behavior is to crosspost
to multiple groups and to behave churlishly. The same types of groups
and personalities very often find themselves in contentious arguments
and ad hominem attacks. In fact, the very 'meaning' of an ad hominem
attack is the concept of attacking the person rather than the argument;
and when the emotions associated with that run high, there's a certain
frustration to considering that the 'person' being attacked is simply
the cyberperson. Or to wonder 'who' this is who is attacking you.
As a result of that frustration and for other reasons, it is very common
for some ng participants to derive an interest in 'exactly' /who/ is
this person I'm fighting with; or talking to; or whatever. Or perhaps
the opposite; to be attracted to an individual. That leads to the
practice of identity sleuthing.
Identity sleuthing might start with just looking 'back' at whatall the
cyberidentity has had to say in the past; or what kinds of arguments or
discussions they have found themselves in; or what their interests are.
Then, that might transition over to trying to figure out what country or
what state they live in; or what community; or what is their address
or telephone number; or social security number or date of birth or
mother's maiden name. It is a sport for some. Rarely it results in
cyberstalking.
So learning about a cyberpersonality's 'handwriting' as I call it, is
one step. Deriving the maximum information from their news server's
header lines, including NNTP posting host is another step. Learning how
to separate the wheat from the chaff including bogus information in the
header is another step. Tracking them into the meatspace is another
step.
You've been ng posting for several years as your current persona. Some
of the newsgroup postings and people you have been involved with
discussing and arguing points of view involve the kinds of contentious
and ad hominem attacks which invite identity sleuthing -- and then/now
you start getting interested in how to use newsgroup header information
such as the nntp posting host to track or identify the poster to the ng.
That's why I asked. For example, I like to lurk in the alt.locksmithing
ng because I find the topics of lock picking and security penetration to
be interesting. That group is populated by everyone from
professional locksmiths to amateur hobbyists to wannabe safe cracking
burglars or bicycle or school locker thieves. Naturally the professional
locksmiths and skilled hobbyists are concerned about what the 'students'
are planning on doing with the information.
There are many newsgroup posters who find that this condition of
identity sleuthing is an infringement on their privacy; so they choose
to use newsservers which don't leave an nntp posting host trail. They
may also engage anonymous remailers thru' which to make their posts to
make the identity sleuthing process significantly more difficult if not
impossible.
--
Mike Easter
OK, now that you've made an honest effort to do the research yourself,
it's completely appropriate to ask specific questions. This is probably
as good a place as any, unless Mike or somebody else can suggest a better
place.
So, what specifically are you having trouble with? If it relates to
deciphering something you've read somewhere, it would be helpful to
provide a link to it, along with your question(s), so we can see where
you're coming from.
--
Jon Bell <jtb...@presby.edu> Presbyterian College
Dept. of Physics and Computer Science Clinton, South Carolina USA
> Alan Lichtenstein wrote:
> > How can one trace the source of a NG post when there is NO NNTP Host
> > listed in the Header?
> In my opinion there are quite a number of reasons why you shouldn't be
> trying to track the source of a newsgroup message, depending upon why
> you are doing that.
Seconded with the proviso that "depending upon" is altered to "no
matter".
Waste of time and effort. Go do something productive like changing the
tide. :)
--
Rodger Whitlock
Victoria, BC, Canada
to send email, change atlantic to pacific
and invalid to net
>>> How can one trace the source of a NG post when there is NO NNTP Host
>>> listed in the Header?
>
>> In my opinion there are quite a number of reasons why you shouldn't
>> be trying to track the source of a newsgroup message, depending upon
>> why you are doing that.
>
> Seconded with the proviso that "depending upon" is altered to "no
> matter".
>
> Waste of time and effort. Go do something productive like changing the
> tide. :)
Studying email headers including their bogosity is an educational
experience in smtp tech. Studying newsgroup headers is much more like a
waste of time, depending upon what kind of pastimes you like.
Of the links I posted, Margie's is a good graphical representation that
shows a mostly honest set of newsgroup headers, with only a bogus From,
but which had 'sufficient' newsserver factual information, including the
nntp posting host. Her graphics show which of the header elements are
the least reliable and most easily forged, compared with which are the
most reliable. It is a nice presentation.
Ed Falk's tutorial does the same thing textually rather than
graphically, and goes into some nice details about trying to analyze
Path forgeries when they are present before the honest path information.
At his site he also includes a step by step analysis of a dissection of
an item with considerably more bogosity in it than Margie's example or
his preliminary tutorial. In that case he dissects a spammish one which
doesn't have an nntp posting host and which has a path line which does
*not* contain any preliminary bogosity.
The last link, the sputum one, has the highest level of training of the
three; as he includes examples which he typifies in the following way:
Type 1: Stupid Clueless Newbie, posting in the clear
Type 2: Careful clueless spammer/warez kiddie, attempting pseudonymity
Type 3: Professional SpamDude, posting pseudo-anon from rogue ISP
The problem with trying to 'simplify' something like analyzing newsgroup
headers, which is much more difficult and complex and less reliable than
analyzing email headers even emails with bogus headerlines, is that it
has to get very complicated before it starts becoming any clearer.
--
Mike Easter
> In article <nnq.NuidnYJHO...@rcn.net>,
> Alan Lichtenstein <a...@xyz.com> wrote:
>
>>Mike Easter wrote:
>>
>>
>>>Alan Lichtenstein wrote:
>>>
>>>
>>>>[...] I realize that you're
>>>>trying to be helpful, but sources without explanation of how to use
>>>>them really don't help me much. A bit more thorough explanation
>>>>would be appreciated.
>>>
>>>First read what's been put on your plate, grasshopper.
>>
>>I did. It wasn't very helpful.
>
>
> OK, now that you've made an honest effort to do the research yourself,
> it's completely appropriate to ask specific questions. This is probably
> as good a place as any, unless Mike or somebody else can suggest a better
> place.
>
> So, what specifically are you having trouble with? If it relates to
> deciphering something you've read somewhere, it would be helpful to
> provide a link to it, along with your question(s), so we can see where
> you're coming from.
>
For starters, how does one decipher the path a message took? It appears
to be just a bunch of abbreviations to me. I have not found any text
material that instructs one how to do this.
Next, what is meant by MIME?
Alan
I don't know of a place that is going to help identify the agents or
elements in the path, but it is educational to look at a bunch of them.
Headers need to be looked at in the context of the whole header,
realizing that some parts may be bogus and some parts may be true. By
'integrating' the complexion of the entire header and disregarding any
items which can easily be forged and 'don't fit', a picture begins to
emerge.
In the case of the path, we look at/ see/ the path from one news server
to the other, backwards. This newsgroup's headers are more awkward to
deal with because of the moderation effect, but if we look at the path
of one of your messages in a different newsgroup from your provider's
newsserver to my provider's newsserver, we see this, with me adding some
spaces after the bangs so that the line will wrap.
Path: newsspool2.news.pas.earthlink.net! stamper.news.pas.earthlink.net!
elnk-nf2-pas! newsfeed.earthlink.net! newshub.sdsu.edu!
border1.nntp.dca.giganews.com! nntp.giganews.com!
local01.nntp.dca.giganews.com! nntp.rcn.net! news.rcn.net.POSTED!
not-for-mail
This is a header with no forgery - so that is an important consideration
to begin with. We see your provider rcn to giganews to San Diego
State's hub to earthlink. If I look at that same message on a different
newsserver it takes a different path to the alternate newsserver.
Path: authen.white.readfreenews.net! green.octanews.net!
news-out.octanews.net! canary.octanews.net!
border2.nntp.dca.giganews.com! border1.nntp.dca.giganews.com!
nntp.giganews.com! local01.nntp.dca.giganews.com! nntp.rcn.net!
news.rcn.net.POSTED! not-for-mail
There we see your provider rcn to giga to octanews to readfreenews,
which is in the octa family.
> Next, what is meant by MIME?
MIME is an 'official' RFC sanctioned/defined message format which stands
for Multipurpose Internet Mail Extensions. The MIME line is stamped by
your newsreader, which calls itself User-Agent: Mozilla/5.0 (Macintosh;
U; PPC Mac OS X Mach-O; en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2
In the case of news 'protocols' or good practices, the general behavior
is plaintext with no attachments, so the mime business isn't usually an
important or useful tag. And, I've only seen mime 1.0.
--
Mike Easter
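Mike's backward reading of the two Path: copies above, mechanised as an added example (not code from anyone in this thread): it splits on the bang, puts the hops in chronological order, flags a POSTED tag anywhere but next to the origin, and finds the hops that several copies of one article share, which is also the pre-loaded-Path heuristic Jon Bell describes later in the thread. The single-letter toy paths and the Path with a mid-line POSTED are constructed inputs, not from the thread.

```python
import re

# The two Path: lines quoted in the thread (with the spaces Mike added
# after the bangs for wrapping; parse_path strips them again).
PATH_VIA_EARTHLINK = (
    "Path: newsspool2.news.pas.earthlink.net! stamper.news.pas.earthlink.net! "
    "elnk-nf2-pas! newsfeed.earthlink.net! newshub.sdsu.edu! "
    "border1.nntp.dca.giganews.com! nntp.giganews.com! "
    "local01.nntp.dca.giganews.com! nntp.rcn.net! news.rcn.net.POSTED! "
    "not-for-mail"
)
PATH_VIA_READFREENEWS = (
    "Path: authen.white.readfreenews.net! green.octanews.net! "
    "news-out.octanews.net! canary.octanews.net! "
    "border2.nntp.dca.giganews.com! border1.nntp.dca.giganews.com! "
    "nntp.giganews.com! local01.nntp.dca.giganews.com! nntp.rcn.net! "
    "news.rcn.net.POSTED! not-for-mail"
)

# Constructed inputs (not from the thread): Jon Bell's a:q:n:d:e:f:g
# comparison written with bangs, and a Path with POSTED in the middle.
TOY_COPIES = ["Path: a!q!n!d!e!f!g", "Path: c!w!x!d!e!f!g",
              "Path: m!r!s!d!e!f!g"]
MID_POSTED = "Path: a.example!b.example.POSTED!c.example!d.example!not-for-mail"

PSEUDO_HOSTS = {"not-for-mail"}  # injection placeholder, not a server


def parse_path(header):
    """Split a Path: header on '!' and return the hops oldest-first,
    i.e. the reverse of the header's left-to-right order."""
    body = re.sub(r"^Path:\s*", "", header.strip(), flags=re.I)
    hops = [h.strip() for h in body.split("!") if h.strip()]
    hops.reverse()
    return hops


def origin_server(hops):
    """First real server in chronological order (skips not-for-mail)."""
    for hop in hops:
        if hop not in PSEUDO_HOSTS:
            return hop
    return None


def org_of(hop):
    """Registered domain (last two labels) of a hop, POSTED tag removed,
    so several servers run by one company count as one organisation.
    Names without dots (elnk-nf2-pas, or the toy letters) stay as-is."""
    name = re.sub(r"\.POSTED$", "", hop, flags=re.I)
    labels = name.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else name


def organisations(hops):
    """Distinct organisations along the hops, in order, pseudo-hosts dropped."""
    orgs = []
    for hop in hops:
        if hop in PSEUDO_HOSTS:
            continue
        org = org_of(hop)
        if not orgs or orgs[-1] != org:
            orgs.append(org)
    return orgs


def stray_posted_hops(hops):
    """Hops tagged POSTED that are not the injecting server itself
    (chronological index 0 or 1): Jon's warning flag for preloading."""
    return [h for i, h in enumerate(hops)
            if h.upper().endswith(".POSTED") and i > 1]


def shared_origin(paths):
    """Longest chronological prefix common to every copy of one article."""
    chron = [parse_path(p) for p in paths]
    common = []
    for hops in zip(*chron):
        if len(set(hops)) != 1:
            break
        common.append(hops[0])
    return common


def preload_verdict(paths, max_shared_orgs=2):
    """Jon's rule: honest copies diverge after one or two organisations;
    a longer shared tail suggests the earlier hops were pre-loaded and
    the last shared hop is the real origin."""
    shared = shared_origin(paths)
    if len(organisations(shared)) <= max_shared_orgs:
        return {"suspicious": False, "origin": origin_server(shared),
                "preloaded": []}
    return {"suspicious": True, "origin": shared[-1],
            "preloaded": [h for h in shared[:-1] if h not in PSEUDO_HOSTS]}


if __name__ == "__main__":
    for label, path in (("earthlink", PATH_VIA_EARTHLINK),
                        ("readfreenews", PATH_VIA_READFREENEWS)):
        hops = parse_path(path)
        print(label, "origin:", origin_server(hops), "via", organisations(hops))
    print("thread pair:", preload_verdict([PATH_VIA_EARTHLINK, PATH_VIA_READFREENEWS]))
    print("toy copies:", preload_verdict(TOY_COPIES))
    print("stray POSTED:", stray_posted_hops(parse_path(MID_POSTED)))
```

The two real copies share only the rcn and giganews hops and then diverge, which the verdict reports as unsuspicious; the toy copies share four organisations, so d is reported as the origin and e, f, g as pre-loaded.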
A good way to become acquainted with paths is to just look at a 'bunch'
or a few dozen different paths which do not include any forgery. Start
with looking at the honest or unforged ones on your own provider's
newsserver. After about the first 2 or 3, you will realize that the
first [which is chronologically the last] 'half' of the path is always
the same, because it represents the feed that your provider's newsserver
gets.
So, then, for the first dozen or so that you are looking at on your rcn
newsserver, you would just focus on the 2nd half of the path, from the
poster's newsserver to the poster's newsserver's backbone feed.
Typically you will see some transition from one backbone to another --
that makes sense.
Before you start trying to look at bogotic headers, you should spend
some time with legitimate ones.
Then, after you examine some honest headers on your own provider's
newsserver, you should access some alternate newsservers, ie free or
nearly free ones, so that you can see the other half, 'your'
newsserver's half when 'your' newsserver isn't rcn's newsserver.
So, then you will begin to recognize how the 'halves' look. After some
dozens of doing that, then you can start tinkering with the amateurish
attempts to forge headers, so that you can discern where the forgery
begins. You can't start cutting your teeth on bandsaw grade forged
headers.
It's common for servers to have incoming feeds from more than one other
server. In fact, it's almost a necessity for a server that aims for
"completion" in any particular newsgroup. My college's server, for
example, receives feeds from four universities. So even if you look at
postings that were made on the same server, it's quite possible for them
to take different routes to get to your server, if they were posted at
different times.
--
Jon Bell <jtb...@presby.edu> Presbyterian College
Dept. of Physics and Computer Science Clinton, South Carolina USA
>>After about the first 2 or 3, you will
>> realize that the first [which is chronologically the last] 'half' of
>> the path is always the same, because it represents the feed that
>> your provider's newsserver gets.
>
> It's common for servers to have incoming feeds from more than one
> other server. In fact, it's almost a necessity for a server that
> aims for "completion" in any particular newsgroup. My college's
> server, for example, receives feeds from four universities. So even
> if you look at postings that were made on the same server, it's quite
> possible for them to take different routes to get to your server, if
> they were posted at different times.
That's good for your news, and shows that old friendly cooperation
between universities.
'Always' wasn't a good choice of words - depending on the newsserver. A
lot of newsservers would have much better performance if they had that
kind of redundancy you describe -- but with more and more feeds becoming
overwhelmed, more and more newsservers are not stepping up to the plate
with significant redundancy.
I'll bet the rcn only gets fed by giganews. Now, maybe/ likely/ giga
has redundancy.
--
Mike Easter
Looks like it. In another window, I'm running a search on the article
spool on my server, for "Path:" headers that contain ".rcn.". All of the
ones that I've noticed so far originated at rcn, and went through giganews
next.
>Now, maybe/ likely/ giga has redundancy.
So far I've seen glorb.com (mostly), syr.edu, and sdsu.edu, after a few
dozen postings.
Google exchanges with at least glorb.com and stanford.edu.
--
Jon Bell <jtb...@presby.edu> Presbyterian College
Dept. of Physics and Computer Science Clinton, South Carolina USA
An obvious question is, "how does one know that they don't fit?" But
let's table that for a minute to go on to the examples you posted below.
> In the case of the path, we look at/ see/ the path from one news server
> to the other, backwards. This newsgroup's headers are more awkward to
> deal with because of the moderation effect, but if we look at the path
> of one of your messages in a different newsgroup from your provider's
> newsserver to my provider's newsserver, we see this, with me adding some
> spaces after the bangs so that the line will wrap.
>
> Path: newsspool2.news.pas.earthlink.net! stamper.news.pas.earthlink.net!
> elnk-nf2-pas! newsfeed.earthlink.net! newshub.sdsu.edu!
> border1.nntp.dca.giganews.com! nntp.giganews.com!
> local01.nntp.dca.giganews.com! nntp.rcn.net! news.rcn.net.POSTED!
> not-for-mail
I see the general path. But if I didn't have your analysis, I never
would have been able to interpret this on my own. For example, you say
the post went from rcn to giganews. But if I look at the post,
beginning with the last, I see:
"...nntp.giganews.com!
> local01.nntp.dca.giganews.com! nntp.rcn.net! news.rcn.net.POSTED!
> not-for-mail"
Now why are there two identifications for rcn, and why are there two
identifications for giganews? Does the fact that the first( last rcn )
indicate the originating news server, and the second reference to rcn
headed by the nntp. merely indicate that the post was transferred from
rcn according to the nntp? And ditto for giganews? If that
interpretation is correct, that would be an explanation. If not, an
explanation is required.
And next question: Why do some of the notations in the path end with a
"!" and others not?
Additionally, what is meant by dca.? What is meant by local101,
border1, border2, elnk-nf2-pas?
Your previous explanation didn't cover those.
> This is a header with no forgery - so that is an important consideration
> to begin with. We see your provider rcn to giganews to San Diego
> State's hub to earthlink. If I look at that same message on a different
> newsserver it takes a different path to the alternate newsserver.
How would one tell if something doesn't belong? Based on what I know
right now, the portion of the path elnk-nf2-pas! doesn't seem to belong
either?
> Path: authen.white.readfreenews.net! green.octanews.net!
> news-out.octanews.net! canary.octanews.net!
> border2.nntp.dca.giganews.com! border1.nntp.dca.giganews.com!
> nntp.giganews.com! local01.nntp.dca.giganews.com! nntp.rcn.net!
> news.rcn.net.POSTED! not-for-mail
>
> There we see your provider rcn to giga to octanews to readfreenews,
> whcih is in the octa family.
>
>
>>Next, what is meant by MIME?
>
>
> MIME is an 'official' RFC sanctioned/defined message format which stands
> for Multipurpose Internet Mail Extensions, the MIME line is stamped by
> your newsreader which calls itself User-Agent: Mozilla/5.0 (Macintosh;
> U; PPC Mac OS X Mach-O; en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2
>
> In the case of news 'protocols' or good practices, the general behavior
> is plaintext with no attachments, so the mime business isn't usually an
> important or useful tag. And, I've only seen mime 1.0.
You used the term wrap? What is meant by that? I note in my edit box a
'rewrap' command.
Also, you mention people can edit their headers. Is that a common
practice with all news readers? I don't seem to have any control over
what my headers say? I see nothing in the help instructions regarding
those.
Any assistance, and the simpler the better (considering the fundamental
nature of my questions), would be appreciated.
Alan
I appreciate the reply, however, it still raises a question: How does
one forge a header? My news reader does not apparently permit me to
alter their composition? Do others? Does mine (but I just don't know
how to do it)?
And I see that my comments have initiated a developing discussion that
appears to be going in additional directions. Hopefully, I'll be able
to learn something from it.
Alan
>> Headers need to be looked at in the context of the whole header,
> An obvious question is, "how does one know that they don't fit?"
Remember the earlier links about forgery detection and which elements
are easier and harder to forge.
>> me adding some spaces after the bangs so that the line
>> will wrap.
>>
>> Path: newsspool2.news.pas.earthlink.net!
>> stamper.news.pas.earthlink.net! elnk-nf2-pas!
>> newsfeed.earthlink.net! newshub.sdsu.edu!
>> border1.nntp.dca.giganews.com! nntp.giganews.com!
>> local01.nntp.dca.giganews.com! nntp.rcn.net! news.rcn.net.POSTED!
>> not-for-mail
> and the second reference to
> rcn headed by the nntp. merely indicate that the post was transferred
> from rcn according to the nntp? And ditto for giganews?
Yes.
> And next question: Why do some of the notations in the path end with
> a "!" and others not?
They all do except for the one attached to POSTED and the end.
> Additionally, what is meant by dca.? What is meant by local101,
> border1, border2, elnk-nf2-pas?
I don't know - except that the news server feeds, backbones, borders,
and such are free to name themselves. There is a lot about news servers
and feeds and backbones that I am just now learning.
> How would one tell if something doesn't belong? Based on what I know
> right now, the portion of the path elnk-nf2-pas! doesn't seem to
> belong either?
In an unforged header, everything 'belongs' in the sense that no one put
it there 'nefariously'. In a possibly forged header, one with evidence
and/or suspicion of forgery - anything can be forged. In this case I
picked your headers and assumed they were not forged.
In the one extreme sense, headers are either forged or they are not.
But that doesn't tell the story very well. Maybe obfuscated would
sometimes be a better or another term. For example, I might choose to
use a news server that is configured to leave a different kind of
'trail' for my posts than my EL one does. That isn't forgery. It is
just choosing a newsserver which provides less identification of me by
my post. If we choose to 'forge' our From line to avoid spam, that is
one form of obfuscation ie forgery that is mostly acceptable, but not by
everyone's philosophy.
Someone else might choose to derive their anonymity for a news post
without performing any forgery at all by using an anonymizing service or
remailer. Somewhere in here we need to get back to the question of why
it is you are trying to learn how to interpret newsheaders. Mostly it
should be none of your business whether or not someone chose to forge
their headers or otherwise obfuscate them or if they used an anonymizer.
When you interact in a newsgroup, you are interacting with a
cyberpersona. Figuring out where the post came from doesn't really have
anything to do with that interaction.
OTOH, some other people might feel that they don't choose to interact
with anyone who has chosen to anonymize themselves. Dif'rent strokes
for dif'rent folks.
> You used the term wrap? What is meant by that? I note in my edit
> box a 'rewrap' command.
Our newsreaders wrap the length of our lines to about 72-74 chars for
readability and make those wraps in the spaces between words, not right
in the middle of the words; so if there's a line which has no spaces in
it, like a Path: line, my newsreader has a hard time wrapping the line,
so when I post Path lines I put in a space after the bang to help with
the wrap. Wrapping is the end of a line EOL and the beginning of
another line.
> Also, you mention people can edit their headers.
I don't recall using those words - just implying that people can forge
headers.
> Is that a common
> practice with all news readers?
You can edit your From line and your Reply-To line and you can make your
date be funky. You can indirectly influence other elements which show
up in your headers. Some people have more control than others,
depending upon their newsreader. The same is true for your mailuser
agent. Healthy normal mua/s don't allow the same kind of 'manipulation'
of header information that ratware or spamware permits.
> I don't seem to have any control over
> what my headers say? I see nothing in the help instructions regarding
> those.
Mostly our newsreaders are not designed for header forgery.
--
Mike Easter
Surely you aren't interested in learning how to forge headers!?
If your wish is to anonymize yourself better for newsgroup postings,
let's change the subject to that.
If your wish is to identify those who are trying to anonymize
themselves, let's ask why.
--
Mike Easter
Some headers are easier to forge than others, and some newsreaders
provide greater control over what is in various headers than others.
There is also some fuzziness in the term 'forge' because that implies
that manual arbitrary modification is always incorrect. For example,
many people have multiple email addresses that are perfectly valid, and
don't always want to post using the same one, so some newsreaders allow
them to enter anything at all as their From and/or Reply-To headers.
Or someone may think some domain like "xyz.com" is funny, and use an
address they do not own in it as a way to avoid getting spam to their
real address without consideration for the fact that there really IS a
xyz.com with actual users, maybe even one thought up out of thin air. On
that level, virtually ANY newsreader supports header forgery, as the
newsreader has to trust whatever a foolish user enters as their email
address.
Path headers are actually one of the easier things to forge, because
there can be legitimate reasons to 'preload' a Path header and a server
cannot generally tell that such a preload is necessarily bogus. Many
newsreaders provide direct control over header content including the
capacity to add an arbitrary Path header, but it looks like you are
using Netscape 7.2 for MacOS, whose features I cannot speak to. Last I
bothered looking, the Netscape newsreader piece was rather weak.
The bottom line is always that a newsreader does not really limit such
behavior, because news is sufficiently simple that a human can rather
easily do everything a newsreader does to post a message using simple
tools like telnet. Some news servers impose some controls in narrow
areas over what can be posted, but there is no universal enforcement
of anything in headers by all news servers so you really cannot know
which headers are fake and which can be trusted in a particular message.
--
Now where did I hide that website...
Probably because both giganews and rcn use separate servers for incoming
and outgoing feeds, to distribute the workload.
>And next question: Why do some of the notations in the path end with a
>"!" and others not?
The "!" is the separator between names, so each name is followed by a "!"
except the last one. The entire "Path:" header is one long line, with
just a single blank space, after "Path:". Mike added spaces by hand so
the line would wrap in a readable fashion on display.
>Additionally, what is meant by dca.? What is meant by local101,
>border1, border2, elnk-nf2-pas?
Path names can be whatever the server's admins configure them to be, in
their server software. Usually (not always!) they are the actual Internet
domain names of the servers. The last two components of the name
(rcn.com, earthlink.com, presby.edu, etc.) are usually easily recognizable
as company/university/whatever domains. Other components are entirely up
to whatever naming convention each company uses for subdomain and host
names.
>How would one tell if something doesn't belong? Based on what I know
>right now, the portion of the path elnk-nf2-pas! doesn't seem to belong
>either?
You have to know by some other means (or at least make an educated guess)
that the named servers don't actually feed each other. For example, any
path that contains something like "jtbell.presby.edu!newshub.sdsu.edu" has
to be bogus because we don't get a feed from sdsu.edu.
If you don't have that kind of information, it's hard to come to any
conclusions from looking at a single posting's "Path:" header, or even a
bunch of postings on the same server. However, if you have several
copies of the same posting, as seen on different servers, then you can
compare their "Path:" headers and look for suspicious patterns. Usually,
in a normal posting the paths to different servers will start to "diverge"
quickly, after passing through only one or two servers (not counting
multiple servers run by the same company). If all the paths have a longer
"matching" sequence of components at the end, it *may* indicate that most
of them were "pre-loaded", with the first "matching" component being the
actual originating server. For example, if you have paths of
a:q:n:d:e:f:g
c:w:x:d:e:f:g
m:r:s:d:e:f:g
on three copies of the same posting, from servers a, c and m, one might
suspect that "e:f:g" was preloaded and that the postings actually
originated at d. (Again, you have to allow for multiple servers operated
by the same company.)
>> Path: authen.white.readfreenews.net! green.octanews.net!
>> news-out.octanews.net! canary.octanews.net!
>> border2.nntp.dca.giganews.com! border1.nntp.dca.giganews.com!
>> nntp.giganews.com! local01.nntp.dca.giganews.com! nntp.rcn.net!
>> news.rcn.net.POSTED! not-for-mail
I just noticed in this one, "news.rcn.net.POSTED". I think some companies
add a "POSTED" component to the path name of a server that actually
receives postings directly from their own users. If you see one of these
in the middle of a "Path:" line, that should probably be treated as a
warning flag that the following names might have been preloaded.
I just did some searching and came up with a bunch of examples similar to
this one:
Path: jtbell.presby.edu! newsfeed.stanford.edu! headwall.stanford.edu!
newshub.sdsu.edu! elnk-nf2-pas! newsfeed.earthlink.net!
stamper.news.pas.earthlink.net! stamper.news.atl.earthlink.net!
newsread1.news.atl.earthlink.net.POSTED! 6f5b67f4! not-for-mail
The third-from-last component had "POSTED". The next-to-last one is new
to me (at least this is the first time I've paid attention to it).
It's probably some kind of code that Earthlink uses to track
which of their customers, or subsidiaries, or something, originated the
posting.
And the last one, "not-for-mail" is pretty universal. I think your
news-posting software puts it there, or else your originating server puts
it there if it doesn't find one. I think it goes back to the days when
Usenet wasn't part of the Internet, and people who weren't on the Internet
sent e-mail using addresses that explicitly indicated how to route the
message to its final destination. Those addresses used a format that
looked just like the "Path:" lines on Usenet postings: a list of mail
servers separated by "!" ("bang-path addressing"). Here, the
"not-for-mail" (I think) traditionally indicates that *these* paths are
*not* to be used for e-mail. (Most of this is a semi-educated guess, and
I'd be delighted if someone can confirm or correct it!)
--
Jon Bell <jtb...@presby.edu> Presbyterian College
Dept. of Physics and Computer Science Clinton, South Carolina USA
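The Path-comparison heuristic Jon describes above, worked through as an added example (this is not code from the thread or from any news server software). It splits a Path line into hops, compares several copies of one posting for a shared tail, and flags a ".POSTED" alias that sits too far from the end. The two Path lines are the ones quoted in the post and the a/c/m copies are Jon's toy example; the thresholds for "normal" tail length are assumptions.

```python
"""Usenet Path header analysis (added example, not code from the thread).

Implements the heuristics described above: split a Path line on "!",
look for a suspiciously long tail shared by several copies of one posting,
and flag a ".POSTED" marker that sits in the middle of a path.
"""
from typing import Dict, List, Sequence

# The two Path lines quoted in the thread, with the hand-inserted spaces
# that were added so they wrap on display.
GIGANEWS_PATH = (
    "Path: authen.white.readfreenews.net! green.octanews.net! "
    "news-out.octanews.net! canary.octanews.net! "
    "border2.nntp.dca.giganews.com! border1.nntp.dca.giganews.com! "
    "nntp.giganews.com! local01.nntp.dca.giganews.com! nntp.rcn.net! "
    "news.rcn.net.POSTED! not-for-mail"
)
EARTHLINK_PATH = (
    "Path: jtbell.presby.edu! newsfeed.stanford.edu! headwall.stanford.edu! "
    "newshub.sdsu.edu! elnk-nf2-pas! newsfeed.earthlink.net! "
    "stamper.news.pas.earthlink.net! stamper.news.atl.earthlink.net! "
    "newsread1.news.atl.earthlink.net.POSTED! 6f5b67f4! not-for-mail"
)
# The toy example from the post (":" replaced by the real "!" separator).
TOY_COPIES = ["a!q!n!d!e!f!g", "c!w!x!d!e!f!g", "m!r!s!d!e!f!g"]


def parse_path(header: str) -> List[str]:
    """Split a Path header (with or without the "Path:" name) into hops.

    The wire format is one line with "!" as separator and no spaces;
    stripping whitespace around each part also accepts hand-wrapped copies.
    """
    value = header.strip()
    if value[:5].lower() == "path:":
        value = value[5:]
    return [p.strip() for p in value.split("!") if p.strip()]


def common_suffix(paths: Sequence[Sequence[str]]) -> List[str]:
    """Components that every path ends with, in path order."""
    if not paths:
        return []
    shortest = min(len(p) for p in paths)
    shared: List[str] = []
    for i in range(1, shortest + 1):
        hop = paths[0][-i]
        if all(p[-i] == hop for p in paths):
            shared.append(hop)
        else:
            break
    shared.reverse()
    return shared


def analyse_copies(headers: Sequence[str], max_normal_tail: int = 3) -> Dict[str, object]:
    """Compare copies of one posting seen on different servers.

    Paths normally diverge within a hop or two of the posting server, so the
    shared tail is usually short: the injecting server, its ".POSTED" alias
    and "not-for-mail". A longer shared tail suggests the extra hops were
    pre-loaded, and the first shared component is the probable real origin.
    The threshold of 3 is an assumption; raise it for sites that put several
    of their own server names on every path.
    """
    tail = common_suffix([parse_path(h) for h in headers])
    suspect = len(tail) > max_normal_tail
    return {
        "shared_tail": tail,
        "suspect_preload": suspect,
        "probable_origin": tail[0] if suspect else None,
        "possibly_preloaded": tail[1:] if suspect else [],
    }


def posted_in_middle(path: Sequence[str], max_after: int = 2) -> List[str]:
    """Hops that follow a ".POSTED" component, if more than expected.

    A ".POSTED" alias normally sits near the end of the path, followed only by
    a tracking token and "not-for-mail". More hops after it is the warning
    sign mentioned in the thread. Returns the trailing hops, or [] when the
    marker is absent or in its normal position.
    """
    for i, hop in enumerate(path):
        if hop.upper().endswith(".POSTED"):
            after = list(path[i + 1:])
            return after if len(after) > max_after else []
    return []


if __name__ == "__main__":
    for hdr in (GIGANEWS_PATH, EARTHLINK_PATH):
        hops = parse_path(hdr)
        print(len(hops), "hops; after POSTED:", posted_in_middle(hops) or "normal")
    print(analyse_copies(TOY_COPIES))
```

On the toy copies the shared tail is d, e, f, g, so the code reports d as the probable origin and e, f, g as possibly pre-loaded, which is the conclusion the post reaches by hand. Both quoted Path lines parse to eleven hops and their ".POSTED" alias is in the normal position, so neither trips the warning. As the post says, the result is a hint, not proof: a site that runs several servers under one company name will produce a longer shared tail on perfectly honest postings.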
> How can one trace the source of a NG post when there is NO NNTP
> Host listed in the Header?
>
> Additionally, what is meant by a DNS?
>
> Alan
>
You have interesting headers, "Alan".
To start with, host (a dns tool) reports
that rcn.net, which your post originates
from (allegedly), has no A record.
No IP can be gotten for rcn.net with the
normal tools.
$ host rcn.net
rcn.net A record currently not present
Interestingly, I couldn't ping your IP (no response),
but another tool at my disposal revealed that it was up
and running on the Internet.
Here's what a whois search reveals about
rcn.net:
$ whois rcn.net
Registrant:
Residential Communications Network
105 Carnegie Center
Princeton, NJ 08540
US
Domain Name: RCN.NET
Administrative Contact:
RCN ab...@RCN.COM
7921 WOODRUFF CT
SPRINGFIELD, VA 22151-2108
US
703-321-8000 fax: 703-321-8316
Technical Contact:
RCN ab...@RCN.COM
105 Carnegie Center
Princeton, NJ 08540
US
800-746-4726 fax: 999 999 9999
Record expires on 03-May-2011.
Record created on 02-May-1995.
Database last updated on 23-May-2005 05:24:19 EDT.
Domain servers in listed order:
AUTH1.DNS.RCN.NET 207.172.3.20
AUTH3.DNS.RCN.NET 207.172.3.21
AUTH4.DNS.RCN.NET 207.172.3.22
AUTH2.DNS.RCN.NET 207.172.11.14
And here is what host reports about your NNTP-Posting-
Host IP:
$ host -a 192.168.253.29
Name: mid2.eng01.mindspring.net
Address: 192.168.253.29
And what whois has to say about that IP:
$ whois 192.168.253.29
OrgName: Internet Assigned Numbers Authority
OrgID: IANA
Address: 4676 Admiralty Way, Suite 330
City: Marina del Rey
StateProv: CA
PostalCode: 90292-6695
Country: US
NetRange: 192.168.0.0 - 192.168.255.255
CIDR: 192.168.0.0/16
NetName: IANA-CBLK1
NetHandle: NET-192-168-0-0-1
Parent: NET-192-0-0-0-0
NetType: IANA Special Use
NameServer: BLACKHOLE-1.IANA.ORG
NameServer: BLACKHOLE-2.IANA.ORG
Comment: This block is reserved for special purposes.
Comment: Please see RFC 1918 for additional information.
Comment:
RegDate: 1994-03-15
Updated: 2002-09-16
OrgAbuseHandle: IANA-IP-ARIN
OrgAbuseName: Internet Corporation for Assigned Names and Number
OrgAbusePhone: +1-310-301-5820
OrgAbuseEmail: ab...@iana.org
OrgTechHandle: IANA-IP-ARIN
OrgTechName: Internet Corporation for Assigned Names and Number
OrgTechPhone: +1-310-301-5820
OrgTechEmail: ab...@iana.org
<quote>
Address Allocation for Private Internets
Status of this Memo
This document specifies an Internet Best Current Practices for the
Internet Community, and requests discussion and suggestions for
improvements. Distribution of this memo is unlimited.
1. Introduction
For the purposes of this document, an enterprise is an entity
autonomously operating a network using TCP/IP and in particular
determining the addressing plan and address assignments within that
network.
This document describes address allocation for private internets. The
allocation permits full network layer connectivity among all hosts
inside an enterprise as well as among all public hosts of different
enterprises. The cost of using private internet address space is the
potentially costly effort to renumber hosts and networks between
public and private.
</quote>
http://www.faqs.org/rfcs/rfc1918.html
So. Is this a research project that Earthlink has assigned you
to? Mindspring.net IS Earthlink and you certainly seem to
be working in their engineering office.
So why are you posting through giganews, which it turns
out owns rcn.net:
$ host news.rcn.net
news.rcn.net A 216.196.97.142
$ whois 216.196.97.142
Data Foundry, Inc. DATAFOUNDRY (NET-216-196-96-0-1)
216.196.96.0 - 216.196.127.255
Giganews, Inc. GIGAN-CIDR1 (NET-216-196-96-0-2)
216.196.96.0 - 216.196.111.255
Why not through news.east|west.earthlink.net?
AC
> Alan Lichtenstein wrote:
>
>>I appreciate the reply, however, it still raises a question: How does
>>one forge a header? My news reader does not apparently permit me to
>>alter their composition? do others? Does mine( but I just don't know
>>how to do it )?
>
>
> Surely you aren't interested in learning how to forge headers!?
Surely not, but you have made an assertion that people do it. I merely
wish to understand how it is done. You have replied earlier in another
post in this thread that most news readers do not permit altering of
which items are contained in a header, or to alter how those items are
generated by the news reader. If one cannot alter those items, as per
your previous post, it certainly raises the question as how that might be
possible.
> If your wish is to anonymize yourself better for newsgroup postings,
> let's change the subject to that.
Not at all. I have been posting for a number of years, using my own
name, and archiving all my posts. I merely want to learn more about the
working of NG's. Such includes understanding of how alterations are
made. Nothing more. I have told you that before, yet you apparently do
not believe me. I assure you that such is not the case.
> If your wish is to identify those who are trying to anonymize
> themselves, let's ask why.
That is not my wish despite the heading of the post. So there is no
reason to ask why for a circumstance which isn't applicable. My
question came about because of some anonymous posting, but that merely
raised the question of information. As I told you earlier, I may not
have been asking the correct questions, due to my lack of knowledge.
Please move beyond your skepticism.
Alan
<snip>
Now you are posting from a COMPLETELY different IP!
host 209.122.225.252
Name: 209-122-225-252.s252.apx1.nyw.ny.dialup.rcn.com
Address: 209.122.225.252
From mindspring.net, based in Atlanta, Georgia, to a
dial-up account at rcn.com
OrgName: RCN Corporation
OrgID: RCN
Address: 105 Carnegie Center
City: Princeton
StateProv: NJ
PostalCode: 08540
Country: US
Which is the same as rcn.net which is giganews.
Which is based in Austin, Texas.
http://www.rcn.com
http://www.rcn.net
Both take you to the same website.
AC
No. You got that wrong somewhere.
You must've grabbed Jon Bell's from
news:nnq.d6s5m1$ff$1...@jtbell.presby.edu - which isn't his 'proper' IP
either.
--
Mike Easter
Yes, that's one of the private internal IP addresses used by our dialup
PPP modems, so it indicates that I was posting from home. It resolves
properly only within our campus network. If you're inside some other
local network, it may resolve to some machine on that network.
To Alan L. and the peanut gallery: There are blocks of IP addresses that
are reserved for use within local networks. Any local network can use
them, but they must not be resolvable outside of the local network. One
block is 10.*.*.*, another is 192.168.253.*, and there's another that I've
forgotten. If you need to trace an IP address like this, you have to
contact that local network's administrators.
A typical NNTP-Posting-Host from one of Alan L.'s postings:
|
| NNTP-Posting-Host: 209.122.225.88
--
Jon Bell <jtb...@presby.edu> Presbyterian College
Dept. of Physics and Computer Science Clinton, South Carolina USA
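Jon's point that a reserved address cannot be traced from outside the network using it, as an added example (not code from the thread). It pulls the value out of an NNTP-Posting-Host line and classifies it against the three blocks RFC 1918 defines before anyone spends a whois lookup on it; the whois of 192.168.253.29 earlier in the thread, which came back with IANA's reservation notice, is exactly the case it catches. The sample header lines are constructed from addresses quoted in the thread; the category names are my own.

```python
"""Classify an NNTP-Posting-Host value before trying to trace it
(added example, not code from the thread).

A private (RFC 1918) address cannot be traced from outside the network
that uses it; only that network's administrators can say which host had
it at the time.
"""
import ipaddress
from typing import Optional

# The three blocks reserved by RFC 1918 for private internets.
RFC1918_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def posting_host_value(header_line: str) -> Optional[str]:
    """Return the value of an "NNTP-Posting-Host:" line, or None if the line
    is some other header. Header names are case-insensitive."""
    name, sep, value = header_line.partition(":")
    if not sep or name.strip().lower() != "nntp-posting-host":
        return None
    return value.strip()


def classify_host(value: str) -> str:
    """One of 'rfc1918-private', 'public', 'hostname' or 'empty'.

    'hostname' covers values that are not IPv4/IPv6 literals at all, such as
    the mindspring.net name that came up in the thread; those have to be
    resolved first and the resulting address classified again.
    """
    if not value:
        return "empty"
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return "hostname"
    if addr.version == 4 and any(addr in block for block in RFC1918_BLOCKS):
        return "rfc1918-private"
    return "public"


def traceable(header_line: str) -> bool:
    """True only when the line names a public IP address that a whois lookup
    can say something about; private addresses and bare hostnames need
    other steps first."""
    value = posting_host_value(header_line)
    return value is not None and classify_host(value) == "public"


# Constructed sample lines using values quoted in the thread.
SAMPLE_HEADERS = [
    "NNTP-Posting-Host: 209.122.225.88",
    "NNTP-Posting-Host: 192.168.253.29",
    "NNTP-Posting-Host: mid2.eng01.mindspring.net",
    "X-Trace: example",
]

if __name__ == "__main__":
    for line in SAMPLE_HEADERS:
        v = posting_host_value(line)
        verdict = classify_host(v) if v is not None else "not a posting-host header"
        print(line, "->", verdict)
```

The 209.122.225.88 line is the only one worth a whois; 192.168.253.29 is reported as private, and the mindspring.net name is handed back as a hostname to be resolved first. Note that the check uses the full 192.168.0.0/16 block that the whois output in the thread shows, not just 192.168.253.*.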
> Alan Connor wrote:
>
>> And here is what host reports about your NNTP-Posting- Host
>> IP:
>>
>> $ host -a 192.168.253.29
>
> No. You got that wrong somewhere.
>
> You must've grabbed Jon Bell's from
> news:nnq.d6s5m1$ff$1...@jtbell.presby.edu - which isn't his
> 'proper' IP either.
You are right. I got sloppy and hit a key and switched from
Alan's to Jon's headers. It was late....
And if it hadn't been so late, I would have recognized the
off-net block of addresses that Jon covers in his post.
After all, I use them myself...
I think I got the mindspring.net domain name because that's
an address that Earthlink also uses internally, and that's
the network I'm in.
Sorry,
AC
> In article <nnq.NuidnYJHO...@rcn.net>,
> Alan Lichtenstein <a...@xyz.com> wrote:
>
>>Mike Easter wrote:
>>
>>
>>>Alan Lichtenstein wrote:
>>>
>>>
>>>>[...] I realize that you're
>>>>trying to be helpful, but sources without explanation of how to use
>>>>them really don't help me much. A bit more thorough explanation
>>>>would be appreciated.
>>>
>>>First read what's been put on your plate, grasshopper.
>>
>>I did. It wasn't very helpful.
>
>
> OK, now that you've made an honest effort to do the research yourself,
> it's completely appropriate to ask specific questions. This is probably
> as good a place as any, unless Mike or somebody else can suggest a better
> place.
>
> So, what specifically are you having trouble with? If it relates to
> deciphering something you've read somewhere, it would be helpful to
> provide a link to it, along with your question(s), so we can see where
> you're coming from.
Headers contain a number of items. I have noticed that some headers
contain more items than others. My question is: Are those items
programmed into the software of the news reader, or are they put in by
the news server?
If the latter should be the case, and the header items are NOT
programmed into the news reader, then how does the news reader KNOW to
put them in if they are not contained in the programming?
Additionally, which news readers permit the user to select which header
topics are included in his/her headers?
Alan
> Headers contain a number of items. I have noticed that some headers
> contain more items than others. My question is: Are those items
> programmed into the software of the news reader, or are they put in by
> the news server?
Both, actually. Some of the headers are created by the newsreader, some
by the posting server, and at least one (Path) is modified by each
server the message passes through. Which ones you normally see are
controlled by the news reader.
I use MacSOUP, and have a set of headers that I always want to see
displayed by default. There's a toggle switch so that if I wish to see
full headers on a particular message, I can.
> If the latter should be the case, and the header items are NOT
> programmed into the news reader, then how does the news reader KNOW to
> put them in if they are not contained in the programming?
Your news reader can only show you headers which are present in the
message. (For instance the "Lines: " header is present in some messages
and not in others.) By default, most news readers show you just a subset
of the headers, but most (maybe all?) have some key or button to show
all of them. Some newsreaders have an options or preferences setting
where you can select which headers will normally be shown.
> Additionally, which news readers permit the user to select which header
> topics are included in his/her headers?
If you are talking about outbound messages that you post, the answer is
none--some of them are added by the server and you have no control over
that with any newsreader.
There are a *lot* of newsreaders out there, and I don't know the answer
to this question for incoming messages. Since you use a Mac, I can tell
you that MacSOUP gives you almost complete control over what you see in
the headers of incoming messages. You might check out the reviews on
the GNKSA (Good Net Keeping Seal of Approval) website in my .sig--what
headers are shown by default is one of the factors in earning a GNKSA.
--
Kathy - read reviews of other newsgroups in news:news.groups.reviews
Good Net Keeping Seal of Approval at <http://www.gnksa.org/>
OE-quotefix can fix OE:
<http://home.in.tum.de/~jain/software/oe-quotefix/>
> Headers contain a number of items. I have noticed that some headers
> contain more items than others. My question is: Are those items
> programmed into the software of the news reader, or are they put in by
> the news server?
Some are inserted by the poster's news reader; others are added (or added
to) by news servers along the path. The most important netnews headers are
specified in RFC 1036.
> If the latter should be the case, and the header items are NOT
> programmed into the news reader, then how does the news reader KNOW to
> put them in if they are not contained in the programming?
They may also be inserted manually by the poster.
Thor
> Alan Lichtenstein wrote:
>
>
>>Headers contain a number of items. I have noticed that some headers
>>contain more items than others. My question is: Are those items
>>programmed into the software of the news reader, or are they put in by
>>the news server?
>
>
> Some are inserted by the poster's news reader; others are added (or added
> to) by news servers along the path. The most important netnews headers are
> specified in RFC 1036.
>
>
>>If the latter should be the case, and the header items are NOT
>>programmed into the news reader, then how does the news reader KNOW to
>>put them in if they are not contained in the programming?
>
>
> They may also be inserted manually by the poster.
Many people in this and other NG's say this is not possible. I know
that I can't change the headers for my newsreader, and a number of other
posters have told me such is the case with theirs. I would like to know
how I can control which headers appear in my news reader.
Alan
> Thor Kottelin wrote about news headers:
>
> > They may also be inserted manually by the poster.
>
> Many people in this and other NG's say this is not possible.
They are mistaken. You cannot insert some of the headers (the ones
under the control of the news server or news reader), but some of them
are optional up to the poster. (For instance, see the Mail-Copies-To:
header that I've just inserted in this message.)
> I know
> that I can't change the headers for my newsreader, and a number of other
> posters have told me such is the case with theirs. I would like to know
> how I can control which headers appear in my news reader.
Which headers you can control depends some on what newsreader you are
using. Experiment and search among your options and preferences to find
out what it will allow you to change.
--
Kathy - read reviews of other newsgroups in news:news.groups.reviews
Good Net Keeping Seal of Approval at <http://www.gnksa.org/>
OE-quotefix can fix OE:
<http://home.in.tum.de/~jain/software/oe-quotefix/>
> Alan Lichtenstein <a...@xyz.com> wrote:
>
>
>>Thor Kottelin wrote about news headers:
>>
>>
>>>They may also be inserted manually by the poster.
>>
>>Many people in this and other NG's say this is not possible.
>
>
> They are mistaken. You cannot insert some of the headers (the ones
> under the control of the news server or news reader), but some of them
> are optional up to the poster. (For instance, see the Mail-Copies-To:
> header that I've just inserted in this message.)
>
>
>>I know
>>that I can't change the headers for my newsreader, and a number of other
>>posters have told me such is the case with theirs. I would like to know
>>how I can control which headers appear in my news reader.
>
>
> Which headers you can control depends some on what newsreader you are
> using. Experiment and search among your options and preferences to find
> out what it will allow you to change.
>
So MacSoup permits you some flexibility. I do not believe Netscape(
Mozilla ) does. I was unable to find any such capability in my
preferences folder. Perhaps I was inefficient and missed something?
Alan
> Kathy Morgan wrote:
>
>> Alan Lichtenstein <a...@xyz.com> wrote:
>>
>>>Thor Kottelin wrote about news headers:
>>>
>>>>They may also be inserted manually by the poster.
>> Which headers you can control depends some on what newsreader
>> you are using. Experiment and search among your options and
>> preferences to find out what it will allow you to change.
>>
>
> So MacSoup permits you some flexibility. I do not believe
> Netscape( Mozilla ) does. I was unable to find any such
> capability in my preferences folder. Perhaps I was inefficient
> and missed something?
>
> Alan
Maybe ask in one of the many Mozilla or Netscape or Mac groups?
netscape.public.mozilla.mac
comp.sys.mac.
> Alan Lichtenstein <a...@xyz.com> wrote in
> news:nnq.3a2dnaOC_...@rcn.net:
>
> > So MacSoup permits you some flexibility. I do not believe
> > Netscape( Mozilla ) does. I was unable to find any such
> > capability in my preferences folder. Perhaps I was inefficient
> > and missed something?
>
> Maybe ask in one of the many Mozilla or Netscape or Mac groups?
This is a good suggestion. I often see newsreaders discussed in
<comp.sys.mac.comm>.
--
Kathy - Good Net Keeping Seal of Approval at <http://www.gnksa.org/>
OE-quotefix can fix OE:
<http://home.in.tum.de/~jain/software/oe-quotefix/>
Mozilla, Thunderbird and N7x all offer levels of Header viewing. The
settings are available generally under "View-> Headers" in the menu bar.
Also, on later versions, there's a small triangle to the left of the
Subject line that toggles headers on or off.
I generally have Full Headers selected, but not visible until I toggle
said triangle when I have reason to.
As stated earlier in the thread, those who choose to do so can forge
just about any line except those that are added by the server after
leaving the Sender's computer.
The ones changeable in just about any News client are Name, Reply-to,
From, and Subject.
It's also customary to set off one's signature with a dash dash space
return.
> Alan Lichtenstein wrote:
>
>> Kathy Morgan wrote:
>>
>>>
>>> Which headers you can control depends some on what newsreader you are
>>> using. Experiment and search among your options and preferences to find
>>> out what it will allow you to change.
>>>
>>
>> So MacSoup permits you some flexibility. I do not believe Netscape(
>> Mozilla ) does. I was unable to find any such capability in my
>> preferences folder. Perhaps I was inefficient and missed something?
>>
>
> Mozilla, Thunderbird and N7x all offer levels of Header viewing. The
> settings are available generally under "View-> Headers" in the menu bar.
> Also, on later versions, there's a small triangle to the left of the
> Subject line that toggles headers on or off.
>
> I generally have Full Headers selected, but not visible until I toggle
> said triangle when I have reason to.
>
> As stated earlier in the thread, those who choose to do so can forge
> just about any line except those that are added by the server after
> leaving the Sender's computer.
>
> The ones changeable in just about any News client are Name, Reply-to,
> From, and Subject.
>
> It's also customary to set off one's signature with a dash dash space
> return.
>
I wasn't referring to header viewing. I understand that. I was
referring to selecting WHICH headers appear in the post.
Alan
You are welcome. You were given that information in previous posts, and
it's difficult to determine what you in fact know, and what you are asking.
It's also customary- read: good netiquette- to set off one's signature
with a dash dash space return.
--
I've reviewed the thread, and seen that a very important fact has
been left out:
You CAN track down almost anyone on the Usenet. But there's no
point: The people that abuse and harass and threaten you don't
DO anything but run their mouths on the Usenet.
They aren't a threat in the real world, regardless of
what they SAY (which is usually reinforced by numerous
posts from different newsservers and ISPs and aliases
that are all really from the same person: Sockpuppets).
The best that you could accomplish by way of punishment/vengeance
would be to have them thrown off a particular ISP, and even that
isn't very likely: These are paying customers.
Then they'd just pop up on another one.
There's only one real defense: Don't respond to their posts and
don't respond to any RESPONSES to their posts.
EVER.
That's the ONLY way to defeat them.
<shrug> You can waste your time trying to track down a bunch of
sorry excuses for human beings if you want to.
But if you do, YOU are one of them.
Which I have suspected that you are from the very outset here.
And couldn't care less.
You can post anything you want on the Internet about me or to
me, and after the first couple of abusive posts, you are history.
See my sig? It has a URL to a website put up by a vicious troll
who hates my guts because I've ignored 10's of thousands of
his posts and he can't email me because of my excellent troll/
spam filter.
I've never even looked at the site, but assume that it contains
a lot of abuse directed towards me: <yawn>
See how thoroughly I have kicked this loser's butt?
I claim that the page is mine, and because he is a
little cowardly punk, he can't come forward and say
that I am lying, because in order to do that, he'd have
to give the thousands of people that he has offended
enough information to easily track him down.
:-)
AC
--
Please visit my home page:
http://angel.1jh.com./nanae/kooks/alanconnor.html