Cancel Messages: Frequently Asked Questions, Part 2/4 (v1.75)

[Tim Skirvin]

Archive-name: usenet/cancel-faq/part2
Posting-Frequency: monthly
Last-modified: 1999/09/30
Version: 1.75
URL: http://wiki.killfile.org/projects/usenet/faqs/cancel/

Cancel Messages
Frequently Asked Questions
Part 2/4

This document contains information about cancel messages on Usenet, such
as who is allowed to use them, how they operate, what to do if your
message is cancelled, and the like. It does not contain detailed
instructions on how to cancel a third party's posts. It is not intended
to be a fully technical document; its audience is the average Usenet user,
up to a mid-level administrator.

This document is not meant to be a comprehensive explanation of Usenet
protocols, or of Usenet itself, but a basic knowledge of these concepts
is assumed. Please refer to news.announce.newusers, RFC1036, and/or
RFC1036bis if you wish to learn them.

Disclaimers: The information contained within is potentially hazardous;
applying it without the permission of your news administrator may cause
the revocation of your account, civil action against you, and even the
possibility of criminal lawsuits. The author of this document is in no
way liable for misuse of the information contained within, nor is he in
any way responsible for damages related to the use or accuracy of the
information. Proceed at your own risk.

Table of Contents > = In other parts of the FAQ
================= * = Changed since last update
>I. What are cancel messages?
>II. How do cancels work?
>III. So your post was cancelled...
IV. What does it take to cancel messages?
A. I want to cancel posts! How do I do it?
B. I'm not kidding; I really do want to do it. How do I do it?.
C. What is a cancelbot?
D. Sounds cool. Where do I get one?
E. What? Why not?
F. Fine then, I'll write it myself.
* G. Right; I've got a cancelbot. Now what?
V. That idiot forge-cancelled my posts!
A. My post is gone; it was forge-cancelled, wasn't it?
* B. No, I'm sure, it was cancelled. Why?
C. How do I track the bastard down?
* D. Who's done this before?
E. What, are there only bad guys?
F. Is there anything I can do on my own?
VI. What moral issues are involved with cancel messages?
>VII. What's going to happen to cancels in the future?
>VIII. What about these other things?
>IX. What are the current cancel issues?

>Changes
>To Do
>Contributors
>Pointers

>Appendix A: Dave the Resurrector
>Appendix B: Retromoderation

IV. What does it take to cancel messages?
=========================================
A. I want to cancel posts! How do I do it?

You must be kidding.

B. I'm not kidding; I really do want to do it. How do I do it?

*sigh* Well, I'll bet you really haven't thought about it very
much yet. Read this section before you do anything, alright?

Anyway...

On a small scale, you can issue them by hand - see the Newsgroup
Care Cancel Cookbook (<URL:http://www.xs4all.nl/~rosalind/faq-care.html>)
for the details and warnings you'll need to get started. On a bigger scale,
you're going to want a cancelbot.

C. What is a cancelbot?

A cancelbot is a program that searches for messages matching a
certain pattern and sends out cancels for them; it's basically an
automated cancel program, run by a human operator.

D. Sounds cool. Where do I get one?

If you have to ask, you're probably going to have a hard time
getting one, and even if you do you probably won't be impressed with
the quality. I wouldn't even consider using a cancelbot unless you've
written it yourself or know exactly what it's doing (in which case you
might as well have written it yourself anyway).

E. What? Why not?

Giving out a cancelbot is like handing out loaded guns with no
safeties. Even if the recipient is well-intentioned, screw-ups are
fatal; you need the proper training first. There may be people out there
that will still give you that gun without the training, of course, but
it's a good idea to question their motives...

In general, until you know *exactly* how to use a cancelbot, you
shouldn't be experimenting with one - and most people that write the 'bots
know this. Cancelbots are dangerous, and can be used irresonsibly; more
than that, if you screw up with a cancel-bot you can cause *large*
problems, and it's fairly easy to screw up. For these and other reasons,
it's generally accepted that only those that are willing and able to
write their own cancelbot will ever actually get one.

Sidenote: even if you trust the source of the code, it's not a
good idea to trust it blindly. What security holes might it have? What
bugs may be in it? Is it optimized for the ways that you're planning on
using it? It's a lot safer to write your own code than to rely upon others;
not only is it easier to modify for yourself, but you at least then have an
idea what's still wrong with it...

F. Fine then, I'll write it myself.

Sure, go right ahead, but a word of wisdom: make sure you know
what you're doing.

Richard Depew, Usenet's current main bincanceller, was one of
the first people to use cancelbots in a large way. One of the most famous
bot-related incidents of all time was his ARMM cascade, in which a simple
spelling error on his part caused a large spew in news.admin.policy for
several hours before it was turned off. It was generally considered a Big
Oops.

Richard's incident was also far from the worst; that honor would
have to go to the incident where a misconfigured cancelbot was auto-
cancelling everything from netcom.com. Bigger Oops. And these examples
just scratch the surface of what can go wrong when writing a
cancelbot...

Before you test out your cancelbot on actual Usenet stuff,
double and triple check to make sure it *works*. Make sure that you've
gone through all the potential bugs and vulnerabilities - add safeties,
redundancies, internal logic checks, and what have you. Start a local
group, test the 'bot out in that group *only*. Whatever. Just remember,
you only get one chance at this, so do it right...

While writing a cancelbot, make sure you follow the conventions
that you plan on using ($alz, etc). In addition, once you've got the
basics down, mail Chris Lewis (cle...@ferret.ocunix.on.ca). He'll give
you some more tips.

G. Right; I've got a cancelbot. Now what?

Well, the obvious thing is to start using it. Don't. Before you
do so, make sure you've considered *everything*; cancels raise plenty of
interesting questions, and using a cancelbot isn't something to enter
into lightly.

Before you do anything, make sure you've thought a _lot_ about
_all_ of the following issues. Trust me, you'll need it.

1. Who is going to be affected by this, and how will they react?

Cancelbots tend to affect a lot of people. By running one, you
are messing with a lot of people - and, generally, making them
upset. Many are going to complain. Some are going to retaliate.

Succinctly, before you start up your cancelbot, make sure you can
handle any incoming mailbombs, that your network's security is
strong enough to stand up to persistent cracking attempts, that
you're on good enough terms with your bosses and administrators
that they won't fire you or drop your account the second they
get any complaints about you, that you've gotten your phone
number made unlisted, and that you've got a good lawyer handy.

That's a start, at least.

2. What kinds of problems will this cause legally?

In the USA, at least, the current best information/guess about
the legality of cancel messages says that non-content-based third
party cancels are legal, and that content-based ones are illegal.
However, this has just plain not been tested in anything resembling
a court of law, and wouldn't apply to other countries even if it
had been tested.

Even if cancels are legal in your place of work, of course, this
doesn't mean that you won't face legal harassment. It's almost
trivially easy to find some reason to sue somebody today; if you
hork somebody off by cancelling their posts, there is a chance
that they'll try this on you. Remember, to many it often doesn't
matter if they're going to win or lose the lawsuit; all that is
important is that they have forced you to spend money and time
to respond to the charges.

Regardless - there is definitely some legal risk associated with
third-party cancels. This risk is probably enough that you should
talk with your higher-ups first, or, if possible, a lawyer. It
could save you a lot of trouble down the line.

3. Is this a moral thing to do?

Even if cancel messages were perfectly legal, they still aren't
the nicest thing in the the world. By issuing a cancel you are
deleting somebody else's words; many would call this censorship,
and, even if their use is justified, they may be right.

The most commonly used moral argument about cancels is known as
the "slippery slope". The use of cancel messages leads down the
road to censorship, which is a Bad Thing; however, it may be
possible to keep the system under control by staying near the top.
The further cancels go, however, the more likely it is that they
cannot be controlled - and once that happens, any benefit they may
have once held will be gone.

Common practice says that non-content-based cancels are not
censorship. Instead, they are based on how "loud" the message
was said; it's not censorship to stop someone from blaring their
message out in the middle of the night using a megaphone. This
hopefully means spam cancels and their like are not yet out of
control, and that we haven't gone so far down that we can't return;
then again, this point is certainly up to debate.

4. Do I really have the time to deal with this?

Operating a cancelbot takes a lot of time. Just on a technical
level, the 'bot has to be written, the parameters have to be set
and constantly updated, and the thing watched to make sure it works;
that, though, is the least of your worries.

Once you get the 'bot running, people are going to take notice.
Result: you will get comments, you might get praise, and you will
probably get complaints. You *must* listen to them if you want to
continue running your 'bot responsibly. No, you don't have to
respond to everything, especially the more juvenile flames, but
you do have to make sure you listen to suggestions and problems;
after all, if your 'bot is cancelling something it shouldn't be
cancelling, you'll only find out when somebody tells you.

If you don't have time to deal with these comments and complaints,
then just give up now. Trust me, you'll be better off.

5. Do I know for *sure* what this program will be used for?

If people don't accept the purpose of your cancelbot, then your
cancelbot will not be effective for anything except getting a
whole lot of flames and your account nuked. As such, before you
start cancelling you should make sure you won't get rejected from
the job. Make yourself some rules:

- What kinds of posts will I be cancelling?
- Will I be expanding these criteria later?
- How accountable will I be?
- What if somebody asks me to include (or exclude) their
hierarchy?
- Will I give out my code to others?

Get these rules down now, before you run out of time to think
of them later on down the line. This way, when you're called on
them you can respond appropriately.

(Recap: the standard uses for third-party cancels are spams,
spews, moderated group cleanup, binaries in non-binary groups, and
forgeries. See section I.D. for details.)

6. Have I double- and triple-checked my code?

Again, screwing up your code can cause *big* problems. Before
you're ready to go operational, make absolutely sure that you know
that the code works 100% of the time. I'd personally recommend
asking yourself "could I operate this while drunk?" There are no
second tries here; don't give yourself a chance to screw it up.

This is, of course, especially important if your code is ever
going to be even viewed by another human being...

7. Do I know what's happened in the past?

The history of Usenet and cancels goes back a long, long way; it's
not only fairly interesting stuff, but it teaches interesting
lessons. Before you start the cancelbots, you should probably
know what they were used for before; with knowledge comes power,
after all, and this way you won't start repeating the mistakes of
your predecessors.

8. Am I following all of the rules?

While they may not be conventions, there are certain basic rules
that are usually followed by operators of cancelbots that should
probably be followed. A notice of the cancels should be posted
to news.admin.net-abuse.bulletins; the original poster and their
postmaster should be notified; a representative copy, or link to
such, should be appended to the notice of cancellation. You should
have a reliable contact address, so as to be fully accountable for
your actions. And, as usual, all of the official conventions
should be followed exactly.

If you're not doing them "nicely", you're going to get more
complaints than otherwise - and rightfully so. And if you aren't
capable of doing them nicely, then you probably shouldn't be issuing
cancels at all.

Remember, it has been proven time and again that nice, polite
cancel notifications make less enemies than angry, flamish ones.
It's probably a good idea to make your notifications as kind as
possible - though they should always include as much information
(or links to information) as you can possibly fit in.

9. Do I actually have to do *this*?

If you hadn't figured it out already, cancelbots are a pain in
the butt. For this if no other reason, you should probably
reconsider whether this is really necessary.

If your problem has to do with too much off-topic or irrelevant
traffic, maybe cancels aren't the solution. Talk about moderation
with the regulars of the newsgroup you're worrying about; someone
might be willing to help moderate the group, or maybe they have
another idea to solve the problem. Maybe mailing the offenders a
polite message saying "your message is off-topic" would help, or
perhaps it will take mailing the posters' administrators before
they'll stop; either way might be more effective than cancels.

Even if reasoning with everyone you can think of doesn't work, you
can still try other approaches. Post about it to news.admin.net-
abuse.usenet; the regulars there have trained themselves to deal
with obnoxious sites, and will help you if necessary. In many
cases, you can stop the problem with judicious use of killfiles.
And, if all else fails, you can always try NoCeM (section VII.D.).

In general, just make sure you've tried *every* alternative before
you start cancelling anything. It's a pain to start, it's a bigger
pain to continue, and the biggest pain comes when you finally want
to stop...

V. That idiot forge-cancelled my posts!
=======================================
A. My post is gone; it was forge-cancelled, wasn't it?

Before you do anything, check section III; double-check to make
sure that someone really *did* cancel your post before you get all upset.
Remember, no cancel message, no cancel.

B. No, I'm sure, it was cancelled. Why?

There are as many reasons to cancel a post as there are cancel
messages. Most cancels are issued for valid reasons (which are detailed in
previous sections), but sometimes they are done for what many people would
consider illegitimate reasons. The people that issue such cancels are known
as "rogue cancellers"; these are the ones to worry about.

Why do they do it? It depends. One popular excuse, started by the
infamous Church of Scientology, is that the message was a "Trade Secret" which
must be protected. Another excuse has become prevalent in recent years is
"if one may cancel, all may cancel" - the theory being that cancel messages
themselves are evil and must be stopped, and the way to do this is to abuse
the hell out of them so that sites will turn them off. Oddly, both of these
excuses generally lead to cancels aimed at those the cancellers have declared
"enemy", and usually end up backfiring.

All of those reasons, though, are pretty much just excuses. What
are the *real* reasons that somebody would do something like this? Simple:
they want to keep something out from under public scrutiny, they didn't like
what you said, or they just want to destroy a few messages.

And yes, those are very bad reasons.

In any case, rogue cancellers such as the above are *not* accepted
by the Usenet community. End of story. The hunts to track down rogue
cancellers often reach near-epic proportions, the searchers often spanning
the globe, and virtually all such quests end with, at the very least, the
cancels ending.

C. How do I track the bastard down?

If you have the cancel message, the best first step to tracking
down the canceller is to post a (single) copy of the message to news.admin.
net-abuse.usenet with a brief explanation of what's going on. The people
on that group are veterans at tracing Usenet messages; they can probably
help. While they're at it, they may also explain why your message may have
been cancelled legitimately, in case there's anything you missed.

For rudimentary analysis of who cancelled your post, check the
NNTP-Posting-Host: header of the cancel. While it is possible to forge
this header, it generally will say which machine was used to issue the
cancel message. Other, less-forgable headers include the Path: and
Sender: headers, and occasionally the Message-ID: header.

D. Who's done this before?

In the past, there have been many rogue cancellers of various
skill, competence, and intelligence. Some are gone; others are still on
the run, but appear occasionally. Here are a few of the most famous.

o Kevin Jay Lipsitz: "Krazy Kevin", as he called himself in his
spams, cancelled many posts on news.admin.net-abuse.misc
concerning his spams. His theory was that, by cancelling the
posts, it would take more effort to shut him down; on this point
he failed miserably, instead merely causing the implementation
of Dave the Resurrector (see Appendix A). During his time as
a spammer Kevin was kicked off of many ISPs, but he has not
been heard of for several months.

o CrackerBuster: in December of 1994, an unknown computer person
decided that he didn't like alt.2600, and decided to declare war
on the group and anyone that supported it. In one of the first
mass newsgroup attacks, CB issued cancels for every message in
alt.2600 and alt.current-events.net-abuse and then flooded the
groups with thousands of his own messages, effectively ruining
them. Chris Lewis did much of the work cleaning up the mess;
after he was done, he realized that he had himself a fully
working cancelbot; after getting some updated detection software
from Jonathan Kamens, Chris began work as Usenet's most prominent
major spam canceller.

o Crusader: Crusader's actions began with a very large neo-Nazi
mass email, sent several times to just about every email address
in existance. There were many systems involved in the sending of
this unprecedented attack, most of which were cracked; this didn't
stop a team of news.admin.* regulars from deciding they were going
to track the perpetrators down. To slow down the trace, the people
behind Crusader began to cancel all of the messages about the mass
mailings; this merely forced the creation of a short-term mailing
list and furthered the group's resolve to stop the attack. While
the trail stopped at a cracked system in Italy, the mailings
eventually stopped and the cancels ended.

o Ellisd: soon after the passing of the Communications Decency
Act, an anonymous user on Netcom decided to cancel everything in
alt.binaries.pictures.erotica.* and alt.sex.* as "indecent filth".
The account was shut down within hours; however, Ellisd continued
to forge cancels from other machines, forging them to appear to
come from his (now non-existant) Netcom account. Ellisd was
entirely stopped within another couple of days; his only real
effect had been to show that the cancellation of "morally
questionable" material would not be tolerated.

o The Pseudosite Incident: September of 1996 was a hard month for
Usenet. Having endured many varied newsgroup and mail bombs, the
next assault came in the form of tens of thousands of cancel
messages. Possibly modeled after the ellisd incident of several
months before, several parties unknown began issuing cancels using
several new pseudosites such as "geekcancel" (in comp.*) and
"kikecancel" (in soc.culture.israel). Needless to say, this
resulted in a whole pile of ticked off people. The cancels
stopped a few days later, and Chris Lewis reposted virtually all
of the cancelled messages, but the damage was done.

The pseudosite attack has started up several more times since its
initial run, most prominently in the "Michael Franowski" continuing
forgeries and the cancel/voter fraud attack upon news.lists.nocem.
This latter attack eventually forced UUNet to close down its open
news port.

o The CancelBunny: the Church of Scientology, a remarkably
paranoid organization, has several "secret scriptures" that have
long been distributed over Usenet. To stop this, the evidence
shows that they have called in someone with computer knowledge
to cancel posts that contain any of their scriptures -- or
anything that they didn't like. This brought the entire religion
to the attention of Usenet, and alt.religion.scientology is a
very well-read (and high traffic) group as a result.

The cancels, however, were generally accepted to be Bad Things.
Therefore, a group of people decided that they were going to hunt
down the (anonymous) CancelBunny, as it had been named, by checking
from bunches of sites. Several CancelBunnies have been tracked
down and lost their accounts; more keep popping up, only to be
bashed back down just as quickly.

The cancels by the CancelBunny are generally on comp.org.eff.talk
and alt.religion.scientology. Cancels to a.r.s are reported by
Lazarus (VIII.C).

o NewsAgent: HipCrime, an anonymous programmer with fairly
anarchist views, one day decided to write a publicly available
Usenet cancellation engine. His stated reason was the standard
"if one may cancel, all may cancel" excuse; however, when he
first unleashed his 'bot, he targeted moderated groups, anything
administration-related, and everything else that he personally
disliked. It quickly became apparent that his work was merely
intended to destroy Usenet; as such, some of Usenet's more
prominent anti-administration kooks joined him in what they
saw as the final anti-Usenet war.

It surprised them to no end when they soon found that their
cancels had stopped being effective, because too many sites
knew how to fight the attack.

Since then, NewsAgent has morphed and become more public-domain.
The software no longer issues cancel messages; instead, it issues
long randomly-generated messages with Supersedes: headers, which
destroy posts in a less-tracable and more-destructive manner
(and which are almost immediately themselves cancelled, and
the original messages reposted). Hipcrime has also written
other variants of NewsAgent which send out other Control
messages, creating thousands of bogus newsgroups on unwatched
servers or causing a few individuals to be mailbombed but
otherwise doing little damage. More worrisome is that older
versions are in the hands of many people who wish to use the
software maliciously, who are now using it to attack individual
newsgroups. Even this is generally stopped after a couple of
days, however.

Overall, NewsAgent has merely made life a bit more difficult
for news administrators and a bit more chaotic for standard
Usenet users. Too bad.

E. What, are there only bad guys?

No, of course not; they're just the most prominent. There are
plenty of important good guys, too -- the ones that perform the thankless
job of cancelling spam, spew, MMF, and all the rest, basically keeping
Usenet usable.

Among the most famous spam cancellers include the CancelMoose
(mo...@cm.org) [the first major spam canceller, author of NoCeM, now
retired from cancelling], Chris Lewis (cle...@ferret.ocunix.on.ca) [the
most prominent spam canceller of all time], and Jonathan Kamens
(j...@mit.edu) [writer of the best spam detection software to date]. Most
of the other cancellers can be found on news.admin.net-abuse.*.

F. Is there anything I can do on my own?

Of course.

1. Notify the postmaster at the offending site, or upstream site.

If you can determine where the cancels are coming form, mail
the postmaster at that site (or abuse@site, if present) with your complaints,
If this doesn't work, you may want to try notifying the people that give
the site its newsfeed; for details on how to determine this, read the Spam
Tracking FAQ.

2. Alias out the offending site.

Your news administrator may be capable of making your machine not
accept posts from a certain other machine. If necessary, this can be
used to ignore the cancel messages on your own site.

3. Ignore the cancels.

Most major cancel attacks are fairly easy to categorize, based on
a common header or message body. It is possible to run software, such as
Cleanfeed (<URL:http://www.exit109.com/~jeremy/news/antispam.html>), to
ignore those cancels based on the common pattern; if you've got the time
to update your filters fairly often, you may even be able to head off
further attacks.

4. Write and run a Resurrection 'bot.

It is possible to run a 'bot that reposts everything that is
cancelled; the most famous example of this is Dave the Resurrector, which
protects the news.admin.* hierarchy and is detailed in Appendix A. If you
want to do something similar, you can be a great help at stopping rogue
cancel attacks.

5. Call in the official authorities.

As was previously said, forged cancels are in a legal grey area.
If you want to call in the legal authorities, you probably can, and
something may be done.

The general recommendation of this, though, is "don't do it".
Any kind of legal judgment on this matter sets a precedent; at this point,
we're almost happier without one.

VI. What moral issues are involved with cancel messages?
========================================================

I'll answer this question succinctly:

Lots.

The moral issues related to cancel messages are among the most
interesting, and distressing, part of the issue. Third-party cancels,
spam and binary cancels, retromoderation, moderators in general, the
full "slippery slope" argument, the "Usenet is an anarchy" argument, "you're
violating my first amendment rights!" and "without cancels, Usenet would
have died under the weight of the spam long ago"...

This FAQ, though, isn't really the best place to get into it.

For lack of space and time, I cannot get into these issues in
detail here, however important they may be. If you want a start on this
matter, read the news.admin.net-abuse FAQ, along with the newsgroups.
It's at least a start.

--
Copyright 1999, Tim Skirvin. All rights reserved.