FAQ: A Girl's Forgery Primer

1 view
Skip to first unread message

The Prince of Lies

Dec 9, 1998, 3:00:00 AM12/9/98
Posting-frequency: whenever the fuck i feel like it.
Last-modified: 27 November 1997
Last-posted: 27 November 1997
FAQ-maintainer: p...@alt.alt.alt.alt.alt.net (Paul J. Zanca)

A Girl's Forgery Primer
How to Forge a Usenet Article
with Adroitness and Aplomb

The following information is provided for educational purposes only. In
no way is this document published to be aan advocacy for the forgery of
Usenet articles, and in no way is the author to be considered liable for
any mischief caused by those who choose to misuse this information. Also,
all of the techniques rescribed in this document are publically avialable
information, supplied in RFCs 850 and 977, respectively found at
http://www.cis.ohio-state.edu/rfc/rfc850.txt and

A reasonable effort has been put forth to ensure that the information
supplied in this document is accurate; feedback is encouraged and
corrections will be integrated as quickly as possible. Supplementary
information that does not coincide with the scope of this document will
be treated with a lower priority than actual corrections, and some
suggested supplementary information may be ignored without response.

The author has spent several hours drinking Irish beer, and thus is in a
state of sublime intoxication as this document is prepared. All complaints
regarding the substance of this document are encouraged to be shoved up
the arse of the complainer, preferably sideways and with great force. If
this recourse is insufficient for proper redress of grievances, then the
complainer is encouraged to get fucked.

The reader should note that actually engaging in the activities described
in this document could get you into trouble with your Usenet provider, and
possibly with law enforcement agencies as well. The author does not expect
that to deter the truly sociopathic fuckweed; indeed, the prospect of a
reprimand from the Glorious Sysadmin is seen as an illustrious reward for
some misanthropic gits.

The inexperienced sysadmin may choose to treat this document as an
educational reference; the troublemaking troll may see it as a method of
obfuscating hir identity; the IETF might just see this document as one of
many incentives to provide an alternative to RFC 977 that doesn't make
forging another user's email address on a public message base so damn easy.
Who can say for sure? We can only hope.


Q: I'd like to forge a Usenet article. How do I do it?
A: Forging Usenet articles isn't that hard. It's not like it's a big secret.

See, news servers work like this. Let's say for the sake of argument that
there are only two news servers on the entire Usenet, news.a.com and
news.b.com. When I post an article to news.a.com, I basically use a special
telnet client (everybody knows what telnet is, right?) to talk to a certain
telnet port, 119. Try it with plain old telnet (in many cases this is as
simple as typing "telnet news.a.com 119"), and you'll get something like
the following:

200 news.a.com InterNetNews NNRP server INN 1.4unoff3 05-Mar-96 ready (posting

If you type help, you get:

100 Legal commands
authinfo user Name|pass Password|generic <prog> <args>
article [MessageID|Number]
body [MessageID|Number]
group newsgroup
head [MessageID|Number]
list [active|newsgroups|distributions|schema]
listgroup newsgroup
mode reader
newgroups yymmdd hhmmss ["GMT"] [<distributions>]
newnews newnews groups yymmdd hhmmss ["GMT"] [<distributions>]
stat [MessageID|Number]
xgtitle [group_pattern]
xhdr header [range|MessageID]
xover [range]
xpat header range|MessageID pat [morepat...]
xpath MessageID
Report problems to <ne...@a.com>

Now, behind the scenes, your newsreader uses the /post/ command to throw
articles up onto the news server. First you just send the headers of the
article, exactly like so:

From: bl...@a.com
Subject: test
Newsgroups: alt.test
Organization: foo

...followed by a blank line, and then the body of your article. A period in
the first column of a line, all by itself, denotes the end of the article, and
the news server then posts it and begins to propagate it. It may be difficult
to believe, but you can do all this from the keyboard, although it's a bit

Q: Can I put anything I want into the From: line, as well as the other
A: Yep. Now, putting the email address of real person who is not you in the
From: line might get you into trouble with various folks, but the software
doesn't prevent you and it's entirely possible that you'd never be caught
anyhow, so what the hell?

Q: Hey, can't this stuff be traced?
A: Well, sure, to an extent. It depends on a lot of things:
1) How knowledgeable the sysadmin of the news server used for the forgery
2) How diligent that sysadmin is about keeping logs of who connected to
hir news server at what time, from where,
3) How much time has passed between when your forgery was posted, and when
the forgery was detected
4) How knowledgeable the tracer is at deciphering the Path: header.

What can really get you nabbed is that many Usenet servers log incoming
TCP connections and record where the user connected from; However, space is
a thing that is a precious and finite commodity to a Usenet carrier, so
if a little time has passed since your forgery was posted, chances are
the log has been overwritten and is long gone. Now, some anal-retentive
sysadmins might actually back their logs up on tape, but shoot, an anal-
retentive sysadmin isn't all that likely to be running an open News

Q: What is the Path: header anyways?
A: The Path: header is a line in the headers of the article that describes
the Path, oddly enough, that the article took to reach the news server from
which you retrieved it. In general, after you post an article it's out of
your control.

The way most forged Usenet articles are traced is by comparing different
copies from the same article that were recieved from different news servers
and comparing the two or more copies' Path: headers. At some point, the
server at which the forgery was injected will appear in the Path: headers
of the articles, and from there a tracker can go to the news administrator
of the site at which you injected your article.

Q: About this Path: header. It sounds ominous.
A: No worries. Now, as you might have already figgered, one can also supply
the Path: header to say whatever one wants, on most open news servers. For
example, one might supply


...and the news server one was posting through would append what was given in
that Path: header and go from there without a snag.

The reader should be aware that not all open news servers accept modified
Path: headers; most of them do, though, since there are legitimate uses for
modifying the Path: line of an article as it is posted. The various
despammers use this method to differentiate their forged cancel messages
from other forged articles.

Q: So what about that damn NNTP-Posting-Host: line? Don't most news servers
publish it? Maybe I shouldn't do this after all.
A: No no no. Calm down. Use a public news server that doesn't publish the
NNTP-Posting-Host line. Why leave a paper trail at all? Pick one, there are
dozens out there... Err, I suppose I should provide a list...

Post a test article and check the headers (you know how to look at those,
don't you?) to see what choice information that news server decides to
convey about you.

Q: Gee, that sounds okay. But I think I want to forge an article so's I
can post to a moderated newsgroup without the approval of the moderator. Can
I do that?
A: Sure you can! All you have to do is include in the headers of the article
you forge a line like:

Approved: of course, silly!

...and your article will pop right into almost all news servers's moderated
newsgroups. If you want to be REALLY sure, then you can include something
like this instead:

Approved: moderator-e...@foo.bar.com

Something to keep in mind is that some news servers may rely on PGP
cryptographic signatures for authentication of the moderator's email address,
so you might not be able to get around those.

Q: Hmm. These PGP cryptographic signatures. Can I forge them too?
A: Technically, yes, in that you can dedicate a lot of computer cycles to
cracking the PGP (Pretty Good Privacy) key the real author uses to sign hir
articles, but practically this is very time-consuming and requires a lot of
skull sweat to boot. If I were in your shoes I wouldn't bother with
something like that.

Q: Fuck you, I want to know how to crack PGP stuff!
A: Fuck YOU. That information is beyond the scope of this document.
Figure it out for yourself.

Q: Okay, you don't have to get shitty about it. What about propagation of
News articles? Tell me about that.
A: That's more like it. Let's go back to our news.a.com example.
So now news.a.com has a copy of the article. How does propagation work, you

Well, I'll tell you.

The server news.a.com is configured such that news.b.com is treated as his
/peer/, as in peer-to-peer network. News articles are propagated via a method
called flooding; periodically, news.a.com telnets to port 119 of news.b.com
and basically requests an article list, gives news.b.com copies of any article
b.com doesn't have, and requests copies of any articles that b.com has and
a.com doesn't, incidentally updating that Path: header we dealt with earlier.

The method that news.b.com uses to give news.a.com articles is different from
the one you use to post an article, i.e. the POST command. News.b.com will
the IHAVE command to inform news.a.com that news.b.com has an article that
news.a.com doesn't. Incidentally, this method usually relies on a somewhat
more secure method of authorization than the free-and-easy POST command does;
most news servers will check in a special file called hosts.allow to see if
the issuer of an IHAVE command is permitted to give articles in this fashion.
If it's not, then the IHAVE command will be ignored.

If the reader is especially interested in learning one way to circumvent this
method of authentication, the theory is described at:


...although many site adminstrators have implemented measures to block this
particular trick. But then again, we're talking about the stupid sysadmins.

Q: Damn. This crap open news server doesn't carry the newsgroup I want to
forge an article to. What do I do?
A: Stay calm. As long as you crosspost to at least one newsgroup the open
server /does/ carry, it should pass your articles.

Q: I want to follow-up an existing article. How do I do it?
A: Easy. All you have to do is note the Message-ID: of the article you
wish to follow up, and include a References: header in your forged article
that contains the Message-ID of the antecedent article. An example:

Article 1:
Message-ID: <asdf...@foo.bar.com>

Article 2:
References: <asdf...@foo.bar.com>

When somebody's newsreader encounters your forged article, it will be
threaded just as if you'd followed it up with your newsreader -- since
you are doing exactly what your newsreader would do, more or less.

If Article 1 already has a References: line, then you'd want to copy that
References line into the headers of your forged article, and append the
message-ID of the antecedent article at the end of the References: line.

Q: What else can I do with a forged article?
There's not a lot more to it than that. You can get creative with X-headers
if you like, especially X-NNTP-Posting-Host: lines, but much else is a waste.

Of course, one must avoid posting through news servers that include the
X-NNTP-Posting-Host: line themselves, as this will get you caught. There are
many out there that don't, though.

The simple way to do it is to compose the article, headers and all, with a
plain old text editor, after cruising for some suitable prototypes for Path:
and Message-ID: headers, tap it all into a text editor, then telnet to
port 119 of a suitable news server, type post, and then just paste it in.
Easy as pie. Mail works exactly the same way, by the bye, only one telnets to
port 25 of a mail server, and the commands are a bit different. A document on
the methods of doing this will be published published separately.

Good luck.
The@Prince of@Lies@ @@@@@@ @@@ @@@ @@@ pd
@@mhm16x8@@ @@@@@@@@ @@@@@@@@ @@@ @@@ @@@ jo
@@! @@! @@! @@! @@! @@@ @@! @@! @@! zt
!@! !@! !@! !@! !@! @!@ !@! !@! !@! @.
@!! !!@ @!@ @!!!:! @!@ !@! @!! !!@ @!@ an
!@! ! !@! !!!!!: !@! !!! !@! !!! !@! le
!!: !!: !!: !!: !!! !!: !!: !!: tt
:!: :!: :!: :!: !:! :!: :!: :!:
::: :: :: :::: ::::: :: :::: :: ::: :::
: : : :: :: : : : :: : : : :::

"I hereby give notice I will netcop any alt.net poster
posting a cascade in alt.flame or alt.fan.hell-flame-wars."
- famous last words

"Meowers have proven that meow does indeed equal meow."
- more words of wisdom

"This cascade is dedicated to none other than the GREAT JAMES KOPUT, in which
Paul Zanca has given the honors."
- high praise from someone who evidently loves cascades

Reply all
Reply to author
0 new messages