Sybase module 0.28 (Brown Paper Bag) released
Robert Amesz
rcameszREMOVETHIS at dds.removethistoo.nl
Mon Jul 23 14:14:10 EDT 2001
Dave Cole wrote:
> I didn't post that (I posted the original a long time ago - but
> this isn't it).
>> Message-ID: <m3pubqd3i7.fsf at vole.object-craft.com.au>
Well, if it's a forgery, it's a pretty good one. Even the message-ID
seems authentic. That is to say, it matches the form of the ID in your
message closely. You might want to check if it's identical to the
message-ID of your original message: if so, onlynews.com shouldn't have
allowed it to be posted under that ID. Also, keepers of usenet-archives
will _not_ be amused. (This might give you some leverage if onlynews
isn't too helpful.)
Note carefully: if it *is* a duplicate message-ID, cancelling the
message may not do what you expect.
> Looking at the path, who are onlynews.com?
>
> Path: vic.nntp.telstra.net!intgwlon.nntp.telstra.net
> !newsfeeds.ihug.co.nz!news.xtra.co.nz!nntp-relay.ihug.net
> !ihug.co.nz!news-out.nibble.net!hub1.nntpserver.com
> !cyclone-sjo1.usenetserver.com!news-out-sjo.usenetserver.com
> !newsin.onlynews.com!newsout.onlynews.com!news1.onlynews.com.POSTED
> !not-for-mail
This is the same Path: header as it showed up on my server:
> Path: news.demon.nl!demon!bullseye.news.demon.net
> !dispose.news.demon.net!demon!feed2.news.rcn.net!rcn
> !dca6-feed2.news.digex.net!intermedia!newsfeed1.cidera.com
> !cyclone-sjo1.usenetserver.com!news-out-sjo.usenetserver.com
> !newsin.onlynews.com!newsout.onlynews.com!news1.onlynews.com.POSTED
> !not-for-mail
Theoretically, the Path: header could be forged too, but that wouldn't
prevent the originating server from appearing somewhere in that line.
Presumably, modern news servers wouldn't accept such a header from a
normal client.
Looking at the common servers in the path, the posting must have
entered the network at one of these servers:
- cyclone-sjo1.usenetserver.com
- news-out-sjo.usenetserver.com
- newsin.onlynews.com
- newsout.onlynews.com
- news1.onlynews.com
Mind you, that's just a theoretical possibility: there's no evidence
that header has been forged.
The following headers were added by the NNTP-server, or so it would
seem:
>> NNTP-Posting-Host: onlyNews customer
>> X-Complaints-To: abuse at onlynews.com
>> X-Trace: onlyNews customer
>> NNTP-Posting-Date: Sat, 21 Jul 2001 16:18:41 PDT
>> Organization: www.onlynews.com
>> Date: Sat, 21 Jul 2001 23:18:41 GMT
>> Lines: 56
Not too helpful, I'm afraid:
- It seems to confirm onlynews.com is the originating server of the
message.
- We now know the timezone the news server is in. (PDT, isn't that
Pacific Daylight saving Time?)
- In all probability the server inserted the Date: header, not the
newsclient.
So if it's a deliberate fake, it's highly unlikely that a newsreader was
used to produce it, as those (AFAIK) never allow such detailed control
over the generation of the headers. You could get close by using the
same newsreader as the victim, but "Gnus/5.0807 (Gnus v5.8.7)
Emacs/20.5" isn't very popular [*], and it seems to insert its own
Date: header.
Of course, using Python and the nntplib-module you could be producing
your own fake messages in about half an hour or less, and that includes
the time to read the documentation, so that makes _everybody_ in this
ng a suspect... ;-)
Mind you, this may be just a newsadmin trying to be helpful by
redistributing messages s/he thought had been lost due to a crash or
something like that. Malicious forgeries are usually pretty crude, both
with regard to technical skill and content.
Robert Amesz
--
[*] Which is probably a good thing, as I really *hate* what the
supercite function does to quoted text. Ugh! This might also be a
convenient opportunity to point out that the latest usefor draft
*strongly* suggests you should use '>' for quoted text, and nothing
else.
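The two checks Robert walks through above (intersecting the Path: headers of independently received copies to bound where the article was injected, and comparing Message-IDs to spot a duplicate) can be automated. The following is an added example for this archive page, not code from the original post or from the Sybase module. The two Path: values are the ones quoted in the thread with the line-wrapping removed; the article skeletons and all Message-IDs are constructed for illustration, since the real IDs of the original and the forgery are not reproduced here in usable form.

```python
"""Forensics on a suspected forged Usenet article: where did it enter the network?

Added example, not code from the original post. The two Path: values are the
ones quoted in the thread; the Message-IDs and article skeletons are
constructed for illustration.
"""
from __future__ import annotations

import email
from email.message import Message
from typing import Optional

# Path: headers as quoted in the thread, with the wrapping removed.
PATH_TELSTRA = (
    "vic.nntp.telstra.net!intgwlon.nntp.telstra.net!newsfeeds.ihug.co.nz!"
    "news.xtra.co.nz!nntp-relay.ihug.net!ihug.co.nz!news-out.nibble.net!"
    "hub1.nntpserver.com!cyclone-sjo1.usenetserver.com!"
    "news-out-sjo.usenetserver.com!newsin.onlynews.com!newsout.onlynews.com!"
    "news1.onlynews.com.POSTED!not-for-mail"
)
PATH_DEMON = (
    "news.demon.nl!demon!bullseye.news.demon.net!dispose.news.demon.net!demon!"
    "feed2.news.rcn.net!rcn!dca6-feed2.news.digex.net!intermedia!"
    "newsfeed1.cidera.com!cyclone-sjo1.usenetserver.com!"
    "news-out-sjo.usenetserver.com!newsin.onlynews.com!newsout.onlynews.com!"
    "news1.onlynews.com.POSTED!not-for-mail"
)


def build_article(path: str, message_id: str, body: str = "(body)") -> str:
    """Constructed article skeleton: just enough headers to exercise the checks."""
    return (
        f"Path: {path}\n"
        "From: someone@example.invalid\n"
        "Newsgroups: comp.lang.python\n"
        "Subject: Sybase module 0.28 (Brown Paper Bag) released\n"
        f"Message-ID: {message_id}\n"
        "\n"
        f"{body}\n"
    )


def parse_article(raw: str) -> Message:
    """NNTP article headers use RFC 822 syntax, so the stdlib mail parser
    yields Path:, Message-ID: etc. as ordinary header fields."""
    return email.message_from_string(raw)


def split_path(path: str) -> list[str]:
    """Split a Path: header into hops, injection end first.

    Each relay prepends its own name, so the leftmost entry is the server
    that handed the article to us and the rightmost entries were written by
    the injecting server (often ending in a placeholder like 'not-for-mail').
    """
    hops = [h.strip() for h in path.split("!") if h.strip()]
    hops.reverse()
    return hops


def common_tail(*paths: str) -> list[str]:
    """Hops that every copy shares, from the injection end outward.

    A relay may forge the part of Path: it adds, but it cannot remove what
    downstream servers prepend afterwards, so the longest common tail across
    independently received copies bounds where the article entered the net.
    """
    common: list[str] = []
    for hops in zip(*(split_path(p) for p in paths)):
        if len(set(hops)) != 1:
            break
        common.append(hops[0])
    return common


def injection_candidates(*paths: str) -> list[str]:
    """Common hops with the 'not-for-mail' placeholder and '.POSTED' marker
    stripped: the servers the article must have passed through first."""
    out = []
    for hop in common_tail(*paths):
        if hop == "not-for-mail":
            continue
        out.append(hop[: -len(".POSTED")] if hop.endswith(".POSTED") else hop)
    return out


def compare_copies(raw_copies: list[str],
                   original_message_id: Optional[str] = None) -> dict:
    """Compare copies of one suspect article, optionally against the
    Message-ID of the genuine earlier post it appears to imitate."""
    msgs = [parse_article(r) for r in raw_copies]
    ids = {m["Message-ID"].strip() for m in msgs}
    result = {
        "consistent_message_id": len(ids) == 1,
        "injection_candidates": injection_candidates(*(m["Path"] for m in msgs)),
        # True means the suspect re-used the genuine article's Message-ID:
        # relays and archives should have rejected it, and cancelling it
        # may also affect the original.
        "duplicates_original_id": False,
    }
    if original_message_id is not None:
        result["duplicates_original_id"] = original_message_id.strip() in ids
    return result


if __name__ == "__main__":
    copies = [build_article(PATH_TELSTRA, "<suspect-copy@example.invalid>"),
              build_article(PATH_DEMON, "<suspect-copy@example.invalid>")]
    print(compare_copies(copies, "<constructed-original@example.invalid>"))
```

Run on the two quoted Path: headers, `injection_candidates` returns the same five servers the post lists (news1.onlynews.com, newsout.onlynews.com, newsin.onlynews.com, news-out-sjo.usenetserver.com, cyclone-sjo1.usenetserver.com); anything to the left of cyclone-sjo1 differs between the Telstra and Demon copies and so was added after injection. The Message-ID comparison only tells you whether the suspect re-used the original's ID; it cannot tell you who generated it.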