Sybase module 0.28 (Brown Paper Bag) released

Mon Jul 23 14:14:10 EDT 2001

Dave Cole wrote:

> I didn't post that (I posted the original a long time ago - but
> this isn't it).

>> Message-ID: <m3pubqd3i7.fsf at vole.object-craft.com.au>

Well, if it's a forgery, it's a pretty good one. Even the message-ID 
seems authentic. That is to say, it matches the form of the ID in your 
message closely. You might want to check if it's identical to the 
message-ID of your original message: if so, onlynews.com shouldn't have 
allowed it to be posted under that ID. Also, keepers of usenet-archives 
will _not_ be amused. (This might give you some leverage if onlynews 
isn't too helpful.)

Note carefully: if it *is* a duplicate message-ID, cancelling the 
message may not do what you expect.

> Looking at the path, who are onlynews.com?
> 
> Path: vic.nntp.telstra.net!intgwlon.nntp.telstra.net
>  !newsfeeds.ihug.co.nz!news.xtra.co.nz!nntp-relay.ihug.net
>  !ihug.co.nz!news-out.nibble.net!hub1.nntpserver.com
>  !cyclone-sjo1.usenetserver.com!news-out-sjo.usenetserver.com
>  !newsin.onlynews.com!newsout.onlynews.com!news1.onlynews.com.POSTED
>  !not-for-mail 

This is the same Path: header as it showed up on my server:

> Path: news.demon.nl!demon!bullseye.news.demon.net
>  !dispose.news.demon.net!demon!feed2.news.rcn.net!rcn
>  !dca6-feed2.news.digex.net!intermedia!newsfeed1.cidera.com
>  !cyclone-sjo1.usenetserver.com!news-out-sjo.usenetserver.com
>  !newsin.onlynews.com!newsout.onlynews.com!news1.onlynews.com.POSTED
>  !not-for-mail

Theoretically, the Path: header could be forged too, but that wouldn't 
prevent the originating server from appearing somewhere in that line. 
Presumably, modern news servers wouldn't accept such a header form a 
normal client.

Looking at the common servers in the path, the posting must have 
entered the network at one of these servers:

 - cyclone-sjo1.usenetserver.com
 - news-out-sjo.usenetserver.com
 - newsin.onlynews.com
 - newsout.onlynews.com
 - news1.onlynews.com

Mind you, that's just a theoretical possibility: there's no evidence 
that header has been forged.

The following headers were added by the NNTP-sever, or so it would 
seem:

>> NNTP-Posting-Host: onlyNews customer
>> X-Complaints-To: abuse at onlynews.com
>> X-Trace: onlyNews customer
>> NNTP-Posting-Date: Sat, 21 Jul 2001 16:18:41 PDT
>> Organization: www.onlynews.com
>> Date: Sat, 21 Jul 2001 23:18:41 GMT
>> Lines: 56

Not too helpful, I'm afraid:

 - It seems to confirm onlynews.com is the originating server of the
   message.
 - We now know the timezone the news server is in. (PDT, isn't that
   Pacific Daylight saving Time?)
 - In all probability the sever inserted the Date: header, not the
   newsclient.

So it's a deliberate fake, it's highly unlikely that a newsreader was 
used to produce it, as those (AFAIK) never allow such detailed control 
over the generation of the headers. You could get close by using the 
same newsreader as the victim, but "Gnus/5.0807 (Gnus v5.8.7) 
Emacs/20.5" isn't very popular [*], and it seems to insert it's own 
Date: header.

Of course, using Python and the nntplib-module you could be producing 
your own fake messages in about half an hour or less, and that includes 
the time to read the documentation, so that makes _everybody_ in this 
ng a suspect... ;-) 

Mind you, this may be just a newsadmin trying to be helpful by re-
distributing messages s/he thought had been lost due to a crash or 
something like that. Malicious forgeries are usually pretty crude, both 
with regard to technical skill as contents.

Robert Amesz
-- 
[*] Which is probably a good thing, as I really *hate* what the 
supercite function does to quoted text. Ugh! This might also be a 
convenient opportunity to point out that the latest userfor-draft 
*strongly* suggest you should use '>' for quoted text, and nothing 
else.