This blog is dedicated to progressive and liberal thought. It also discusses new technology, how technology affects privacy and developments in Russia, China, Eastern Europe and the Middle East. Rightardia fully supports the rights of workers to organize, the feminist movement, and all Americans regardless of ethnicity, sex or gender. It uses humor, satire and parody to expose conservative thought for what it truly is: BS! Rightardia contributes to the DNC, DCCC, DSCC and MoveOn.Org.
Tuesday, July 20, 2010
Forging a Usenet address is a bad idea.
You have been reading Usenet posts that attack one of your favorite politicians. Perhaps it's Sarah Palin or Barack Obama.
You decide to get even by changing your newsreader identity to indicate the post is coming from the hated poster. Wouldn't it be funny to put a hyperlink in the message that redirects Usenet readers of the post to a pornographic web site?
One of the ways used to harass people on the internet is to forge their email address on a posting that is intentionally inflammatory. This tutorial, adapted from one presented by Sal Towse in misc.writing, is an attempt to illustrate how to detect the most common form of forged address.
In a generic sort of way we will discuss how to post messages "using" any email address and user name. We are using Netscape Navigator as the newsreader in this example. Other newsreaders will work in a different fashion, but Navigator is widely used and easily available. Having shown how to forge an address, we will then show how to detect the forgery.
Please be advised of the following
Most providers consider posting under a false name or anonymously an abuse of the provider's Terms of Service (TOS), which you, the user, agreed to abide by when you opened your account. Abuse of TOS leaves you, the user, subject to penalties including immediate cancellation of your ISP access.
To quote AT&T's TOS (Terms of Service) guidelines (as an example):
Members may not post or transmit any message anonymously or under a false name.
How do you fake a person's email address information and why does the message id show the message as being from the specified ISP?
It is truly the easiest of things to set your identity and your return mail address as a false one. While doing so you could, of course, set your identity to someone else's existing information.
Using Netscape
Under the -> Options pull-down menu
Choose -> Mail and News Preferences
Choose -> Identity
You simply need to change the Reply-To Address field, the Your Email field, and the Your Name field to create a quick (and usually undetected) disguise of your true persona.
For your practice run, try changing the information in the Reply-To: field and the Your Email: field to test@test.net. Change the information in the Your Name: field to testy test.
If you should send a post (use the newsgroup alt.test), you will find that the post appears to come from test@test.net AND the message ID also appears to show test.net as the ISP source.
See how easy this is? Your ISP will send off that message without worrying whether you are test@test.net or not. Your ISP is assuming you won't be malicious and/or stupid when placing information in these fields.
And, quite oddly, they believe you'll abide by the Terms of Service you agreed to when you signed up with them.
Surely it is not that easy?
Well, no, not really. If I were curious as to whether test@test.net truly sent the message (and heaven knows I have a curiosity streak a mile wide at times), I would turn on full headers and look closely at the message.
Look at full headers and notice that the message ID shows as something similar to
Looks like it came from test.net alrighty, but if I check the path field I will find the true path the news post took from the originating NNTP host to my ISP:
Path: netnews.worldnet.att.net!worldnet.att.net!feed1.news.erols.com!news.idt.net!nntp.farm.idt.net!new
XFrom: test@test.net
Date: Thu, 19 Dec 1996 19:14:36 -0800
Message-ID: <32BA049C.277F@test.net>
NNTP-Posting-Host: ppp-3.ts-7.nyc.idt.net
In this example the suspect poster is forging his test@test.net persona and using idt.net to ship out his stuff.
First check the Path: field.
The terminal machine in the Path: (i.e. the one furthest to the right) is usually the source of the news post, the NNTP host. In this case it shows as nntp.farm.idt.net. BINGO. This bit can be forged by someone who knows a great deal about NNTP, but usually is not tweaked by the everyday forger.
A second confirmation comes with the NNTP-Posting-Host or Message-ID fields, which again show an idt.net machine.
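The header check described above can be automated. The following is an added example, not part of the original tutorial: it compares the domain claimed in From: with the rightmost hostname in Path: and with NNTP-Posting-Host. The function names and the "last two labels" domain reduction are assumptions made for illustration.

```python
from email.parser import HeaderParser
from email.utils import parseaddr

# Constructed sample built from the header values shown on this page
# (the Path: tail is truncated on the page and is kept that way here).
SAMPLE = """\
Path: netnews.worldnet.att.net!worldnet.att.net!feed1.news.erols.com!news.idt.net!nntp.farm.idt.net!new
From: test@test.net
Date: Thu, 19 Dec 1996 19:14:36 -0800
Message-ID: <32BA049C.277F@test.net>
NNTP-Posting-Host: ppp-3.ts-7.nyc.idt.net

body
"""

def base_domain(host):
    """Naive 'last two labels' reduction (assumption: ignores suffixes like co.uk)."""
    labels = host.strip().strip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else ""

def injection_host(path):
    """Rightmost Path: entry that looks like a hostname; bare tokens are skipped."""
    for entry in reversed(path.split("!")):
        if "." in entry:
            return entry.strip()
    return ""

def check_article(raw):
    """Flag an article whose From: domain disagrees with where it entered Usenet."""
    h = HeaderParser().parsestr(raw)
    claimed = base_domain(parseaddr(h.get("From", ""))[1].rpartition("@")[2])
    # Message-ID is not used as evidence: in the sample it carries the forged domain.
    evidence = {
        "path": injection_host(h.get("Path", "")),
        "posting_host": h.get("NNTP-Posting-Host", ""),
    }
    mismatches = {k: v for k, v in evidence.items()
                  if v and base_domain(v) != claimed}
    return {"claimed": claimed, "evidence": evidence,
            "suspect": bool(mismatches), "mismatches": mismatches}

if __name__ == "__main__":
    print(check_article(SAMPLE))
```

A mismatch is a reason to look closer, not proof of forgery: people who post through a third-party news service legitimately show a posting host outside their mail domain.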
What are the consequences?
Your Usenet service provider or ISP is likely to terminate your account for failure to satisfy the TOS you agreed to. Many Usenet posters use third-party Usenet services, so it may be difficult to find out who the ISP is. If you can identify the ISP of the forger, this will have more impact when you report the violation. It is far harder to get a new ISP account than a new Usenet account.
You might be liable to criminal action as it might be considered aggravated harassment (due to use of the phone lines) which is a misdemeanor. You might also be liable to civil action brought by the person whose identity you are forging. Libel and defamation of character lawsuits are also possible.
source: http://www.jahitchcock.com/cyberstalked/detect.html