T
Twayne
No panacea here, but I accidentally came across this and figured I'd
post it for those who wonder about trolls and newsgroup headers et al.
In OE, press CTRL-F3 to see the Headers and all source code. If you have
Mozilla FireFox, it's CTRL-u.
Waiting for dinner, so been just fiddling around with a 'safe'
browser.
Finally! Time to put on the feedbag!
Cheers!
--------------------
First, you can cast a vote at ticki:
http://www.sitetiki.com/Pcbutts1.com
-------------------
Then: from whois.com:
WHOIS information for pcbutts1.com :
Registrant:
JBL incorporated
3424 Topgun st
Rosamond, CA 93560
US
Domain name: PCBUTTS1.COM
Administrative Contact:
INC, JBL (e-mail address removed)
3424 Topgun st
Rosamond, CA 93560
US
661-256-6102
Technical Contact:
INC, JBL (e-mail address removed)
3424 Topgun st
Rosamond, CA 93560
US
661-256-6102
Registration Service Provider:
Web.com, (e-mail address removed)
1-877-467-8464
404-260-8685 (fax)
http://www.web.com
This company may be contacted for domain login/passwords,
DNS/Nameserver changes, and general domain support questions.
Registrar of Record: TUCOWS, INC.
Record last updated on 30-Mar-2009.
Record expires on 18-Apr-2011.
Record created on 18-Apr-2005.
Registrar Domain Name Help Center:
http://domainhelp.tucows.com
Domain servers in listed order:
B.NS.INTERLAND.NET
A.NS.INTERLAND.NET
Domain status: okBut it doesn't seem to be locked.
--------------------------------
I can only imagine all the spam it must get by now.
-------------------------------
From:
http://www.sonicbands.it/u-s-u-k-pe...in-about-newsgroup-trolls-worked-example.html
How to complain about newsgroup trolls - a worked example
--------------------------------------------------------------------------------
the generic name of "troll" is applied to anyone who posts abusive,
threatening or malicious content on a newsgroup. these people always
hide their identity behind false e-mail addresses, and in order to
further hide their identity, frequently create user accounts with news
service providers outside their own country. this gives the superficial
appearance that the posting originated from some other region of the
world.
in order to complain about this type behaviour it is necessary to look
at the "header" part of the news group posting. this text is normally
hidden from view, but can be displayed quite easily. if you are using
thunderbird as your newsreader, select the posting and press ctrl-u to
display the header.
once the posting's header header has been displayed, the next task is to
interpret the information it contains.
the following example is taken from a recent post to the
rec.music.maker.percussion newsgroup, but is representative of this
general category of abusive post.
path:
news.sap-ag.de!news2!news1.dtag.de!newsfeed00.sul.t-online.de!t-online.de!news.k-dsl.de!aioe.org!not-for-mail
from: "drmmr" <[email protected]>
newsgroups: rec.music.makers.percussion
subject: failed attemtps
date: fri, 3 oct 2008 00:18:54 -0700
organization: aioe.org nntp server
lines: 26
message-id: <[email protected]>
nntp-posting-host: 0tn5kku+uggfa8p+hq9fgg.user.aioe.org
x-complaints-to: (e-mail address removed)
x-mimeole: produced by microsoft mimeole v6.00.2900.5579
x-rfc2646: format=flowed; original
x-newsreader: microsoft outlook express 6.00.2900.5512
x-priority: 3
x-msmail-priority: normal
xref: news.sap-ag.de rec.music.makers.percussion:409867
schuh tried and failed to hack my system-yes indeed a backdoo trojan was
in...
firstly, this actual text contained within this posting is written in
what's called "plain text". in other words, it does not contain any
formatting instructions to control the appearance or layout of the
text. most newsgroup accept only plain text postings.
secondly, the first dozen or lines of the post are known as the header.
each header line starts with a key word followed by a colon. e.g.
"subject:" or "message-id:"
thirdly, the e-mail address shown in the "from:" header line will almost
always be fake - don't bother trying to send anything to that address!
fourthly, the actual posting (containing the abusive content) is the
block of text found after the last header entry (xref: in this case). in
this case, all but the first line of the message content has been
snipped.
the "path:" keyword is usually the first line of the header and contains
a list of news server names separated by exclamation marks. this shows
the route that this posting took as it was replicated from one news
server to another across the internet. the first server in the list is
your news server that you connect to in order to read that particular
newsgroup. then you get a chain of news servers going all the way back
to the server used by the troll to create their post. you may often see
"!not for mail" at the end of this server list. this just means that
the news group posting will not be replicated to an e-mail server.
now that you know the identity of the server from which the troll posted
their message, you can go to one of the domain name registrars to
identify who owns this domain name and where they are located in the
world. this will probably not help you identify the physical location
of the troll, but it does identify the service provider they are using.
in the above case, the troll has used the news server belonging to
aioe.org - a free news service running in italy.
if you copy this name into the "who is" lookup server provided by
internic (or whoever is responsible for the top level domain) , you will
see who registered that domain name, when they registered it and where
they located in the world. a "who is" service can be found here
http://internic.net/whois.html
the header also contains a line that starts with "x-complaints-to:"
followed by an email address - in this case (e-mail address removed). send an
email to this address and the service provider should then investigate
the complaint and hopefully terminate the troll's account. this of
course will not stop then setting up a new account, but it will disrupt
their behaviour for a while.
chris w
post it for those who wonder about trolls and newsgroup headers et al.
In OE, press CTRL-F3 to see the Headers and all source code. If you have
Mozilla FireFox, it's CTRL-u.
Waiting for dinner, so been just fiddling around with a 'safe'
browser.
Finally! Time to put on the feedbag!
Cheers!
--------------------
First, you can cast a vote at ticki:
http://www.sitetiki.com/Pcbutts1.com
-------------------
Then: from whois.com:
WHOIS information for pcbutts1.com :
Registrant:
JBL incorporated
3424 Topgun st
Rosamond, CA 93560
US
Domain name: PCBUTTS1.COM
Administrative Contact:
INC, JBL (e-mail address removed)
3424 Topgun st
Rosamond, CA 93560
US
661-256-6102
Technical Contact:
INC, JBL (e-mail address removed)
3424 Topgun st
Rosamond, CA 93560
US
661-256-6102
Registration Service Provider:
Web.com, (e-mail address removed)
1-877-467-8464
404-260-8685 (fax)
http://www.web.com
This company may be contacted for domain login/passwords,
DNS/Nameserver changes, and general domain support questions.
Registrar of Record: TUCOWS, INC.
Record last updated on 30-Mar-2009.
Record expires on 18-Apr-2011.
Record created on 18-Apr-2005.
Registrar Domain Name Help Center:
http://domainhelp.tucows.com
Domain servers in listed order:
B.NS.INTERLAND.NET
A.NS.INTERLAND.NET
Domain status: okBut it doesn't seem to be locked.
--------------------------------
I can only imagine all the spam it must get by now.
-------------------------------
From:
http://www.sonicbands.it/u-s-u-k-pe...in-about-newsgroup-trolls-worked-example.html
How to complain about newsgroup trolls - a worked example
--------------------------------------------------------------------------------
the generic name of "troll" is applied to anyone who posts abusive,
threatening or malicious content on a newsgroup. these people always
hide their identity behind false e-mail addresses, and in order to
further hide their identity, frequently create user accounts with news
service providers outside their own country. this gives the superficial
appearance that the posting originated from some other region of the
world.
in order to complain about this type behaviour it is necessary to look
at the "header" part of the news group posting. this text is normally
hidden from view, but can be displayed quite easily. if you are using
thunderbird as your newsreader, select the posting and press ctrl-u to
display the header.
once the posting's header header has been displayed, the next task is to
interpret the information it contains.
the following example is taken from a recent post to the
rec.music.maker.percussion newsgroup, but is representative of this
general category of abusive post.
path:
news.sap-ag.de!news2!news1.dtag.de!newsfeed00.sul.t-online.de!t-online.de!news.k-dsl.de!aioe.org!not-for-mail
from: "drmmr" <[email protected]>
newsgroups: rec.music.makers.percussion
subject: failed attemtps
date: fri, 3 oct 2008 00:18:54 -0700
organization: aioe.org nntp server
lines: 26
message-id: <[email protected]>
nntp-posting-host: 0tn5kku+uggfa8p+hq9fgg.user.aioe.org
x-complaints-to: (e-mail address removed)
x-mimeole: produced by microsoft mimeole v6.00.2900.5579
x-rfc2646: format=flowed; original
x-newsreader: microsoft outlook express 6.00.2900.5512
x-priority: 3
x-msmail-priority: normal
xref: news.sap-ag.de rec.music.makers.percussion:409867
schuh tried and failed to hack my system-yes indeed a backdoo trojan was
in...
firstly, this actual text contained within this posting is written in
what's called "plain text". in other words, it does not contain any
formatting instructions to control the appearance or layout of the
text. most newsgroup accept only plain text postings.
secondly, the first dozen or lines of the post are known as the header.
each header line starts with a key word followed by a colon. e.g.
"subject:" or "message-id:"
thirdly, the e-mail address shown in the "from:" header line will almost
always be fake - don't bother trying to send anything to that address!
fourthly, the actual posting (containing the abusive content) is the
block of text found after the last header entry (xref: in this case). in
this case, all but the first line of the message content has been
snipped.
the "path:" keyword is usually the first line of the header and contains
a list of news server names separated by exclamation marks. this shows
the route that this posting took as it was replicated from one news
server to another across the internet. the first server in the list is
your news server that you connect to in order to read that particular
newsgroup. then you get a chain of news servers going all the way back
to the server used by the troll to create their post. you may often see
"!not for mail" at the end of this server list. this just means that
the news group posting will not be replicated to an e-mail server.
now that you know the identity of the server from which the troll posted
their message, you can go to one of the domain name registrars to
identify who owns this domain name and where they are located in the
world. this will probably not help you identify the physical location
of the troll, but it does identify the service provider they are using.
in the above case, the troll has used the news server belonging to
aioe.org - a free news service running in italy.
if you copy this name into the "who is" lookup server provided by
internic (or whoever is responsible for the top level domain) , you will
see who registered that domain name, when they registered it and where
they located in the world. a "who is" service can be found here
http://internic.net/whois.html
the header also contains a line that starts with "x-complaints-to:"
followed by an email address - in this case (e-mail address removed). send an
email to this address and the service provider should then investigate
the complaint and hopefully terminate the troll's account. this of
course will not stop then setting up a new account, but it will disrupt
their behaviour for a while.
chris w