Tracking the Trolls: Usenet Headers

This is the fourth in a series of articles on reading internet message headers. If you haven’t already done so, please read the previous articles: Reading Internet Message Headers, Where’d That Email Come From? and So It Came From a Mailing List — Where Did It Come From Before That?

Messages posted to usenet (newsgroups) have some headers in common with email messages. They will look slightly different to each person who reads them depending on the news server used to receive the message.

Newsgroups: soc.support.fat-acceptance,atl.general,
	mindspring.local.atlanta
Path: mindspring!firehose.mindspring.com!newsfeed1-hme1!
	newsfeed.internetmci.com!128.174.5.49!vixen.cso.uiuc.edu!
	uchinews!news
From: Suzy Smith <user@uiuc.edu>
Subject: Re: Help with headers?
Nntp-Posting-Host:  ip14.an4-atlanta2.ga.pub-ip.psi.net
Message-ID: <32146bef.20423023@news.interamp.com>
Reply-To: suzy@other.place
Organization: Anything You Like
References: <19970901140100.KAA29407@ladder02.news.
	aol.com> <EFy5Ar.3pq@world.std.com> <
	340DC46C.3A62@wco.com> <5umekl$44m@dfw-ixnews9.
	ix.netcom.com> <5v3g50$hsl$1@news.smart.net>
Date: Tue, 9 Sep 1997 21:17:39 GMT
X-Newsreader: AOL Offline Reader
X-No-Archive: yes
Lines: 24

Okay, let’s take these one at a time. None of these headers will normally appear more than once in any message.

  • Newsgroups: soc.support.fat-acceptance,atl.general,mindspring.local.atlanta

    The newsgroups: header is simple: it shows where the message is being posted. It can be just one newsgroup or many; if there’s more than one, there will be commas between each newsgroup’s name. This message was posted to three newsgroups (that’s referred to as cross-posting).


  • Path: mindspring!firehose.mindspring.com!
    newsfeed1-hme1!newsfeed.internetmci.com!
    128.174.5.49!vixen.cso.uiuc.edu!uchinews!news

    The path: header shows, from first to last, the news server from which you read the message, all the news servers through which it was passed, and lastly the news server where the message originated (vixen.cso.uiuc.edu, in this case). You can look at this example and see that I read the message on a news server at MindSpring Enterprises (mindspring.com) and that it was originally posted on a news server at the University of Illinois at Urbana-Champaign (uiuc.edu).


  • From: Suzy Smith <user@uiuc.edu>

    The from: line is supposed to be the name and email address of the person who posted the message. Unfortunately, it is one of the easiest things to fake in any message: it only requires changing a setting in your news software and voilà! You’re Bill Clinton! Or Suzy Smith, or Liberace, as you please. It doesn’t even have to contain a valid email address.

  • Subject: Re: Help with headers?

    The subject line is chosen by whoever posted the original message in the thread. If this had been the first message in the thread, the subject line would probably have looked more like
    Subject: Help with headers?

  • Nntp-Posting-Host: ip14.an4-atlanta2.ga.pub-ip.psi.net

    This one’s important. The nntp-posting-host: is supposed to tell us from which machine, and sometimes from which user, a message originated. It might be a name address, like the example above, or it might be the IP address of the machine in question, like so:

    NNTP-Posting-Host: 38.6.4.14

    If there’s a numeric address, use a tool like Sam Spade’s whois to figure out what it translates to and who owns that IP address. In this case, both the numeric and English addresses given refer to the same machine. We can tell that it’s a machine owned by PSINet, Inc. and that it’s probably at their Atlanta point-of-presence (POP). The NNTP posting host can be faked, but not easily (by the average user, anyway).

  • Message-ID: <32146bef.20423023@news.interamp.com>

    Again, the message-id: field is important, and is one that can be faked but not easily. It’s a unique ID assigned to this particular message by the news server on which it originated. If it were, for instance, a forged post, or spam, whoever owns that news server (interamp.com is owned by PSINet) should be able to look at their server logs to see who posted that message. This message-id: indicates that it came from a news server at interamp.com. That doesn’t match what was in the path: statement, remember? So one or the other might well be forged.

  • Reply-To: suzy@other.place

    In most cases the reply-to: will be the email address of the person who posted the message, just like the From: line. But it isn’t always, and again it is incredibly simple to fake. It doesn’t have to be a valid email address at all.

  • Organization: Anything You Like

    Organization: is one of those fields where the user can enter anything he or she likes. If the user doesn’t specify anything, it’ll usually be filled in by the news server with a default value, like “MindSpring Enterprises” or “Internet America.”

  • Ref­er­ences: <19970901140100.KAA29407@ladder02.news.aol.com> <EFy5Ar.3pq@world.std.com> <340DC46C.3A62@wco.com> <5umekl$44m@dfw-ixnews9.ix.netcom.com> <5v3g50$hsl$1@news.smart.net>

    The references: line gives the message-ID numbers for each message in the thread to which the user is replying. Let’s say that a user at smart.net posted the first message, and somebody at netcom.com replied, then a user at wco.com followed up to that, and finally someone at std.com answered him. This message is in reply to all of those, so it shows all of those message-IDs. It can be very helpful in figuring out how a thread got started, especially when one or more messages are no longer available. Also, some newsreaders arrange messages by message-IDs instead of subject lines.

  • Date: Tue, 9 Sep 1997 21:17:39 GMT

    The date: header usually gives the date and time that the message was posted. “GMT” is the time zone in question (Greenwich Mean Time). It can be confusing, though, because sometimes it isn’t clear whether the date and time come from the server or from the user’s machine, and you can set your machine to say it’s any date and time you like (although most servers won’t accept a message posted in what they deem the future). If there is also an X-Server Date: line, that tells you the time the message was posted according to the news server on which the message originated.

  • X-Newsreader: AOL Offline Reader

    X-Newsreader:, if it is present, gives the name and sometimes the version of the software the poster used. Some people have hacked the code on their newsreaders so it’ll say something odd, and some folks have removed that line altogether.

  • X-No-Archive: yes

    The X-No-Archive: header tells the scripts for archives like Deja.com to ignore the message so it won’t be archived. It’s an honor system, though — there are almost certainly archives that ignore that header.

  • Lines: 24

    The number of lines in the message. It’ll generally be a fairly low number, unless it’s a binary post (a picture, a program, anything but a plain text message). For instance, a text post might only be 10 lines. A post containing a picture, though, might be three to four thousand lines.

Cancel Messages

Cancel messages are the same as other usenet messages with an important addition. They are a special sort of message, called a control message, that goes to a newsgroup called control.cancel. They are used to delete messages that were posted to other newsgroups.

From @ Fri Aug 16 03:26:45 1996
Path: nntp0.mindspring.com!news.mindspring.com!
	gatech!usenet.eel.ufl.edu!news-res.gsl.net!
	news.gsl.net!news.sgi.com!swrinde!
	howland.erols.net!newsfeed.internetmci.com!
	in3.uu.net!psinntp!psinntp!interramp.com!usenet
From: Cyn
Newsgroups: atl.general
Subject: cmsg cancel <3213eced.1824837@news.atl.
	mindspring.com>
Control: cancel <3213eced.1824837@news.atl.
	mindspring.com>
Date: Fri, 16 Aug 1996 07:26:45 GMT
Organization: PSI Public Usenet Link
Lines: 1
Message-ID: <321422ad.1651917@news.interamp.com>
NNTP-Posting-Host: 38.6.4.10
X-No-Archive: Yes
X-No-Archive: Yes

The addition, of course, is this line:
Control: cancel <3213eced.1824837@news.atl.mindspring.com>
It will always contain the message-ID: of the message that is being cancelled. If the domain in that message-ID: and the cancel message’s message-ID: don’t match, it’s a very good bet that the cancel message is a forgery. In this case, the original message was one I’d posted from MindSpring. The cancel message is a forgery issued by an interamp.com user. In this case the original message’s ID is also in the subject line, but that will not always be so.
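As an added example (not from the original article), here is a small Python script that applies the two consistency checks described above, the Message-ID domain against the Path hops and a cancel’s target Message-ID against the cancel’s own Message-ID, to the article’s own header blocks. The site() comparison on the last two domain labels is my own simplifying assumption, not a rule from the article.

```python
import re
# Constructed samples, trimmed from the article's two header blocks; long values
# are wrapped mid-token with a leading tab, as the article shows them.
POST = (
    "Path: mindspring!firehose.mindspring.com!newsfeed1-hme1!\n"
    "\tnewsfeed.internetmci.com!128.174.5.49!vixen.cso.uiuc.edu!\n"
    "\tuchinews!news\n"
    "Message-ID: <32146bef.20423023@news.interamp.com>\n"
)
CANCEL = (
    "Path: nntp0.mindspring.com!news.mindspring.com!\n"
    "\tgatech!psinntp!interramp.com!usenet\n"
    "Control: cancel <3213eced.1824837@news.atl.\n"
    "\tmindspring.com>\n"
    "Message-ID: <321422ad.1651917@news.interamp.com>\n"
)
def parse_headers(raw):
    """Join wrapped continuation lines and return {lowercased name: value}."""
    headers, name = {}, None
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and name:
            headers[name] += line.strip()   # wrapped mid-token, so join with nothing
        elif ":" in line:
            name, value = line.split(":", 1)
            name = name.strip().lower()
            headers[name] = value.strip()
    return headers

def msgid_domain(msgid):
    """Domain half of '<unique@domain>', lowercased; None if malformed."""
    m = re.fullmatch(r"<[^@<>\s]+@([^@<>\s]+)>", msgid.strip())
    return m.group(1).lower() if m else None

def site(host):
    """Assumed comparison key: last two labels only, news.interamp.com -> interamp.com."""
    return ".".join(host.lower().split(".")[-2:])

def path_mismatch(headers):
    """True when the Message-ID's site appears in no Path hop (the article's test)."""
    own = msgid_domain(headers.get("message-id", ""))
    hops = headers.get("path", "").split("!")
    return own is not None and site(own) not in {site(h) for h in hops}

def cancel_forged(headers):
    """True when 'Control: cancel' targets a message from a different site than
    the cancel's own Message-ID; None if this is not a cancel message."""
    m = re.match(r"cancel\s+(<[^>]+>)", headers.get("control", ""), re.I)
    if not m:
        return None
    target, own = msgid_domain(m.group(1)), msgid_domain(headers.get("message-id", ""))
    return target is None or own is None or site(target) != site(own)
```

Run against POST it flags the interamp.com Message-ID that appears nowhere in the uiuc.edu Path, and against CANCEL it flags the interamp.com cancel aimed at a mindspring.com message.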

In the last part of the series, we’ll talk a little about anonymous remailers.

Originally Published February 14, 2001
