Tracking the Trolls: Usenet Headers
This is the fourth in a series of articles on reading internet message headers. If you haven’t already done so, please read the previous articles: Reading Internet Message Headers, Where’d That Email Come From? and So It Came From a Mailing List – Where Did It Come From Before That?
Messages posted to usenet (newsgroups) have some headers in common with email messages. They will look slightly different to each person who reads them depending on the news server used to receive the message.
Newsgroups: soc.support.fat-acceptance,atl.general, mindspring.local.atlanta Path: mindspring!firehose.mindspring.com!newsfeed1-hme1! newsfeed.internetmci.com!188.8.131.52!vixen.cso.uiuc.edu! uchinews!news From: Suzy Smith <email@example.com> Subject: Re: Help with headers? Nntp-Posting-Host: ip14.an4-atlanta2.ga.pub-ip.psi.net Message-ID: <firstname.lastname@example.org> Reply-To: email@example.com Organization: Anything You Like References: <19970901140100.KAA29407@ladder02.news. aol.com> <EFy5Ar.firstname.lastname@example.org> < 340DC46C.3A62@wco.com> <5umekl$44m@dfw-ixnews9. ix.netcom.com> <email@example.com> Date: Tue, 9 Sep 1997 21:17:39 GMT X-Newsreader: AOL Offline Reader X-No-Archive: yes Lines: 24
Okay, let’s take these one at a time. None of these headers will normally appear more than once in any message.
The newsgroups: header is simple–it shows where the message is being posted. It can be just one newsgroup or many–if there’s more than one, there will be commas between each newsgroup’s name. This message was posted to three newsgroups (that’s referred to as cross-posting).
The path: header shows, from first to last, the news server from which you read the message, all the news servers through which it was passed, and lastly the news server where the message originated (vixen.cso.uiuc.edu, in this case). You can look at this example and see that I read the message on a news server at MindSpring enterprises (mindspring.com) and that it was originally posted on a news server at the University of Illinois at Urbana Champaign (uiuc.edu).
From: Suzy Smith <firstname.lastname@example.org>
The from: line is supposed to be the name and email address of the person who posted the message. Unfortunately, it is one of the easiest things to fake in any message–it only requires changing a setting in your news software and voilá! you’re Bill Clinton! Or Suzy Smith, or Liberace, as you please. It doesn’t even have to contain a valid email address.
- Subject: Re: Help with headers?
The subject line is chosen by whoever posted the original message in the thread. If this had been the first message in the thread, the subject line would probably have looked more like
Subject: Help with headers?
- Nntp-Posting-Host: ip14.an4-atlanta2.ga.pub-ip.psi.net
This one’s important. The nntp-posting-host: is supposed to tell us with which machine, and sometimes from which user, a message originated. It might be a name address, like the example above, or it might be the IP address of the machine in question–like so:
If there’s a numeric address, use a tool like Sam Spade’s whois to figure out what it translates to and who owns that IP address. In this case, both the numeric and English addresses given refer to the same machine. We can tell that it’s a machine owned by PSINet, Inc. and that it’s probably at their Atlanta point-of-presence (POP). The NNTP posting host can be faked, but not easily (by the average user, anyway).
- Message-ID: <email@example.com>
Again, the message-id: field is important, and is one that can be faked but not easily. It’s a unique ID assigned to this particular message by the news server on which it originated. If it were, for instance, a forged post, or spam, whoever owns that news server (interamp.com is owned by PSINet) should be able to look at their server logs to see who posted that message. This message-id: indicates that it came from a news server at interamp.com. That doesn’t match what was in the path: statement, remember? So one or the other might well be forged.
- Reply-To: firstname.lastname@example.org
In most cases the reply-to: will be the email address of the person who posted the message–just like the From: line. But it isn’t always, and again it is incredibly simple to fake. It doesn’t have to be a valid email address at all.
- Organization: Anything You Like
Organization: is one of those fields where the user can enter anything he or she likes. If the user doesn’t specify anything, it’ll usually be filled in by the news server with a default value, like "MindSpring Enterprises" or "Internet America."
- References: <19970901140100.KAA29407@ladder02.news.aol.com> <EFy5Ar.email@example.com> <340DC46C.3A62@wco.com> <firstname.lastname@example.org> <email@example.com>
The references: line gives the message-ID numbers for each message in the thread to which the user is replying. Lets say that a user at smart.net posted the first message, and somebody at netcom.com replied, then a user at wco.com followed up to that, and finally someone at std.com answering him. This message is in reply to all of those, so it shows all of those message-IDs. It can be very helpful in figuring out how a thread got started, especially when one or more messages isn’t available any more. Also, some newsreaders arrange messages by message-IDs instead of subject lines.
- Date: Tue, 9 Sep 1997 21:17:39 GMT
The date: header usually gives the date and time that the message was posted. "GMT" is the time zone in question (Greenwich Mean Time). It can be confusing, though, because sometimes it isn’t clear as to whether the date and time are that from the server, or are from the user’s machine–and you can set your machine to say it’s any date and time you like (although most servers won’t accept a message posted in what they deem the future). If there is also an X-Server Date: line, that tells you the time the message was posted according to the news server on which the message originated.
- X-Newsreader: AOL Offline Reader
You’ll usually see X-Newsreader:, if it is present, is the name and sometimes the version of the software the poster used. Some people have hacked the code on their news readers so it’ll say something odd, and some folks have removed that line altogether.
- X-No-Archive: yes
The X-No-Archive: header tells the scripts for archives like Deja.com to ignore the message so it won’t be archived. It’s an honor system, though – there are almost certainly archives that ignore that header.
- Lines: 24
The number of lines in the message. It’ll generally be a fairly low number, unless it’s a binary post (a picture, a program–anything but a plain text message). For instance, a text post might only be 10 lines. A post containing a picture, though, might be three to four thousand lines.
Cancel messages are the same as other usenet messages with an important addition. They are a special sort of message, called a control message, that go to a newsgroup called control.cancel. They are used to delete messages that were posted to other newsgroups.
From @ Fri Aug 16 03:26:45 1996 Path: nntp0.mindspring.com!news.mindspring.com! gatech!usenet.eel.ufl.edu!news-res.gsl.net! news.gsl.net!news.sgi.com!swrinde! howland.erols.net!newsfeed.internetmci.com! in3.uu.net!psinntp!psinntp!interramp.com!usenet From: Cyn Newsgroups: atl.general Subject: cmsg cancel <firstname.lastname@example.org. mindspring.com> Control: cancel <email@example.com. mindspring.com> Date: Fri, 16 Aug 1996 07:26:45 GMT Organization: PSI Public Usenet Link Lines: 1 Message-ID: <firstname.lastname@example.org> NNTP-Posting-Host: 184.108.40.206 X-No-Archive: Yes X-No-Archive: Yes
The addition, of course is this line:
Control: cancel <email@example.com>
It will always contain the message-ID: of the message that is being cancelled. If the domain in that message-ID: and the cancel message’s message-ID: don’t match, it’s a very good bet that the cancel message is a forgery. In this case, the original message was one I’d posted from MindSpring. The cancel message is a forgery issued by an interamp.com user. In this case the original message’s ID is also in the subject line, but that will not always be so.
In the last part of the series, we’ll talk a little about anonymous remailers.
Originally Published February 14, 2001