Forgery but how?

Discussion in 'Computer Support' started by pete, May 7, 2007.

  1. pete

    pete Guest

    The first header is genuine. The second is not. How is this done?

    Path:
    g2news1.google.com!news4.google.com!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
    From: pete <>
    Newsgroups: free.uk.talk.ipswich
    Subject: FS 1996 Rover 414
    Date: Sun, 06 May 2007 00:57:03 +0100
    Lines: 7
    Message-ID: <>
    Mime-Version: 1.0
    Content-Type: text/plain; charset=ISO-8859-1
    Content-Transfer-Encoding: 8bit
    X-Trace: individual.net
    SEFdJvlPknGgMJA8xKVsHgfVwCZ81S5IWY9POGkq953Wikmxwq
    X-Newsreader: Forte Agent 4.2/32.1118
    X-Antivirus: avast! (VPS 000738-3, 05/05/2007), Outbound message
    X-Antivirus-Status: Clean


    This one is false.
    Path:
    g2news1.google.com!news4.google.com!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
    From: pete <>
    Newsgroups: uk.legal
    Subject: Re: Decent honest readers would be pleased to know this was
    sent to Gareth Read of reads sols. Bradford.
    Date: Mon, 07 May 2007 09:22:12 +0100
    Lines: 30
    Message-ID: <>
    References: <>
    <>
    <>
    Mime-Version: 1.0
    Content-Type: text/plain; charset=us-ascii
    Content-Transfer-Encoding: 7bit
    X-Trace: individual.net
    wdESTxy4KsPbGVHiX+d5MgtWynYhL3nUrKd98vbyrB0dd6rXfk
    X-Newsreader: Forte Agent 4.2/32.1118


    How is this done and what can I do about it?
    pete
    www.suffolkrightsofway.co.uk
    www.ipswichwaterfrontaccess.co.uk
     
    pete, May 7, 2007
    #1

  2. pete

    Whiskers Guest

    On 2007-05-07, pete <> wrote:
    > The first header is genuine. The second is not. How is this done?


    [...]

    > How is this done and what can I do about it?
    > pete


    Both were posted to the Individual.net news-server. Contact them with
    evidence of articles posted to that server in your name but not by you,
    and ask them if they were posted using your username and login. If not,
    then someone is in breach of their terms of service ("Policy") - see also
    <http://news.individual.net/faq.php#5.5> for 'abuse reports'.

    If someone has obtained access to your Individual.net username and
    password information without your knowledge or permission, then that's
    your problem.

    --
    -- ^^^^^^^^^^
    -- Whiskers
    -- ~~~~~~~~~~
     
    Whiskers, May 7, 2007
    #2

  3. pete

    Frosty Guest

    On Mon, 07 May 2007 15:34:53 +0100 in 24hoursupport.helpdesk pete
    <>, intended to write something intelligible, but
    instead wrote :

    >The first header is genuine. The second is not. How is this done?
    >
    >Path:
    >g2news1.google.com!news4.google.com!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
    >From: pete <>
    >Newsgroups: free.uk.talk.ipswich
    >Subject: FS 1996 Rover 414
    >Date: Sun, 06 May 2007 00:57:03 +0100
    >Lines: 7
    >Message-ID: <>
    >Mime-Version: 1.0
    >Content-Type: text/plain; charset=ISO-8859-1
    >Content-Transfer-Encoding: 8bit
    >X-Trace: individual.net
    >SEFdJvlPknGgMJA8xKVsHgfVwCZ81S5IWY9POGkq953Wikmxwq
    >X-Newsreader: Forte Agent 4.2/32.1118
    >X-Antivirus: avast! (VPS 000738-3, 05/05/2007), Outbound message
    >X-Antivirus-Status: Clean
    >
    >
    >This one is false.
    >Path:
    >g2news1.google.com!news4.google.com!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
    >From: pete <>
    >Newsgroups: uk.legal
    >Subject: Re: Decent honest readers would be pleased to know this was
    >sent to Gareth Read of reads sols. Bradford.
    >Date: Mon, 07 May 2007 09:22:12 +0100
    >Lines: 30
    >Message-ID: <>
    >References: <>
    ><>
    ><>
    >Mime-Version: 1.0
    >Content-Type: text/plain; charset=us-ascii
    >Content-Transfer-Encoding: 7bit
    >X-Trace: individual.net
    >wdESTxy4KsPbGVHiX+d5MgtWynYhL3nUrKd98vbyrB0dd6rXfk
    >X-Newsreader: Forte Agent 4.2/32.1118
    >
    >
    >How is this done and what can I do about it?


    Form an org. and use government to force free people to do things the
    way YOU want them done?

    >pete
    >www.suffolkrightsofway.co.uk
    >www.ipswichwaterfrontaccess.co.uk
     
    Frosty, May 7, 2007
    #3
  4. pete

    Mr. Arnold Guest

    Mr. Arnold, May 7, 2007
    #4
  5. pete

    pete Guest

    On Mon, 07 May 2007 17:33:17 GMT, "Mr. Arnold" <MR. >
    wrote:

    >
    >>
    >> How is this done and what can I do about it?
    >> pete

    >
    >You're being trolled. You should read up on what is happening.
    >
    >http://www.hyphenologist.co.uk/killfile/anti_troll_faq.htm


    Yes I know I have been trolled. I am quite used to it but not a poster
    who can use identical path to do it. That is the bit that is puzzling
    me as my wireless connection is secured.
    pete
    www.suffolkrightsofway.co.uk
    www.ipswichwaterfrontaccess.co.uk
     
    pete, May 7, 2007
    #5
  6. pete

    Evan Platt Guest

    On Mon, 07 May 2007 20:19:00 +0100, pete <> wrote:

    >Yes I know I have been trolled. I am quite used to it but not a poster
    >who can use identical path to do it. That is the bit that is puzzling
    >me as my wireless connection is secured.


    Path in a newsgroup header has nothing to do with your connection,
    it's the news connection you use.

    If you and I connect to the same news server, we'll likely have the
    same Path.
    --
    To reply via e-mail, remove The Obvious from my e-mail address.
     
    Evan Platt, May 7, 2007
    #6
  7. pete

    Mike Easter Guest

    pete wrote:
    > The first header is genuine. The second is not. How is this done?


    Both headers are 'genuine' in that the newsserver dutifully
    recorded/stamped the information provided to it by the newsreader.

    You are apparently alleging that you posted the first and you did not
    post the 2nd, and you are presuming that the 2nd post was made with some
    other agent than Forte Agent and/or presumably made to individual by an
    account which was not yours.

    With the headers, Individual can tell you whether or not the alleged
    'bogus' message was posted with your individual.net account or not.
    Whether or not they will give you the IP address accessing is debatable.

    If the perp has access to your individual.net user/pw, then it is
    possible that all kinds of other confidential information of yours may
    have been cracked, and the security of your identity is a mess.

    > How is this done and what can I do about it?


    It depends on whether or not the perp accessed with your individual.net
    news account or not. If he accessed with his own the picture is
    different than if he accessed with yours.


    --
    Mike Easter
     
    Mike Easter, May 7, 2007
    #7
  8. pete

    pete Guest

    On Mon, 07 May 2007 12:25:44 -0700, Evan Platt
    <> wrote:

    >On Mon, 07 May 2007 20:19:00 +0100, pete <> wrote:
    >
    >>Yes I know I have been trolled. I am quite used to it but not a poster
    >>who can use identical path to do it. That is the bit that is puzzling
    >>me as my wireless connection is secured.

    >
    >Path in a newsgroup header has nothing to do with your connection,
    >it's the news connection you use.
    >
    >If you and I connect to the same news server, we'll likely have the
    >same Path.


    My news reader only shows what I posted and it shows a header that is
    identical to mine. How was it done?
    pete
    www.suffolkrightsofway.co.uk
    www.ipswichwaterfrontaccess.co.uk
     
    pete, May 7, 2007
    #8
  9. pete

    pete Guest

    On Mon, 7 May 2007 12:46:37 -0700, "Mike Easter" <>
    wrote:
    >pete wrote:
    >> The first header is genuine. The second is not. How is this done?

    >
    >Both headers are 'genuine' in that the newsserver dutifully
    >recorded/stamped the information provided to it by the newsreader.
    >
    >You are apparently alleging that you posted the first and you did not
    >post the 2nd, and you are presuming that the 2nd post was made with some
    >other agent than Forte Agent and/or presumably made to individual by an
    >account which was not yours.
    >
    >With the headers, Individual can tell you whether or not the alleged
    >'bogus' message was posted with your individual.net account or not.
    >Whether or not they will give you the IP address accessing is debatable.
    >
    >If the perp has access to your individual.net user/pw, then it is
    >possible that all kinds of other confidential information of yours may
    >have been cracked, and the security of your identity is a mess.
    >
    >> How is this done and what can I do about it?

    >
    >It depends on whether or not the perp accessed with your individual.net
    >news account or not. If he accessed with his own the picture is
    >different than if he accessed with yours.


    I have no idea how it was done. I don't care that much either except
    that I now have to change my posting routine. I am just curious about
    how it was done.
    pete
    www.suffolkrightsofway.co.uk
    www.ipswichwaterfrontaccess.co.uk
     
    pete, May 7, 2007
    #9
  10. pete

    Mike Easter Guest

    pete wrote:

    > I am just curious about
    > how it was done.


    Individual is a very popular newsserver; lots of people have accounts.
    Forte Agent is a very popular newsagent, lots of people use it. Given
    the popularity of both, if the perp has both an individual account and
    forte agent, then all that needs to be forged is the From. Elementary.

    Many newsagents allow the X-Newsreader: and other Xlines to be
    configured at will if the perp wanted to do it with some agent other
    than Forte's. In this case, if there were any forging of Xlines, the
    perp chose to not forge your silly outbound Avast headerline.

    --
    Mike Easter
     
    Mike Easter, May 7, 2007
    #10
  11. pete

    Mr. Arnold Guest

    "pete" <> wrote in message
    news:...
    > On Mon, 07 May 2007 12:25:44 -0700, Evan Platt
    > <> wrote:
    >
    >>On Mon, 07 May 2007 20:19:00 +0100, pete <> wrote:
    >>
    >>>Yes I know I have been trolled. I am quite used to it but not a poster
    >>>who can use identical path to do it. That is the bit that is puzzling
    >>>me as my wireless connection is secured.

    >>
    >>Path in a newsgroup header has nothing to do with your connection,
    >>it's the news connection you use.
    >>
    >>If you and I connect to the same news server, we'll likely have the
    >>same Path.

    >
    > My news reader only shows what I posted and it shows a header that is
    > identical to mine. How was it done?


    A troll wrote a NG program that will capture posting headers and duplicate
    them and change them, allowing them to be posted back to a NG or NG(s) as
    your posting headers.

    Thus, the impersonation of you is being applied, as explained in the link
    that was provided to you.
     
    Mr. Arnold, May 7, 2007
    #11
  12. pete

    Evan Platt Guest

    On Mon, 07 May 2007 21:09:37 +0100, pete <> wrote:

    >My news reader only shows what I posted and it shows a header that is
    >identical to mine. How was it done?


    What do you mean by identical?

    Ok, the Path is identical.

    Aside from that:

    Yours:
    Content-Type: text/plain; charset=ISO-8859-1
    Content-Transfer-Encoding: 8bit

    Theirs:
    Content-Type: text/plain; charset=us-ascii
    Content-Transfer-Encoding: 7bit

    Yours:
    X-Newsreader: Forte Agent 4.2/32.1118
    X-Antivirus: avast! (VPS 000738-3, 05/05/2007), Outbound message
    X-Antivirus-Status: Clean

    Theirs:
    X-Newsreader: Forte Agent 4.2/32.1118

    Basically they use the same usenet provider you use, so their path is
    the same.

    And forging the From data is trivial.
    --
    To reply via e-mail, remove The Obvious from my e-mail address.
     
    Evan Platt, May 7, 2007
    #12
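The side-by-side check from post #12, as an added example that is not part of the original thread: it unfolds the two header blocks pasted in post #1, sets aside the lines that change with every article, and reports which client-supplied lines differ. The function names and the `PER_ARTICLE` / `SERVER_SIDE` groupings are assumptions made for this example.

```python
import re

# Header excerpts copied from the first post in this thread, wrapped as posted.
GENUINE = """\
Path:
g2news1.google.com!news4.google.com!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
Date: Sun, 06 May 2007 00:57:03 +0100
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-Trace: individual.net
SEFdJvlPknGgMJA8xKVsHgfVwCZ81S5IWY9POGkq953Wikmxwq
X-Newsreader: Forte Agent 4.2/32.1118
X-Antivirus: avast! (VPS 000738-3, 05/05/2007), Outbound message
X-Antivirus-Status: Clean
"""
DISPUTED = """\
Path:
g2news1.google.com!news4.google.com!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
Date: Mon, 07 May 2007 09:22:12 +0100
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Trace: individual.net
wdESTxy4KsPbGVHiX+d5MgtWynYhL3nUrKd98vbyrB0dd6rXfk
X-Newsreader: Forte Agent 4.2/32.1118
"""

HEADER_START = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):\s*(.*)$")
# Assumed grouping: per-article values, and lines tied to the server, not the poster.
PER_ARTICLE = {"from", "subject", "date", "lines", "message-id", "references", "newsgroups"}
SERVER_SIDE = {"path", "x-trace"}

def parse_headers(text):
    """Unfold a pasted block; a line with no 'Name:' prefix continues the previous header."""
    headers, last = {}, None
    for line in text.splitlines():
        m = HEADER_START.match(line.strip())
        if m:
            last = m.group(1).lower()
            headers[last] = m.group(2)
        elif last and line.strip():
            headers[last] = (headers[last] + " " + line.strip()).strip()
    return headers

def compare(genuine, disputed):
    """Return (same_server, {header: (genuine_value, disputed_value)})."""
    a, b = parse_headers(genuine), parse_headers(disputed)
    # Equal Path and X-Trace site only show both articles entered via one server.
    same_server = (a.get("path") == b.get("path")
                   and a.get("x-trace", "").split()[:1] == b.get("x-trace", "").split()[:1])
    names = sorted((set(a) | set(b)) - PER_ARTICLE - SERVER_SIDE)
    client_diffs = {n: (a.get(n), b.get(n)) for n in names if a.get(n) != b.get(n)}
    return same_server, client_diffs

if __name__ == "__main__":
    same_server, diffs = compare(GENUINE, DISPUTED)
    print("same injecting server:", same_server)
    print("\n".join(f"{n}: genuine={g!r} disputed={d!r}" for n, (g, d) in diffs.items()))
```

A value of `None` on the disputed side marks a line the other client never sent. Differences like these are a hint that different software or settings produced the article, not proof of who posted it.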
  13. pete

    pete Guest

    On Mon, 7 May 2007 17:29:44 +0100, Whiskers <>
    wrote:

    >On 2007-05-07, pete <> wrote:
    >> The first header is genuine. The second is not. How is this done?

    >
    >[...]
    >
    >> How is this done and what can I do about it?
    >> pete

    >
    >Both were posted to the Individual.net news-server. Contact them with
    >evidence of articles posted to that server in your name but not by you,
    >and ask them if they were posted using your username and login. If not,
    >then someone is in breach of their terms of service ("Policy") - see also
    ><http://news.individual.net/faq.php#5.5> for 'abuse reports'.
    >
    >If someone has obtained access to your Individual.net username and
    >password information without your knowledge or permission, then that's
    >your problem.


    Indeed but I am pretty sure my details are safe. Somebody has gone to
    an awful lot of trouble to make a post seem to be by me.
    pete
    www.suffolkrightsofway.co.uk
    www.ipswichwaterfrontaccess.co.uk
     
    pete, May 7, 2007
    #13
  14. pete

    pete Guest

    On Mon, 7 May 2007 13:36:03 -0700, "Mike Easter" <>
    wrote:

    >pete wrote:
    >
    >> I am just curious about
    >> how it was done.

    >
    >Individual is a very popular newsserver; lots of people have accounts.
    >Forte Agent is a very popular newsagent, lots of people use it. Given
    >the popularity of both, if the perp has both an individual account and
    >forte agent, then all that needs to be forged is the From. Elementary.
    >
    >Many newsagents allow the X-Newsreader: and other Xlines to be
    >configured at will if the perp wanted to do it with some agent other
    >than Forte's. In this case, if there were any forging of Xlines, the
    >perp chose to not forge your silly outbound Avast headerline.


    I see thanks. Surely somebody has to be pretty stupid to use their own
    Individual News account? I can only assume that is what has happened
    though. Thank you.
    pete
    www.suffolkrightsofway.co.uk
    www.ipswichwaterfrontaccess.co.uk
     
    pete, May 8, 2007
    #14
  15. pete

    pete Guest

    On Mon, 07 May 2007 20:46:16 GMT, "Mr. Arnold" <MR. >
    wrote:

    >
    >"pete" <> wrote in message
    >news:...
    >> On Mon, 07 May 2007 12:25:44 -0700, Evan Platt
    >> <> wrote:
    >>
    >>>On Mon, 07 May 2007 20:19:00 +0100, pete <> wrote:
    >>>
    >>>>Yes I know I have been trolled. I am quite used to it but not a poster
    >>>>who can use identical path to do it. That is the bit that is puzzling
    >>>>me as my wireless connection is secured.
    >>>
    >>>Path in a newsgroup header has nothing to do with your connection,
    >>>it's the news connection you use.
    >>>
    >>>If you and I connect to the same news server, we'll likely have the
    >>>same Path.

    >>
    >> My news reader only shows what I posted and it shows a header that is
    >> identical to mine. How was it done?

    >
    >A troll wrote a NG program that will capture posting headers and duplicate
    >them and change them, allowing them to be posted back to a NG or NG(s) as
    >your posting headers.
    >
    >Thus, the impersonation of you is being applied, as explained in the link
    >that was provided to you.


    Yes I understood that from the link you posted. I was wondering if an
    IP addy is in there somewhere where I didn't recognise it as such.
    pete
    www.suffolkrightsofway.co.uk
    www.ipswichwaterfrontaccess.co.uk
     
    pete, May 8, 2007
    #15
  16. pete

    pete Guest

    On Mon, 07 May 2007 13:53:48 -0700, Evan Platt
    <> wrote:

    >On Mon, 07 May 2007 21:09:37 +0100, pete <> wrote:
    >
    >>My news reader only shows what I posted and it shows a header that is
    >>identical to mine. How was it done?

    >
    >What do you mean by identical?
    >
    >Ok, the Path is identical.
    >
    >Aside from that:
    >
    >Yours:
    >Content-Type: text/plain; charset=ISO-8859-1
    >Content-Transfer-Encoding: 8bit
    >
    >Theirs:
    >Content-Type: text/plain; charset=us-ascii
    >Content-Transfer-Encoding: 7bit
    >
    >Yours:
    >X-Newsreader: Forte Agent 4.2/32.1118
    >X-Antivirus: avast! (VPS 000738-3, 05/05/2007), Outbound message
    >X-Antivirus-Status: Clean
    >
    >Theirs:
    >X-Newsreader: Forte Agent 4.2/32.1118
    >
    >Basically they use the same usenet provider you use, so their path is
    >the same.
    >
    >And forging the From data is trivial.


    I hadn't noticed the different part of the header you picked up. I had
    thought the posts were identical. Thanks.
    pete
    www.suffolkrightsofway.co.uk
    www.ipswichwaterfrontaccess.co.uk
     
    pete, May 8, 2007
    #16
  17. pete

    Bert Hyman Guest

    In news: pete
    <> wrote:

    >I was wondering if an IP addy is in there somewhere where I didn't
    >recognise it as such.


    The line

    X-Trace: individual.net Ud56VlnbKmEiZls1p1gcZwoEihBDGTpmgs0u5oSaMik/CKtpAc

    either encodes that information directly, or would give the
    individual.net admins enough info to identify the real poster,
    if they were sufficiently motivated.

    --
    Bert Hyman St. Paul, MN
     
    Bert Hyman, May 8, 2007
    #17
  18. pete

    pete Guest

    On 07 May 2007 23:14:24 GMT, Bert Hyman <> wrote:

    >In news: pete
    ><> wrote:
    >
    >>I was wondering if an IP addy is in there somewhere where I didn't
    >>recognise it as such.

    >
    >The line
    >
    >X-Trace: individual.net Ud56VlnbKmEiZls1p1gcZwoEihBDGTpmgs0u5oSaMik/CKtpAc
    >
    >either encodes that information directly, or would give the
    >individual.net admins enough info to identify the real poster,
    >if they were sufficiently motivated.


    I suppose they get plenty of similar cases and think it is all part
    and parcel of Usenet. I wondered if there was any way Individual would
    know it wasn't me.
    pete
    www.suffolkrightsofway.co.uk
    www.ipswichwaterfrontaccess.co.uk
     
    pete, May 8, 2007
    #18