Poster ID in Usenet posts?

Discussion in 'NZ Computing' started by Sue Bilstein, Feb 15, 2004.

  1. Sue Bilstein

    Sue Bilstein Guest

    In one of the periodic "Is Mr X the same as Mr Y" debates, I recollect
    someone remarking that there is a way to tell for sure whether two posts
    were done by the same person. Unfortunately I can't find this remembered
    post when I google for it.

    I'm still puzzling over how this could be done. For a post done via an ISP,
    you can usually see the type of newsreader used, the ISP and the posting
    host.

    Is there in fact anything there that would always be the same in two posts
    done from the same account? I read that Message-ID contains posting date
    and time - would it also contain account name, if you know how to crack it?
     
    Sue Bilstein, Feb 15, 2004
    #1
    1. Advertising

  2. Sue Bilstein wrote:
    > Is there in fact anything there that would always be the same in two posts
    > done from the same account? I read that Message-ID contains posting date
    > and time - would it also contain account name, if you know how to crack it?


    I would doubt that it would contain this info... infact, with usenet
    there is almost always no kind of auth info sent, so it can only be tied
    back to one particular ISP/IP/Group of IP's. This is also not entirely
    accurate, as it would appear that I'm posting from an Xtra account(Im
    using news.xtra.co.nz) but infact I'm simply using that news server
    because it allows it from my current IP.

    If it is woger... he's on a static, so, yeah, easy to find him.

    --
    Http://www.Dave.net.nz
    Play Hangman
    Register, and play Space Invaders or Pacman.
     
    T.N.O. - Dave.net.nz, Feb 15, 2004
    #2
    1. Advertising

  3. Sue Bilstein

    Jason M Guest

    On Sun, 15 Feb 2004 21:01:38 +1300, "Sue Bilstein"
    <> wrote:

    >In one of the periodic "Is Mr X the same as Mr Y" debates, I recollect
    >someone remarking that there is a way to tell for sure whether two posts
    >were done by the same person. Unfortunately I can't find this remembered
    >post when I google for it.
    >
    >I'm still puzzling over how this could be done. For a post done via an ISP,
    >you can usually see the type of newsreader used, the ISP and the posting
    >host.
    >
    >Is there in fact anything there that would always be the same in two posts
    >done from the same account? I read that Message-ID contains posting date
    >and time - would it also contain account name, if you know how to crack it?


    Yes there is something in the headers that shows whether the same
    computer has been used, even though the IP number and/or newsreader is
    different.
    But I'd rather not explain that in a public forum and give the
    sockpuppets other ways to hide.

    nz.general cut
     
    Jason M, Feb 15, 2004
    #3
  4. On Sun, 15 Feb 2004 21:20:31 +1300, T.N.O. - Dave.net.nz wrote:

    > If it is woger... he's on a static, so, yeah, easy to find him.


    He also creates untold amounts of it. He should be enclosed in a Faraday
    shield.
    --

    Nicolaas.



    - Children have greater need of models than of critics.
     
    Nicolaas Hawkins, Feb 15, 2004
    #4
  5. Sue Bilstein

    Roger_Nickel Guest

    Sue Bilstein wrote:
    > Is there in fact anything there that would always be the same in two posts
    > done from the same account? I read that Message-ID contains posting date
    > and time - would it also contain account name, if you know how to crack it?
    >
    >

    the numeric part of the ID is from a random number generator seeded by
    the timestamp (maybe also the account number or assigned IP address,
    depending on the ISP). This is a one way hash function and going back
    the other way is not feasible. The only requirement is that the number
    be unique. If the ISP wanted to find out who posted, they would just
    check their internal log files. The "NNTP Posting Host" header gives an
    IP address as does the "Trace" header.This could be a clue if the poster
    is dumb enough to switch identities without starting a new session .
     
    Roger_Nickel, Feb 15, 2004
    #5
  6. Jason M wrote:
    > Yes there is something in the headers that shows whether the same
    > computer has been used, even though the IP number and/or newsreader is
    > different.
    > But I'd rather not explain that in a public forum and give the
    > sockpuppets other ways to hide.


    Can you email me the details, I'm very interested in this sort of thing.


    --
    Http://www.Dave.net.nz
    Play Hangman
    Register, and play Space Invaders or Pacman.
     
    T.N.O. - Dave.net.nz, Feb 15, 2004
    #6
  7. Roger_Nickel wrote:
    > This could be a clue if the poster
    > is dumb enough to switch identities without starting a new session .


    Or unable to change their posting host... much like myself.

    --
    Http://www.Dave.net.nz
    Play Hangman
    Register, and play Space Invaders or Pacman.
     
    T.N.O. - Dave.net.nz, Feb 15, 2004
    #7
  8. Sue Bilstein

    Mainlander Guest

    In article <>,
    says...
    > On Sun, 15 Feb 2004 21:01:38 +1300, "Sue Bilstein"
    > <> wrote:
    >
    > >In one of the periodic "Is Mr X the same as Mr Y" debates, I recollect
    > >someone remarking that there is a way to tell for sure whether two posts
    > >were done by the same person. Unfortunately I can't find this remembered
    > >post when I google for it.
    > >
    > >I'm still puzzling over how this could be done. For a post done via an ISP,
    > >you can usually see the type of newsreader used, the ISP and the posting
    > >host.
    > >
    > >Is there in fact anything there that would always be the same in two posts
    > >done from the same account? I read that Message-ID contains posting date
    > >and time - would it also contain account name, if you know how to crack it?

    >
    > Yes there is something in the headers that shows whether the same
    > computer has been used, even though the IP number and/or newsreader is
    > different.
    >
    > But I'd rather not explain that in a public forum and give the
    > sockpuppets other ways to hide.


    The only means of tracing with any certainty is IP address and timestamp
    combined. If someone is on dialup they will get a random IP address each
    time they connect. If you then find that IP address being used by someone
    who is using the same software with different identities to post messages
    close together then it's a pretty sure thing. That in a nutshell is how
    such identification has been done in the past and there is no real way
    otherwise of identifying someone except by their posting style. The
    message ID does not usually contain a username. Some ISPs do post a
    username in their headers but since it can be anything it's not really
    sufficient.

    --
    Full featured open source Win32 newsreader - Gravity 2.70
    http://sourceforge.net/projects/mpgravity/
     
    Mainlander, Feb 15, 2004
    #8
  9. Sue Bilstein

    steve Guest

    Sue Bilstein wrote:

    >
    > Is there in fact anything there that would always be the same in two posts
    > done from the same account?  I read that Message-ID contains posting date
    > and time - would it also contain account name, if you know how to crack
    > it?


    No....

    If I dial up to IHUG and post using Knode on Linux......

    Then I dial up to Actrix and post using Agent on Windows.....

    There is NO WAY you can tell it was the same person unless I make that clear
    in my posts.

    For people using cable modems it's a wee bit easier....as their posts will
    always contain the same IP address.

    ADSL users may also have the same IP address for days at time....though the
    provider rolls them over to make it difficult for users to operate servers.
    (though why they would want to do that when users by for data anyway is
    beyond me).
     
    steve, Feb 15, 2004
    #9
  10. Sue Bilstein

    Frank Osborn Guest

    On Sun, 15 Feb 2004 23:18:01 +1300, Mainlander <*@*.*> wrote:

    >In article <>,
    > says...
    >> On Sun, 15 Feb 2004 21:01:38 +1300, "Sue Bilstein"
    >> <> wrote:
    >>
    >> >In one of the periodic "Is Mr X the same as Mr Y" debates, I recollect
    >> >someone remarking that there is a way to tell for sure whether two posts
    >> >were done by the same person. Unfortunately I can't find this remembered
    >> >post when I google for it.
    >> >
    >> >I'm still puzzling over how this could be done. For a post done via an ISP,
    >> >you can usually see the type of newsreader used, the ISP and the posting
    >> >host.
    >> >
    >> >Is there in fact anything there that would always be the same in two posts
    >> >done from the same account? I read that Message-ID contains posting date
    >> >and time - would it also contain account name, if you know how to crack it?

    >>
    >> Yes there is something in the headers that shows whether the same
    >> computer has been used, even though the IP number and/or newsreader is
    >> different.
    >>
    >> But I'd rather not explain that in a public forum and give the
    >> sockpuppets other ways to hide.

    >
    >The only means of tracing with any certainty is IP address and timestamp
    >combined. If someone is on dialup they will get a random IP address each
    >time they connect. If you then find that IP address being used by someone
    >who is using the same software with different identities to post messages
    >close together then it's a pretty sure thing. That in a nutshell is how
    >such identification has been done in the past and there is no real way
    >otherwise of identifying someone except by their posting style. The
    >message ID does not usually contain a username. Some ISPs do post a
    >username in their headers but since it can be anything it's not really
    >sufficient.




    And Some News Servers do not use IP numbers or ISP's.plus the users name is
    put in by the user..

    From memory Ihug does not post IP Numbers, in fact all security sites state
    that Fixed IP's should never be posted or seen..

    Seems that a few ISP's don't understand the security of that..
     
    Frank Osborn, Feb 15, 2004
    #10
  11. Sue Bilstein

    Warwick Guest

    On Sun, 15 Feb 2004 23:18:01 +1300, Mainlander wrote:

    > Path: news.xtra.co.nz!newsfeed01.tsnz.net!news02.tsnz.net!not-for-mail
    > From: Mainlander <*@*.*>
    > Newsgroups: nz.comp
    > Subject: Re: Poster ID in Usenet posts?
    > Message-ID: <>
    > References: <> <>
    > MIME-Version: 1.0
    > Content-Type: text/plain; charset="iso-8859-15"
    > Content-Transfer-Encoding: 7bit
    > User-Agent: MicroPlanet-Gravity/2.70.2061
    > Lines: 39
    > Date: Sun, 15 Feb 2004 23:18:01 +1300
    > NNTP-Posting-Host: 210.246.24.214
    > X-Complaints-To:
    > X-Trace: news02.tsnz.net 1076840128 210.246.24.214 (Sun, 15 Feb 2004 23:15:28 NZDT)
    > NNTP-Posting-Date: Sun, 15 Feb 2004 23:15:28 NZDT
    > Organization: TelstraClear
    > Xref: news.xtra.co.nz nz.comp:223268
    >
    > In article <>,
    > says...
    >> On Sun, 15 Feb 2004 21:01:38 +1300, "Sue Bilstein"
    >> <> wrote:
    >>
    >>>In one of the periodic "Is Mr X the same as Mr Y" debates, I recollect
    >>>someone remarking that there is a way to tell for sure whether two posts
    >>>were done by the same person. Unfortunately I can't find this remembered
    >>>post when I google for it.
    >>>
    >>>I'm still puzzling over how this could be done. For a post done via an ISP,
    >>>you can usually see the type of newsreader used, the ISP and the posting
    >>>host.
    >>>
    >>>Is there in fact anything there that would always be the same in two posts
    >>>done from the same account? I read that Message-ID contains posting date
    >>>and time - would it also contain account name, if you know how to crack it?

    >>
    >> Yes there is something in the headers that shows whether the same
    >> computer has been used, even though the IP number and/or newsreader is
    >> different.
    >>
    >> But I'd rather not explain that in a public forum and give the
    >> sockpuppets other ways to hide.

    >
    > The only means of tracing with any certainty is IP address and timestamp
    > combined. If someone is on dialup they will get a random IP address each
    > time they connect. If you then find that IP address being used by someone
    > who is using the same software with different identities to post messages
    > close together then it's a pretty sure thing. That in a nutshell is how
    > such identification has been done in the past and there is no real way
    > otherwise of identifying someone except by their posting style. The
    > message ID does not usually contain a username. Some ISPs do post a
    > username in their headers but since it can be anything it's not really
    > sufficient.


    Which header field might contain the users IP addy?

    thanks
    Warwick
     
    Warwick, Feb 15, 2004
    #11
  12. Sue Bilstein

    Warwick Guest

    On Sun, 15 Feb 2004 21:01:38 +1300, Sue Bilstein wrote:

    > From: "Sue Bilstein" <>
    > Newsgroups: nz.general,nz.comp
    > Subject: Poster ID in Usenet posts?
    > Date: Sun, 15 Feb 2004 21:01:38 +1300
    > Lines: 14
    > X-Priority: 3
    > X-MSMail-Priority: Normal
    > X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
    > X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
    > NNTP-Posting-Host: 218-101-74-107.dialup.clear.net.nz
    > X-Original-NNTP-Posting-Host: 218-101-74-107.dialup.clear.net.nz
    > Message-ID: <>
    > X-Trace: 15 Feb 2004 21:02:36 +1300, 218-101-74-107.dialup.clear.net.nz
    > Organization: CLEAR Net New Zealand http://www.clear.net.nz - Complaints
    > Path: news.xtra.co.nz!newsfeeds.ihug.co.nz!ihug.co.nz!203.97.37.7!news.clear.net.nz
    > Xref: news.xtra.co.nz nz.general:441988 nz.comp:223248
    >
    > In one of the periodic "Is Mr X the same as Mr Y" debates, I recollect
    > someone remarking that there is a way to tell for sure whether two posts
    > were done by the same person. Unfortunately I can't find this remembered
    > post when I google for it.
    >
    > I'm still puzzling over how this could be done. For a post done via an ISP,
    > you can usually see the type of newsreader used, the ISP and the posting
    > host.
    >
    > Is there in fact anything there that would always be the same in two posts
    > done from the same account? I read that Message-ID contains posting date
    > and time - would it also contain account name, if you know how to crack it?


    Even if such a Header field existed (and I am not sure it does) it would
    not be hard to spoof it, the internet being set up for anonymous access as
    it is.
    So you might catch someone out with a header comparison, but it would take
    a trivial level of determination for a user to post as different authors if
    they wished to, and not be caught out.



    mho
    Warwick
     
    Warwick, Feb 15, 2004
    #12
  13. Sue Bilstein

    EMB Guest

    "Warwick" <> wrote in message
    news:1nrsdlnxdubq5.11rxnm1l1flxw$...
    > > NNTP-Posting-Host: 210.246.24.214

    >
    > Which header field might contain the users IP addy?
    >
    > thanks
    > Warwick


    > > NNTP-Posting-Host: 210.246.24.214
     
    EMB, Feb 15, 2004
    #13
  14. Sue Bilstein

    Howard Guest

    On Mon, 16 Feb 2004 00:48:00 +1300, Warwick wrote:

    > Date: Mon, 16 Feb 2004 00:48:00 +1300
    > From: Warwick <>
    > Lines: 61
    > Message-ID: <1nrsdlnxdubq5.11rxnm1l1flxw$>
    > NNTP-Posting-Date: Mon, 16 Feb 2004 00:47:59 NZDT
    > NNTP-Posting-Host: 219.88.117.164 <<<<<<<<<<<<<<<<<<<<<<<<
    > Newsgroups: nz.comp Organization: Xtra Path:
    > news.xtra.co.nz!53ab2750!not-for-mail References:
    > <> <>
    > <> Subject:
    > Re: Poster ID in Usenet posts? User-Agent:
    > 40tude_Dialog/2.0.9.1 X-Complaints-To:
    > X-Trace: news.xtra.co.nz 1076845679 219.88.117.164
    > (Mon, 16 Feb 2004 00:47:59 NZDT) Xref: news.xtra.co.nz nz.comp:223293
    > MIME-Version: 1.0 Content-Type: text/plain;
    > charset=us-ascii Content-Transfer-Encoding: 7bit


    In your post, it's the "NNTP-Posting-Host: 219.88.117.164" line.
     
    Howard, Feb 15, 2004
    #14
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Kompu Kid

    Free Agent usenet posts do not appear

    Kompu Kid, Dec 21, 2004, in forum: Computer Support
    Replies:
    2
    Views:
    604
    Star@*.*.invalid
    Dec 22, 2004
  2. Kompu Kid

    Free Agent usenet posts do not appear

    Kompu Kid, Dec 21, 2004, in forum: Computer Support
    Replies:
    1
    Views:
    495
    samuel
    Dec 21, 2004
  3. Jaroobish

    PING Usenet Stats Poster

    Jaroobish, Mar 7, 2005, in forum: Digital Photography
    Replies:
    4
    Views:
    368
    Sean Monaghan
    Mar 7, 2005
  4. Rebecca1984

    TONY the Usenet poster

    Rebecca1984, Apr 20, 2005, in forum: Digital Photography
    Replies:
    2
    Views:
    268
    Mark²
    Apr 22, 2005
  5. Baldoni
    Replies:
    1
    Views:
    484
    couple of minutes
    May 20, 2007
Loading...

Share This Page