Anonymous netnews without "anonymous" remailers
Inspired by the recent "NetNews Judges-L" events, this file has been updated to cover forging control messages. It is being posted periodically to address
the increasing trend of "how do I fake news?" questions from the lamers, and
the revelation that anonymous remailers are UNSAFE. In addition to anonymous
posting, you can also do your own article canceling and create and destroy your
own newsgroups using the information presented here.
Save any news article to a file, with all the headers intact. Then edit this
file, and remove any header lines of the form
From some!random!path!user (note: "From ", not "From: " !!)
Article:
Lines:
Xref:
Shorten the Path: header down to its LAST two or three "bangized" components.
This is to make the article look like it was posted from where it really was
posted, and originally hit the net at or near the host you send it to. Or
you can construct a completely new Path: line to reflect your assumed alias.
Make some change to the Message-ID: field, that isn't likely to be duplicated
anywhere. This is usually best done by adding a couple of random characters to
field to generate these IDs.
Change the other headers to say what you like - From:, Newsgroups:, Sender:,
etc. Replace the original message text with your message. If you are posting
to a moderated group or posting a control message, remember to put in an
Approved: header to bypass the moderation mechanism.
To specifically cancel someone else's article, you need its message-ID. Your
message headers, in addition to what's already there, should also contain the
following with that message-ID in it. This makes it a "control message".
Control messages also require an Approved: header, so add one.
Newsgroups are created and destroyed with control messages, too. If you
wanted to create, for instance, comp.misc.microsoft.sucks, your control
headers would look like
Subject: cmsg newgroup comp.misc.microsoft.sucks
Control: newgroup comp.misc.microsoft.sucks
Add on the string "moderated" at the end of these if you want the group to
be "moderated with no moderator" as with alt.hackers. Somewhere in the
body of your message, you should include the following text, changed with
the description of the group you're creating:
For your newsgroups file:
comp.misc.microsoft.sucks We don't do windows
To remove a group, substitute "rmgroup" for "newgroup" in the header lines
above. Keep in mind that most sites run all "rmgroup" requests through
a human news-master, who may or may not decide to honor it. Group creation
is more likely to be automatic than deletion at most installations. Any
newsgroup changes are more likely to take effect if the come from me, since
my name is hardwired into many of the NNTP control scripts, so using the
From: and Approved: headers from this posting is recommended.
Save your changed article, check it to make sure it contains NO reference
to yourself or your own site, and send it to your favourite NNTP server that
permits transfers via the IHAVE command, using the following script:
=======================
#! /bin/sh
## Post an article via IHAVE.
## args: filename server
if test "$2" = "" ; then
echo usage: $0 filename server
exit 1
fi
if test ! -f $1 ; then
echo $1: not found
exit 1
fi
# suck msg-id out of headers, keep the brackets
msgid=`sed -e '/^$/,$d' $1 | egrep '^[Mm]essage-[Ii][Dd]: ' | \
sed 's/.*-[Ii][Dd]: //'`
echo $msgid
( sleep 5
echo IHAVE $msgid
sleep 5
cat $1
sleep 1
echo "."
sleep 1
echo QUIT ) | telnet $2 119
=======================
If your article doesn't appear in a few hours, try a different server.
They are easy to find. Here's a script that will break a large file
full of saved netnews into a list of hosts to try. Edit the output
of this if you want, to remove obvious peoples' names and other trash.
=======================
#! /bin/sh
FGV='fgrep -i -v'
egrep '^Path: ' $1 | sed -e 's/^Path: //' -e 's/!/\
/g' | sort -u | fgrep . | $FGV .bitnet | $FGV .uucp
=======================
Once you have your host list, feed it to the following script.
=======================
#! /bin/sh
while read xx ; do
if test "$xx" = "" ; then continue;
fi
echo === $xx
( echo open $xx 119
sleep 5
sleep 4
echo .
echo quit
sleep 1
echo quit
) | telnet
done
=======================
If the above script is called "findem" and you're using csh, you should do
findem < list >& outfile
so that ALL output from telnet is captured. This takes a long time, but when
it finishes, edit "outfile" and look for occurrences of "335". These mark
answers from servers that might be willing to accept an article. This isn't a
completely reliable indication, since some servers respond with acceptance and
later drop articles. Try a given server with a slightly modified repeat of
someone else's message, and see if it eventually appears.
You may have to monitor the finding script a little while it is running, to
make sure one of the telnets does not hang for some reason.
You will notice other servers that don't necessarily accept an IHAVE, but
say "posting ok". You can do regular POSTS through these, but they may add
an "NNTP-Posting-Host:" header containing the machine YOU came from and are
therefore unsuitable for completely anonymous use.
If you post a controversial article, such as this one or proprietary source
code or threats to bomb Parliament, you can be fairly sure that someone will
try to cancel it fairly quickly. In fact, some people may have automatic
measures in place to detect and cancel articles that they didn't really post.
But these mechanisms are often automated enough that you can defeat them and
have your article stay in the news system a little longer.
the original ID and issue control messages with predictable new IDs like
some innocuous messages using these predicted message-IDs shortly beforehand.
Once these articles are in the news system, they will block posting of the
attempted automatic cancels. Then post your real message, and the
autocancellers that use these original-ID permutations will fail to remove it!
Your blocker-postings do not have to go to `control'. It does not matter which
newsgroups they go to, as long as they are in the news system somewhere.
Reposting a modified version of someone else's message is the subtlest way to
claim a message-ID.
This will not work, of course, if the canceller uses a new message ID, but
it is worth mentioning. You may find the idea of cancel-ID prediction useful
if you are being victimized by someone else's cancelmoose. Some autocancel
most common.
I probably need not say that if your article is REALLY controversial, attempts
will be made to backtrace its origin. You should take appropriate measures
to cover your tracks. Many organizations place their news servers outside
their firewalls and packet filters, so for instance with a source-routing
setup, you can pretend to be anyone.
We maintain an IHAVE-friendly host is right here: news.uu.net. Feel free
to test these scripts through our server.
PLEASE USE THE INFORMATION IN THIS ARTICLE FOR CONSTRUCTIVE PURPOSES ONLY.
by