Anonymous netnews without "anonymous" remailers
Inspired by the recent "NetNews Judges-L" events, this file has been updated to cover forging control messages. It is being posted periodically to address
the increasing trend of "how do I fake news?" questions from the lamers, and
the revelation that anonymous remailers are UNSAFE. In addition to anonymous
posting, you can also do your own article canceling and create and destroy your
own newsgroups using the information presented here.
Save any news article to a file. We'll call it "hak" in this example.
Edit "hak", and remove any header lines of the form
From some!random!path!user (note: "From ", not "From: " !!)
Shorten the Path: header down to its LAST two or three "bangized" components.
This is to make the article look like it was posted from where it really was
posted, and originally hit the net at or near the host you send it to. Or
you can construct a completely new Path: line to reflect your assumed alias.
Make some change to the Message-ID: field, that isn't likely to be duplicated
anywhere. This is usually best done by adding a couple of random characters to
field to generate these IDs.
Change the other headers to say what you like -- From:, Newsgroups:,
Sender:, etc. Replace the original message text with your message. If you are
posting to a moderated group or posting a control message, remember to put in
an Approved: header to bypass the moderation mechanism.
To specifically cancel someone else's article, you need its message-ID. Your
message headers, in addition to what's already there, should also contain the
following with that message-ID in it. This makes it a "control message".
NOTE: control messages generally require an Approved: header as well, so
you should add one.
Newsgroups are created and destroyed with control messages, too. If you
wanted to create, for instance, comp.misc.microsoft.sucks, your control
headers would look like
Subject: cmsg newgroup comp.misc.microsoft.sucks
Control: newgroup comp.misc.microsoft.sucks
Add on the string "moderated" at the end of these if you want the group to
be "moderated with no moderator" as with alt.hackers. Somewhere in the
body of your message, you should include the following text, changed with
the description of the group you're creating:
For your newsgroups file:
comp.misc.microsoft.sucks We don't do windows
To remove a group, substitute "rmgroup" for "newgroup" in the header lines
above. Keep in mind that most sites run all "rmgroup" requests through
a human news-master, who may or may not decide to honor it. Group creation
is more likely to be automatic than deletion at most installations. Any
newsgroup changes are more likely to take effect if the come from me, since
my name is hardwired into many of the NNTP control scripts, so using the
From: and Approved: headers from this posting is recommended.
Save your changed article, check it to make sure it contains NO reference
to yourself or your own site, and send it to your favourite NNTP server that
permits transfers via the IHAVE command, using the following script:
## Post an article via IHAVE.
## args: filename server
if test "$2" = "" ; then
echo usage: $0 filename server
if test ! -f $1 ; then
echo $1: not found
# suck msg-id out of headers, keep the brackets
msgid=`sed -e '/^$/,$d' $1 | egrep '^[Mm]essage-[Ii][Dd]: ' | \
sed 's/.*-[Ii][Dd]: //'`
( sleep 5
echo IHAVE $msgid
echo QUIT ) | telnet $2 119
If your article doesn't appear in a day or two, try a different server.
They are easy to find. Here's a script that will break a large file
full of saved netnews into a list of hosts to try. Edit the output
of this if you want, to remove obvious peoples' names and other trash.
FGV='fgrep -i -v'
egrep '^Path: ' $1 | sed -e 's/^Path: //' -e 's/!/\
/g' | sort -u | fgrep . | $FGV .bitnet | $FGV .uucp
Once you have your host list, feed it to the following script.
while read xx ; do
if test "$xx" = "" ; then continue;
echo === $xx
( echo open $xx 119
) | telnet
If the above script is called "findem" and you're using csh, you should do
findem < list >& outfile
so that ALL output from telnet is captured. This takes a long time, but when
it finishes, edit "outfile" and look for occurrences of "335". These mark
answers from servers that might be willing to accept an article. This isn't a
completely reliable indication, since some servers respond with acceptance and
later drop articles. Try a given server with a slightly modified repeat of
someone else's message, and see if it eventually appears.
Sometimes the telnets get into an odd state, and freeze, particularly when
a host is refusing NNTP connections. If you manually kill these hung telnet
processes but not the main script, the script will continue on. In other
words, you may have to monitor the finding script a little while it is
You will notice other servers that don't necessarily take an IHAVE, but
say "posting ok". You can probably do regular POSTS through these, but they
will add an "NNTP-Posting-Host: " header containing the machine YOU came from
and are therefore unsuitable for completely anonymous use.
We maintain an IHAVE-friendly host is right here -- news.uu.net. Feel free
to test these scripts through our server.
PLEASE USE THE INFORMATION IN THIS ARTICLE FOR CONSTRUCTIVE PURPOSES ONLY.