These annoying recipes

The German news server is filtering them out. Checking on NTL's server though, ISWYM

Presumably it makes someone happy somewhere...

Lee

Answer courtesy of Jeff C on rec.autos.makers.honda:

HTH, Al

Late last night, yes, nothing much today.

They appear to be forged headers created by harvesting name details and injecting messages into appropriately open news servers.

Some ISPs do address range limitations to prevent their news servers being used by other than their customers, but there are enough open ones around and this is before getting into use of trojan plants on legitimate machines being used to relay posts to look legitimate.

Unfortunately, the Usenet environment doesn't have quite so much protection as email servers can have. Equally, this type of attack does not seem to be too prevalent (at least not in the newsgroups I read).

news servers run software to filter them out, but not most because, as you say, the attack is an uncommon one (except on news.admin.net-abuse.email).

Al

I noted that the plusnet server had killed them before I saw them, however there was an interesting side effect, in that the original "mice" thread headers were also removed from the server as well. I only noticed when I synched another copy of Mozilla on another PC that the whole thread had vanished, yet I can still access the original messages from my cached thread headers on this PC.

I just had a report from, I guess, the moderator of news.karlvalentin.de that some recipes had been posted appearing to come from my email address by the following route:

news.karlvalentin.de!news.qymp.de!news-out.nuthinbutnews.com!propagator2-sterling.newsfeeds.com!news-in.newsfeeds.com!newsfeed.icl.net!feed.news.tiscali.de!newsfeed01.sul.t-online.de!newsfeed00.sul.t-online.de!t-online.de!tiscali!newsfeed1.ip.tiscali.net!border2.nntp.ams.giganews.com!nntp.giganews.com!lightspeed.eweka.nl!newsfeed.multikabel.nl!feeder.news-service.com!psinet-eu-nl!my.address.left.out.just.in.case!IP address also left out.mismatch

I don't know if this means anything to anyone. I have the email ID but am unsure whether it is wise to post it, so haven't.

Someone targetted me once about ten years ago. Very irritating. Sys admin at the place I worked tried to trace it but I had left it too long because I was baffled.

Peter Scott

That's because the original messages have been superceded by the fake ones - Hipcrime NewsAgent allows the user to issue supercede or cancel messages by impersonating the original user.

I would write back to him, pointing out that it appears that your address has been spoofed and that there are a whole bunch of recipe posts in different groups appearing to come from legitimate sources. You might like also to draw his attention to your legitimate posts to this and other groups to establish that in probability, you are not a bad lad.

From:

IP address is the number assigned by your internet service provider (ISP) that identifies your computer as you surf the web. An IP address usually looks like this: 111.222.333.444. It may have less digits in each field.

If you want to know your computer's IP address IPChicken will tell you:

You can also find it by clicking start, run, typing cmd, (in Win XP), hit enter, then type in "ipconfig" without the quotes.

The important thing to know about your IP address is that it is recorded at every website you visit and is shown in the header of every email that you send. However your IP address cannot be traced to you as in individual. It can be looked up at

you type in the set of numbers it will show the netblock or range of numbers in which yours is located. It may list the name of your ISP. It might or might not give a clue to the area where you live.

The only way to prevent your IP address from being visible on the web is to use a proxy or service such as Anonymizer to mask your identify while you surf.

All of which kind of pre-supposes that the message was not relayed via a botnet, or used IP source address spoofing on a network that does not implement egress filtering (i.e most of them!)

Helpful advice- thanks

I have emailed already. Difficult to prove these things though. I could be a schizophrenic and have a straight and a strange side couldn't I? Does anyone know of a feasible way to track down the nutters who send these things? Could this be the subject of an RFC?

Peter Scott

Doen';t really matter that much, since at some level the nntp posting host is in the path, and you can generally work from there.

Ip source address spoofing is rather hard to use to implement a stream connection, as if you fake where you are coming from, the ack packets won;t get back to you.

Yoi may be ale to take over a nearby addres, but you can't fake one across teh other side of teh world.

Most boundary routers are VERY tight on stuff like that.

To an extent, assuming someone is not running their own NNTP host on a "owned" computer, or hiding behind a proxy on one etc.

This is true... it a more useful technique for DDoS attacks than for things like two way traffic (i.e. TCP connections).

They are getting better. They have always been pretty tight on preventing external IP address blocks get access to services provided for subscribers (although there are still some ISPs that don't care).

The reverse situation however is still much more patchy (i.e. preventing exit of packets apparently originated from an IP address range that really ought not to be in the network segment) since this is a technically much harder problem to solve as an afterthought (i.e. you need to have started with a well planned and segmented network in the first place, rather than having "grown" one organically as your demand increased.

(The thrust of my post was really to highlight that post containing a snippet of "Noddy learns IP", was (while interesting to some), pretty pointless as a practical solution to the problem).