Cross posting to rec.music.makers.percussion and rec.audio.pro
The generic name of "Troll" is applied to anyone who posts abusive,
threatening or malicious content on a newsgroup. These people always
hide their identity behind false e-mail addresses, and in order to
further hide their identity, frequently create user accounts with news
service providers outside their own country. This gives the superficial
appearance that the posting originated from some other region of the world.
In order to complain about this type of behaviour it is necessary to look
at the "header" part of the news group posting. This text is normally
hidden from view, but can be displayed quite easily. If you are using
Thunderbird as your newsreader, select the posting and press Ctrl-U to
display the header.
Once the posting's header has been displayed, the next task is to
interpret the information it contains.
The following example is taken from a recent post to the
rec.music.makers.percussion newsgroup, but is representative of this
general category of abusive post.
Path: news.sap-ag.de!news2!news1.dtag.de!newsfeed00.sul.t-online.de!t-online.de!news.k-dsl.de!aioe.org!not-for-mail
From: "Drmmr"
Newsgroups: rec.music.makers.percussion
Subject: Failed attemtps
Date: Fri, 3 Oct 2008 00:18:54 -0700
Organization: Aioe.org NNTP Server
Lines: 26
Message-ID:
NNTP-Posting-Host: 0Tn5kKu+uggfa8P+Hq9fGg.user.aioe.org
X-Complaints-To:
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5579
X-RFC2646: Format=Flowed; Original
X-Newsreader: Microsoft Outlook Express 6.00.2900.5512
X-Priority: 3
X-MSMail-Priority: Normal
Schuh tried and failed to hack my system-yes indeed a backdoo trojan was
in...
Firstly, the actual text contained within this posting is written in
what's called "plain text". In other words, it does not contain any
formatting instructions to control the appearance or layout of the
text. Most newsgroups accept only plain text postings.
Secondly, the first dozen or so lines of the post are known as the header.
Each header line starts with a key word followed by a colon, e.g.
"Subject:" or "Message-ID:"
Thirdly, the e-mail address shown in the "From:" header line will almost
always be fake - don't bother trying to send anything to that address!
Fourthly, the actual posting (containing the abusive content) is the
block of text found after the last header entry (Xref: in this case). In
this case, all but the first line of the message content has been snipped.
The "Path:" keyword is usually the first line of the header and contains
a list of news server names separated by exclamation marks. This shows
the route that this posting took as it was replicated from one news
server to another across the internet. The first server in the list is
your news server that you connect to in order to read that particular
newsgroup. Then you get a chain of news servers going all the way back
to the server used by the troll to create their post. You may often see
"!Not for mail" at the end of this server list. This just means that
the news group posting will not be replicated to an e-mail server.
Now that you know the identity of the server from which the troll posted
their message, you can go to one of the domain name registrars to
identify who owns this domain name and where they are located in the
world. This will probably not help you identify the physical location
of the troll, but it does identify the service provider they are using.
In the above case, the troll has used the news server belonging to
aioe.org - a free news service running in Italy.
If you copy this name into the "Who Is" lookup server provided by
Internic (or whoever is responsible for the top level domain), you will
see who registered that domain name, when they registered it and where
they are located in the world. A "Who Is" service can be found here
http://internic.net/whois.html
The header also contains a line that starts with "X-Complaints-to:"
followed by an email address - in this case
. Send an
email to this address and the service provider should then investigate
the complaint and hopefully terminate the troll's account. This of
course will not stop them setting up a new account, but it will disrupt
their behaviour for a while.
Chris W
--
The voice of ignorance speaks loud and long,
But the words of the wise are quiet and few.
---
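
The header reading described in the post above can be automated. The following is an added example, not part of the original post: it parses a raw article, splits the "Path:" line into its server hops and pulls out the "X-Complaints-To:" address. The sample article is constructed from the header quoted above, both e-mail addresses in it are placeholders, and the function name `summarize` is hypothetical.

```python
from email.parser import HeaderParser
from email.utils import parseaddr

# Constructed sample modelled on the header quoted in the post. Both
# e-mail addresses are placeholders: the post does not show the real ones.
SAMPLE = """\
Path: news.sap-ag.de!news2!news1.dtag.de!newsfeed00.sul.t-online.de!t-online.de!news.k-dsl.de!aioe.org!not-for-mail
From: "Drmmr" <nobody@invalid.example>
Newsgroups: rec.music.makers.percussion
Subject: Failed attemtps
Organization: Aioe.org NNTP Server
NNTP-Posting-Host: 0Tn5kKu+uggfa8P+Hq9fGg.user.aioe.org
X-Complaints-To: abuse@news-provider.example

(body snipped)
"""

PLACEHOLDER_TAILS = {"not-for-mail"}  # assumption: only this marker is handled


def summarize(raw_article):
    """Extract what a complaint needs from a raw news article."""
    headers = HeaderParser().parsestr(raw_article)
    # A long Path may be folded across lines; remove the embedded whitespace.
    path = "".join((headers.get("Path") or "").split())
    hops = [hop for hop in path.split("!") if hop]
    # The final entry is often a marker rather than a server name.
    if hops and hops[-1].lower() in PLACEHOLDER_TAILS:
        hops.pop()
    return {
        "hops": hops,
        "reader_server": hops[0] if hops else None,   # where you read it
        "origin_server": hops[-1] if hops else None,  # where it was posted
        "complaints_to": parseaddr(headers.get("X-Complaints-To") or "")[1] or None,
        "claimed_from": headers.get("From"),  # shown for reference only
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

The `origin_server` value is the name to give to a "Who Is" lookup, and `complaints_to` is where the complaint goes.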