[Eeyore]

Chris Whealy wrote:

Cross posting to rec.music.makers.percussion and rec.audio.pro

The generic name of "Troll" is applied to anyone who posts abusive,
threatening or malicious content on a newsgroup. These people always
hide their identity behind false e-mail addresses, and in order to
further hide their identity, frequently create user accounts with news
service providers outside their own country. This gives the superficial
appearance that the posting originated from some other region of the world.

In order to complain about this type behaviour it is necessary to look
at the "header" part of the news group posting. This text is normally
hidden from view, but can be displayed quite easily. If you are using
Thunderbird as your newsreader, select the posting and press Ctrl-U to
display the header.

A surprising number of people still use Netscape or the derivative SeaMonkey. To see the full headers select
View, Headers, All (rather than Normal) and it's easily reset.

Those using Outlook (Express) should find the info by highlighting the message and select 'Properties' from the
File menu. Then select the Details tab. It will give you the same info as Chris is describing.


Once the posting's header header has been displayed, the next task is to
interpret the information it contains.

The following example is taken from a recent post to the
rec.music.maker.percussion newsgroup, but is representative of this
general category of abusive post.

Path:
news.sap-ag.de!news2!news1.dtag.de!newsfeed00.sul.t-online.de!t-online.de!news.k-dsl.de!aioe.org!not-for-mail

From: "Drmmr"
Newsgroups: rec.music.makers.percussion
Subject: Failed attemtps
Date: Fri, 3 Oct 2008 00:18:54 -0700
Organization: Aioe.org NNTP Server
Lines: 26
Message-ID:
NNTP-Posting-Host: 0Tn5kKu+uggfa8P+Hq9fGg.user.aioe.org
X-Complaints-To:
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5579
X-RFC2646: Format=Flowed; Original
X-Newsreader: Microsoft Outlook Express 6.00.2900.5512
X-Priority: 3
X-MSMail-Priority: Normal
Xref: news.sap-ag.de rec.music.makers.percussion:409867

Schuh tried and failed to hack my system-yes indeed a backdoo trojan was
in...

Firstly, this actual text contained within this posting is written in
what's called "plain text". In other words, it does not contain any
formatting instructions to control the appearance or layout of the
text. Most newsgroup accept only plain text postings.

Secondly, the first dozen or lines of the post are known as the header.
Each header line starts with a key word followed by a colon. E.G.
"Subject:" or "Message-ID:"

Thirdly, the e-mail address shown in the "From:" header line will almost
always be fake - don't bother trying to send anything to that address!

Fourthly, the actual posting (containing the abusive content) is the
block of text found after the last header entry (Xref: in this case). In
this case, all but the first line of the message content has been snipped.

The "Path:" keyword is usually the first line of the header and contains
a list of news server names separated by exclamation marks. This shows
the route that this posting took as it was replicated from one news
server to another across the internet. The first server in the list is
your news server that you connect to in order to read that particular
newsgroup. Then you get a chain of news servers going all the way back
to the server used by the troll to create their post. You may often see
"!Not for mail" at the end of this server list. This just means that
the news group posting will not be replicated to an e-mail server.

Now that you know the identity of the server from which the troll posted
their message, you can go to one of the domain name registrars to
identify who owns this domain name and where they are located in the
world. This will probably not help you identify the physical location
of the troll, but it does identify the service provider they are using.
In the above case, the troll has used the news server belonging to
aioe.org - a free news service running in Italy.

If you copy this name into the "Who Is" lookup server provided by
Internic (or whoever is responsible for the top level domain) , you will
see who registered that domain name, when they registered it and where
they located in the world. A "Who Is" service can be found here
http://internic.net/whois.html

The header also contains a line that starts with "X-Complaints-to:"
followed by an email address - in this case . Send an
email to this address and the service provider should then investigate
the complaint and hopefully terminate the troll's account. This of
course will not stop then setting up a new account, but it will disrupt
their behaviour for a while.

I agree with most of the above but different news providers structure their headers quite differently sometimes.

1: NEVER complain to . They passed on my email address to the sender who the set me up
with loads of spam. Google are a bunch of ****s who support hate speech. You have to trace further back.

2: With luck you may find a line that says something like, say, X-originating address = 123.123.123.123. This is
likely to be valid but beware of duplicate entries used by headers forgers.

3: Note that some perfectly reasonable news providers (including my own) strip originating information. In this
case you can only complain directly to the news provider.

You can then as Chris says use a 'whois' service to find out who 123.123.123.123 is. If it's a 'one off' I
suggest using the following service free of charge and very reliable.
http://geektools.com/whois.php

They even provide an executable version of the program you can install on your own PC. Needless to say I have it
! It's small too so no worries there.

Here is the result for a whois on 123.123.123.123.


% [whois.apnic.net node-1]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
inetnum: 123.112.0.0 - 123.127.255.255
netname: CNCGROUP-BJ
descr: CNCGROUP Beijing province network
descr: China Network Communications Group Corporation
descr: No.156,Fu-Xing-Men-Nei Street,
descr: Beijing 100031
country: CN
admin-c: CH455-AP
tech-c: SY21-AP
mnt-by: APNIC-HM
mnt-lower: MAINT-CNCGROUP-BJ
mnt-routes: MAINT-CNCGROUP-RR
status: ALLOCATED PORTABLE
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks: This object can only be updated by APNIC hostmasters.
remarks: To update this object, please contact APNIC
remarks: hostmasters and include your organisation's account
remarks: name in the subject line.
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
changed: 20070129
source: APNIC
role: CNCGroup Hostmaster
e-mail:
address: No.156,Fu-Xing-Men-Nei Street,
address: Beijing,100031,P.R.China
nic-hdl: CH455-AP
phone: +86-10-82993155
fax-no: +86-10-82993102
country: CN
admin-c: CH444-AP
tech-c: CH444-AP
changed: 20041119
mnt-by: MAINT-CNCGROUP
source: APNIC
person: sun ying
address: fu xing men nei da jie 97, Xicheng District
address: Beijing 100800
country: CN
phone: +86-10-66030657
fax-no: +86-10-66078815
e-mail:
nic-hdl: SY21-AP
mnt-by: MAINT-CNCGROUP-BJ
changed: 19980824
changed: 20060717
source: APNIC


You can see that it gives an email address for abuse complaints, plus phone numbers and a geographical address.
All of these are useful

To make an abuse complaint, send an email to the abuse@ address, explaining the situation and the inconvenience
it's causing you. You must send at least one example of the offending poster's full headers too. Use Copy and
Paste into the mail.

It's useful to mention where appropriate that their user is breaking group charters (if relevant) and also ask
about the providers own AUP and TOS/T&C (details covered in my other post).

The abuse team will not be greatly interested in reams of the text message but it may pay to include enough to
show the nuisance factor.

HTH.

Graham

[Sean Conolly]

"Eeyore" wrote in message
...
You can then as Chris says use a 'whois' service to find out who
123.123.123.123 is. If it's a 'one off' I
suggest using the following service free of charge and very reliable.
http://geektools.com/whois.php

They even provide an executable version of the program you can install on
your own PC. Needless to say I have it
! It's small too so no worries there.

FWIW - 'whois' is a standard unix program available on Linux, and can also
be loaded on Windows as part of the Cygwin distribution.

Sean