OT - Reading Message Headers
- From: steveb <me@xxxxxxxxxxx>
- Date: Fri, 23 Sep 2005 08:12:05 -0500
There will be folk who wonder how locations can be traced, so this is
for them. There are also those who think certain types of post *can't*
be traced, so this is for them too .....
Message headers are there for all to see. In Agent, simply hit *h*; in
OE go to Properties, Message source; in Google, show the post in original
format. The headers vary, depending mainly on the server you post
from. All messages contain some of the same info, and most of it can
be, but rarely is, forged. Some lines cannot be forged, as they are
inserted *along the way*.
Below is a quote of the headers of a message posted by a troll. They
are headers which I was told couldn't be tracked .... well we will
see:
>Path: uni-berlin.de!fu-berlin.de!postnews.google.com!g47g2000cwa.googlegroups.com!not-for-mail
The *Path* line tells you the names of all the servers that handled
the message en route. It can be dozens. In this case, it isn't many.
What is important about the path is that the last server (the right-hand
end) is the name of the server the troll is connected to. If they
are posting from their own ISP, you got 'em. The path line is very
difficult (but not impossible) to forge, as it builds after the
message leaves the sender. It can get fucked up by proxies, though. In
this case, it doesn't help much, as it's Google Groups. By the way,
the left-hand end is your own server ... in this case, it's mine,
Berlin Uni.
>From: kathy_andor_ken@xxxxxxxxx
This is meaningless. You, the sender, can put anything in here. Some
servers demand a *From* line, others don't.
>Newsgroups: alt.support.stop-smoking
This line tells you the name of the group posted to. Often a whole
list of groups when a message is cross-posted.
>Subject: Re: Ken and Kathy are not new....they failed here before!
This line helps your newsreader thread the message. It can be changed
at will, so it's not to be relied on.
>Date: 22 Sep 2005 15:34:42 -0700
Google Groups inserted this line. It indicates US West Coast. It's not
where the sender is, it's where the Google server lives.
>Organization: http://groups.google.com
Hosting organisation .... easily altered if ya know how.
>Lines: 24
Number of lines in the message.
>Message-ID: <1127428482.136379.150220@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
This line cannot, under normal circumstances, be forged. It is used by
every server carrying the group, for identifying the message. It is
used by your news reader for threading. Google, by the way, can
identify the individual account from this id ... won't help them much,
as Google Groups allows anonymous accounts.
>References: <1126465361.579809.31440@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
> <8dhoi1dk8cgcttbao3i5uba99tju870q18@xxxxxxx>
> <1127338086.000642.207010@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
> <lbp3j1l4f2dlnf9ddvbsmdr17vb4bb7g4s@xxxxxxx>
> <56oYe.1329$eH2.877@xxxxxxxx>
> <Fpidna5YTJYGwK_eRVn-jg@xxxxxxxxxxx>
> <b095j1pa7nbe7d4t5ic2n9upldns4vgf05@xxxxxxx>
> <KNednZnoH4YzJa_eRVn-vg@xxxxxxxxxxx>
The above lines reference the message ids of the previous posts in the
thread.
>NNTP-Posting-Host: 152.31.32.65
This is the zinger (listen up robbb). Google Groups inserts this line
into most messages (if not all). It is the IP of the machine that
posted the message. It cannot be forged, but it can be disguised by
using a proxy server.
>Mime-Version: 1.0
Protocol used to send the message.
>Content-Type: text/plain; charset="iso-8859-1"
Encoding of the text.
>X-Trace: posting.google.com 1127428487 29548 127.0.0.1 (22 Sep 2005 22:34:47 GMT)
>X-Complaints-To: groups-abuse@xxxxxxxxxx
Where to complain to. It might not make much difference.
>NNTP-Posting-Date: Thu, 22 Sep 2005 22:34:47 +0000 (UTC)
>In-Reply-To: <KNednZnoH4YzJa_eRVn-vg@xxxxxxxxxxx>
The id of the message the troll was replying to.
>User-Agent: G2/0.2
>X-HTTP-UserAgent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0),gzip(gfe),gzip(gfe)
The newsreader the sender used. In this case, it was web-based, and he
is using Mozilla.
>Complaints-To: groups-abuse@xxxxxxxxxx
>Injection-Info: g47g2000cwa.googlegroups.com; posting-host=152.31.32.65;
> posting-account=ucwNmQwAAABAbXyXcn-xRvpmRtZwyRDB
Google can identify the user account from this, no one else can. It
probably wouldn't help much, unless Google Groups were prepared to ban
the IP, which is unlikely because it will be a dynamic IP, and would
simply catch a bunch of innocent people.
>Xref: uni-berlin.de alt.support.stop-smoking:920909
So there you are. It's not rocket science, nor alchemy. It's easy,
anyone can do it, and it's quick. It's also pretty inaccurate and easily
fooled.
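To make the walkthrough above concrete, here is a small header reader I have added (it is not from the original post): it unfolds the continuation lines that References and Injection-Info wrap onto, pulls the injecting server off the right-hand end of Path, cross-checks NNTP-Posting-Host against the posting-host in Injection-Info, and lists the thread chain. The sample block is constructed from the headers quoted above, with the addresses masked exactly as the archive shows them.

```python
import re

# Constructed sample: a subset of the header block quoted in the post,
# with the masked (x'd-out) addresses kept as they appear there.
SAMPLE_HEADERS = """\
Path: uni-berlin.de!fu-berlin.de!postnews.google.com!g47g2000cwa.googlegroups.com!not-for-mail
From: kathy_andor_ken@xxxxxxxxx
Newsgroups: alt.support.stop-smoking
Message-ID: <1127428482.136379.150220@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
References: <1126465361.579809.31440@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
 <8dhoi1dk8cgcttbao3i5uba99tju870q18@xxxxxxx>
NNTP-Posting-Host: 152.31.32.65
X-Trace: posting.google.com 1127428487 29548 127.0.0.1 (22 Sep 2005 22:34:47 GMT)
Injection-Info: g47g2000cwa.googlegroups.com; posting-host=152.31.32.65;
 posting-account=ucwNmQwAAABAbXyXcn-xRvpmRtZwyRDB
"""


def parse_headers(raw):
    """Unfold the headers: a line starting with whitespace continues the previous one."""
    headers = {}
    name = None
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and name:
            headers[name] += " " + line.strip()
        elif ":" in line:
            name, _, value = line.partition(":")
            name = name.strip().lower()
            headers[name] = value.strip()
    return headers


def injecting_server(path):
    """Rightmost real hop of Path; 'not-for-mail' is only a marker, not a server."""
    hops = [h for h in path.split("!") if h and h != "not-for-mail"]
    return hops[-1] if hops else None


def posting_host(headers):
    """Posting IP from NNTP-Posting-Host, cross-checked with Injection-Info."""
    direct = headers.get("nntp-posting-host")
    m = re.search(r"posting-host=([^;\s]+)", headers.get("injection-info", ""))
    injected = m.group(1) if m else None
    if direct and injected and direct != injected:
        return None  # the two sources disagree: do not trust either value
    return direct or injected


def thread_chain(headers):
    """Message-IDs this post replies to, oldest first, from the unfolded References."""
    return re.findall(r"<[^>]+>", headers.get("references", ""))
```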
For example .... you can post through a proxy (a server you are
pretending to be from; use the one in Crystal's house), or through an
anonymous remailer. They are completely impenetrable without a court
order, and even then it's not straightforward if the remailer is in
Nigeria! FWIW, I killfile, on principle, anyone using remailers.
You can post via talkaboutsupport.com, which adds NO helpful info to
the headers and, quite frankly, is a Godsend for trolls and sock
puppets (we have a few).
You can also simply ignore the trolls ... works best in the end. But I
know (roughly) how to read message headers, and I figured I'd share.
When you have the IP address, go here:
http://www.geobytes.com/iplocator.htm
Go on, try it with mine .... then try it with your own and some of you
will see the inaccuracies.
Hope this helps
steveb