Re: OT - Reading Message Headers
- From: "Lynn" <lynn.scott@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 23 Sep 2005 21:58:25 GMT
woohoo I had some fun with this! I think I checked out just about everyone I
could. I saved this so I could reread it. I should have really had lessons
or something
--
:) Lynn
OF+HOF
Leaper!
"steveb" <me@xxxxxxxxxxx> wrote in message
news:tvt7j157rlauq0tls76oqv2u0c3euhetmf@xxxxxxxxxx
> There will be folk who wonder how locations can be traced, so this is
> for them. There are also those who think certain types of post *can't*
> be traced, so this is for them too .....
>
> Message headers are there for all to see. In Agent, simply hit *h*, in
> OE go to Properties, Message source. In Google show post in original
> format. The headers vary dependent mainly upon the server you post
> from. All messages contain some of the same info, and most of it can
> be, but rarely is, forged. Some lines cannot be forged, as they are
> inserted *along the way*.
>
> Below is a quote of the headers of a message posted by a troll. They
> are headers which I was told couldn't be tracked .... well we will
> see:
>
>
>>Path:
>>uni-berlin.de!fu-berlin.de!postnews.google.com!g47g2000cwa.googlegroups.com!not-for-mail
>
> The *Path* line tells you the names of all the servers that handled
> the message en-route. It can be dozens. In this case, it isn't many.
> What is important about the path, is that the last server (the right
> hand end) is the name of the server the troll is connected to. If they
> are posting from their own ISP, you got 'em. The path line is very
> difficult (but not impossible) to forge, as it builds after the
> message leaves the sender. It can get fucked up by proxies tho. In
> this case, it doesn't help much, as it's Google Groups. By the way,
> the left hand end is your own server ... in this case, it's mine,
> Berlin Uni.
>
>>From: kathy_andor_ken@xxxxxxxxx
>
> This is meaningless. You, the sender, can put anything in here. Some
> servers demand a *from* line, others don't
>
>>Newsgroups: alt.support.stop-smoking
>
> This line tells you the name of the group posted to. Often a whole
> list of groups when a message is cross-posted.
>
>>Subject: Re: Ken and Kathy are not new....they failed here before!
>
> This line helps your newsreader thread the message. It can be changed
> at will, so it's not to be relied on.
>
>>Date: 22 Sep 2005 15:34:42 -0700
>
> Google Groups inserted this line. It indicates US West Coast. It's not
> where the sender is, it's where the Google server lives
>
>>Organization: http://groups.google.com
>
> Hosting organisation .... easily altered if ya know how
>
>>Lines: 24
>
> Lines in message
>
>>Message-ID: <1127428482.136379.150220@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
>
> This line cannot, under normal circumstances, be forged. It is used by
> every server carrying the group, for identifying the message. It is
> used by your news reader for threading. Google, by the way, can
> identify the individual account from this id ... won't help them much,
> as Google Groups allows anonymous accounts.
>
>>References: <1126465361.579809.31440@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
>> <8dhoi1dk8cgcttbao3i5uba99tju870q18@xxxxxxx>
>> <1127338086.000642.207010@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
>> <lbp3j1l4f2dlnf9ddvbsmdr17vb4bb7g4s@xxxxxxx>
>> <56oYe.1329$eH2.877@xxxxxxxx>
>> <Fpidna5YTJYGwK_eRVn-jg@xxxxxxxxxxx>
>> <b095j1pa7nbe7d4t5ic2n9upldns4vgf05@xxxxxxx>
>> <KNednZnoH4YzJa_eRVn-vg@xxxxxxxxxxx>
>
> The above lines reference the message ids of the previous posts in the
> thread.
>
>>NNTP-Posting-Host: 152.31.32.65
>
> This is the zinger (listen up robbb). Google Groups inserts this line
> into most messages (if not all). It is the IP of the machine that
> posted the message. It cannot be forged but can be disguised by using
> a proxy server.
>
>>Mime-Version: 1.0
>
> Protocol used to send message
>
>>Content-Type: text/plain; charset="iso-8859-1"
>
> Encoding of text
>
>>X-Trace: posting.google.com 1127428487 29548 127.0.0.1 (22 Sep 2005
>>22:34:47 GMT)
>>X-Complaints-To: groups-abuse@xxxxxxxxxx
>
> Where to complain to. It might not make much difference
>
>>NNTP-Posting-Date: Thu, 22 Sep 2005 22:34:47 +0000 (UTC)
>>In-Reply-To: <KNednZnoH4YzJa_eRVn-vg@xxxxxxxxxxx>
>
> The id of the message the troll was replying to
>
>>User-Agent: G2/0.2
>>X-HTTP-UserAgent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
>>5.0),gzip(gfe),gzip(gfe)
>
> The newsreader the sender used. In this case, it was web-based, and he
> is using Mozilla.
>
>>Complaints-To: groups-abuse@xxxxxxxxxx
>>Injection-Info: g47g2000cwa.googlegroups.com; posting-host=152.31.32.65;
>> posting-account=ucwNmQwAAABAbXyXcn-xRvpmRtZwyRDB
>
> Google can identify the user account from this, no one else can. It
> probably wouldn't help much, unless Google Groups were prepared to ban
> the IP, which is unlikely because it will be a dynamic IP, and would
> simply catch a bunch of innocent people.
>
>>Xref: uni-berlin.de alt.support.stop-smoking:920909
>
>
> So there you are. It's not rocket science, nor alchemy. It's easy,
> anyone can do it, and it's quick. It's also pretty inaccurate and easily
> fooled.
>
> For example .... you can post thro a proxy (a server you are
> pretending to be from, use the one in Crystal's house), or thro an
> anonymous re-mailer. They are completely impenetrable without a court
> order, and even then it's not straightforward if the remailer is in
> Nigeria! FWIW, I killfile on principle, anyone using remailers.
>
> You can post via talkaboutsupport.com, which adds NO helpful info to
> the headers, and, quite frankly, are a Godsend for trolls and sock
> puppets (we have a few)
>
> You can also simply ignore the trolls ... works best in the end. But I
> know (roughly) how to read message headers, and I figured I'd share.
>
> When you have the IP address, go here:
>
> http://www.geobytes.com/iplocator.htm
>
> Go on, try it with mine .... then try it with your own and some of you
> will see the inaccuracies.
>
> Hope this helps
>
> steveb
>
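
Added example, not part of either post: a small abuse-desk style triage of the header fields walked through above, separating what the sender can set from what the injecting server adds and cross-checking the two places the posting host appears. The sample headers are constructed (documentation-range IP, example hostnames, placeholder account id), and the names `triage`, `injection_params` and `SENDER_SET` are hypothetical.

```python
import email

# Constructed sample modelled on the headers quoted in the post
# (documentation-range IP and example hostnames, not real values).
SAMPLE = """\
Path: reader.example.net!transit.example.org!postnews.example.com!inject1.example.com!not-for-mail
From: anyone@example.invalid
Newsgroups: alt.test
Subject: Re: constructed sample
Message-ID: <1127428482.136379.150220@inject1.example.com>
NNTP-Posting-Host: 192.0.2.65
Injection-Info: inject1.example.com; posting-host=192.0.2.65;
 posting-account=CONSTRUCTED-ACCOUNT-ID

body
"""

# Per the post: freely set by the sender, so they carry no evidential weight.
SENDER_SET = ("From", "Subject", "Organization")

def injection_params(value):
    """Split 'host; key=value; key=value' into (host, {key: value})."""
    host, *rest = [part.strip() for part in value.split(";")]
    return host, dict(p.split("=", 1) for p in rest if "=" in p)

def triage(raw):
    msg = email.message_from_string(raw)  # also unfolds continuation lines
    hops = [h for h in msg.get("Path", "").split("!") if h]
    # Path grows leftwards as servers relay the article; the rightmost entry
    # is a placeholder ('not-for-mail'), the one before it injected the post.
    injector = hops[-2] if len(hops) >= 2 else None
    inj_host, params = injection_params(msg.get("Injection-Info", ""))
    claimed = {msg.get("NNTP-Posting-Host"), params.get("posting-host")} - {None}
    return {
        "reader_side": hops[0] if hops else None,   # your own news server
        "injector": injector,                       # where a complaint goes
        "injector_consistent": injector == inj_host,
        "posting_hosts": sorted(claimed),
        "hosts_agree": len(claimed) == 1,           # mismatch = tampering/proxy
        "untrusted": [h for h in SENDER_SET if h in msg],
    }
```

A disagreement between `NNTP-Posting-Host` and the `posting-host` parameter, or between the `Path` injector and the `Injection-Info` host, is a reason to trust neither value without the server operator's logs.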