Abuse of Usenet: How to detect a forged email address in a post

One of the ways used to harass people on the internet is to forge their email address on a posting that is intentionally inflammatory. This tutorial, adapted from one presented by Sal Towse in misc.writing, is an attempt to illustrate how to detect the most common form of forged address.

In a generic sort of way we will discuss how to post messages "using" any email address and user name. We are using Netscape Navigator as the newsreader in this example. Other newsreaders will work in a different fashion, but Navigator is widely used and easily available. Having shown how to forge an address, we will then show how to detect the forgery.

Please be advised of the following, however:

Most providers consider posting under a false name or anonymously an abuse of the provider's Terms of Service (TOS) which you, the user, agreed to abide by when you opened your account. Abuse of the TOS leaves you, the user, subject to penalties including immediate cancellation of your ISP access.

To quote AT&T's TOS (Terms of Service) guidelines (as an example):

How do you fake a person's email address information and why does the message id show the message as being from the specified ISP?

It is truly the easiest of things to set your identity and your return mail address as a false one. While doing so you could, of course, set your identity to someone else's existing information.

    Using Netscape

  1. Under the -> Options pull-down menu
  2. Choose -> Mail and News Preferences
  3. Choose -> Identity

You simply need to change the Reply-To Address field, the Your Email field, and the Your Name field to create a quick (and usually undetected) disguise of your true persona.

For your practice run, try changing the information in the Reply-To: field and the Your Email: field to test@test.net. Change the information in the Your Name: field to testy test.

If you should send a post (use the newsgroup alt.test), you will find that the post appears to come from test@test.net AND the message ID also appears to show test.net as the ISP source.

See how easy, students? Your ISP will send off that message without worrying whether you are test@test.net or not. Your ISP is assuming you won't be malicious and/or stupid when placing information in these fields.

And, quite oddly, they believe you'll abide by the Terms of Service you agreed to when you signed up with them.

Surely it is not that easy?

Well, no, not really. If I were curious as to whether test@test.net truly sent the message (and heaven knows I have a curiosity streak a mile wide at times), I would turn on full headers and look closely at the message.

Look at full headers and notice that the message ID shows as something similar to

Looks like it came from test.net alrighty, but if I check the path field I will find the true path the news post took from the originating NNTP host to my ISP:

Path: netnews.worldnet.att.net!worldnet.att.net!feed1.news.erols.com!news.idt.net!nntp.farm.idt.net!new
XFrom: test@test.net
Date: Thu, 19 Dec 1996 19:14:36 -0800
Message-ID: <32BA049C.277F@test.net>
NNTP-Posting-Host: ppp-3.ts-7.nyc.idt.net

meaning that the suspect poster is forging his test@test.net persona and using idt.net to ship out his stuff.

First check the Path: field.

The terminal machine in the Path: (i.e. the one furthest to the right) is usually the source of the news post, the NNTP host. In this case it shows as nntp.farm.idt.net. BINGO. This bit can be forged by someone who knows a great deal about NNTP, but usually is not tweaked by the everyday forger.

A second confirmation comes with the NNTP-Posting-Host field - which again shows an idt.net machine.
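A small Python script, added here and not part of the original tutorial, that applies both checks automatically: it parses an article's headers, takes the right-most host in Path: and the NNTP-Posting-Host:, and flags the post when neither belongs to the domain in From:. The sample header block is constructed after the tutorial's example, with the Path: shortened so that it ends at nntp.farm.idt.net.

```python
"""Flag Usenet posts whose From: domain does not match the servers that
actually injected them. Added example, not code from the original page.
Checks: right-most host in Path: and NNTP-Posting-Host: should share the
From: address's domain; a mismatch is a lead to investigate, not proof."""
import re

# Constructed sample modelled on the tutorial's headers (Path: shortened).
SAMPLE = """\
Path: netnews.worldnet.att.net!worldnet.att.net!feed1.news.erols.com!news.idt.net!nntp.farm.idt.net
From: test@test.net
Date: Thu, 19 Dec 1996 19:14:36 -0800
Message-ID: <32BA049C.277F@test.net>
NNTP-Posting-Host: ppp-3.ts-7.nyc.idt.net
"""

def parse_headers(text):
    """Return {lower-cased header name: value}; folded continuation lines
    (leading whitespace) are appended to the previous header's value."""
    headers, last = {}, None
    for line in text.splitlines():
        if not line.strip():
            break                          # blank line ends the header block
        if line[0] in " \t" and last:
            headers[last] += line.strip()
            continue
        name, _, value = line.partition(":")
        last = name.strip().lower()
        headers[last] = value.strip()
    return headers

def registered_domain(host):
    """Crude 'last two labels' domain: nntp.farm.idt.net -> idt.net.
    Fine for the tutorial's hosts; real TLD rules need a public suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def check_origin(text):
    """Return (from_domain, path_domain, posting_domain, suspicious)."""
    h = parse_headers(text)
    m = re.search(r"[\w.+-]+@([\w.-]+)", h.get("from", ""))
    from_dom = registered_domain(m.group(1)) if m else ""
    # Each relay prepends itself to Path:, so the right-most entry is the
    # NNTP host that first accepted the article (unless deliberately forged).
    path_dom = registered_domain(h.get("path", "").split("!")[-1])
    post_dom = registered_domain(h.get("nntp-posting-host", ""))
    known = {d for d in (path_dom, post_dom) if d}
    suspicious = from_dom == "" or from_dom not in known
    return from_dom, path_dom, post_dom, suspicious

if __name__ == "__main__":
    print(check_origin(SAMPLE))   # ('test.net', 'idt.net', 'idt.net', True)
```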

What are the consequences?

Your ISP is likely to terminate your account for failure to satisfy the TOS you agreed to.

You might be liable to criminal action as it might be considered aggravated harassment (due to use of the phone lines) - a misdemeanor. You might also be liable to civil action brought by the person whose identity you were forging. Libel has also been mentioned.


Pages currently maintained by The HELP Fund

Page expanded from an original compiled and written by Marty Fouts