In a generic sort of way we will discuss how to post messages "using" any email address and user name. We are using Netscape Navigator as the newsreader in this example. Other newsreaders will work in a different fashion, but Navigator is widely used and easily available. Having shown how to forge an address, we will then show how to detect the forgery.
Please be advised of the following, however:
Most providers consider posting under a false name or anonymously an abuse of the provider's Terms of Service (TOS) which you, the user, agreed to abide by when you opened your account. Abuse of TOS leaves you, the user subject to penalties including immediate cancellation of your ISP access.
To quote AT&T's TOS (Terms of Service) guidelines (as an example):
You simply need to change the Reply-To Address field, the Your Email field, and the Your Name field to create a quick (and usually undetected) disguise of your true persona.
For your practice run, try changing the information in the Reply-To: field and the Your Email: field to test@test.net. Change the information in the Your Name: field to testy test.
If you should send a post (use the newsgroup alt.test), you will find that the post appears to come from test@test.net AND the message ID also appears to show test.net as the ISP source.
See how easy, students? Your ISP will send off that message without worrying whether you are test@test.net or not. Your ISP is assuming you won't be malicious and/or stupid when placing information in these fields.
And, quite oddly, they believe you'll abide by the Terms of Service you agreed to when you signed up with them.
Surely it is not that easy?
Well, no, not really. If I were curious as to whether test@test.net truly sent the message (and heaven knows I have a curiosity streak a mile wide at times), I would turn on full headers and look closely at the message.
Look at full headers and notice that the message ID shows as something similar to
Looks like it came from test.net alrighty, but if I check the path field I will find the true path the
news post took from the originating NNTP host to my ISP:
Path:netnews.worldnet.att.net!worldnet.att.net!feed1.news.erols.com!news.idt.net!nntp.farm.idt.n
et!new
meaning that the suspect poster is forging his test@test.net persona and using idt.net to ship out
his stuff.
First check the Path: field.
The terminal machine in the Path: (i.e. the one furthest to the right) is usually the source
of the news post, the NNTP host. In this case it shows as nntp.farm.idt.net. BINGO. This bit
can be forged by someone who knows a great deal about NNTP, but usually is not
tweaked by the everyday forger.
A second confirmation comes with the NNTP-Posting-Host field - which again shows an
idt.net machine.
You might be liable to criminal action as it might be considered aggravated harassment (due to
use of the phone lines) - a misdemeanor. You might also be liable to civil action brought by the
person whose identity you were forging. Libel has also been mentioned.
XFrom: test@test.net
Date: Thu, 19 Dec 1996 19:14:36 -0800
Message-ID: <32BA049C.277F@test.net>
NNTP-Posting-Host: ppp-3.ts-7.nyc.idt.net
What are the consequences?
Your ISP is likely to terminate your account for failure to satisfy the TOS you agreed to.
Back
Pages currently maintained by The HELP Fund
Page expanded from an original compiled and written by Marty Fouts