Sam Trenholme's webpage
This article was posted to the Usenet group alt.hackers in 1995; any technical information is probably outdated.

FAQ: Better living through forgery


Article: 7528 of alt.hackers
Newsgroups:
news.admin.misc,alt.config,alt.hackers,alt.current-events.net-abuse,alt.online-service,alt.2600,news.newusers.questions,alt.censorship,alt.current-events.net-abuse
From: tale@uunet.uu.net (David C Lawrence)
Subject: FAQ: Better living through forgery
Message-ID: OXC8TsPxiy.10q@uunet.uu.net
Expires: 8 Oct 95 13:20
Approved: tale@uunet.uu.net
Organization: UUNet, the center of the known universe
Sender: tale@uunet.uu.net (David C Lawrence)
Date: 19 Mar 1995 02:37:09 GMT
Lines: 154
Status: RO

	Anonymous netnews without "anonymous" remailers

Inspired by the recent "NetNews Judges-L" events, this file has
been updated
to cover forging control messages, so you can do your own article canceling
and create and destroy your own newsgroups.

Save any news article to a file.  We'll call it "hak" in this
example.

Edit "hak", and remove any header lines of the form

	From some!random!path!user   (note: "From ", not "From:
	" !!)
	Article:
	Lines:
	Xref:

Shorten the Path: header down to its LAST two or three "bangized"
components.
This is to make the article look like it was posted from where it really was
posted, and originally hit the net at or near the host you send it to.	Or
you can construct a completely new Path: line to reflect your assumed alias.

Make some change to the Message-ID: field, that isn't likely to be
duplicated anywhere.  This is usually best done by adding a couple of
random characters to the part before the @, since news posting programs
generally use a fixed-length field to generate these IDs.

Change the other headers to say what you like -- From:, Newsgroups:,
Sender:, etc.  Replace the original message text with your message.  If you are
posting to a moderated group or posting a control message, remember to put in
an Approved: header to bypass the moderation mechanism.

To specifically cancel someone else's article, you need its message-ID.  Your
message headers, in addition to what's already there, should also contain the
following with that message-ID in it.  This makes it a "control
message".
NOTE: control messages generally require an Approved: header as well, so
you should add one.

Subject: cmsg cancel <xb8700A@twits.site.com>
Control: cancel <xb8700A@twits.site.com>
Approved: luser@twits.site.com

Newsgroups are created and destroyed with control messages, too.  If you
wanted to create, for instance, comp.misc.microsoft.sucks, your control
headers would look like

Subject: cmsg newgroup comp.misc.microsoft.sucks
Control: newgroup comp.misc.microsoft.sucks

Add on the string "moderated" at the end of these if you want the
group to
be "moderated with no moderator" as with alt.hackers.  Somewhere
in the
body of your message, you should include the following text, changed with
the description of the group you're creating:

For your newsgroups file:
comp.misc.microsoft.sucks		We don't do windows

To remove a group, substitute "rmgroup" for "newgroup"
in the header lines
above.	Keep in mind that most sites run all "rmgroup" requests
through
a human news-master, who may or may not decide to honor it.  Group creation
is more likely to be automatic than deletion at most installations.  Any
newsgroup changes are more likely to take effect if the come from me, since
my name is hardwired into many of the NNTP control scripts, so using the
From: and Approved: headers from this posting is recommended.

Save your changed article, check it to make sure it contains NO reference
to yourself or your own site, and send it to your favourite NNTP server that
permits transfers via the IHAVE command, using the following script:

=======================
#! /bin/sh
## Post an article via IHAVE.
## args: filename server

if test "$2" = "" ; then
  echo usage: $0 filename server
  exit 1
fi
if test ! -f $1 ; then
  echo $1: not found
  exit 1
fi

# suck msg-id out of headers, keep the brackets
msgid=`sed -e '/^$/,$d' $1 | egrep '^[Mm]essage-[Ii][Dd]: ' | \
  sed 's/.*-[Ii][Dd]: //'`
echo $msgid

( sleep 5
  echo IHAVE $msgid
  sleep 5
  cat $1
  sleep 1
  echo "."
  sleep 1
  echo QUIT ) | telnet $2 119
=======================

If your article doesn't appear in a day or two, try a different server.
They are easy to find.	Here's a script that will break a large file
full of saved netnews into a list of hosts to try.  Edit the output
of this if you want, to remove obvious peoples' names and other trash.

=======================
#! /bin/sh
FGV='fgrep -i -v'
egrep '^Path: ' $1 | sed -e 's/^Path: //' -e 's/!/\
/g' | sort -u | fgrep . | $FGV .bitnet | $FGV .uucp
=======================

Once you have your host list, feed it to the following script.

=======================
#! /bin/sh

while read xx ; do
if test "$xx" = "" ; then continue;
fi
echo === $xx
( echo open $xx 119
  sleep 5
  echo ihave IamSOk00l@podunk.edu
  sleep 4
  echo .
  echo quit
  sleep 1
  echo quit
) | telnet
done
=======================

If the above script is called "findem" and you're using csh,
you should do

	findem < list >& outfile

so that ALL output from telnet is captured.  This takes a long time, but when
it finishes, edit "outfile" and look for occurrences of
"335".  These mark
answers from servers that might be willing to accept an article.  This isn't a
completely reliable indication, since some servers respond with acceptance and
later drop articles.  Try a given server with a slightly modified repeat of
someone else's message, and see if it eventually appears.

Sometimes the telnets get into an odd state, and freeze, particularly when
a host is refusing NNTP connections.  If you manually kill these hung telnet
processes but not the main script, the script will continue on.  In other
words, you may have to monitor the finding script a little while it is
running.

You will notice other servers that don't necessarily take an IHAVE, but
say "posting ok".  You can probably do regular POSTS through these,
but they
will add an "NNTP-Posting-Host: " header containing the machine
YOU came from
and are therefore unsuitable for completely anonymous use.

PLEASE USE THE INFORMATION IN THIS ARTICLE FOR CONSTRUCTIVE PURPOSES ONLY.

(Someone should REALLY add this to the #hack FAQ.)



Back to index