Thomas Overgaard <thover@post2.tele.dk> writes:

> Cichlidiot wrote :
>
>> Well, I could give Sympatico the benefit of a doubt. Perhaps they were
>> trying to clean up the mess their user(s) caused and went a little
>> overboard on issuing cancels.
>
> Thats definitely not what happened. The attacker did log on to a
> newsserver in Ukraine Tue, 4 Jan 2005 19:24:00 GMT from 65.93.34.40
> london-hse-ppp3547903.sympatico.ca and within the next hour he deleted
> some 400 messages.
>
> Then he returned the next day Wed, 5 Jan 2005 12:35:03 +0000 (UTC) to
> the same server from 67.70.204.204 toronto-hse-ppp3907393.sympatico.ca
> and within the next half hour he deleted some extra 100 messages.

Thomas, forgive me but I haven't got a clue about the mechanics of Usenet
- where do you find such information?

Just curious!

atb


Glyn
--
RTFM http://www.tldp.org/index.html
GAFC http://slackbook.lizella.net/
STFW http://groups.google.com/groups?hl=e...inux.slackware
JFGI http://jfgi.us/

Glyn Millington wrote :

> Thomas, forgive me but I haven't got a clue about the mechanics of Usenet
> - where do you find such information?

A cancel is actually just an empty message with the Message-ID of the
canceled message in subject (just headers - no body) and all cancels end
up in a group named control.cancel.

Its not a newsgroup like others and a news-reader wont do you any good,
all you see is a shitload of Message-ID's. But if you know how to talk
nntp with the news-server using telnet you can drag a lot of useful
information out of that group in a situation like this.

But you'll have to be quick, there's a lot of legal (and illegal) cancels
every day so the cancels only stays in the group for a very short period
of time.
--
Thomas O.

This area is designed to become quite warm during normal operation.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thomas Overgaard <thover@post2.tele.dk> trolled:

> But you'll have to be quick, there's a lot of legal (and illegal)
> cancels every day so the cancels only stays in the group for a
> very short period of time.

And since those cancels disappear so fast it is impossible for an
ISP to determine whether the complaint about the cancels is itself
the forgery.

cordially, as always,

rm

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQA/AwUBQd7ULOEckfDWS6x8EQLCswCfbHaill+zymC2mod/AQ2UqIjpGHoAoIYm
AST82pM/JsQIrgL3uH+ZBwYR
=FJ78
-----END PGP SIGNATURE-----

Thomas Overgaard <thover@post2.tele.dk> writes:

> A cancel is actually just an empty message with the Message-ID of the
> canceled message in subject (just headers - no body) and all cancels end
> up in a group named control.cancel.
>
> Its not a newsgroup like others and a news-reader wont do you any good,
> all you see is a shitload of Message-ID's. But if you know how to talk
> nntp with the news-server using telnet you can drag a lot of useful
> information out of that group in a situation like this.
>


My education continues :-) Many thanks!!

atb

Glyn
--
RTFM http://www.tldp.org/index.html
GAFC http://slackbook.lizella.net/
STFW http://groups.google.com/groups?hl=e...inux.slackware
JFGI http://jfgi.us/