Article 22305 of alt.religion.scientology:
Newsgroups: news.admin.net-abuse.misc,news.admin.misc,alt.religion.scientology,alt.censorship,kaiwan.general
Path: news.cybercom.net!usenet.eel.ufl.edu!news.mathworks.com!news.duke.edu!godot.cc.duq.edu!newsfeed.pitt.edu!uunet!in1.uu.net!uchinews!rainbow.uchicago.edu!kweide
From: kweide@rainbow.uchicago.edu (Klaus Weide)
Subject: Anatomy of a forged cancel message
X-Nntp-Posting-Host: rainbow.uchicago.edu
Message-ID:
Followup-To: news.admin.net-abuse.misc,news.admin.misc,alt.religion.scientology,kaiwan.general
Sender: news@midway.uchicago.edu (News Administrator)
Organization: The Univ. of Chicago, Advanced Research Systems
Date: Thu, 24 Aug 1995 03:50:01 GMT
Lines: 250
Xref: news.cybercom.net news.admin.net-abuse.misc:6677 news.admin.misc:3466 alt.religion.scientology:22305 alt.censorship:11530

This message is from the "Rabbit Hunters", an AD-HOC COMMITTEE AGAINST
INTERNET CENSORSHIP that has tracked down the origin of unauthorized cancel
messages from a bogus user "noman@odesi.com".

Some questions have arisen about the evidence that pointed to kaiwan.com as
the origin of such cancel messages. Here is some detailed information on
several forged cancel messages.

Note that the latest cancels from "noman@odesi.com" were *not* inserted into
USENET in the way shown here - the open NNTP port at the University of
Delaware is closed now. After the closing of the open newsserver, the forger
seems to have resorted to using the newsserver at his own provider, KAIWAN
Internet.

This message is crossposted to news.admin.net-abuse.misc,news.admin.misc,
alt.religion.scientology,alt.censorship,kaiwan.general (with followups
slightly narrowed) and also mailed to KAIWAN administrators. Please narrow
followups further as appropriate.

The Anatomy of a Cancel - cancels on July 14/15, 1995

The Kaiwan machine is in California - Pacific Daylight Time (PDT) while the
server, louie.udel.edu is in Delaware - Eastern Daylight Time (EDT), three
hours later than Pacific.

From the output of "last" by a Kaiwan user (these are PDT - 3 hours earlier
than EDT):

bstone    ttyp9    kaiwan012.kaiwa  Fri Jul 14 21:02 - 21:29  (00:26)
bstone    ttypc    kaiwan013.kaiwa  Fri Jul 14 13:38 - 13:59  (00:20)

These two entries tell us that bstone is a user at kaiwan and had two
sessions on Jul. 14. He was not logged on earlier or later that day, only at
the time of the cancels. This "coincidence" was found throughout the data.
_________________________________________________________________________

The following is from the University of Delaware's (udel) news.notice file
(these are EDT). Louie.udel.edu is the domain name of this machine; it puts
"udel" in the path headers as its identification.

The first two sets of data tell us that a user at kaiwan009.kaiwan.com
(198.178.203.9) logged onto the news server and took two tries to cancel a
message at 16:39 EDT (13:39 PDT).

Jul 14 16:39:00 louie innd: 198.178.203.9 connected 24
Jul 14 16:42:22 louie innd: 198.178.203.9:24 readclose
Jul 14 16:42:22 louie innd: 198.178.203.9:24 closed seconds 202 accepted 0 refused 1 rejected 0

Jul 14 16:42:34 louie innd: 198.178.203.9 connected 24
Jul 14 16:43:17 louie innd: 198.178.203.9:24 readclose
Jul 14 16:43:17 louie innd: 198.178.203.9:24 closed seconds 43 accepted 1 refused 0 rejected 0
_____________________________________________________________________________

These four sets of data tell us that a Kaiwan user connected to Udel's
news-server at 00:02 EDT, July 15 (21:02 PDT, July 14) four times and made
one unsuccessful attempt to cancel messages and two successful ones.

Jul 15 00:02:46 louie innd: 198.178.203.9 connected 50
Jul 15 00:03:22 louie innd: 198.178.203.9:50 readclose
Jul 15 00:03:22 louie innd: 198.178.203.9:50 closed seconds 36 accepted 1 refused 0 rejected 0

Jul 15 00:03:40 louie innd: 198.178.203.9 connected 50
Jul 15 00:04:22 louie innd: 198.178.203.9:50 readclose
Jul 15 00:04:22 louie innd: 198.178.203.9:50 closed seconds 42 accepted 0 refused 0 rejected 1

Jul 15 00:04:39 louie innd: 198.178.203.9 connected 50
Jul 15 00:05:46 louie innd: 198.178.203.9:50 readclose
Jul 15 00:05:46 louie innd: 198.178.203.9:50 closed seconds 67 accepted 0 refused 0 rejected 0

Jul 15 00:06:07 louie innd: 198.178.203.9 connected 50
Jul 15 00:06:52 louie innd: 198.178.203.9:50 readclose
Jul 15 00:06:52 louie innd: 198.178.203.9:50 closed seconds 45 accepted 1 refused 0 rejected 0
____________________________________________________________________________

These entries are from louie.udel.edu's "log" file. The first entry shows a
cancellation of message <3tvl7$si8n@utopia.hactic.nl> occurring at 16:43 EDT.
Note that "+ uwm.edu" appears in the log file because it is taken directly
from the first component of the (forged) path header. This does *not* show
where the cancel message actually came from.

Jul 14 16:43:09.804 + uwm.edu (control/1350884) overview aonline darwin delmarva dtcc scotch faatcrl wolf gvls1 immacc intercon kuniv princeton rochester sunbelt udelnews wuccrc wupost
_____________________________________________________________________________

Lazarus is a system set up by Homer Wilson Smith that automatically posts
notifications in alt.religion.scientology for cancel messages that affect
articles in that group. The notifications include the text of the cancel
message.

Here is the cancel notice that was posted for the article in question:

Date: Sat, 15 Jul 95 18:45:05 EDT
From: Lazarus Early Warning System
To: alt.religion.scientology@bull.com
Subject: Cancel Message-ID: <3tvl7s$i8n@utopia.hacktic.nl>
Message-ID: <9507152245.AA24003@light.lightlink.com>

A LAZARUS EARLY WARNING ALERT v2.0
light.lightlink.com/pub/homer/lazarus/lazarus.log
Sat Jul 15 18:45:04 EDT 1995

The following post was canceled:

From: nobody@REPLAY.COM (Anonymous)
Date: 12 Jul 1995 07:06:04 +0200
Subject: OT3
Message-ID: <3tvl7s$i8n@utopia.hacktic.nl>

by this cancel message found in control: lightlink.com

> Path:
>light!news.sprintlink.net!howland.reston.ans.net!vixen.cso.uiuc.edu!news.ec
>n.bgu.edu!siemens!princeton!udel!uwm.edu!lll-winken.llnl.gov!osi-easr2.es.n
>et!doevm!btnet!peernews.demon.co.uk!odesi.com!noman
> Newsgroups: alt.religion.scientology
> From: noman@odesi.com
> Subject: cmsg cancel <3tvl7s$i8n@utopia.hacktic.nl>
> Control: cancel <3tvl7s$i8n@utopia.hacktic.nl>
> Message-ID:
> Date: 12 Jul 1995 07:06:04 +0200
> Organization: Odesi
> Lines: 2
>
> CANCELLED BECAUSE OF COPYRIGHT INFRINGEMENT
>
___________________________________________________________________

This entry also shows a successful cancellation occurring at 00:03 EDT

Jul 15 00:03:03.851 + uwm.edu (control/1351718) overview aonline darwin delmarva dtcc scotch faatcrl wolf gvls1 immacc intercon kuniv princeton rochester sunbelt udelnews wuccrc wupost
____________________________________________________________________

And here is the cancel notice for <3tvml8$pek@ixnews3.ix.netcom.com>:

Date: Sat, 15 Jul 95 15:45:06 EDT
From: Lazarus Early Warning System
To: alt.religion.scientology@bull.com
Subject: Cancel Message-ID: <3tvml8$pek@ixnews3.ix.netcom.com>

A LAZARUS EARLY WARNING ALERT v2.0
light.lightlink.com/pub/homer/lazarus/lazarus.log
Sat Jul 15 15:45:05 EDT 1995

The following post was canceled:

From: coriez@ix.netcom.com (Charles Oriez)
Date: 12 Jul 1995 05:30:16 GMT
Subject: Re: repost bogus canceled 020350Z10071995@anon.penet.fi
Message-ID: <3tvml8$pek@ixnews3.ix.netcom.com>

by this cancel message found in control: lightlink.com

> Path:
>light!news.sprintlink.net!simtel!news.kei.com!bloom-beacon.mit.edu!world!zi
>lker.net!news.intercon.com!udel!uwm.edu!lll-winken.llnl.gov!osi-easr2.es.ne
>t!doevm!btnet!peernews.demon.co.uk!odesi.com!noman
> Newsgroups: alt.religion.scientology
> From: noman@odesi.com
> Subject: cmsg cancel <3tvml8$pek@ixnews3.ix.netcom.com>
> Control: cancel <3tvml8$pek@ixnews3.ix.netcom.com>
> Message-ID:
> Date: 12 Jul 1995 05:30:16 GMT
> Organization: Odesi
> Lines: 2
>
> CANCELLED - COPYRIGHT/TRADE SECRET INFRINGEMENT
>
____________________________________________________________________

This entry shows a foul-up bad enough that the Kaiwan user left behind his
IP# (198.178.203.9) when he tried to cancel message
<3tvmv0$pjo@ixnews3.ix.netcom.com> at 00:04 EDT

Jul 15 00:04:12.179 - 198.178.203.9:50 437 No colon-space in "" header
____________________________________________________________________

This entry is a successful cancellation.

Jul 15 00:06:39.062 + uwm.edu (control/1351731) overview aonline darwin delmarva dtcc scotch faatcrl wolf gvls1 immacc intercon kuniv princeton rochester sunbelt ude...
______________________________________________________________________

And here is the third cancel:

Date: Sat, 15 Jul 95 16:25:03 EDT
From: Lazarus Early Warning System
To: alt.religion.scientology@bull.com
Subject: Cancel Message-ID: <3tvmv0$pjo@ixnews3.ix.netcom.com>

A LAZARUS EARLY WARNING ALERT v2.0
light.lightlink.com/pub/homer/lazarus/lazarus.log
Sat Jul 15 16:25:02 EDT 1995

The following post was canceled:

From: coriez@ix.netcom.com (Charles Oriez)
Date: 12 Jul 1995 05:35:28 GMT
Subject: Re: more reposts from canceled articles (Uk09btK00YUq8Mt4VT@andrew.cmu.edu)....
Message-ID: <3tvmv0$pjo@ixnews3.ix.netcom.com>

by this cancel message found in control: lightlink.com

> Path:
>light!news.sprintlink.net!howland.reston.ans.net!news.moneng.mei.com!bloom-
>beacon.mit.edu!world!zilker.net!news.intercon.com!udel!uwm.edu!lll-winken.l
>lnl.gov!osi-easr2.es.net!doevm!btnet!peernews.demon.co.uk!odesi.com!noman
> Newsgroups: alt.religion.scientology
> From: noman@odesi.com
> Subject: cmsg cancel <3tvmv0$pjo@ixnews3.ix.netcom.com>
> Control: cancel <3tvmv0$pjo@ixnews3.ix.netcom.com>
> Message-ID:
> Date: 12 Jul 1995 05:35:28 GMT
> Organization: Odesi
> Lines: 2
>
> CANCELLED - COPYRIGHT/TRADE SECRET INFRINGEMENT
> --
_____________________________________________________________________

Here, from louie's news log, is a case where the cancelbunny screwed up so
badly that he left a complete trace of his commands in the log file. The
204.177.0.10 IP# is mach1.directnet.com, where an account was also used by
the cancelbunny.

Jul 19 01:45:52 louie innd: 204.177.0.10 connected 18
Jul 19 01:46:08 louie innd: 204.177.0.10:18 bad_command Path: uwm.edu!lll-winken.llnl.gov!osi-easr2.es.net!doevm!btnet!peernews.demo...
Jul 19 01:46:08 louie innd: 204.177.0.10:18 bad_command Newsgroups: alt.religion.scientology,alt slack
Jul 19 01:46:08 louie innd: 204.177.0.10:18 bad_command From: noman@odesi.com
Jul 19 01:46:09 louie innd: 204.177.0.10:18 bad_command Subject: cmsg cancel <3uev8i$3qn@ixnews3.ix.netcom.com> Control: cancel <3u...
Jul 19 01:46:09 louie innd: 204.177.0.10:18 bad_command Message-ID:
Jul 19 01:46:09 louie innd: 204.177.0.10:18 bad_command Date: 18 Jul 1995 00:29:06 GMT
Jul 19 01:46:09 louie innd: 204.177.0.10:18 bad_command Organization: Odesi
Jul 19 01:46:09 louie innd: 204.177.0.10:18 bad_command CANCELLED - COPYRIGHT/TRADE SECRET INFRINGEMENT
Jul 19 01:47:26 louie innd: 204.177.0.10:18 bad_command .ihave
Jul 19 01:47:42 louie innd: 204.177.0.10:18 readclose
Jul 19 01:47:42 louie innd: 204.177.0.10:18 closed seconds 110 accepted 0 refused 0 rejected 0
_____________________________________________________________________________
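
The time correlation walked through in this post, as an added example that is not part of the original article: it pairs innd connect/close lines from news.notice, shifts them from EDT to PDT, and checks each session against the login windows from "last". The function names and the year 1995 applied to the syslog stamps are assumptions; the log lines are a subset of those quoted in the post.

```python
import re
from datetime import datetime, timedelta

YEAR = 1995                       # assumption: syslog stamps carry no year
EDT_TO_PDT = timedelta(hours=-3)  # offset stated in the post
# Subset of the innd news.notice lines quoted in the post (EDT)
NOTICE = """\
Jul 14 16:39:00 louie innd: 198.178.203.9 connected 24
Jul 14 16:42:22 louie innd: 198.178.203.9:24 closed seconds 202 accepted 0 refused 1 rejected 0
Jul 14 16:42:34 louie innd: 198.178.203.9 connected 24
Jul 14 16:43:17 louie innd: 198.178.203.9:24 closed seconds 43 accepted 1 refused 0 rejected 0
Jul 15 00:02:46 louie innd: 198.178.203.9 connected 50
Jul 15 00:03:22 louie innd: 198.178.203.9:50 closed seconds 36 accepted 1 refused 0 rejected 0
Jul 15 00:06:07 louie innd: 198.178.203.9 connected 50
Jul 15 00:06:52 louie innd: 198.178.203.9:50 closed seconds 45 accepted 1 refused 0 rejected 0
"""
# Login windows from the quoted "last" output (PDT, minute resolution)
LOGINS = [("Jul 14 13:38", "Jul 14 13:59"), ("Jul 14 21:02", "Jul 14 21:29")]
LINE = re.compile(
    r"^(\w{3} +\d+ [\d:]{8}) \S+ innd: ([\d.]+)(?::(\d+))? (connected|closed)(.*)$")

def ts(text, fmt="%b %d %H:%M:%S"):
    return datetime.strptime(f"{YEAR} {text}", "%Y " + fmt)

def sessions(log):
    """Pair each 'connected' with the next 'closed' on the same IP and channel."""
    pending, out = {}, []
    for m in filter(None, map(LINE.match, log.splitlines())):
        stamp, ip, chan, event, rest = m.groups()
        if event == "connected":
            pending[(ip, rest.strip())] = ts(stamp)
        elif (ip, chan) in pending:
            accepted = int(re.search(r"accepted (\d+)", rest).group(1))
            out.append((ip, pending.pop((ip, chan)), ts(stamp), accepted))
    return out

def correlate(log, logins):
    """Shift sessions to PDT; flag those lying wholly inside a login window."""
    windows = [(ts(a, "%b %d %H:%M"), ts(b, "%b %d %H:%M") + timedelta(seconds=59))
               for a, b in logins]
    result = []
    for ip, start, end, accepted in sessions(log):
        s, e = start + EDT_TO_PDT, end + EDT_TO_PDT
        inside = any(lo <= s and e <= hi for lo, hi in windows)
        result.append((ip, s, e, accepted, inside))
    return result

if __name__ == "__main__":
    for ip, s, e, acc, inside in correlate(NOTICE, LOGINS):
        print(f"{ip} {s:%b %d %H:%M:%S}-{e:%H:%M:%S} PDT accepted={acc} in_login={inside}")
```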