The Alt.Slack Forgery Flood HOWTO v1.3 -- Living with the spam

Note from Stang: our beloved newsgroup, alt.slack, has been under attack by some entity. It causes the newsgroup to be filled with useless and/or hoax messages, difficult for most people to wade through. That is, unless you happen to use a specialty newsgroup service such as http://www.newsguy.com

The instructions below are for the average user who gets newsgroups direct from their local ISP, and wants to bypass the spam.

From: Modemac <modemac@shell1.tiac.net>

Organization: The Internet Access Company, Inc.

[NOTE from Modemac: One pattern of the spam seems to be that the forged
messages are using fake/forged "Reference" headers. (A "Reference" header
indicates that the message is following a previous message in a thread.
The gibberish in the "Reference" header is the Message-ID of the message
being replied to.) Both the "Reference" and the "Message-ID" header give
you a clue: the location of the ISP the spam is coming from. Putting that
in your killfile will kill off most of the spam -- such as the stuff from
"ecconnect.net" and "glasscity.net."]

[ Article reposted from alt.religion.scientology ]
[ Author was Frank Copeland <fjc@thingy.apana.org.au> ]
[ Posted on 5 Nov 1998 21:16:32 +1100 ]


I propose to post this article at short intervals while the current flood
lasts. It contains information on what is going on and tips on how to deal
with it. Comments and suggestions for improvements are Most Welcome.

Introduction
============

ARS is under attack, along with other groups including alt.gothic,
alt.slack, rec.games.mecha and the news.admin.net-abuse.* groups.
<wesfager@aol.com> calls it "electronic jamming" and that's not a bad label
for what we are experiencing. The attack is similar to the ARSBOMB attack of
a couple of years ago, but the scope is broader and it will shortly exceed
it in scale, if it hasn't already done so. Unlike the ARSBOMB attack, there
is no strong reason to suspect that $cientology is involved.

The attack takes the form of a massive flood of articles posted to the
newsgroups. Currently these articles consist of the headers of articles
posted earlier attached to the bodies of completely unrelated articles from
other groups. Previously the articles consisted of a short taunt followed by
a few dozen lines of gibberish. At times the articles have also been
Supersedes, which have the same effect as cancels.

What is being done
==================

There are already many people actively dealing with the flood. It is being
cancelled as fast as it is posted. People are contacting the admins of the
open servers being abused to post the stuff to get them closed down.
Attempts are being made to identify the people responsible and deal with
them appropriately. Any legitimate articles in ARS that are cancelled or
superseded will be resurrected and reposted.

What NOT To Do
==============

* DON'T give up on the newsgroup. Nothing would please the bastards more.

* DON'T follow up to any of the flood articles. Trust me, no-one is
listening.

* DON'T mail any address you find in the headers. All the identification
contained in the articles is bogus, and you will just be hassling people
who are as much victims of the flood as anyone else. Some of the articles
have bogus Reply-To and other headers inserted specifically to generate a
mass of complaint mail to some chosen victim. Don't fall for it.

Things you can do
=================

The most useful thing that most people can do is to carry on as if it were
business as usual. It won't be easy. You may need to change the software you
use for reading news, or you may get away with just spending a bit of time
reconfiguring it. You may need to change the news server you read your news
from. It may even cost you money, although it may well end up being money
well-spent. The important thing is not to give in to the bastards.

* Get your ISP to filter its newsfeed. One very good filter is Cleanfeed,
which can be found at
<URL:http://www.exit109.com/~jeremy/news/antispam.html>.

* Configure your news reader to download ARS from a news server that
filters. Options include:

- news2.lightlink.com
<URL:news://news2.lightlink.com/alt.religion.scientology/>

Homer Smith has very kindly configured news2.lightlink.com to allow
anyone to read from and post to alt.religion.scientology and
alt.clearing.technology.

- Newsguy (formerly known as Zippo)
<URL:http://www.newsguy.com/>

This will cost you money, but it gives you access to a full newsfeed
almost completely devoid of spam of any kind, not just the current flood.

* Configure your news reader to filter out the flood. No matter how you do
it, this option is going to be painful. At best you will have to download
hundreds of extra headers belonging to the flood articles before you can
decide to throw them out. At worst you will end up downloading them all
anyway. Some newsreaders are better at filtering than others; most aren't
very good. The best newsreaders allow you to filter on any header. To have
any hope of dealing with the flood your newsreader must at least be able
to filter articles crossposted to particular groups.

- Forget about filtering if you are using a web browser or AOL's news
client. You will have to either upgrade to a real news client, or try a
filtered server (see above). The same goes for Forte Agent, which can
only kill based on From: or Subject:.

For AOL customers, here's some advice from <noscieno@aol.com> on using a
standard news client in place of AOL's brain-damaged offering:

"You run the newsreader right alongside the AOL client, and connect to
the lightlink news server straight through your AOL connection after
logging on in the normal way, just as you might run your web browser
externally to the AOL client -- alternate sources of usenet news are
*not* blocked in any way, contrary to wild rumor/old wives tale. The
only thing you can't do with a 3rd-party newsreader is access *AOL's*
news servers, because they're a) non-nntp-compliant, and b) paranoically
firewalled."

- Recently the flood articles have been using predictable Message-IDs. If
your newsreader can filter on the Message-ID header, set it to filter
out these:

client1.news.psi.net
news.954access.net
news.parkave.net
news.metro.net
news.stax.net
news.webperception.com
news.web56.net
news.powersite.net
news.safari.net
news.usmatrix.net
news.web2000.net
news.megsinet.net
news.intellistar.net
news.glasscity.net
news.binc.net
news.integrityonline.com
news.accesspro.net

This list is regularly updated; look for articles with the Subject:
"New flood source".

Newsreaders that allow this level of filtering include:

slrn (Windows, Unix)
Anawave Gravity (Windows)
WinVN (Windows)
Turnpike (Windows)
Gnus/Emacs (Unix)
MT-Newswatcher (Mac)
YARN (OS/2, DOS, Windows, Windows 95)
rn (Unix) [?]
trn (Unix) [?]

- The flood articles are at times crossposted to one or more of a small
number of newsgroups totally unrelated to ARS. If your newsreader can
filter crossposted articles, set it to filter anything posted to these
groups:

alt.fan.karl-malden.nose
alt.animals.dolphins
alt.genius.bill-palmer
rec.pyrotechnics
alt.test
misc.test
han.test
rec.games.mecha

Another option if your newsreader allows it is to kill anything
crossposted to more than N groups, where N should be something small
like 3 .. 5.

Newsreaders that allow this level of filtering include:

slrn (Windows, Unix)
Anawave Gravity (Windows)
NewsXPress (Windows)
WinVN (Windows)
Turnpike (Windows)
MT-Newswatcher (Mac)
rn (Unix)
trn (Unix)
Gnus/Emacs (Unix)
YARN (OS/2, DOS, Windows, Windows 95)

- Newsreaders that can filter on arbitrary headers have further options.
However these are much more expensive due to the need to download all
the headers instead of just the smaller "overview" record.

One effective option is to filter any article with a Supersedes: header.
You could also try to keep track of which news server and posting host
the flood is coming from at the moment and filter on the Path:,
Message-ID and/or NNTP-Posting-Host headers.

Newsreaders that allow this level of filtering include:

slrn (Windows, Unix)
Turnpike (Windows)
Gnus/Emacs (Unix)

* If this is really pissing you off, don't get mad, get even. Have a look at
<URL:http://thingy.apana.org.au/~fun/agsf/> for some hints, and good
hunting.

News clients
============

slrn (Unix, Windows)
The source code for the latest version can be found at
<URL:http://space.mit.edu/~davis/slrn.html>. There are also pre-built
binary packages for various Linux distributions. If you can't persuade
your sysadmin to install it you can build and install it in your home
directory.

For information on installing the Windows version, see
<URL:http://thingy.apana.org.au/~fun/slrn/>.

Here's one possible scorefile entry:

; apply to all groups. Or you could use [alt.religion.scientology]
[*]
Score:: -9999
; ^^ Any one of the following expressions matches:
;
; Supersedes header or common misspelling thereof
Supersedes: .
Supercedes: .
; Anything crossposted to 5 or more groups (four commas = at least five groups)
Newsgroups: .*,.*,.*,.*,.*
; Crossposts to poison groups
Newsgroups: alt\.fan\.karl-malden\.nose
Newsgroups: alt\.genius\.bill\-palmer
Newsgroups: alt\.animals\.dolphins
Newsgroups: intel\..*
; Posted from these servers
Message-ID: client1\.news\.psi\.net
Message-ID: news\.954access\.net
Message-ID: news\.parkave\.net
Message-ID: news\.metro\.net
Message-ID: news\.stax\.net
Message-ID: news\.webperception\.com
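As an added example, not part of the HOWTO or of any of the newsreaders it names, here is a small Python scorer that applies the same kinds of rules as the slrn scorefile above (Supersedes header, crosspost count, poison groups, posting host taken from the Message-ID) to a raw header block, so you can see which rule catches a given article. The sample header blocks are constructed; the host and group lists are the ones given earlier in this article.

```python
import re

# Poison groups and flood hosts are the lists given earlier in the HOWTO.
POISON_GROUPS = {"alt.fan.karl-malden.nose", "alt.genius.bill-palmer",
                 "alt.animals.dolphins", "alt.test", "misc.test", "han.test",
                 "rec.pyrotechnics", "rec.games.mecha"}
FLOOD_HOSTS = {"client1.news.psi.net", "news.954access.net", "news.parkave.net",
               "news.metro.net", "news.stax.net", "news.webperception.com"}
MAX_CROSSPOST = 5  # kill anything crossposted to this many groups or more

def parse_headers(text):
    """Parse a header block into {lowercased name: value}; folded lines are joined."""
    headers = {}
    name = None
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and name:  # continuation of the previous header
            headers[name] += " " + line.strip()
        elif ":" in line:
            name, _, value = line.partition(":")
            name = name.strip().lower()
            headers[name] = value.strip()
    return headers

def flood_reasons(text):
    """Return the names of the rules that fire for one article's header block."""
    h = parse_headers(text)
    reasons = []
    if "supersedes" in h or "supercedes" in h:  # real header or its common misspelling
        reasons.append("supersedes")
    groups = [g.strip() for g in h.get("newsgroups", "").split(",") if g.strip()]
    if len(groups) >= MAX_CROSSPOST:
        reasons.append("crosspost>=%d" % MAX_CROSSPOST)
    if POISON_GROUPS.intersection(groups):
        reasons.append("poison-group")
    # The posting host is the part of the Message-ID after '@', e.g. <x@news.stax.net>
    m = re.search(r"@([^>\s]+)", h.get("message-id", ""))
    if m and m.group(1).lower() in FLOOD_HOSTS:
        reasons.append("flood-host")
    return reasons

# Constructed sample header blocks (not real articles)
FLOOD = """Newsgroups: alt.religion.scientology,alt.fan.karl-malden.nose,alt.test
Message-ID: <abc123@news.stax.net>
Supersedes: <xyz789@news.stax.net>
Subject: Re: whatever
"""
CLEAN = """Newsgroups: alt.religion.scientology
Message-ID: <19981105@thingy.apana.org.au>
Subject: Forgery Flood HOWTO
"""
```

flood_reasons(FLOOD) returns ['supersedes', 'poison-group', 'flood-host'] and flood_reasons(CLEAN) returns [], i.e. keep the article.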

Turnpike (Windows)
According to Dave Bird:

"Turnpike is sold and supported by Demon.co.uk in London,
+44-181-371-1234 at a discounted rate of Sterling#30 with
a Demon account or Sterling#50 to everyone else [and there
is a free evaluation version from www.turnpike.(?)com which
apparently never expires]. The only phone support you can get
is from a London UK phone-number, if this affects your decision.
You might also need to know the logon script for a foreign ISP.
Use classify|kill|custom rule, and add a new new rule:

/^Supersedes/h
 |           |
 start of line   in whole header, or

/^Newsgroups.*alt\.(gothic|animals|fan|peeves|flame)/h

[you can apply any unixtype regular expression to the whole header]."

MT-Newswatcher (Mac)
Mike O'Connor sez:

"MT-NewsWatcher for the Mac is very popular. It filters on headers such
as NNTP-Posting-Host, Organization, Path and more. You can even color code
and score in numerous ways. Works great, it's free and well maintained.
Find it at:

http://www.best.com/~smfr/mtnw/"

YARN (OS/2, DOS, Windows, Windows 95)
Courtesy of Martin Hunt:

"On the off-chance there's another YARN user left in the world,
a scorefile like this:

-1 Message-ID: client1.news.psi.net
-1 Message-ID: news.954access.net
-1 Message-ID: news.parkave.net
-1 Message-ID: news.metro.net
-1 Message-ID: news.stax.net
-1 Message-ID: news.webperception.com
-1 Message-ID: news.web56.net
-1 Message-ID: news.powersite.net

Works dandy. A small batch file like:

REM substitute the scorefile name for "arscient.0", etc.
del arscient.bak
ren arscient.0 arscient.bak
ren arscient.1 arscient.0
ren arscient.bak arscient.1

Can be set up that deletes the spam with a click of the mouse under
Windoze 95 or whathaveyou. Another click, and your original scorefile
for completely despammed enjoyment of ars is restored. It's like the
spam never existed, and it only adds a couple seconds to the newsgroup
processing."

Other Windows News Readers
Anawave Gravity, NewsXPress and WinVN can be got from
<URL:http://www.tucows.com/>. Pick a mirror site close to you.

Other Mac News Readers
Try The Mac Orchard at <URL:http://www.macorchard.com/usenet.html>.

--
Home Page: <URL:http://thingy.apana.org.au/~fjc/>
Not the Scientology Home Page: <URL:http://thingy.apana.org.au/~fjc/scn/>

Keep it in Usenet. E-mail replies and 'courtesy' copies are not welcome.
If you're selling, I ain't buying.


--
Reverend Modemac (modemac@tiac.net)
First Online Church of ?
URL: http://www.tiac.net/users/modemac/


Original file name: The Forgery Flood HOWTO v1.3
