NNTP IP Address spoofing, tracing abuse

Alex Miller bind-users-nospam at bannerclub.com
Thu Feb 17 16:21:00 UTC 2000


Oh, I forgot, a specific question is this.

The IP address of an NNTP host is reported,
but the server names in the long bang path
have no IP address.

In zone records that I've made, multiple
server names can have the same IP address,
simply by specifying:

sub IN A 123.123.123.123
another IN A 123.123.123.123

or by specifying an alias

sub IN CNAME domain.org.
another IN CNAME domain.org.

but can the in-addr record
similarly have MULTIPLE PTR records?

In other words, is there one and only
IP address per name but multiple names
per IP address, a one-to-many mapping
or can there be multiple IP addresses
per name, creating a many-to-many mapping?

If there is the possibility that the NNTP
host has many names, then the reverse lookup
will lead to the wrong place.

Alex Miller
alex at hatewatch.org


-----------------------------------------
Signature:
the email address this is sent from
may be an anti-spam defense. Ignore it
completely.  Instead, rely on an email
address I have already provided or
<mailto:reply-nospam at bannerclub.com>
removing the "-nospam"

> -----Original Message-----
> From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org]On
> Behalf Of Alex Miller
> Sent: Thursday, February 17, 2000 10:47 AM
> To: Bind-Users
> Subject: NNTP IP Address spoofing, tracing abuse
> 
> 
> Dear bind users,
> 
> I am trying to identify a person who posted a really
> bad usenet posting on the internet. Of course, this
> happens frequently, so I'm asking questions because
> it is a general problem, not just a specific one.
> 
> The usenet posting was posted to dozens of different
> usenet groups with the username bonnie_jouhari at my-deja.com
> and a subject of "I'm Sorry". Bonnie Jouhari is a housing
> activist who has been stalked by neo-nazis, and this
> posting, using her name, is a death threat against her.
> 
> Here's my methodology on searching, any suggestions would be
> helpful.
> 
> 1) Using deja.com, I search for bonnie_jouhari at my-deja.com
> 2) I identify news groups that contain the "I'm Sorry"
> posting. There are a LOT of them, since it was posted
> many times, cross-posting about 4 times each.
> 3) Look up those newsgroups using a non-browser based usenet
> reader like Netscape Messenger.
> 4) Find the "I'm Sorry" posting and look at the NNTP IP address.
> 5) Perform a reverse lookup on the IP address, either through
> a product like WS_PING, or nslookup with in-addr.
> 6) Use a whois database to find the contact person for that
> nntp server.
> 
> Then from there?
> 
> For information on the real Bonnie Jouhari, check out
> http://www.hatewatch.org/interviews/jouhari.html
> 
> You may email me at alex at hatewatch.org
> 
> Thanks,
> 
> Alex Miller, director of cybergood.net, non-profit
> ISP for hatewatch.org
> 
> -----------------------------------------
> Signature:
> the email address this is sent from
> may be an anti-spam defense. Ignore it
> completely.  Instead, rely on an email
> address I have already provided or
> <mailto:reply-nospam at bannerclub.com>
> removing the "-nospam"
> 
> 
> 
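Added example, not part of the original message: DNS permits several PTR records at one in-addr.arpa name and several A records at one name, so a reverse lookup alone does not settle which host an address belongs to. The sketch below parses zone lines in the style used in the message and keeps only the PTR names whose forward lookup returns the same address (forward-confirmed reverse DNS). The zone contents, including news.domain.org, alias.domain.org, unrelated.example and 123.123.123.124, are constructed for illustration.

```python
import ipaddress

# Constructed zone data in the post's "owner IN type rdata" style.
# Owners are written fully qualified; every name and address is illustrative.
ZONE = """\
sub.domain.org.      IN A     123.123.123.123
another.domain.org.  IN A     123.123.123.123
news.domain.org.     IN A     123.123.123.123
news.domain.org.     IN A     123.123.123.124
alias.domain.org.    IN CNAME sub.domain.org.
123.123.123.123.in-addr.arpa. IN PTR sub.domain.org.
123.123.123.123.in-addr.arpa. IN PTR another.domain.org.
123.123.123.123.in-addr.arpa. IN PTR unrelated.example.
124.123.123.123.in-addr.arpa. IN PTR news.domain.org.
"""

def parse_zone(text):
    """Return {(owner, type): [rdata, ...]}; repeated owners accumulate."""
    records = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[1].upper() != "IN":
            continue  # blank lines and anything this sketch does not model
        owner, _, rtype, rdata = fields
        records.setdefault((owner.lower(), rtype.upper()), []).append(rdata.lower())
    return records

def addresses(records, name, depth=0):
    """All A records for name, following CNAMEs (depth-limited against loops)."""
    name = name.lower()
    found = list(records.get((name, "A"), []))
    if depth < 8:
        for target in records.get((name, "CNAME"), []):
            found += addresses(records, target, depth + 1)
    return found

def ptr_names(records, ip):
    """Every PTR target published for ip; there may be none, one or many."""
    owner = ipaddress.ip_address(ip).reverse_pointer + "."
    return list(records.get((owner, "PTR"), []))

def forward_confirmed(records, ip):
    """PTR names whose own forward lookup returns ip again (FCrDNS)."""
    return [n for n in ptr_names(records, ip) if ip in addresses(records, n)]

if __name__ == "__main__":
    recs = parse_zone(ZONE)
    for ip in ("123.123.123.123", "123.123.123.124"):
        print(ip, "PTR:", ptr_names(recs, ip), "confirmed:", forward_confirmed(recs, ip))
```

A PTR name that fails the forward check, like unrelated.example. in this data, is only what the operator of the reverse zone chose to publish.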


