
Tracking the Trolls: Usenet Headers

This is the fourth in a series of articles on reading internet message headers. If you haven’t already done so, please read the previous articles: Reading Internet Message Headers, Where’d That Email Come From? and So It Came From a Mailing List — Where Did It Come From Before That?

Messages posted to Usenet (newsgroups) have some headers in common with email messages. They will look slightly different to each person who reads them depending on the news server used to receive the message.

Newsgroups: soc.support.fat-acceptance,atl.general,
	mindspring.local.atlanta
Path: mindspring!firehose.mindspring.com!newsfeed1-hme1!
	newsfeed.internetmci.com!128.174.5.49!vixen.cso.uiuc.edu!
	uchinews!news
From: Suzy Smith <user@uiuc.edu>
Subject: Re: Help with headers?
Nntp-Posting-Host:  ip14.an4-atlanta2.ga.pub-ip.psi.net
Message-ID: <32146bef.20423023@news.interamp.com>
Reply-To: suzy@other.place
Organization: Anything You Like
References: <19970901140100.KAA29407@ladder02.news.
	aol.com> <EFy5Ar.3pq@world.std.com> <
	340DC46C.3A62@wco.com> <5umekl$44m@dfw-ixnews9.
	ix.netcom.com> <5v3g50$hsl$1@news.smart.net>
Date: Tue, 9 Sep 1997 21:17:39 GMT
X-Newsreader: AOL Offline Reader
X-No-Archive: yes
Lines: 24

Okay, let’s take these one at a time. None of these headers will normally appear more than once in any message.

  • Newsgroups: soc.support.fat-acceptance,atl.general,mindspring.local.atlanta

    The newsgroups: header is simple: it shows where the message is being posted. It can be just one newsgroup or many; if there’s more than one, the names are separated by commas. This message was posted to three newsgroups (that’s referred to as cross-posting).


  • Path: mindspring!firehose.mindspring.com!
    newsfeed1-hme1!newsfeed.internetmci.com!
    128.174.5.49!vixen.cso.uiuc.edu!uchinews!news

    The path: header shows, from first to last, the news server from which you read the message, all the news servers through which it was passed, and lastly the news server where the message originated (vixen.cso.uiuc.edu, in this case). You can look at this example and see that I read the message on a news server at MindSpring Enterprises (mindspring.com) and that it was originally posted on a news server at the University of Illinois at Urbana-Champaign (uiuc.edu).


  • From: Suzy Smith <user@uiuc.edu>

    The from: line is supposed to be the name and email address of the person who posted the message. Unfortunately, it is one of the easiest things to fake in any message: it only requires changing a setting in your news software and voilà! you’re Bill Clinton! Or Suzy Smith, or Liberace, as you please. It doesn’t even have to contain a valid email address.

  • Subject: Re: Help with headers?

    The subject line is chosen by whoever posted the original message in the thread. If this had been the first message in the thread, the subject line would probably have looked more like
    Subject: Help with headers?

  • Nntp-Posting-Host: ip14.an4-atlanta2.ga.pub-ip.psi.net

    This one’s important. The NNTP-posting-host: is supposed to tell us with which machine, and sometimes from which user, a message originated. It might be a name address, like the example above, or it might be the IP address of the machine in question, like so:

    NNTP-Posting-Host: 38.6.4.14

    If there’s a numeric address, use a tool like Sam Spade’s whois to figure out what it translates to and who owns that IP address. In this case, both the numeric and English addresses given refer to the same machine. We can tell that it’s a machine owned by PSINet, Inc. and that it’s probably at their Atlanta point-of-presence (POP). The NNTP posting host can be faked, but not easily (by the average user, anyway).

  • Message-ID: <32146bef.20423023@news.interamp.com>

    Again, the message-id: field is important, and is one that can be faked but not easily. It’s a unique ID assigned to this particular message by the news server on which it originated. If it were, for instance, a forged post, or spam, whoever owns that news server (interamp.com is owned by PSINet) should be able to look at their server logs to see who posted that message. This message-id: indicates that it came from a news server at interamp.com. That doesn’t match what was in the path: statement, remember? So one or the other might well be forged.

  • Reply-To: suzy@other.place

    In most cases, the reply-to: will be the email address of the person who posted the message, just like the from: line. But it isn’t always, and again it is incredibly simple to fake. It doesn’t have to be a valid email address at all.

  • Organization: Anything You Like

    Organization: is one of those fields where the user can enter anything he or she likes. If the user doesn’t specify anything, it’ll usually be filled in by the news server with a default value, like “MindSpring Enterprises” or “Internet America.”

  • References: <19970901140100.KAA29407@ladder02.news.aol.com> <EFy5Ar.3pq@world.std.com> <340DC46C.3A62@wco.com> <5umekl$44m@dfw-ixnews9.ix.netcom.com> <5v3g50$hsl$1@news.smart.net>

    The references: line gives the message-IDs of each message in the thread to which the user is replying. Let’s say that a user at smart.net posted the first message, and somebody at netcom.com replied, then a user at wco.com followed up to that, and finally someone at std.com answered him. This message is in reply to all of those, so it shows all of those message-IDs. It can be very helpful in figuring out how a thread got started, especially when one or more messages aren’t available anymore. Also, some newsreaders arrange messages by message-IDs instead of subject lines.

  • Date: Tue, 9 Sep 1997 21:17:39 GMT

    The date: header usually gives the date and time that the message was posted. “GMT” is the time zone in question (Greenwich Mean Time). It can be confusing, though, because sometimes it isn’t clear whether the date and time are from the server or from the user’s machine, and you can set your machine to say it’s any date and time you like (although most servers won’t accept a message posted in what they deem the future). If there is also an X-Server Date: line, that tells you the time the message was posted according to the news server on which the message originated.

  • X-Newsreader: AOL Offline Reader

    X-Newsreader:, if it is present, is the name and sometimes the version of the software the poster used. Some people have hacked the code on their newsreaders so it’ll say something odd, and some folks have removed that line altogether.

  • X-No-Archive: yes

    The X-No-Archive: header tells the scripts for archives like Deja.com to ignore the message so it won’t be archived. It’s an honor system, though — there are almost certainly archives that ignore that header.

  • Lines: 24

    The number of lines in the message. It’ll generally be a fairly low number unless it’s a binary post (a picture, a program, anything but a plain text message). For instance, a text post might only be 10 lines. A post containing a picture, though, might be three to four thousand lines.

Cancel Messages

Cancel messages are the same as other Usenet messages with an important addition. They are a special sort of message, called a control message, that goes to a newsgroup called control.cancel. They are used to delete messages that were posted to other newsgroups.

From @ Fri Aug 16 03:26:45 1996
Path: nntp0.mindspring.com!news.mindspring.com!
	gatech!usenet.eel.ufl.edu!news-res.gsl.net!
	news.gsl.net!news.sgi.com!swrinde!
	howland.erols.net!newsfeed.internetmci.com!
	in3.uu.net!psinntp!psinntp!interramp.com!usenet
From: Cyn
Newsgroups: atl.general
Subject: cmsg cancel <3213eced.1824837@news.atl.
	mindspring.com>
Control: cancel <3213eced.1824837@news.atl.
	mindspring.com>
Date: Fri, 16 Aug 1996 07:26:45 GMT
Organization: PSI Public Usenet Link
Lines: 1
Message-ID: <321422ad.1651917@news.interamp.com>
NNTP-Posting-Host: 38.6.4.10
X-No-Archive: Yes
X-No-Archive: Yes

The addition, of course, is this line:
Control: cancel <3213eced.1824837@news.atl.mindspring.com>
It will always contain the message-ID: of the message that is being canceled. If the domain in that message-ID: and the cancel message’s message-ID: don’t match, it’s a very good bet that the cancel message is a forgery. In this case, the original message was one I’d posted from MindSpring. The cancel message is a forgery issued by an interamp.com user. This time, the original message’s ID is also in the subject line, but that will not always be so.
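The two cross-checks this article walks through, the Message-ID domain against the originating end of the Path: line and a Control: cancel target against the canceller's own Message-ID, as an added Python example that is not code from the original article. It unfolds headers wrapped the way the page prints them and reports the disagreements; the samples are trimmed copies of the page's two messages, and the "same site" rule (matching the last two DNS labels) is an assumption of mine, not something the article states.

```python
import re

# Constructed samples: only the headers of the article's two messages that the
# checks below need, folded with a tab the way the page prints them.
POST = """\
Path: mindspring!firehose.mindspring.com!newsfeed.internetmci.com!
\t128.174.5.49!vixen.cso.uiuc.edu!uchinews!news
Message-ID: <32146bef.20423023@news.interamp.com>
"""
CANCEL = """\
Control: cancel <3213eced.1824837@news.atl.
\tmindspring.com>
Message-ID: <321422ad.1651917@news.interamp.com>
"""

def parse_headers(raw):
    # {lower-cased name: value}; the page wraps mid-token, so folded lines are
    # joined with no space, and a repeated header keeps its first value.
    headers, name = {}, None
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and name:
            headers[name] += line.strip()
        elif (m := re.match(r"([\w-]+):\s*(.*)$", line)):
            name = m.group(1).lower()
            headers.setdefault(name, m.group(2).strip())
    return headers

def msgid_domain(msgid):
    # Domain part of a <local@domain> message-ID, or None if there is none.
    m = re.search(r"<[^@>]+@([^>]+)>", msgid or "")
    return m.group(1).lower() if m else None

def path_origin(path):
    # Last dotted hop of the bang path, i.e. the server the post entered Usenet
    # on; dotless pseudo-hops such as 'news' or 'usenet' are ignored.
    hops = [h for h in path.split("!") if "." in h]
    return hops[-1].lower() if hops else None

def same_site(a, b):
    # Assumed rule: both names share their last two labels (e.g. mindspring.com).
    return bool(a and b) and a.split(".")[-2:] == b.split(".")[-2:]

def check(raw):
    # The two disagreements the article reads as forgery signs: Path origin vs
    # Message-ID domain, and (for Control: cancel) target vs canceller domain.
    h = parse_headers(raw)
    own, findings = msgid_domain(h.get("message-id")), {}
    origin = path_origin(h.get("path", ""))
    if origin and not same_site(origin, own):
        findings["path_origin"] = (origin, own)
    ctl = h.get("control", "")
    if ctl.startswith("cancel") and not same_site(msgid_domain(ctl), own):
        findings["cancel_target"] = (msgid_domain(ctl), own)
    return findings
```

Running check(POST) flags uiuc.edu against interamp.com, and check(CANCEL) flags the mindspring.com target against the interamp.com canceller, the two discrepancies the article points out.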

In the last part of the series, we’ll talk a little about anonymous remailers.

Originally published 14 February 2001. Last updated 17 February 2019.