  #31 (permalink)  
Old 03-24-2008, 07:53 PM
Sebastian G.
Guest
 
Posts: n/a
Default Re: Firewall that blocks specified IP's

hummingbird wrote:


>>
>>>>> There are reasons to fake headers to hide from public view what
>>>>> posting s/w he uses to deter stalkers,


~~~~~

>>>> Nonsense.
>>> That response from you sure is.
>>> I refer you to my previous comments.

>>
>> If you can tell me any logical connection between header faking and detering
>> stalkers... but well, you can't, since there is none.

>
> I never used the term "detering", you did.



Ouch! The word "deter" even appears in the quoting above...

> Suffice it for me to say that the contents of one's headers can be
> used by stalkers and troublemakers against you.



How so?

> It therefore makes
> some sense to prevent them from doing that. I realised that many
> years ago and took action to protect myself early on in Usenet.



So that's why your headers are defective, as well as your mail address in
the From header...

>> Obviously "Microsoft Outlook Express 6.00.2900.3138" is not a random string,
>> especially not if it's repeated among two postings.

>
> I meant that the other poster may insert a random news client string
> into his header each time he posts (or whenever he wants to) to help
> anonymise himself better.
>
> So today he might insert OE and tomorrow he might use Thunderbird.
> The day after tomorrow he might insert some other news client.
>
> Get the picture?



No. It leaves an obvious trace over the cause of one day.

Even further, drawing it from a limited set makes it pretty void.

  #32 (permalink)  
Old 03-24-2008, 09:00 PM
hummingbird
Guest
 
Posts: n/a
Default Re: Firewall that blocks specified IP's


On Mon, 24 Mar 2008 20:53:04 +0100 'Sebastian G.'
wrote this on alt.comp.freeware:

>hummingbird wrote:
>> Suffice it for me to say that the contents of one's headers can be
>> used by stalkers and troublemakers against you.


>How so?


Well you'll just have to accept my word on that Sebastian because
I'm not going to post stuff here which is of use to the small group
of sick stalkers we have on <alt.comp.freeware>. These people only
have to find one header in several posts that match, to declare they
were posted by the same person. Now, you and I may think that is
ridiculous and is only trivial or circumstantial evidence, but on
ACF it's more than enough for the dorks to declare proven guilt and
to accuse that person of sockpuppeting or spoofing to smear their
name and discredit them.

Thus, it can be useful for a person to be able to deliberately
manipulate their headers to *deter* stalker attack and to retain
a level of anonymity.


>> It therefore makes
>> some sense to prevent them from doing that. I realised that many
>> years ago and took action to protect myself early on in Usenet.

>
>
>So that's why your headers are defective, as well as your mail address in
>the From header...


That's really a non-sequitur, but I'm not aware that my Headers and
From: field are defective. The only general rule I'm aware of is to
ensure a unique MID to avoid such things as hash collisions etc.
Otherwise if the news server accepts a post and propagates it, then
it's OK.


>>> Obviously "Microsoft Outlook Express 6.00.2900.3138" is not a random string,
>>> especially not if it's repeated among two postings.

>>
>> I meant that the other poster may insert a random news client string
>> into his header each time he posts (or whenever he wants to) to help
>> anonymise himself better.
>>
>> So today he might insert OE and tomorrow he might use Thunderbird.
>> The day after tomorrow he might insert some other news client.
>>
>> Get the picture?

>
>
>No. It leaves an obvious trace over the cause of one day.


Well, maybe a person will change his headers for each post. Bear in
mind, he's only protecting himself against a dork-stalk attack, not
NSA or CIA etc. That would require more sophisticated measures.

>Even further, drawing it from a limited set makes it pretty void.


I was only giving a simple example...in practice one might use a
more complex set of variants in the headers.

  #33 (permalink)  
Old 03-24-2008, 10:49 PM
Ant
Guest
 
Posts: n/a
Default Re: Firewall that blocks specified IP's

"hummingbird" wrote:

> On Mon, 24 Mar 2008 20:53:04 +0100 'Sebastian G.'
> wrote this on alt.comp.freeware:
>
>>hummingbird wrote:
>>> Suffice it for me to say that the contents of one's headers can be
>>> used by stalkers and troublemakers against you.

>
>>How so?

>
> Well you'll just have to accept my word on that Sebastian because
> I'm not going to post stuff here which is of use to the small group
> of sick stalkers we have on <alt.comp.freeware>. These people only
> have to find one header in several posts that match, to declare they
> were posted by the same person.


So what?

> Now, you and I may think that is
> ridiculous and is only trivial or circumstantial evidence, but on
> ACF it's more than enough for the dorks to declare proven guilt and
> to accuse that person of sockpuppeting or spoofing


Who cares?

> to smear their name and discredit them.


What tosh. Any regular poster keeps the same handle and is judged by
the articles they post, not by trolls.

> Thus, it can be useful for a person to be able to deliberately
> manipulate their headers to *deter* stalker attack and to retain
> a level of anonymity.


I always post as "Ant" but you know nothing about me apart from the
ISP I use.



  #34 (permalink)  
Old 03-25-2008, 12:08 AM
hummingbird
Guest
 
Posts: n/a
Default Re: Firewall that blocks specified IP's


On Mon, 24 Mar 2008 22:49:02 -0000 'Ant'
wrote this on alt.comp.freeware:

>"hummingbird" wrote:
>
>> On Mon, 24 Mar 2008 20:53:04 +0100 'Sebastian G.'
>> wrote this on alt.comp.freeware:
>>
>>>hummingbird wrote:
>>>> Suffice it for me to say that the contents of one's headers can be
>>>> used by stalkers and troublemakers against you.

>>
>>>How so?

>>
>> Well you'll just have to accept my word on that Sebastian because
>> I'm not going to post stuff here which is of use to the small group
>> of sick stalkers we have on <alt.comp.freeware>. These people only
>> have to find one header in several posts that match, to declare they
>> were posted by the same person.

>
>So what?


Who are you? I was having a debate with Sebastian.

>> Now, you and I may think that is
>> ridiculous and is only trivial or circumstantial evidence, but on
>> ACF it's more than enough for the dorks to declare proven guilt and
>> to accuse that person of sockpuppeting or spoofing

>
>Who cares?


Ditto. If you don't care, why bother posting at all?

>> to smear their name and discredit them.

>
>What tosh. Any regular poster keeps the same handle and is judged by
>the articles they post, not by trolls.


You obviously are a little naive about these matters.

>> Thus, it can be useful for a person to be able to deliberately
>> manipulate their headers to *deter* stalker attack and to retain
>> a level of anonymity.

>
>I always post as "Ant" but you know nothing about me apart from the
>ISP I use.



You forgot these headers of yours which all help to ID you:

X-Usenet-Provider: http://www.giganews.com
NNTP-Posting-Host: 80.189.16.24
X-Postfilter: 1.3.37
X-Newsreader: Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200


Now what were you saying?

Ant, if you have some constructive views on this debate please
express them, otherwise go away.

  #35 (permalink)  
Old 03-25-2008, 02:00 AM
Ant
Guest
 
Posts: n/a
Default Re: Firewall that blocks specified IP's

"hummingbird" wrote:

> On Mon, 24 Mar 2008 22:49:02 -0000 'Ant'
> wrote this on alt.comp.freeware:
>
>>"hummingbird" wrote:
>>> These people only
>>> have to find one header in several posts that match, to declare they
>>> were posted by the same person.

>>
>>So what?

>
> Who are you?


I am anonymous.

> I was having a debate with Sebastian.


You posted to usenet where anyone can join in.

>>> Now, you and I may think that is
>>> ridiculous and is only trivial or circumstantial evidence, but on
>>> ACF it's more than enough for the dorks to declare proven guilt and
>>> to accuse that person of sockpuppeting or spoofing

>>
>>Who cares?

>
> Ditto. If you don't care, why bother posting at all?


Because I'd like you to explain what the problem is.

>>> to smear their name and discredit them.

>>
>>What tosh. Any regular poster keeps the same handle and is judged by
>>the articles they post, not by trolls.

>
> You obviously are a little naive about these matters.


Please explain, then.

>>I always post as "Ant" but you know nothing about me apart from the
>>ISP I use.

>
> You forgot these headers of yours which all help to ID you:
>
> X-Usenet-Provider: http://www.giganews.com


I post through giganews, along with many others, one of the largest if
not *the* largest news provider.

> NNTP-Posting-Host: 80.189.16.24


24.16.189.80.in-addr.arpa domain name pointer 189.16.24.fdial.global.net.uk.

Belongs to Brightview who are the resellers of bandwidth that my ISP
uses. So, in fact, you don't even know my ISP.

> X-Newsreader: Microsoft Outlook Express 5.50.4522.1200


An old version of OE. So what?

> Now what were you saying?


See above.



  #36 (permalink)  
Old 03-25-2008, 06:13 AM
Sebastian G.
Guest
 
Posts: n/a
Default Re: Firewall that blocks specified IP's

Ant wrote:


>> X-Newsreader: Microsoft Outlook Express 5.50.4522.1200

>
> An old version of OE. So what?


Seems like you didn't even bother to read this thread, did you?

  #37 (permalink)  
Old 03-25-2008, 08:58 AM
hummingbird
Guest
 
Posts: n/a
Default Re: Firewall that blocks specified IP's


On Tue, 25 Mar 2008 02:00:58 -0000 'Ant'
wrote this on alt.comp.freeware:

>"hummingbird" wrote:
>
>> On Mon, 24 Mar 2008 22:49:02 -0000 'Ant'
>> wrote this on alt.comp.freeware:
>>
>>>"hummingbird" wrote:
>>>> These people only
>>>> have to find one header in several posts that match, to declare they
>>>> were posted by the same person.
>>>
>>>So what?

>>
>> Who are you?

>
>I am anonymous.
>
>> I was having a debate with Sebastian.

>
>You posted to usenet where anyone can join in.


True, but my comments were addressed to Sebastian and you know
how it is trying to hold two conversations at once and how muddled
things can get.

>>>> Now, you and I may think that is
>>>> ridiculous and is only trivial or circumstantial evidence, but on
>>>> ACF it's more than enough for the dorks to declare proven guilt and
>>>> to accuse that person of sockpuppeting or spoofing
>>>
>>>Who cares?

>>
>> Ditto. If you don't care, why bother posting at all?

>
>Because I'd like you to explain what the problem is.


Ooh so you *do* care.

I think I posted enough clues for most folks to get the picture.
If either of you want more explanation, send an e-mail
to hellhole2007 AT libero.it

>>>> to smear their name and discredit them.
>>>
>>>What tosh. Any regular poster keeps the same handle and is judged by
>>>the articles they post, not by trolls.

>>
>> You obviously are a little naive about these matters.

>
>Please explain, then.


See my previous comments.

>>>I always post as "Ant" but you know nothing about me apart from the
>>>ISP I use.

>>
>> You forgot these headers of yours which all help to ID you:
>>
>> X-Usenet-Provider: http://www.giganews.com

>
>I post through giganews, along with many others, one of the largest if
>not *the* largest news provider.
>
>> NNTP-Posting-Host: 80.189.16.24

>
>24.16.189.80.in-addr.arpa domain name pointer 189.16.24.fdial.global.net.uk.
>
>Belongs to Brightview who are the resellers of bandwidth that my ISP
>uses. So, in fact, you don't even know my ISP.
>
>> X-Newsreader: Microsoft Outlook Express 5.50.4522.1200

>
>An old version of OE. So what?
>
>> Now what were you saying?

>
>See above.


Indeed but your statement was that I only know who your ISP is.
I pointed out that your headers reveal more about you than that.
(not more about you personally but more about you on Usenet).

Reply With Quote
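Added example, not part of any post in this thread: a self-audit in Python of which headers in one's own articles stay constant or recur, which is the linkability the posters above are arguing about. The sample articles, the documentation-range host and the function names are constructed for illustration.

```python
from email.parser import HeaderParser

# Constructed sample articles (headers only). The host is from the RFC 5737
# documentation range; nothing here is copied from a real poster.
SAMPLE_POSTS = [
    "From: poster <poster@example.invalid>\n"
    "Message-ID: <a1@news.example.invalid>\n"
    "NNTP-Posting-Host: 192.0.2.10\n"
    "X-Postfilter: 1.3.37\n"
    "X-Newsreader: Microsoft Outlook Express 6.00.2900.3138\n\n",
    "From: poster <poster@example.invalid>\n"
    "Message-ID: <b2@news.example.invalid>\n"
    "NNTP-Posting-Host: 192.0.2.10\n"
    "X-Postfilter: 1.3.37\n"
    "X-Newsreader: Thunderbird 2.0.0.12\n\n",
    "From: poster <poster@example.invalid>\n"
    "Message-ID: <c3@news.example.invalid>\n"
    "NNTP-Posting-Host: 192.0.2.10\n"
    "X-Postfilter: 1.3.37\n"
    "X-Newsreader: Microsoft Outlook Express 6.00.2900.3138\n\n",
]


def parse_headers(raw):
    """Return {lower-cased header name: whitespace-normalised value}."""
    msg = HeaderParser().parsestr(raw)
    return {name.lower(): " ".join(value.split()) for name, value in msg.items()}


def audit(raw_posts):
    """Classify each header by how its value behaves across the posts.

    constant: identical in every post, so it ties all of them together
    repeats:  rotated, but drawn from a pool small enough that values recur
    unique:   different in every post (e.g. Message-ID)
    """
    posts = [parse_headers(raw) for raw in raw_posts]
    report = {}
    for name in sorted(set().union(*posts)):
        # A header missing from a post is recorded as None, which is itself
        # a distinguishing value.
        values = [post.get(name) for post in posts]
        distinct = len(set(values))
        if distinct == 1:
            report[name] = "constant"
        elif distinct < len(values):
            report[name] = "repeats"
        else:
            report[name] = "unique"
    return report


def linking_headers(raw_posts):
    """Headers that still connect at least two of the posts."""
    return [n for n, kind in audit(raw_posts).items() if kind != "unique"]


if __name__ == "__main__":
    for name, kind in audit(SAMPLE_POSTS).items():
        print(f"{name:20} {kind}")
```

On the sample, X-Newsreader rotated between two strings is reported as repeating, while NNTP-Posting-Host and X-Postfilter stay constant whatever the client string says.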
  #38 (permalink)  
Old 03-26-2008, 12:38 AM
Franklin
Guest
 
Posts: n/a
Default Re: Firewall that blocks specified IP's

On Mon 24 Mar 2008 14:42:21, Krazee Brenda <brendaroguska@gmail.com>
wrote:

> On Sun, 23 Mar 2008 20:46:34 -0000, Nomen Nescio wrote:
>
>> "Krazee Brenda" <brendaroguska@gmail.com> wrote in message
>> news:1ek017lye46kr.1ka8y6xahhrbo.dlg@40tude.net...
>>> On Fri, 21 Mar 2008 17:49:09 -0000, Nomen Nescio wrote:
>>>
>>>>> Only two ways. Look up the range of IP addresses from the
>>>>> IP-ISP and block them by wildcards or grab them one by one as
>>>>> they come in.
>>>>>
>>>>> The other way is to switch and *allow* only certain IP and
>>>>> port combos incoming, snapin remote access and add a third
>>>>> credential as to how ppl are trying to get in (e.g. logins a
>>>>> SysAdmin).
>>>>
>>>> You know jack shit.
>>>> Whitelists and SORBS-RBL. Dummy head.
>>>> Don't post if you don't know
>>>
>>> All this from an Outlook Express user.

>>
>> Dummy head. You don't know what I post with.
>> "Outlook Express". You know jack shit about my
>> headers/newsreader. Don't post if you don't know anything

>
> Hi Franklin. LOL



Hello Brenda, sorry to reply so late. I've been away and had a very
nice rest, thank you very much. Sorry no postcard but you know how
I'd rather not spend money on you. A bit like hubby maybe? Will
try and catch up with your weird postings shortly.

  #39 (permalink)  
Old 03-26-2008, 12:39 AM
Franklin
Guest
 
Posts: n/a
Default Re: Firewall that blocks specified IP's

On Mon 24 Mar 03:02, Cecil SeaSerpent <cecil@beanyland.net>
wrote:
> "Nomen Nescio" <nomen.nescio@nomen.nescio> wrote in message
> news:fs6fiq$b70$2@aioe.org...
>> "Krazee Brenda" <brendaroguska@gmail.com> wrote in message
>> news:1ek017lye46kr.1ka8y6xahhrbo.dlg@40tude.net...
>>> On Fri, 21 Mar 2008 17:49:09 -0000, Nomen Nescio wrote:
>>>>>
>>>>> Only two ways. Look up the range of IP addresses from the
>>>>> IP-ISP and block them by wildcards or grab them one by one as
>>>>> they come in.
>>>>> The other way is to switch and *allow* only certain IP and
>>>>> port combos incoming, snapin remote access and add a third
>>>>> credential as to how ppl are trying to get in (e.g. logins a
>>>>> SysAdmin).
>>>>
>>>> You know jack shit.
>>>> Whitelists and SORBS-RBL. Dummy head.
>>>> Don't post if you don't know
>>>
>>> All this from an Outlook Express user.

>>
>> Dummy head. You don't know what I post with.
>> "Outlook Express". You know jack shit about my
>> headers/newsreader. Don't post if you don't know anything

>
> Hi "Unknown Name":
> MID Xns9A18D83EF64ABHummingbirdisak00k@0.0.0.0
> seems to have the same aioe NNTP Posting Host as this post. Since
> you place such confidence in tracking Hunmingbird's sock puppets
> this way, you'll probably want to confess that this is actually
> you, Franklin.
>



Hi Cecil

It doesn't even read like one of my posts. Looks more like
something from Hummingbird.

You say I have confidence in tracking Hunmingbird's sock puppets
through his posting host but that's not quite right. I don't think
I've ever said I use that approach although there was an example
recently from another poster which seemed to say exactly that.
Maybe you could be mixing that up with what I've posted.

I don't identify Hummingbird's posts using servers because he has
become more adept at munging his headers and has recently taken to
openly discussing how he can fake any header with his tools.
http://preview.tinyurl.com/22x7xk

If you look at my recent post http://tinyurl.com/2hbsnu you will
see a way I prefer to use to confirm Hummingbird's posts. It's
worth a quick look especially at the data part.

You might even wish to try the same approach on Aracari posting in
uk.politics.misc. If you interleave Aracari's posts with
Hummingbird's posts over the same period then you'll see a very
strong correlation in posting times. Try it and you can see the
result is persuasive.

Other Hummingbird's sockpuppets can be seen this way too. From
memory I think "Derald" is one. This approach means you don't need
to go thru Hummingbird's fake headers or follow newsreader names or
posting servers or any of that.

I used the headers so little that I hadn't noticed Aracari's posting
server and not even his giveaway ROT-13 header until someone listed
them here recently. Timestamp matching can be enough although some
relay servers will deliberately wait a random period of time.

In fact, I think I used that randomness for another sockpuppet.
Hummingbird and the sockpuppet were never posting at the same time
even though the posting times of each was quite irregular. Chance
alone would suggest that at some stage they would post at more or
less the same time. But it never happened. This negative
correlation was too high to ignore.


  #40 (permalink)  
Old 03-26-2008, 12:39 AM
Franklin
Guest
 
Posts: n/a
Default Re: Firewall that blocks specified IP's

On Mon 24 Mar 2008 19:53:04, Sebastian G. <seppi@seppig.de> wrote:
At Monday 24th March 2008, Hummingbird wrote:
>> It therefore makes
>> some sense to prevent them from doing that. I realised that many
>> years ago and took action to protect myself early on in Usenet.

>
>
> So that's why your headers are defective, as well as your mail
> address in the From header...




Sebastian,

In case you don't know him, Hummingbird seems to prefer to get his
revenge in before any transgressions have occurred.

In other words, he posts a spoof or uses a sockpuppet with fake
headers to attack a problem from another poster which does not yet
exist except in his predictions.

I too get some other defective headers from Hummingbird but in a
different way. It's in their very punctuation. I see spaces
appearing in the middle of Hummingbird's header text but I've tended
to attribute this to my newsreader and its lack of UTF-8 support
because I've seen Hummingbird use both 7-bit and 8-bit encoding
recently.

However, I'm a bit surprised at the extent of messing up I see.
Google Groups also seems to get a bit muddled by some of
Hummingbird's "specially written" headers.


  #41 (permalink)  
Old 03-26-2008, 12:39 AM
Franklin
Guest
 
Posts: n/a
Default Re: Firewall that blocks specified IP's

On Mon 24 Mar 2008 01:47:54, hummingbird <hummingbird@127.0.0.1>
wrote:
>
> There are reasons to fake headers to hide from public view what
> posting s/w he uses to deter stalkers, and the poster may have
> chosen OE for no particular reason (ie a random choice). I'm not
> aware of the compatibility problems you refer to.



Hummingbird, pardon me for being late to this thread but if I read
your comments correctly you are saying that you are entitled to
falsify headers in order to make trouble for those whom you
designate as "stalkers"?

If you recall there was a new poster here whom I looked up in Google
Groups and clicked the "profile" link. In your eyes that allowed
you to claim I was a stalker.

On other occasions I have been called a "professional stalker" by
you - although I always thought I made a living by other means.

Your allegations mean that once you have demonised me or my motives
then you are entitled to attack me in any way you see fit. And so
you have posted using my own name several times before and now your
toolkit of header-fixing apps allows you to be even more creative
with other headers too.

I recall telling you that it was suspicious you were so interested
in local proxy servers and you had the chutzpah to say you didn't
know what a proxy server was. You were running one!

What is the matter?
