The Rogue Supersede Problem

NOTE: "Hipcrime" himself is not responsible for the supersedes. He merely wrote the software that others are abusing for this purpose. The problem acquired the name "Hipcrime" because that is the tool that the vandals are using. In fact, more than one vandal could be involved.

Uncle Rom says, "Supersede Vandals Delenda Est"

Background

If you are a newsgroup subscriber, especially in the alt. newsgroups, you're familiar with the problem. Your messages (and everybody else's) are being cancelled and replaced by gibberish. Not only that, messages from OTHER newsgroups are being cancelled, replaced with gibberish, and crossposted to your newsgroup. The net effect is to make the newsgroups almost unusable.

"A lot of things can happen to dog doo"

(Clint Eastwood as Harry Callahan in "Sudden Impact." "doo" was not the word he used, but this is supposed to be a PG-rated site.)

The individual who is doing this- I've seen the name "Hipcrime" in news.admin.net-abuse.usenet- may want to think about what he is doing. He is interfering with telecommunications that cross state lines. Doubleplus ungood, bad medicine, heap bad juju. He may want to check out the following link:

National Computer Crimes Squad (part of the Federal Bureau of Investigation):
Federal Bureau of Investigation
Washington Metropolitan Field Office
601 4th Street, N.W.
Washington, D.C. 20535-0002
(202) 278-2000

It also looks like he is helping himself to other people's servers (open servers), also across state lines. Could be interesting if those servers' owners decide to do something about it.
 

What you can do to help deal with him/them: Header Tutorial

View the full headers of the superseded postings. Here are some examples of what to look for.

A full header: you want the Path and any NNTP-posting-host. (He may be able to forge the NNTP posting host, or remove it entirely, as he is doing here)

From - Fri Oct 23 20:52:52 1998
Message-ID: <1Q3ZOQCMujnN.HCgLRE1pyszMYxO.aGGugyhyqcBLF@news.gate.net>
Supersedes: <36410e96.2199452@news.gate.net>
Subject: Re: DOS com in WinNT
From: bill@websoftware.com (Bill Barnes) [Forged address, affects path]
References: <70pkgm$dh2$1@eskinews.eskimo.com>
Date: 23 Oct 1998 08:59:58 GMT
Newsgroups: alt.gothic,alt.slack,alt.animals.dolphins,alt.genius.bill-palmer,intel.etc,comp.dcom.modems
Lines: 19
Path: ix.netcom.com!netnews.com!europa.clark.net!206.55.3.15!news.clark.net!newsgroups.intel.com!websoftware.com!bill
Xref: ix.netcom.com alt.gothic:584009 alt.slack:272674 alt.animals.dolphins:71077 alt.genius.bill-palmer:44802 comp.dcom.modems:248215

Other headers' paths:
Path: ix.netcom.com!howland.erols.net!feed1.news.rcn.net!rcn!newsxfer.visi.net!news.clark.net!newsgroups.intel.com!yahoo.com!femlove

Path: x.netcom.com!news.webspan.net!news-spur1.maxwell.syr.edu!news.maxwell.syr.edu!cpk-news-hub1.bbnplanet.com!
news.news.gtei.net!europa.clark.net!206.55.3.15!news.clark.net!newsgroups.intel.com!xfpqvaxm.edu!TouchMe

Path: ix.netcom.com!netnews.com!europa.clark.net!206.55.3.15!news.clark.net!newsgroups.intel.com!camsSPAMOFF.nwnet.co.uk!gary

The entries at the far right of the paths (the supposed origin of the message) are fake, since the abuser is forging the addresses of the messages' posters. In the complete example, the abuser has forged bill@websoftware.com, so websoftware.com!bill appears as the rightmost entry. You want the rightmost entry that is COMMON to ALL the supersedes. This is newsgroups.intel.com, so you would forward the supersedes to abuse@intel.com and postmaster@intel.com. This could well be the open server that the bad guy is abusing. I copied postmaster@clark.net for good measure.

Here's one with an NNTP posting host:

Path:    ix.netcom.com!news.maxwell.syr.edu!xfer.kren.ne.kr!news.lginternet.net!alumni.rpi.edu!furlos
 NNTP-Posting-Host: 166-88-133.ipt.aol.com 152.166.88.133

lginternet.net is probably the injection point (open server), per examination of other headers. AOL could be the message's origin (if the vandal is using throwaway AOL accounts), but he also may be forging this part of the header. I notified AOL anyway, they may want to take legal action against this individual. If you use the Windows '95 Traceroute utility (in the Windows directory), TRACERT 152.166.88.133 does indeed lead to AOL.
 

New! Watch out for decoys in the path!

Path:     ix.netcom.com!su-news-hub1.bbnplanet.com!news.gtei.net!xfer.kren.ne.kr!news.lginternet.net!internet.com!me
 NNTP-Posting-Host:     201-27-225.ipt.aol.com 152.201.27.225

One would normally report this to lginternet.net. Problem: I tried http://www.lginternet.net, and it does not exist! If the vandal can modify his path headers, he may have inserted a nonexistent domain as a decoy to deflect complaints. http://www.kren.ne.kr does exist, and it may be the actual injection point.

Update: I received a couple of E-mails that say lginternet.net is indeed a valid domain, but I couldn't resolve it with a traceroute. To be thorough, consider reporting to the two rightmost domains in the path (if the rightmost one, in this case lginternet.net, cannot be contacted from your browser or by Traceroute).
 

Gibberish Example (notice that he doesn't like Uncle Rom's sponsor)

From - Fri Oct 23 20:52:52 1998
Message-ID: <1Q3ZOQCMujnN.HCgLRE1pyszMYxO.aGGugyhyqcBLF@news.gate.net>
Supersedes: <36410e96.2199452@news.gate.net>
Subject: Re: DOS com in WinNT
From: bill@websoftware.com (Bill Barnes)
References: <70pkgm$dh2$1@eskinews.eskimo.com>
Date: 23 Oct 1998 08:59:58 GMT
Newsgroups: alt.gothic,alt.slack,alt.animals.dolphins,alt.genius.bill-palmer,intel.etc,comp.dcom.modems
Lines: 19
Path: ix.netcom.com!netnews.com!europa.clark.net!206.55.3.15!news.clark.net!newsgroups.intel.com!websoftware.com!bill
Xref: ix.netcom.com alt.gothic:584009 alt.slack:272674 alt.animals.dolphins:71077 alt.genius.bill-palmer:44802 comp.dcom.modems:248215

William A. Levinson is a SPAMMER!
 

Dvtxu bgqr gbsm botwf
ab ebeziae li xy?

Vaelzx ltue yia fkjp bjto bt
lli lasr qvu ely ep.

Pnec ymk ev ydezm
eeebn fgr ybi iepap rluipe fjzn
mlu erp pqu cyh mmb fvf
ckp koe heo uylu ijnr ye
pta tnpr te zhtdo wdju?

Hdevsw fokiu bmfii eupg mj
azqtn ml iddp acec xlflc
esv ooliv eudypl eolph
ipcc dcm pfp tyfq ylwk fuwvz
ucbazi lhd ftzdfu xrioib nkdiw pcf
wii fig yfb axa vawt xm?

Zibc ebskir ei ohgu
dlt tqeyppu eub pibu ebds ru
lss bei rqse zaofwi trnp ygeii
ysbp pemtalt gap sq aed
ir wl ethq laa my iei
sii mmel vkkm rkel rtljn
umpt nixl ext cxfqk tt ls
birks ritnpp ie hxplur alj
rulfva dtf sea haiz ru eb
eioe jnk mvtk ywse pfey oxlmd?
 
 

Uncle Rom is the spam fighter of "Spam Delenda Est," it's short for "Romulus." Cheerful facts about the Roman Empire:

• After taking Carthage, killing the men, and selling the women and children as slaves, the Romans burned the city and salted the fields so nothing would ever grow there again.
• Did you know that Latin includes a word, "decimate," which means, "kill every tenth person?"
• The gates of the Temple of Janus were open when Rome was at war and closed when it was at peace. Romans came to rely on the gates as a regular thoroughfare.
• Caligula wished that all Rome had but one neck (so he wouldn't have to cut off heads one at a time). Would that all spammers had but one neck...
• "Odirent, dum metuent" = "Let them hate, as long as they fear."
• The gladius (Roman short sword, adopted from Spain) is reputed to be responsible for more deaths than any other weapon until the invention of firearms.
• Cato the Elder ended every speech (no matter what the topic) with "Carthage Delenda Est"- "Carthage must be destroyed."
• Star Trek's Romulans are simply Imperial Romans with green blood, pointed ears, and spaceships.
Those Romans had such nice ideas when applied to spammers and other Internet vermin...