Re: IP number question

From: Walter Roberson (roberson_at_ibd.nrc-cnrc.gc.ca)
Date: 01/27/05

  • Next message: LightningWolf: "Re: Best settings for ActiveX in IE ?"
    Date: 27 Jan 2005 21:26:01 GMT
    
    

    In article <w4cKd.11233$rw.4612@fed1read04>,
    Michael J. Pelletier <mjpelletier@mjpelletier.com> wrote:
    |> If I can find any system anywhere in the
    |> world that is willing to trust me when I send IHAVE verbs, then
    |> I can present a posting whose headers *claim* whatever IP address
    |> I care to insert. The next hop will copy the forged header, the
    |> hop after that will too, and so on until it gets to google or your
    |> news server and you retrieve the message and thus display the
    |> header that I injected rather than where the posting really came from.

    |Yup, but there is an awful lot of sequence numbers to guess in a
    |proportionally small amount of time....

    No, you've still missed the point.

    When you use the NNTP 'POST' verb, then most (but not all)
    NNTP servers will take a record of your IP address and will create
    new headers (such as NNTP-Posting-Host: or X-Trace:) that include that
    IP address. Forging an IP at that level does require not-so-easy
    techniques such as sequence-number guessing -- or requires that one
    has control over the system one is forging from, which is all too
    common a case with all the trojans floating around. It isn't something
    you can just casually do either way, unless you happen to have already
    gained control over a bunch of hosts.

    However, that applies only to the 'POST' verb. If instead you use
    the 'IHAVE' verb, then you are telling the remote system that your
    machine is running a news server and that you have completely formatted
    articles ready to pass along -- articles which might have originated
    with your machine, or articles which might have been passed on to you
    from elsewhere. When you use IHAVE suggesting an Article-Id: and
    the nntp server doesn't have that ID in its database and the nntp
    server is willing to accept articles from you, the nntp server will
    respond with a SENDME command, which is your cue to beam over the
    contents of the article *with full headers*. When you IHAVE/SENDME,
    the remote server does NOT add an NNTP-Posting-Host: to the headers,
    because the remote server doesn't think of it as being a "new" posting:
    it thinks of it as being something handed on from downstream that already
    has all headers it needs. All that the remote server does is add a
    component to the path header... which, of course, you might have
    completely forged up to that point.

    :Interesting. I thought that news servers operated like mail servers. True
    :you can forge the envelope from, etc but the mail server will record the IP
    :address that connected to it and record it into the header.

    That's a bit of a misconception. MTAs are not -required- to add the
    IP address to headers of email messages, and there are literally tens
    of thousands of them out there which do not. The Received-By: headers that
    are commonly added are a convention, not a requirement, and it isn't
    rare to find systems that do not add the headers or which throw away
    the Received-By: headers they were handed.

    :I guess what you are saying is that news servers are not as "smart". True?
    :If so, thanks for the explanation. I guess you learn something every day!

    There is nothing that would -prevent- nntp servers from adding trace
    headers such as Received-By:. It just hasn't been done. It wouldn't
    require any change to the protocol at all, just minor changes to
    the handling software.

    Conversely, smtp servers haven't proven particularly "smart" about
    weeding out bogus claims about how the mail got to them. The convention
    is better than nothing, when it is followed, but it isn't always followed.

    -- 
       Come to think of it, there are already a million monkeys on a million
       typewriters, and Usenet is NOTHING like Shakespeare.  -- Blair Houghton.
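
Added example, not part of the original post: a reader-side check that separates the Path hops a site can vouch for from the ones that are only claimed, following the IHAVE behaviour described in the message above. The host names, the sample article and the `assess_provenance` helper are constructed for illustration, and the set of trusted peers is an assumption the operator supplies.

```python
from email.parser import HeaderParser

# Constructed sample article (hypothetical hosts, documentation IP range).
SAMPLE_ARTICLE = """\
Path: news.local.example!peer1.example.net!relay.example.org!origin.example.com!not-for-mail
From: someone@example.com
Newsgroups: comp.security.misc
Subject: test
Message-ID: <abc123@origin.example.com>
NNTP-Posting-Host: 192.0.2.55

body text
"""


def assess_provenance(raw_article, local_server, trusted_peers):
    """Split an article's trace data into what we can vouch for and what is
    only asserted by whoever handed the article over."""
    headers = HeaderParser().parsestr(raw_article)
    entries = [e.strip() for e in (headers.get("Path") or "").split("!") if e.strip()]
    # By convention the last Path component is a tail entry such as
    # "not-for-mail", not a relaying server, so it is set aside.
    hops = entries[:-1] if len(entries) > 1 else entries

    known = {local_server} | set(trusted_peers)
    verified, claimed = [], []
    chain_intact = True
    for hop in hops:
        # Each server prepends its own name, so the leftmost hop is the newest.
        # The first hop we do not trust could have offered the article with
        # fully prepared headers; everything to its right is its claim, even
        # a name that happens to match one of our trusted peers.
        if chain_intact and hop in known:
            verified.append(hop)
        else:
            chain_intact = False
            claimed.append(hop)

    posting_host = headers.get("NNTP-Posting-Host")
    return {
        "verified_hops": verified,
        "claimed_hops": claimed,
        "posting_host": posting_host,
        # The injection header is only as good as the weakest hop behind it.
        "posting_host_verified": bool(hops) and not claimed and posting_host is not None,
    }
```
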
    
