The first header line to look at is the path
header. The path is fairly easy to forge, so it should be checked
for authenticity.
Path:wnb1!wnmaster2!wn4feed!worldnet.att.net!128.230.129.106!news.maxwell.syr.edu!newsfeed.icl.net!diablo.theplanet.net!news.theplanet.net!newspost.theplanet.net!not-for-mail
The Path shows that the message was inserted at theplanet.net. Look at the path: it goes through several theplanet.net servers. Does it make sense?
Using Sam Spade:
Canonical name: newspost.core.theplanet.net
Aliases:
newspost.theplanet.net
Addresses:
195.92.192.201
09/10/99 20:22:04 dns news.theplanet.net
Canonical name: newscore.theplanet.net
Aliases:
news.theplanet.net
Addresses:
195.92.192.211
195.92.192.209
194.152.65.250
09/10/99 20:22:43 dns diablo.theplanet.net
Canonical name: diablo.core.theplanet.net
Aliases:
diablo.theplanet.net
Addresses:
195.92.192.200
These are all reasonable internal handoffs. The path then leaves theplanet.net and goes to icl.net. Both theplanet.net and icl.net are located in England, so this hop is logical too. It then jumps from icl.net to Syracuse University. Again, very logical; most edu servers have big newsfeeds.
The next entry in the path is the IP address that the WorldNet servers received the message from.
09/10/99 20:26:11 dns 128.230.129.106
nslookup 128.230.129.106
Canonical name: news.maxwell.syr.edu
Addresses:
128.230.129.106
128.230.129.107
The IP address is the Syracuse machine. The path is logical, so it is either valid or a really good forgery. Next check the NNTP-Posting-Host. It is a lot harder to forge:
NNTP-Posting-Host: modem-37.gallium.dialup.pol.co.uk
The posting host is a dial-up. Check it to see if there is any relation to theplanet.net. Run a DIG on the NNTP-Posting-Host:
09/10/99 20:30:52 dig modem-37.gallium.dialup.pol.co.uk @ 209.150.129.3
Dig modem-37.gallium.dialup.pol.co.uk@pluto.theplanet.net (194.207.6.30) ...
Authoritative Answer
Query for modem-37.gallium.dialup.pol.co.uk type=255 class=1
modem-37.gallium.dialup.pol.co.uk A (Address) 62.136.15.37
dialup.pol.co.uk NS (Nameserver) venus.theplanet.net
dialup.pol.co.uk NS (Nameserver) pluto.theplanet.net
dialup.pol.co.uk NS (Nameserver) earth.theplanet.net
venus.theplanet.net A (Address) 194.152.65.222
pluto.theplanet.net A (Address) 194.207.6.30
earth.theplanet.net A (Address) 195.92.192.222
This tells us that modem-37.gallium.dialup.pol.co.uk belongs to theplanet.net, which is consistent with the path.
The X-Trace is inserted by the posting host and is also a good cross-check. It is difficult to forge.
X-Trace: news8.svr.pol.co.uk 936923506 18315 62.136.15.37 (10 Sep 1999 00:31:46 GMT)
whois -h whois.nic.uk pol.co.uk ...
Domain Name: POL.CO.UK
Registered For: Planet Online Ltd
Domain Registered By: PLANET
Record last updated on 08-Jul-1998 by andrew@planet.net.uk.
Domain servers listed in order:
EARTH.THEPLANET.NET
195.92.192.222
VENUS.THEPLANET.NET
194.152.65.222
PLUTO.THEPLANET.NET
194.207.6.30
nslookup 62.136.15.37
Canonical name: modem-37.gallium.dialup.pol.co.uk
Addresses:
62.136.15.37
The headers form a complete circle: Path, posting host and X-Trace all match.
X-Complaints-To: abuse@theplanet.net
This is another line that is added by the posting host and is also difficult to forge. In this case it is perfectly correct, and that is where the report would go.
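The cross-checks walked through above (posting host against the X-Trace IP, the X-Trace clock against itself, the bare-IP hop in the Path against its neighbours, the posting host's zone and the X-Complaints-To domain against the injection site) expressed as one script. This is an added example, not part of the original guide; it assumes the headers are joined onto single lines, and it replaces live DNS with a constructed lookup table filled from the Sam Spade, dig and whois answers shown above so that it runs offline.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the headers of the post examined above, joined onto single lines.
HEADERS = """\
Path: wnb1!wnmaster2!wn4feed!worldnet.att.net!128.230.129.106!news.maxwell.syr.edu!newsfeed.icl.net!diablo.theplanet.net!news.theplanet.net!newspost.theplanet.net!not-for-mail
NNTP-Posting-Host: modem-37.gallium.dialup.pol.co.uk
X-Trace: news8.svr.pol.co.uk 936923506 18315 62.136.15.37 (10 Sep 1999 00:31:46 GMT)
X-Complaints-To: abuse@theplanet.net
"""

# Constructed offline stand-in for DNS, filled from the Sam Spade, dig and whois answers
# above; a live tool would use socket.gethostbyname/gethostbyaddr and a real NS query.
ADDR = {"modem-37.gallium.dialup.pol.co.uk": "62.136.15.37",
        "62.136.15.37": "modem-37.gallium.dialup.pol.co.uk",
        "128.230.129.106": "news.maxwell.syr.edu"}
NS = {"dialup.pol.co.uk": ["venus.theplanet.net", "pluto.theplanet.net", "earth.theplanet.net"]}

def parse_headers(text):
    return dict(line.split(": ", 1) for line in text.splitlines() if ": " in line)

def path_hops(path):
    # Path is written newest-first; reverse it so hop 0 is the injection server
    return [h for h in path.split("!") if h != "not-for-mail"][::-1]

def parse_xtrace(value):
    server, epoch, _pid, ip, stamp = re.match(r"(\S+) (\d+) (\d+) (\S+) \((.+)\)", value).groups()
    return {"server": server, "epoch": int(epoch), "ip": ip, "stamp": stamp}

def check_post(text):
    h, findings = parse_headers(text), {}
    hops, xt, host = path_hops(h["Path"]), parse_xtrace(h["X-Trace"]), h["NNTP-Posting-Host"]
    # forward lookup of the posting host and reverse lookup of the X-Trace IP must agree
    findings["host_resolves_to_xtrace_ip"] = ADDR.get(host) == xt["ip"]
    findings["xtrace_ip_reverses_to_host"] = ADDR.get(xt["ip"]) == host
    # the epoch seconds and the human-readable stamp in X-Trace must name the same instant
    when = datetime.strptime(xt["stamp"], "%d %b %Y %H:%M:%S GMT").replace(tzinfo=timezone.utc)
    findings["xtrace_clock_consistent"] = int(when.timestamp()) == xt["epoch"]
    # a bare-IP hop in the Path should reverse-resolve to one of its neighbouring hops
    findings["ip_hops_match_neighbours"] = all(
        ADDR.get(hop) in hops[max(i - 1, 0):i + 2]
        for i, hop in enumerate(hops) if re.fullmatch(r"[\d.]+", hop))
    # the posting host's zone should be served from the injection site's domain,
    # and X-Complaints-To should point at that same domain
    site = ".".join(hops[0].split(".")[-2:])
    zone = next((z for z in NS if host.endswith("." + z)), None)
    findings["host_zone_served_by_injection_site"] = bool(zone) and all(
        ns.endswith(site) for ns in NS[zone])
    findings["complaints_go_to_injection_site"] = h["X-Complaints-To"].split("@")[1] == site
    return findings
```

Every check comes back True for this post; change any one header (a different posting host, an edited epoch) and the matching check goes False, which is what a forged or tampered header looks like to this script.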