Identification of a Forum Troll


Do you want to identify your troll?

Most forum administrators and moderators have to deal with trolls at some time or other. Some trolls can be extremely devious, twisted and destructive, but their true identity is often difficult to discover.

I was the victim of such a troll and, for the benefit of other message board and forum administrators, I would like to outline the steps I have taken to find out the true identity of my troll.

Make the following assumptions.

  • The attack is personal

  • The troll posts under his "real name" on another board, or your own board.

  • The troll uses an anonymizer service or anonymous proxies.

  • He is experienced.

  • He will eventually make a mistake that will allow you to nab him.


Your requirements are:
  • Message board or forum that allows you to access the posters' IPs easily

  • IP ban capability

  • The capability to limit forum access to members only

  • The capability to manually approve new applications

  • An "un-moderated" section or flame area in your message board

  • A willingness to keep track of IPs, times, aliases and content of all suspected troll posts

  • Track the same information on individuals that agree with the troll

  • The wisdom to pretend that you are clueless and easily fooled

  • A collection of posts from the troll and from his "real ID"

For the purposes of nabbing my troll, I created a message board at ExcoBoards, as it fulfilled these essential requirements, was free, and had great features for the users.

Create an "un-moderated" section in your forum to draw heated discussions away from the legitimate areas. Allow viewing and posting from unregistered users to encourage drive-by anonymous attacks.

If you have an email address that the troll might have access to, configure it so that you receive the fullest amount of detail about the sender, including the IP. If the troll sends you an email, you will have IP information on the sender. Even if the IPs are from anonymizers or proxies, this is potentially important information.

Do not try to sound too intelligent as the moderator. Remember that you are trying to induce the troll into making a careless mistake.


Now, watch carefully

Keep meticulous track of aliases, posts, IPs, IP locations, IP servers and TIMES of posts. To distinguish between an anonymizer and a spoof, type the IP number into the address field of your browser like this: http://123.456.789.012. If you reach an anonymizer front page, you don't need to guess. But if it is some other web page, chances are that it's a spoof.

The troll I was trying to nail had one goal, that is to destroy craft message boards. Once I had his identity, I understood that he wanted to annihilate all forums that competed with that of his "Mistress." He was known to post politely under the alias "Wayne_FL".

Soon after I created my board, the troll came quickly, calling himself “clash” and showing his knowledge of adult entertainment.


195.19.10.49 (Moscow, Russia)
clash
Posted 16-09-2004 06:24
The colors on this board make it look like a porno site. It's bad enough being seen at work on the web, much less have it look like you're on a porno site.

195.19.10.49 (Moscow, Russia)
clash
Posted 16-09-2004 18:15
You can be as snotty as you like, but I am making an accurate point.


(Note: the IP 195.19.10.49 (Moscow, Russia) is from Moscow, Russian Economic Academy named after Plekhanov. Probably a proxy.)

24.97.221.218 (Binghampton, NY)
clash
Posted 16-09-2004 21:38
Well, if you have never seen it, then take my word for it. To you it's like a pretty Easter egg.
To many people who have either seen it on the web, glimpsed it in movies, magazines, the TV news, etc., its color scheme is very similar to a porn site. So if you admittedly don't know what a porn site looks like but think this is easter eggish, that would make you a total rather foolish.


(Note: the IP 24.97.221.218 (Binghampton, NY) is a proxy/spoof.)

Both IPs were blocked after these posts, and after some time he found more proxies and returned.


Shutting the door on anonymizers

With an IP address, I can tell who your ISP is, and where the connection is, unless you are an AOL user, where everyone shows up as living in Manhattan, as far as I can tell. Remember this bit about AOL; this fact will come up later.

Like an email address, IPs can be faked. There are two ways to do this:
  • "Anonymizer" service. The troll would have to pay for this, and will appear to have a different IP every time.

  • Anonymous proxies/IP spoofing. Requires more technical knowledge and effort. Once the troll finds a good IP to spoof or has a live proxy connection, he will use it repeatedly.


This door had to be closed. I found a list of anonymizer service domains, like “anonymizer.com”. Since you can’t ban a domain, only IPs, I needed their IPs. To do this, I “pinged” their domain and obtained their IPs, and added them to my list of banned IPs. Domains can be pinged for their IP on a site such as this one: Network Tools.com. I asked fellow webmasters who use these services to test. They could view the forum, even register, but not post.

Below is the list of services that were banned:

name IP
anonymizer.egroups.com 66.218.66.240
anonymizer.secuser.com 62.39.106.40
gatekeeper.rdi-electronics.com 65.105.250.57
jproxy.uol.com.ar 200.221.10.240
magusnet.com 6.98.141.250
noproxy.com 64.40.102.41
proxy-mail.mailcity.lycos.com 209.202.220.187
proxy.cnd.org 24.34.76.185
rewebber.net 81.88.34.54
safeweb.com 216.131.94.163
spaceproxy.co 216.234.161.75
w3cache.daewoo.com.pl 195.117.243.90
207.156.166.165 207.156.166.165
dsouth.net 67.19.159.8
a4u.at 207.44.244.117
amegaproxy.com 63.208.219.35
surf.bigfreehost.com 204.251.10.213
i-war.com 64.159.92.178
idzap.com 64.62.163.165
iprive.com 69.93.60.194
proxy-mail.mailcity.lycos.com 209.202.220.188
magusnet.com 216.98.141.250
megaproxy.com 63.208.219.35
personalinfomediary.com 207.44.204.85
ptclub.com 207.153.207.172
safeweb.com 216.131.94.
anonymizer.secuser.com 62.39.106.40
silentproxy.com 66.216.74.58
silentsurf.com 216.216.32.27
subdimension.com 64.40.102.42
surfola.com 66.129.95.152
the-cloak.com 216.127.72.7
Web-Warper 67.111.137.94
Anony-Mouse 62.132.1.121
100.prtc.net 196.28.48.100
no name 66.231.168.82
no name 196.32.158.123
196-28-48-98.prtc.net 196.145.22.9
no name 200.50.14.77
rd.centennialrd.com 208.234.37.205
airlink-12-16-40-199.isla.net 12.16.40.199
sju-208-249-80-61.prw.net 208.249.80.61
bess-proxy-caribe.net 209.91.207.161
anonymizer.com 168.143.113.
cotse.net 68.166.125.227
68.166.125.228
68.166.125.229
216.112.42.58
silentsurf.com 216.127.72.7
unknown anonymizer 64.41.197.46
anonymization.net 207.44.155.64
uguardster.com 67.15.62.43
anonymouse.ws 62.132.1.12
proxyweb.net 65.110.6.34
webwarper.net 67.111.137.94
anonymizer.ru 84.252.140.4
proxify.com 66.98.130.120
snoopblocker.com 65.110.6.35
bigate.com 209.67.214.172
free2.surffreedom.com 64.191.63.213
nadaily.com 70.180.170.188
userbeam.de 62.146.35.141
calcmaster.net 69.69.215.44
consti.de 192.67.198.56
misterprivacy.com 66.225.241.62
flooda.us 206.123.74.30
anonymisierungsdienst.de 207.44.155.164
anonprox.com 69.30.192.31
peachieness.com 69.93.145.20
ocramc.com 66.197.195.181
myshield.com 69.41.242.94
idzap.com 64.62.163.165
orangatango.com 68.142.140.37
safegatetech.com 65.29.84.147
breiter.ch 213.203.212.83
proxy.decodes.biz 204.157.10.95
chronicpulse.net 66.180.165.18
metaspinner-media.de 217.160.79.46
snoopblocker.com 65.110.6.35
proxyone.com 65.161.65.106
hujiko.com 66.98.131.20
stday.com 68.215.143.106
guardster.com 216.127.
unipeak.com 207.234.129.8
hujiko.com 67.15.77.
hujiko.com 66.98.131.20


Updated Apr 8, 2005
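The ban list above was built by hand, one ping per domain. The script below is an added example, not part of the original article, that automates that step: it resolves each host name to every address behind it, merges the result with the previous ban list, and reports what changed between runs. Name resolution goes through a `resolve` callable so the logic can be exercised offline against the constructed `CONSTRUCTED_DNS` table; `dns_resolve` is the live version and uses `socket.gethostbyname_ex`. The host names and addresses in the table are taken from the list above, but the table itself is constructed and is not a real DNS answer. Two details of the list motivate the design: the same service appears there at more than one address (magusnet.com, the lycos proxy), so a name has to be re-resolved periodically and all of its records kept; and several entries are truncated addresses such as "216.131.94.", which a forum's IP ban would never match, so incomplete entries are dropped and unresolvable names are kept visible rather than silently lost.

```python
"""Resolve anonymizer/proxy host names into an IP ban list (added example)."""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Tuple

# Constructed DNS answers for the offline demonstration. Names and
# addresses are the ones the article's ban list shows; "gone.invalid"
# stands in for a service that no longer resolves.
CONSTRUCTED_DNS: Dict[str, List[str]] = {
    "anonymizer.secuser.com": ["62.39.106.40"],
    "magusnet.com": ["216.98.141.250"],
    "proxy-mail.mailcity.lycos.com": ["209.202.220.188", "209.202.220.187"],
    "gone.invalid": [],
}


def dns_resolve(host: str) -> List[str]:
    """Live resolver: every IPv4 address behind the name, or [] on failure."""
    try:
        return socket.gethostbyname_ex(host)[2]
    except (socket.gaierror, socket.herror):
        return []


def fake_resolve(host: str) -> List[str]:
    """Offline resolver backed by the constructed table."""
    return CONSTRUCTED_DNS.get(host, [])


def is_ip(value: str) -> bool:
    """True only for a complete, syntactically valid address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def resolve_hosts(hosts: Iterable[str],
                  resolve: Callable[[str], List[str]] = dns_resolve) -> Dict[str, List[str]]:
    """Map each host to its sorted, de-duplicated addresses.

    A bare IP in the input list is kept as its own entry. A name that does
    not resolve maps to [] so the operator sees it instead of losing it.
    """
    out: Dict[str, List[str]] = {}
    for raw in hosts:
        host = raw.strip()
        if not host or host.startswith("#"):
            continue
        if is_ip(host):
            out[host] = [host]
        else:
            addrs = {a for a in resolve(host) if is_ip(a)}
            out[host] = sorted(addrs, key=ipaddress.ip_address)
    return out


def flatten_bans(by_host: Dict[str, List[str]], previous: Iterable[str] = ()) -> List[str]:
    """One sorted ban list: fresh answers plus earlier bans, incomplete entries dropped."""
    ips = {ip for addrs in by_host.values() for ip in addrs}
    ips.update(previous)
    return sorted((ip for ip in ips if is_ip(ip)), key=ipaddress.ip_address)


def diff_ban_lists(old: Iterable[str], new: Iterable[str]) -> Tuple[List[str], List[str]]:
    """(added, removed) between two runs, so a service that moved is noticed."""
    o, n = set(old), set(new)
    key = ipaddress.ip_address
    return sorted(n - o, key=key), sorted(o - n, key=key)


def format_ban_file(by_host: Dict[str, List[str]]) -> str:
    """Render in the article's own 'name IP' layout, one line per address."""
    lines = ["name IP"]
    for host, addrs in by_host.items():
        if not addrs:
            lines.append(f"{host} UNRESOLVED")
        for ip in addrs:
            lines.append(f"{host} {ip}")
    return "\n".join(lines)


if __name__ == "__main__":
    by_host = resolve_hosts(list(CONSTRUCTED_DNS), resolve=fake_resolve)
    print(format_ban_file(by_host))
    added, removed = diff_ban_lists(["6.98.141.250", "62.39.106.40"], flatten_bans(by_host))
    print("added:", added, "removed:", removed)
```

Run it on a schedule with `dns_resolve` and keep the previous run's output as `previous`; the diff is what to act on, and an UNRESOLVED line means the service either closed or moved somewhere the name no longer points, not that it can be dropped from the ban list.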




Anonymous Proxies/IP spoofing

Closing the door on anonymizers leaves the troll the possibility of anonymous proxies and IP spoofing. How this is done is rather technical, and though it is relatively commonplace, you need to have good knowledge of computer networks to do it, and even then it takes some effort. Basically, you have to home in on a computer connection and crack some numerical connection “password” that is not user-defined. They are easy to crack, and we owe a lot of spam to this weakness of the web protocols. Once you have an IP you can spoof, you will use it over and over again, unlike an anonymizer IP that is literally all over the place. Anonymous proxies are easier to use, and there are thousands available.


Ruse #1 - Playing dumb and fishing for the computer expert

I wrote a post claiming that I found that the malicious poster’s IP came from NYC. The purpose was twofold; it was a veiled warning to one "minor troll" I knew lived in Long Island and to make myself look stupid and harmless. Now, anyone capable of using anonymous proxies or spoofing IPs knows that all AOL IPs show up as originating in Manhattan. (To locate an IP on the map, a site like Geobytes can be very useful)

My troll was a computer analyst, and he deliberately chose NOT to set me straight on this “mistake” that was leading away from him. Read what he posts, UNDER HIS NORMAL ALIAS, instead (irrelevant parts removed for brevity):


69.38.159.145 (Wellesley Hills, MA)
Wayne_FL
Posted 21-10-2004 15:05
I know the intention is meaningful and, in most cases, outlined to keep people in line....
The reality is that is not as easy and possible as stated or even guessed at here. If things could be controlled that easily, our governments would save millions locating people in this media....
For example, several hundred proxy servers are excluded from the forum. So now there are several thousand remaining. A really good proxy server does not tell the inquiry query that it is a proxy server. Thus, there is a level 2 included now. One usually would not select a proxy server in the same town as his/her location. Get the idea?
Are proxy servers used by trolls and by people who want to get away with something? Not really. They are becoming really popular because they allow the person to surf the net and not have their location, mail, computer, browser, etc information left on web sites. Using a proxy is just the first part of the sequence of things one must do.


69.38.159.145 (Wellesley Hills, MA)
Wayne_FL
Posted 21-10-2004 15:25
However, the methods one would use to locate a person via a proxy are out of the hands of most people. The reason is they don't have the contacts to the various CISCO internet servers throughout the net to track various packets. Then when the packets are found, one must force the owner of the isp or proxy to allow access to the logs. A court order is usually the method chosen.
When the user uses a spoofed IP address, things become more complicated and tracing them is much more difficult. Most of the spam we receive has spoofed addresses in them. (spoofed means hijacked or stolen addresses).
The above two are the common cases.


69.38.159.145 (Wellesley Hills, MA)
Wayne_FL
Posted 21-10-2004 15:25
CISCO makes most of the heavy duty internet routers and switches. They are sold to anyone needing such a piece and having the cash. Anyone in this case is the line vendor who allows the internet traffic over their lines, eg, verizon, ATT, Tellus, etc.


69.38.159.145 (Wellesley Hills, MA)
Wayne_FL
Posted 21-10-2004 15:44
To track an IP address thru routers requires the authority of the FBI or an inside person working in the exact area of the traffic.
Remember that every time you hit 'submit' on this screen, your data is sent to the server and each time may take a different route! There are a lot of factors which determine which route your data may take and some of them are the time of day, over load problem in one area, streaming router, etc.
Here is an example of how it could work:
All of the above information will be broken down into pieces and sent as packets to your server, two or three packets anyway. All of them may go a different route. However if I used a packet editor, I could replace the sending address with another one like 216.86.100.254 and send the message. Then it would be considered a spoofed message posted on your server.


69.38.159.145 (Wellesley Hills, MA)
Wayne_FL
Posted 21-10-2004 15:58
However, just randomly selecting a person to watch a router is like going to Vancouver and sitting by a randomly selected traffic light and waiting for [a poster he hates] to drive through it while he was visiting the city.
The FBI can do that and gets the support of the line vendors.
Most people select proxy servers by the traffic they have on them and how fast they are. Usually the Canadian and American ones are fast for north American users.
To track the users on your forum like [the troll destructive alias], [another poster], etc would be a waste of time in my opinion. It would be easier to delete the messages when they appear.

(Note his labelling of “[another poster]” who correctly guessed his ID on another board, as a “troll”, lumped with his destructive alias)


69.38.159.145 (Wellesley Hills, MA)
Wayne_FL
Posted 21-10-2004 18:25
The trend does seem that they ([the poster that correctly guessed the troll's ID on another board] is as bad as [the troll's destructive alias]) seem to follow you to the different boards.
Are they after you or stained glass? I don't know but a guess is they are after you!
I don't think either of the two I mentioned even do [hobby]....
(Again he brings up [the poster that correctly guessed the troll's ID on another board] and speculates on [the troll's destructive alias] motives - harassing another poster HE himself hates)


69.38.159.145 (Wellesley Hills, MA)
Wayne_FL
Posted 21-10-2004
[another poster], As [his enemy poster] says, he knows who his disrupters are and they seem to follow him around.
([the poster that correctly guessed the troll's ID on another board], yes I know the net I am also a systems analyst)


He leaves no doubt as to his ability to spoof IPs. The IP used in these posts maps to Wellesley Hills, MA, US. Not exactly Tampa, where he claims to live. It is highly likely that he was posting about spoofing IPs with a spoofed IP, unless he’s not from Florida. Even if he was posting under his own name, the adversarial nature of his comments and the bizarre references to the one poster who correctly guessed his ID rang alarm bells, and I decided to follow him closely.




The troll comes back with new aliases

The new alias, “Connector” had a few precursors:


62.132.1.121 (Leipzig, Germany - Anony-Mouse)
No Apology Needed
Posted 19-10-2004 06:47
Certainly [another poster the troll hates] did nothing to apologize on the Canadian Glass board to apologize for.
However you and [a female poster the troll hates] posted some pretty inflammatory messages. What did you think the response would be?
 It's a true statement to say one of the few boards you have not been kept out of eventually had to be shut down and you played no small part in it. Just my observation.


65.167.248.14 (Raleigh, NC - "Greenpoint Catholic Schools")
Hunter
Posted 06-11-2004 19:50
[another poster the troll hates] do you have any idea what you have put in writing for all to see?
You have called the world's foremost terrorist, the one who has killed thousands of victims from so many countries YOUR BUDDY?
Are you kidding?


62.132.1.121 (Leipzig, Germany - Anony-Mouse)
Busboy
Posted 07-11-2004 07:55
Good one on Tora Bora [poster he hates]. Even [another poster he hates] wouldn't touch that one.


62.132.1.121 (Leipzig, Germany - Anony-Mouse)
Connector
Posted 07-11-2004 21:28
[Poster he hates], your post that there are lovely people in Tora Bora should be great for business. I think we should find a way to get your message out beyond this chat board, don't you? I know, I know. All Canadians think like you. Heard it umpteen times already. So how's about a big howdy from our friend from the north. Now lets get you some publicity. For all your [hobby] shopping needs:


65.161.65.104 (New Port Richey, FL, 37 km from Tampa, where Wayne_FL claims to reside, website of "Micropaytech")
Connector
Posted 08-11-2004 06:27
Tora Bora is being cute in referring to Osama Bin Laden and Al Qaeda of course, and if [a poster he hates] thinks there are lovely people there, that's his right. Same way [a poster he hates] has praised Adolph Hitler. So if you think like [a poster he hates] does, drop him a line to say 'good point!'.
You can delete this post or part of it all you want,
but it's been put in a bottle and tossed in the sea.
Delete the entire thread. That's in another bottle.


62.132.1.121 (Leipzig, Germany - Anony-Mouse)
Connector
Posted 08-11-2004 20:37
Where's the justice. You allow people on your board to attack the board you want to post on, you allow the text of the latest speech by Osama Bin Laden to remain on your website, let people refer to him as 'Buddy' and want to post on the Stained Glass Message Board??
You might attack trolls? Wonder why?
[Poster he hates] got you in this mess. He only comes here to take a crap. Do you think he would allow the Osama junk you have on your board on his? Do you think you will ever see him make
another post with the word Hitler in it?
Don't think so. In fact, if you moderated this board the way he, and the others do, his whole group would have no place to post their garbage.


62.132.1.121 (Leipzig, Germany - Anony-Mouse)
Connector
Posted 08-11-2004 20:42
Gotta go. Busy posting quotes by [poster he hates] on other sites, along with his contact details. Maybe the folks who make cyber security recommendations and set best practices by the US government for people on web chat boards know a bit more than [another poster he hates] and his kid on the subject. Do you think??


62.132.1.121 (Leipzig, Germany - Anony-Mouse)
Connector
Posted 08-11-2004 23:04
The poor slob has spoken fondly of Hitler, Osama Bin Laden (no games, please), American draft dodgers, American deserters. Now his address and telephone number are out there. Good job [poster he hates].
It's good that you did that for him [a poster he hates]. Why, he should thank you. I wonder if [a poster he hates] knows what a favor you did for him.
Note to [another poster he hates]: having your address, phone number and email address will be great for your financial future, despite all the hate threads you have been involved in.
Why are you two dumbwads still posting here anyway. Now that you have your own board, why do you need to post here??? Better bandwidth?
Or is it you don't want to crap on your own board, which is the only type of posts you're attracting.
Know any other people running their own boards who spend more time posting on boards being run by others. I'd say [other forum] is a fiasco. Give your kid a raise. Maybe he will work harder.


62.132.1.121 (Leipzig, Germany - Anony-Mouse)
Connector
Posted 09-11-2004 06:43
[The poster he hates] only comes here to take a ****. Do you think he would allow the Osama junk you have on your board on his?
My point has been proven within minutes. This is just a place he can use to get his usual garbage out.
He can't post the hate he does here on his own board. If it's no problem for him, why doesn't he?
Why bother to come here to do it. I have been responding to what I see here. It brings traffic. If he tells you it's to respond to a troll, that's bull.
He's got his own board, it's a failure, member's private information is at risk, and he's gotten [a poster he hates]'s contact information along with famous quotes by [a poster he hates] in a bottle bobbing around the ocean.
It would be a great experiment to not allow him to post his venom here for a week or so just to see what would happen. Where would he go????


65.161.65.104 (New Port Richey, FL, 37 km from Tampa "Micropaytech.com" - spoof? Anonymizer?)
Connector
Posted 10-11-2004 21:55
[Post is a link for car rental.]


I had seen the Leipzig anonymizer service often enough. I decided to ban it, and see what happens.


6:45 AM is trolling time


Keeping track of the troll's times can be very revealing. Note the very specific clusters in posting times, with the troll's "real alias" posting within that narrow "early" posting cluster (there were hardly any visitors on the board at the time, especially not this early in the day):

alias               time
clash               06:24
Connector           06:27
Connector           06:43
TheBigGuy           06:45
Wayne_FL            06:47
No Apology Needed   06:47
Busboy              07:55
clash               18:15
Hunter              19:50
Connector           20:37
Connector           20:42
Connector           21:28
Hunter              21:38
Hunter              21:55
Connector           23:04

Note the interesting cluster of troll posts between 06:24 and 06:47. The troll has to get to work? Comes home late? The peculiarity of the timing exculpates anyone from the West Coast, and looks very bad for a professional in the Eastern Time Zone. It is revealing that Wayne also posted his putty answer in that very narrow time period between approx. 6:30-7:00, a time when there is usually no one but me online.


Ruse #2: Falling into the putty

I now have a collection of spoofed IPs with the troll alias. But Wayne_FL hasn’t posted in a while, and I need more IPs from him.

Here was my ruse: looking through the archives from another board, conveniently searchable and with archives dating back to 1999, hoping to find speech and punctuation patterns, I was instead amused to discover that Wayne_FL just loves to answer putty questions. I posted a phony putty question in the evening (prime time for him), hoping that he would answer and I would harvest another IP. Other pesky posters answered instead. But I remembered that he once claimed to possess several scientific degrees, including one in Chemistry (quote from the other board: I have a degree in Chemistry, a degree in Math, a minor in Physics and a minor in Philosophy. I do understand these things too!), so I asked whether chalk and gypsum were one and the same.

This proved to be irresistible. In his excitement to answer a putty question, he forgot to check his notes on spoofed IP use:

65.167.248.14 (Raleigh, NC "GreenPoint Catholic Schools")
Wayne_FL
Posted 10-11-2004 06:47
chalk is calcium carbonate
gypsum is calcium sulfate (hydrated, meaning there are water molecules attached to the structure)




Wait a minute... I’ve seen this IP before! Raleigh, NC? I couldn’t believe it. The troll was Wayne_FL. I especially couldn’t believe how quickly he made a mistake.




His response, so far

Now having proof of his identity rather than mere suspicions, I made his identity public. I closed the forum to posting by non-registered users, and made some sensitive areas "members-only."

After he read the forum and realized he’d been found, he spoofed the IP again to access my website, as shown by this line from my raw logs:

65.167.248.14 - - [11/Nov/2004:06:19:55 US/Mountain] "GET http://mywebsite.com HTTP/1.1" 200 - "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322)" "http://excoboard.com/exco/xxxxx;

He retrieves the email address from the site, and sends me this email within minutes after accessing the site:

65.167.248.14 (spoofed) I am glad you found who the troll was.   However, I see on [the troll's enemy's]'s board you have indicated it is ME?

How can you say it is me?

Wayne

My only response was to block his hotmail address. I suspect he was fishing for my IP so that he can spoof it. Good luck.
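The raw log line quoted earlier in this section is the kind of evidence a web server keeps by default, and once a suspect address is known the access log is the place to watch for it. The script below is an added example, not part of the original article or of any web server's own tooling: it parses lines in Apache's combined log format, returns every request from an address on a watch list in time order, and tolerates two things the article's line shows, a time zone written as a name rather than an offset (the parser then returns a naive timestamp) and the user agent and referrer logged in the opposite order from the standard layout (decided by content, since a referrer is a URL or "-"). The sample lines are constructed; the watched address, the browser string and the forum referrer are those quoted in the article, and "mywebsite.com" is the article's own placeholder for the site.

```python
"""Find requests from watched addresses in a combined-format access log (added example)."""
import re
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Set

# Combined log format: ip ident user [time] "request" status size "referer" "agent".
# The two trailing quoted fields are captured generically and sorted out below.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<q1>[^"]*)")?(?: "(?P<q2>[^"]*)")?'
)

# Constructed sample; the third line logs agent and referrer in the order the
# article's own line uses, and the last line is not a log line at all.
SAMPLE_LOG = [
    '65.167.248.14 - - [11/Nov/2004:06:19:55 -0700] "GET / HTTP/1.1" 200 5120 '
    '"http://excoboard.com/exco/xxxxx" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',
    '10.0.0.7 - - [11/Nov/2004:06:20:10 -0700] "GET /contact.html HTTP/1.1" 200 812 '
    '"-" "Mozilla/5.0 (X11; Linux)"',
    '65.167.248.14 - - [11/Nov/2004:06:21:03 -0700] "GET /contact.html HTTP/1.1" 200 812 '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" "http://mywebsite.com/"',
    'this line is not in combined format',
]


def parse_timestamp(raw: str) -> datetime:
    """'11/Nov/2004:06:19:55 -0700' -> aware datetime; a zone *name* yields a naive one."""
    stamp, _, zone = raw.partition(" ")
    dt = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S")
    try:
        return dt.replace(tzinfo=datetime.strptime(zone, "%z").tzinfo)
    except ValueError:
        return dt  # e.g. "US/Mountain": keep the wall-clock time, no offset


def parse_combined(line: str) -> Optional[Dict[str, object]]:
    """One log line -> record dict, or None when the line does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    parts = m.group("req").split(" ")
    method, path = (parts[0], parts[1]) if len(parts) >= 2 else ("", m.group("req"))
    q1, q2 = m.group("q1") or "-", m.group("q2") or "-"
    # Standard order is referrer then agent; some hosts log the reverse.
    if q1 == "-" or q1.startswith(("http://", "https://")):
        referer, agent = q1, q2
    else:
        referer, agent = q2, q1
    return {
        "ip": m.group("ip"),
        "time": parse_timestamp(m.group("ts")),
        "method": method,
        "path": path,
        "status": int(m.group("status")),
        "referer": referer,
        "agent": agent,
    }


def watchlist_hits(lines: Iterable[str], watchlist: Set[str]) -> List[Dict[str, object]]:
    """Requests from watched addresses, oldest first (unparseable lines are skipped)."""
    hits = [rec for rec in map(parse_combined, lines) if rec and rec["ip"] in watchlist]
    # Sort on wall-clock time so naive and aware stamps can share one log.
    hits.sort(key=lambda r: r["time"].replace(tzinfo=None))
    return hits


if __name__ == "__main__":
    for rec in watchlist_hits(SAMPLE_LOG, {"65.167.248.14"}):
        print(rec["time"], rec["ip"], rec["method"], rec["path"], rec["referer"])
```

Feeding the real log through `watchlist_hits` with the ban list's addresses as the watch list gives the same picture the article reads off one line by hand: which watched address came, when, which page it fetched, and which forum page it arrived from.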




Conclusion:

With similar tactics, patience and meticulous record-keeping, the identity of your forum troll can be discovered.