Path: senator-bedfellow.mit.edu!bloom-beacon.mit.edu!newsfeed.stanford.edu!nntp.cs.ubc.ca!news.killfile.org!not-for-mail From: tskirvin@killfile.org (Tim Skirvin) Newsgroups: news.admin.net-abuse.bulletins,news.admin.net-abuse.usenet,news.admin.net-abuse.sightings,news.admin.net-abuse.misc,news.answers Subject: Cancel Messages: Frequently Asked Questions, Part 2/4 (v1.75) Supersedes: Followup-To: news.admin.net-abuse.usenet Date: Sat, 15 May 2004 00:00:02 -0500 Organization: Killfiles, Unlimited Lines: 605 Approved: news-answers-request@mit.edu Expires: Sat, 26 Jun 2004 05:00:01 GMT Message-ID: Reply-To: tskirvin@killfile.org X-Trace: victor.killfile.org 1084597206 26761 216.43.25.138 (15 May 2004 05:00:06 GMT) X-Complaints-To: usenet@killfile.org Summary: This is a list of Frequently Asked Question about cancel messages on Usenet. It mainly discusses how cancels work, who issues them, their history, and what to do about them. It is more of a general purpose FAQ than anything else; it's not required reading anywhere, just more of a reference. X-Auth: PGPMoose V1.1 PGP news.admin.net-abuse.sightings iD8DBQFApaPSv1i8LqUfqQURAl1kAJ46+b2BWK6z480A7S2n/Iw0pH2J2wCdEtEW gNm7ddNGXE3Zrx0kYpMcGFs= =sA3p Xref: senator-bedfellow.mit.edu news.admin.net-abuse.bulletins:34808 news.admin.net-abuse.usenet:610099 news.admin.net-abuse.sightings:1406500 news.admin.net-abuse.misc:222755 news.answers:271286 Archive-name: usenet/cancel-faq/part2 Posting-Frequency: monthly Last-modified: 1999/09/30 Version: 1.75 URL: Cancel Messages Frequently Asked Questions Part 2/4 This document contains information about cancel messages on Usenet, such as who is allowed to use them, how they operate, what to do if your message is cancelled, and the like. It does not contain detailed instructions on how to cancel a third party's posts. It is not intended to be a fully technical document; its audience is the average Usenet user, up to a mid-level administrator. This document is not meant to be a comprehensive explanation of Usenet protocols, or of Usenet itself, but a basic knowledge of these concepts is assumed. Please refer to news.announce.newusers, RFC1036, and/or RFC1036bis if you wish to learn them. Disclaimers: The information contained within is potentially hazardous; applying it without the permission of your news administrator may cause the revocation of your account, civil action against you, and even the possibility of criminal lawsuits. The author of this document is in no way liable for misuse of the information contained within, nor is he in any way responsible for damages related to the use or accuracy of the information. Proceed at your own risk. Table of Contents > = In other parts of the FAQ ================= * = Changed since last update >I. What are cancel messages? >II. How do cancels work? >III. So your post was cancelled... IV. What does it take to cancel messages? A. I want to cancel posts! How do I do it? B. I'm not kidding; I really do want to do it. How do I do it?. C. What is a cancelbot? D. Sounds cool. Where do I get one? E. What? Why not? F. Fine then, I'll write it myself. * G. Right; I've got a cancelbot. Now what? V. That idiot forge-cancelled my posts! A. My post is gone; it was forge-cancelled, wasn't it? * B. No, I'm sure, it was cancelled. Why? C. How do I track the bastard down? * D. Who's done this before? E. What, are there only bad guys? F. Is there anything I can do on my own? VI. What moral issues are involved with cancel messages? >VII. What's going to happen to cancels in the future? >VIII. What about these other things? >IX. What are the current cancel issues? >Changes >To Do >Contributors >Pointers >Appendix A: Dave the Resurrector >Appendix B: Retromoderation IV. What does it take to cancel messages? ========================================= A. I want to cancel posts! How do I do it? You must be kidding. B. I'm not kidding; I really do want to do it. How do I do it? *sigh* Well, I'll bet you really haven't thought about it very much yet. Read this section before you do anything, alright? Anyway... On a small scale, you can issue them by hand - see the Newsgroup Care Cancel Cookbook () for the details and warnings you'll need to get started. On a bigger scale, you're going to want a cancelbot. C. What is a cancelbot? A cancelbot is a program that searches for messages matching a certain pattern and sends out cancels for them; it's basically an automated cancel program, run by a human operator. D. Sounds cool. Where do I get one? If you have to ask, you're probably going to have a hard time getting one, and even if you do you probably won't be impressed with the quality. I wouldn't even consider using a cancelbot unless you've written it yourself or know exactly what it's doing (in which case you might as well have written it yourself anyway). E. What? Why not? Giving out a cancelbot is like handing out loaded guns with no safeties. Even if the recipient is well-intentioned, screw-ups are fatal; you need the proper training first. There may be people out there that will still give you that gun without the training, of course, but it's a good idea to question their motives... In general, until you know *exactly* how to use a cancelbot, you shouldn't be experimenting with one - and most people that write the 'bots know this. Cancelbots are dangerous, and can be used irresonsibly; more than that, if you screw up with a cancel-bot you can cause *large* problems, and it's fairly easy to screw up. For these and other reasons, it's generally accepted that only those that are willing and able to write their own cancelbot will ever actually get one. Sidenote: even if you trust the source of the code, it's not a good idea to trust it blindly. What security holes might it have? What bugs may be in it? Is it optimized for the ways that you're planning on using it? It's a lot safer to write your own code than to rely upon others; not only is it easier to modify for yourself, but you at least then have an idea what's still wrong with it... F. Fine then, I'll write it myself. Sure, go right ahead, but a word of wisdom: make sure you know what you're doing. Richard Depew, Usenet's current main bincanceller, was one of the first people to use cancelbots in a large way. One of the most famous bot-related incidents of all time was his ARMM cascade, in which a simple spelling error on his part caused a large spew in news.admin.policy for several hours before it was turned off. It was generally considered a Big Oops. Richard's incident was also far from the worst; that honor would have to go to the incident where a misconfigured cancelbot was auto- cancelling everything from netcom.com. Bigger Oops. And these examples just scratch the surface of what can go wrong when writing a cancelbot... Before you test out your cancelbot on actual Usenet stuff, double and triple check to make sure it *works*. Make sure that you've gone through all the potential bugs and vulnerabilities - add safeties, redundancies, internal logic checks, and what have you. Start a local group, test the 'bot out in that group *only*. Whatever. Just remember, you only get one chance at this, so do it right... While writing a cancelbot, make sure you follow the conventions that you plan on using ($alz, etc). In addition, once you've got the basics down, mail Chris Lewis (clewis@ferret.ocunix.on.ca). He'll give you some more tips. G. Right; I've got a cancelbot. Now what? Well, the obvious thing is to start using it. Don't. Before you do so, make sure you've considered *everything*; cancels raise plenty of interesting questions, and using a cancelbot isn't something to enter into lightly. Before you do anything, make sure you've thought a _lot_ about _all_ of the following issues. Trust me, you'll need it. 1. Who is going to be affected by this, and how will they react? Cancelbots tend to affect a lot of people. By running one, you are messing with a lot of people - and, generally, making them upset. Many are going to complain. Some are going to retaliate. Succinctly, before you start up your cancelbot, make sure you can handle any incoming mailbombs, that your network's security is strong enough to stand up to persistent cracking attempts, that you're on good enough terms with your bosses and administrators that they won't fire you or drop your account the second they get any complaints about you, that you've gotten your phone number made unlisted, and that you've got a good lawyer handy. That's a start, at least. 2. What kinds of problems will this cause legally? In the USA, at least, the current best information/guess about the legality of cancel messages says that non-content-based third party cancels are legal, and that content-based ones are illegal. However, this has just plain not been tested in anything resembling a court of law, and wouldn't apply to other countries even if it had been tested. Even if cancels are legal in your place of work, of course, this doesn't mean that you won't face legal harassment. It's almost trivially easy to find some reason to sue somebody today; if you hork somebody off by cancelling their posts, there is a chance that they'll try this on you. Remember, to many it often doesn't matter if they're going to win or lose the lawsuit; all that is important is that they have forced you to spend money and time to respond to the charges. Regardless - there is definitely some legal risk associated with third-party cancels. This risk is probably enough that you should talk with your higher-ups first, or, if possible, a lawyer. It could save you a lot of trouble down the line. 3. Is this a moral thing to do? Even if cancel messages were perfectly legal, they still aren't the nicest thing in the the world. By issuing a cancel you are deleting somebody else's words; many would call this censorship, and, even if their use is justified, they may be right. The most commonly used moral argument about cancels is known as the "slippery slope". The use of cancel messages leads down the road to censorship, which is a Bad Thing; however, it may be possible to keep the system under control by staying near the top. The further cancels go, however, the more likely it is that they cannot be controlled - and once that happens, any benefit they may have once held will be gone. Common practice says that non-content-based cancels are not censorship. Instead, they are based on how "loud" the message was said; it's not censorship to stop someone from blaring their message out in the middle of the night using a megaphone. This hopefully means spam cancels and their like are not yet out of control, and that we haven't gone so far down that we can't return; then again, this point is certainly up to debate. 4. Do I really have the time to deal with this? Operating a cancelbot takes a lot of time. Just on a technical level, the 'bot has to be written, the parameters have to be set and constantly updated, and the thing watched to make sure it works; that, though, is the least of your worries. Once you get the 'bot running, people are going to take notice. Result: you will get comments, you might get praise, and you will probably get complaints. You *must* listen to them if you want to continue running your 'bot responsibly. No, you don't have to respond to everything, especially the more juvenile flames, but you do have to make sure you listen to suggestions and problems; after all, if your 'bot is cancelling something it shouldn't be cancelling, you'll only find out when somebody tells you. If you don't have time to deal with these comments and complaints, then just give up now. Trust me, you'll be better off. 5. Do I know for *sure* what this program will be used for? If people don't accept the purpose of your cancelbot, then your cancelbot will not be effective for anything except getting a whole lot of flames and your account nuked. As such, before you start cancelling you should make sure you won't get rejected from the job. Make yourself some rules: - What kinds of posts will I be cancelling? - Will I be expanding these criteria later? - How accountable will I be? - What if somebody asks me to include (or exclude) their hierarchy? - Will I give out my code to others? Get these rules down now, before you run out of time to think of them later on down the line. This way, when you're called on them you can respond appropriately. (Recap: the standard uses for third-party cancels are spams, spews, moderated group cleanup, binaries in non-binary groups, and forgeries. See section I.D. for details.) 6. Have I double- and triple-checked my code? Again, screwing up your code can cause *big* problems. Before you're ready to go operational, make absolutely sure that you know that the code works 100% of the time. I'd personally recommend asking yourself "could I operate this while drunk?" There are no second tries here; don't give yourself a chance to screw it up. This is, of course, especially important if your code is ever going to be even viewed by another human being... 7. Do I know what's happened in the past? The history of Usenet and cancels goes back a long, long way; it's not only fairly interesting stuff, but it teaches interesting lessons. Before you start the cancelbots, you should probably know what they were used for before; with knowledge comes power, after all, and this way you won't start repeating the mistakes of your predecessors. 8. Am I following all of the rules? While they may not be conventions, there are certain basic rules that are usually followed by operators of cancelbots that should probably be followed. A notice of the cancels should be posted to news.admin.net-abuse.bulletins; the original poster and their postmaster should be notified; a representative copy, or link to such, should be appended to the notice of cancellation. You should have a reliable contact address, so as to be fully accountable for your actions. And, as usual, all of the official conventions should be followed exactly. If you're not doing them "nicely", you're going to get more complaints than otherwise - and rightfully so. And if you aren't capable of doing them nicely, then you probably shouldn't be issuing cancels at all. Remember, it has been proven time and again that nice, polite cancel notifications make less enemies than angry, flamish ones. It's probably a good idea to make your notifications as kind as possible - though they should always include as much information (or links to information) as you can possibly fit in. 9. Do I actually have to do *this*? If you hadn't figured it out already, cancelbots are a pain in the butt. For this if no other reason, you should probably reconsider whether this is really necessary. If your problem has to do with too much off-topic or irrelevant traffic, maybe cancels aren't the solution. Talk about moderation with the regulars of the newsgroup you're worrying about; someone might be willing to help moderate the group, or maybe they have another idea to solve the problem. Maybe mailing the offenders a polite message saying "your message is off-topic" would help, or perhaps it will take mailing the posters' administrators before they'll stop; either way might be more effective than cancels. Even if reasoning with everyone you can think of doesn't work, you can still try other approaches. Post about it to news.admin.net- abuse.usenet; the regulars there have trained themselves to deal with obnoxious sites, and will help you if necessary. In many cases, you can stop the problem with judicious use of killfiles. And, if all else fails, you can always try NoCeM (section VII.D.). In general, just make sure you've tried *every* alternative before you start cancelling anything. It's a pain to start, it's a bigger pain to continue, and the biggest pain comes when you finally want to stop... V. That idiot forge-cancelled my posts! ======================================= A. My post is gone; it was forge-cancelled, wasn't it? Before you do anything, check section III; double-check to make sure that someone really *did* cancel your post before you get all upset. Remember, no cancel message, no cancel. B. No, I'm sure, it was cancelled. Why? There are as many reasons to cancel a post as there are cancel messages. Most cancels are issued for valid reasons (which are detailed in previous sections), but sometimes they are done for what many people would consider illegitimate reasons. The people that issue such cancels are known as "rogue cancellers"; these are the ones to worry about. Why do they do it? It depends. One popular excuse, started by the infamous Church of Scientology, is that the message was a "Trade Secret" which must be protected. Another excuse has become prevalent in recent years is "if one may cancel, all may cancel" - the theory being that cancel messages themselves are evil and must be stopped, and the way to do this is to abuse the hell out of them so that sites will turn them off. Oddly, both of these excuses generally lead to cancels aimed at those the cancellers have declared "enemy", and usually end up backfiring. All of those reasons, though, are pretty much just excuses. What are the *real* reasons that somebody would do something like this? Simple: they want to keep something out from under public scrutiny, they didn't like what you said, or they just want to destroy a few messages. And yes, those are very bad reasons. In any case, rogue cancellers such as the above are *not* accepted by the Usenet community. End of story. The hunts to track down rogue cancellers often reach near-epic proportions, the searchers often spanning the globe, and virtually all such quests end with, at the very least, the cancels ending. C. How do I track the bastard down? If you have the cancel message, the best first step to tracking down the canceller is to post a (single) copy of the message to news.admin. net-abuse.usenet with a brief explanation of what's going on. The people on that group are veterans at tracing Usenet messages; they can probably help. While they're at it, they may also explain why your message may have been cancelled legitimately, in case there's anything you missed. For rudimentary analysis of who cancelled your post, check the NNTP-Posting-Host: header of the cancel. While it is possible to forge this header, it generally will say which machine was used to issue the cancel message. Other, less-forgable headers include the Path: and Sender: headers, and occasionally the Message-ID: header. D. Who's done this before? In the past, there have been many rogue cancellers of various skill, competence, and intelligence. Some are gone; others are still on the run, but appear occasionally. Here are a few of the most famous. o Kevin Jay Lipsitz: "Krazy Kevin", as he called himself in his spams, cancelled many posts on news.admin.net-abuse.misc concerning his spams. His theory was that, by cancelling the posts, it would take more effort to shut him down; on this point he failed miserably, instead merely causing the implementation of Dave the Resurrector (see Appendix A). During his time as a spammer Kevin was kicked off of many ISPs, but he has not been heard of for several months. o CrackerBuster: in December of 1994, an unknown computer person decided that he didn't like alt.2600, and decided to declare war on the group and anyone that supported it. In one of the first mass newsgroup attacks, CB issued cancels for every message in alt.2600 and alt.current-events.net-abuse and then flooded the groups with thousands of his own messages, effectively ruining them. Chris Lewis did much of the work cleaning up the mess; after he was done, he realized that he had himself a fully working cancelbot; after getting some updated detection software from Jonathan Kamens, Chris began work as Usenet's most prominent major spam canceller. o Crusader: Crusader's actions began with a very large neo-Nazi mass email, sent several times to just about every email address in existance. There were many systems involved in the sending of this unprecedented attack, most of which were cracked; this didn't stop a team of news.admin.* regulars from deciding they were going to track the perpetrators down. To slow down the trace, the people behind Crusader began to cancel all of the messages about the mass mailings; this merely forced the creation of a short-term mailing list and furthered the group's resolve to stop the attack. While the trail stopped at a cracked system in Italy, the mailings eventually stopped and the cancels ended. o Ellisd: soon after the passing of the Communications Decency Act, an anonymous user on Netcom decided to cancel everything in alt.binaries.pictures.erotica.* and alt.sex.* as "indecent filth". The account was shut down within hours; however, Ellisd continued to forge cancels from other machines, forging them to appear to come from his (now non-existant) Netcom account. Ellisd was entirely stopped within another couple of days; his only real effect had been to show that the cancellation of "morally questionable" material would not be tolerated. o The Pseudosite Incident: September of 1996 was a hard month for Usenet. Having endured many varied newsgroup and mail bombs, the next assault came in the form of tens of thousands of cancel messages. Possibly modeled after the ellisd incident of several months before, several parties unknown began issuing cancels using several new pseudosites such as "geekcancel" (in comp.*) and "kikecancel" (in soc.culture.israel). Needless to say, this resulted in a whole pile of ticked off people. The cancels stopped a few days later, and Chris Lewis reposted virtually all of the cancelled messages, but the damage was done. The pseudosite attack has started up several more times since its initial run, most prominently in the "Michael Franowski" continuing forgeries and the cancel/voter fraud attack upon news.lists.nocem. This latter attack eventually forced UUNet to close down its open news port. o The CancelBunny: the Church of Scientology, a remarkably paranoid organization, has several "secret scriptures" that have long been distributed over Usenet. To stop this, the evidence shows that they have called in someone with computer knowledge to cancel posts that contain any of their scriptures -- or anything that they didn't like. This brought the entire religion to the attention of Usenet, and alt.religion.scientology is a very well-read (and high traffic) group as a result. The cancels, however, were generally accepted to be Bad Things. Therefore, a group of people decided that they were going to hunt down the (anonymous) CancelBunny, as it had been named, by checking from bunches of sites. Several CancelBunnies have been tracked down and lost their accounts; more keep popping up, only to be bashed back down just as quickly. The cancels by the CancelBunny are generally on comp.org.eff.talk and alt.religion.scientology. Cancels to a.r.s are reported by Lazarus (VIII.C). o NewsAgent: HipCrime, an anonymous programmer with fairly anarchist views, one day decided to write a publicly available Usenet cancellation engine. His stated reason was the standard "if one may cancel, all may cancel" excuse; however, when he first unleashed his 'bot, he targeted moderated groups, anything administration-related, and everything else that he personally disliked. It quickly became apparent that his work was merely intended to destroy Usenet; as such, some of Usenet's more prominent anti-administration kooks joined him in what they saw as the final anti-Usenet war. It surprised them to no end when they soon found that their cancels had stopped being effective, because too many sites knew how to fight the attack. Since then, NewsAgent has morphed and become more public-domain. The software no longer issues cancel messages; instead, it issues long randomly-generated messages with Supersedes: headers, which destroy posts in a less-tracable and more-destructive manner (and which are almost immediately themselves cancelled, and the original messages reposted). Hipcrime has also written other variants of NewsAgent which send out other Control messages, creating thousands of bogus newsgroups on unwatched servers or causing a few individuals to be mailbombed but otherwise doing little damage. More worrisome is that older versions are in the hands of many people who wish to use the software maliciously, who are now using it to attack individual newsgroups. Even this is generally stopped after a couple of days, however. Overall, NewsAgent has merely made life a bit more difficult for news administrators and a bit more chaotic for standard Usenet users. Too bad. E. What, are there only bad guys? No, of course not; they're just the most prominent. There are plenty of important good guys, too -- the ones that perform the thankless job of cancelling spam, spew, MMF, and all the rest, basically keeping Usenet usable. Among the most famous spam cancellers include the CancelMoose (moose@cm.org) [the first major spam canceller, author of NoCeM, now retired from cancelling], Chris Lewis (clewis@ferret.ocunix.on.ca) [the most prominent spam canceller of all time], and Jonathan Kamens (jik@mit.edu) [writer of the best spam detection software to date]. Most of the other cancellers can be found on news.admin.net-abuse.*. F. Is there anything I can do on my own? Of course. 1. Notify the postmaster at the offending site, or upstream site. If you can determine where the cancels are coming form, mail the postmaster at that site (or abuse@site, if present) with your complaints, If this doesn't work, you may want to try notifying the people that give the site its newsfeed; for details on how to determine this, read the Spam Tracking FAQ. 2. Alias out the offending site. Your news administrator may be capable of making your machine not accept posts from a certain other machine. If necessary, this can be used to ignore the cancel messages on your own site. 3. Ignore the cancels. Most major cancel attacks are fairly easy to categorize, based on a common header or message body. It is possible to run software, such as Cleanfeed (), to ignore those cancels based on the common pattern; if you've got the time to update your filters fairly often, you may even be able to head off further attacks. 4. Write and run a Resurrection 'bot. It is possible to run a 'bot that reposts everything that is cancelled; the most famous example of this is Dave the Resurrector, which protects the news.admin.* hierarchy and is detailed in Appendix A. If you want to do something similar, you can be a great help at stopping rogue cancel attacks. 5. Call in the official authorities. As was previously said, forged cancels are in a legal grey area. If you want to call in the legal authorities, you probably can, and something may be done. The general recommendation of this, though, is "don't do it". Any kind of legal judgment on this matter sets a precedent; at this point, we're almost happier without one. VI. What moral issues are involved with cancel messages? ======================================================== I'll answer this question succinctly: Lots. The moral issues related to cancel messages are among the most interesting, and distressing, part of the issue. Third-party cancels, spam and binary cancels, retromoderation, moderators in general, the full "slippery slope" argument, the "Usenet is an anarchy" argument, "you're violating my first amendment rights!" and "without cancels, Usenet would have died under the weight of the spam long ago"... This FAQ, though, isn't really the best place to get into it. For lack of space and time, I cannot get into these issues in detail here, however important they may be. If you want a start on this matter, read the news.admin.net-abuse FAQ, along with the newsgroups. It's at least a start. -- Copyright 1999, Tim Skirvin. All rights reserved.