NNTP Lesson -- #Hackerz_Rulez dal.net
by Golden_Eternity

NNTP is the abbreviation for "Network News Transfer Protocol". It resides on port 119 for most systems (the port is registered for both TCP (Transmission Control Protocol) and UDP (User Datagram Protocol), though the protocol itself runs over TCP) and it is the transfer protocol for Usenet newsgroups. For those who are interested, RFC 977 (February 1986) covers NNTP while RFC 850 (June 1983) describes Usenet.

Usenet, for those who don't know, resembles a bulletin board, where any person (depending upon how the newsgroup is set up) can post a comment/question for anyone else to see. Some newsgroups of particular interest to the hacking community are the alt.2600* newsgroups, as well as alt.hacking (and other similar groups) and newsgroups dedicated to such subjects as operating systems or system security (Though this is not intended to be a definitive list).

Usenet replaces the more bulky mailing lists, which take up a great deal of bandwidth, are difficult to maintain (If only for the amount of time it takes out of your day), and are very annoying when you find a huge message or group of messages in your inbox.

There are many problems associated with Usenet, however, not the least of which is a preponderance of advertisements by porn webmasters or other low-lifes who will gladly kill off your bandwidth to make a buck and get a few more hits on their site, or find a few more marks for their scam of the week. There is also the problem of flame wars, which have been the major content of alt.2600 of late, unfortunately.

Amidst all the fighting and the slime, let's suppose you've found a gem of a post that you would very much like to respond to. However, if you post to that group with your valid e-mail address then you will surely be the target of spammers for weeks to come. This is easily dealt with, luckily... I will address this problem in a moment.

There are other reasons one might wish to do more than just mask their e-mail address. For example, suppose you wanted to post to a hacking newsgroup (NG) but your ISP doesn't approve of such activities, or you don't want to draw any more attention to your real identity than you absolutely have to. In cases like this, more drastic measures are called for, i.e. fake posts. This will be the second subject of this lesson.

---Dealing with Spammers---

The issue of spammers and Usenet is fairly well documented. CNET has done pieces on it for its television show, and an extended article was on their web site (It may still be there, I didn't check at the time of this lesson). There is an extremely simple method to post to newsgroups without suffering the consequences to your inbox. The solution lies within your newsgroup reader...

Every news reader (That I have used at least) has a section for your identity online. This has information like your e-mail address and your name/nickname. Now, spammers aren't going to waste their precious time actually reading posts in newsgroups when they could be dedicating their bandwidth to spamming you with advertisements or spending their ill-gotten gains. Instead, the spammer will run what is called a "bot".

Most of you will know what a bot is, and I hope you will forgive me for this and any other explanation that you might find fairly rudimentary. However, as the purpose of this lesson is to inform all, I feel the need to explain such things to those who are newer to the internet and the hacking community.

A bot is a script/program that performs a certain action (Somewhat analogous to daemons in Unix). On IRC, the term "bot" generally refers to a program that connects to the IRC network and performs certain basic functions. Sometimes, they are just mindless entertainment (Such would be the case with a bot loaded full of magic 8 ball scripts, and the like), sometimes they serve more administrative functions, such as tReMoRz from dal.net's #hacked (#Hackerz_Rulez's sister channel), who greets every "newcomer" to the room with the channel rules.

In the case I mentioned regarding newsgroups, the spammer's bot would search through Usenet posts for something of the form user@domain.com, then plug it into a list of e-mail addresses to be spammed.

The solution? Don't give them a valid e-mail address. That identity field in your browser isn't what determines whether you receive news posts; as long as it knows where to look for posts it'll work just fine. If you want people to be able to reply by e-mail, add something like "nospam" to your address. People know to remove that when replying, but most bots aren't designed to strip that from your address... yet. You can add a comment to the bottom of your post, explaining how to decipher your e-mail address for less computer-literate NGs. But don't just type it straight out within the post, as bots will look there as well.

However, changing your identity in your browser's preference settings doesn't hide your trace on the internet. Posts generally contain information on the NNTP server they were sent from, and some browsers (e.g. Netscape) include the IP address that the post was sent from (i.e., your IP at the time you signed on and sent the post) in the header. At the very least, the Message-ID will contain information on the server it was sent from, as well as a number that will identify it to that server.

Also, you should consider the fact that your ISP will most likely keep general info on every post sent from its NNTP port. It will be able to tie a post to an IP address using the Message-ID, and then from that IP address to your account by simply checking logs. In general, this is not much of an issue, however should it become so this lesson will, hopefully, help you to deal with it.

---Fake Newsgroup Posts---

As I stated before, the contact port for NNTP is port 119. Commands resemble those for SMTP, and are case insensitive (RFC977).

-Understanding NNTP Responses-

Server responses are preceded by a three digit number and may also contain a string response.

The end of a text response (i.e., the contents of a message) is shown by a period (.) alone on a line. For example:
.

The numeric responses can be, in large part, interpreted by the first of the three digits. Following is a list of possible responses and their meanings:

      1xx - Informative message
      2xx - Command ok
      3xx - Command ok so far, send the rest of it.
      4xx - Command was correct, but couldn't be performed for
            some reason.
      5xx - Command unimplemented, or incorrect, or a serious
            program error occurred.
The second of three digits indicates the function of the response:
      x0x - Connection, setup, and miscellaneous messages
      x1x - Newsgroup selection
      x2x - Article selection
      x3x - Distribution functions
      x4x - Posting
      x8x - Nonstandard (private implementation) extensions
      x9x - Debugging output
Here are some examples of numeric responses and their meanings:
      200 server ready - posting allowed
      500 command not recognized
      501 command syntax error
      502 access restriction or permission denied
For more detail on responses, check the help (HELP) function for specific commands.

-Post Commands-

To begin posting, connect via telnet to the NNTP port of your news-server of choice. The command to tell the server you are posting a new message to it is POST. To mark the end of a post, use a single period on a separate line (As mentioned in the last section). To let the server know you have nothing more to send (i.e., to disconnect from the server), the command is QUIT.

Here is a sample server/client exchange from RFC977 using the POST command:

   S:      (listens at TCP port 119)

   C:      (requests connection on TCP port 119)
   S:      200 BANZAIVAX news server ready, posting allowed.

   C:      POST
   S:      340 Continue posting; Period on a line by itself to end
   C:      (transmits news article in RFC850 format)
   C:      .
   S:      240 Article posted successfully.

   C:      QUIT
   S:      205 BANZAIVAX closing connection.  Goodbye.
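As an added example (not code from the original lesson), here is a small Python helper for the response codes above and for the end-of-text rule used in the POST exchange: it classifies a reply by its first two digits and implements RFC 977 dot-stuffing on both the sending and receiving side, which is what stops a body line consisting of a lone "." from ending an article early. All names are my own.

```python
import re
from typing import Iterator, List, Tuple

# Meaning of the first and second digit of a response code, per the table above (RFC 977).
FIRST_DIGIT = {
    "1": "informative",
    "2": "command ok",
    "3": "command ok so far, send the rest",
    "4": "command correct but could not be performed",
    "5": "command unimplemented, incorrect, or server error",
}
SECOND_DIGIT = {
    "0": "connection/setup/misc", "1": "newsgroup selection", "2": "article selection",
    "3": "distribution", "4": "posting", "8": "nonstandard extension", "9": "debugging",
}
RESPONSE_RE = re.compile(r"^([1-5][0-9]{2})(?:\s+(.*))?$")


def parse_response(line: str) -> Tuple[int, str, str, str]:
    """Split one server reply into (code, class, function, text).
    Anything that does not start with a valid three-digit code is rejected rather
    than guessed at, so a client never acts on a malformed reply."""
    m = RESPONSE_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"malformed NNTP response: {line!r}")
    code, text = m.group(1), m.group(2) or ""
    return int(code), FIRST_DIGIT[code[0]], SECOND_DIGIT.get(code[1], "unknown function"), text


def dot_stuff(body: List[str]) -> List[str]:
    """Sender side: any text line starting with '.' gets a second '.' prepended,
    then the block is closed with a lone '.' (RFC 977 text transmission rule).
    Without this, a body line consisting of '.' would end the article early."""
    return [("." + ln) if ln.startswith(".") else ln for ln in body] + ["."]


def read_text_block(lines: Iterator[str]) -> List[str]:
    """Receiver side: consume lines up to the terminating '.' and undo the stuffing."""
    body: List[str] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line == ".":
            return body
        body.append(line[1:] if line.startswith(".") else line)
    raise ValueError("text block ended without a terminating '.' line")
```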

-Formatting Posts-

One thing I would recommend before trying this is to save a post from an NG, then use it as a template. Set up the headers of your fake post to resemble those of the real post. Format for Usenet posts is defined in RFC850. Here is an excerpt:

  An article consists of several header lines, followed by a
  blank  line,  followed  by  the  body of the message.  The
  header lines consist of a keyword, a colon, a  blank,  and
  some  additional  information.   This  is  a subset of the
  ARPANET standard, simplified to allow simpler software  to
  handle  it.   The   "from"   line may optionally include a
  full name, in the format above, or use the  ARPANET  angle
  bracket syntax.  To keep the implementations simple, other
  formats (for example, with part  of  the  machine  address
  after the close parenthesis) are not allowed.  The ARPANET
  convention of continuation header lines (beginning with  a
  blank or tab) is allowed.
Here is an excerpt explaining which headers are required for posts (Don't believe everything you read):
  Certain  headers  are  required,   certain   headers   are
  optional.   Any unrecognized headers are allowed, and will
  be passed through unchanged.   The  required  headers  are
  Relay-Version,  Posting-Version,  From,  Date, Newsgroups,
  Subject,  Message-ID,  Path.   The  optional  headers  are
  Followup-To,  Date-Received,  Expires,  Reply-To,  Sender,
  References, Control, Distribution, Organization.

-Headers Explained-

The truth of the matter is that you don't need all that mess to post a message... Here is what you need:

From: user@domain.com (Optional name here)
Newsgroups: alt.test
Subject: Subject of post
Date: Fri, 20 Mar 1998 00:29:45 +0800
Message-ID: 
Body of post goes here.
.

And that's it... Some servers might not be quite as satisfied as others with just that bit, so you may need to add a few more... generally the error message will bitch at you about whatever the problem is, so you won't be totally in the dark.
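An added example, not part of the original lesson: a Python parser for the RFC 850 header format quoted above, with an audit function that flags what a news admin or moderator would look for in a suspect article (the minimal header set from this section, the From syntax, an empty Message-ID, and a missing NNTP-Posting-Host). The sample articles, hostnames and function names are constructed for this example.

```python
import re
from typing import Dict, List, Tuple

REQUIRED = ("from", "newsgroups", "subject", "date")  # the minimal set the lesson shows
# RFC 850 "From" forms:  user@host (Full Name)   or   Full Name <user@host>
FROM_RE = re.compile(r"^(?:\S+@\S+(?:\s+\(.*\))?|[^<>]+<\S+@\S+>)$")

def parse_article(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Split an RFC 850 article into (headers, body); continuation lines (leading blank or tab) are folded."""
    headers: Dict[str, str] = {}
    lines = text.splitlines()
    i, last = 0, None
    while i < len(lines) and lines[i] != "":
        line = lines[i]
        if line[0] in " \t" and last is not None:
            headers[last] += " " + line.strip()
        else:
            name, sep, value = line.partition(":")
            if not sep or not name.strip():
                raise ValueError(f"bad header line: {line!r}")
            last = name.strip().lower()
            headers[last] = value.strip()
        i += 1
    return headers, lines[i + 1:]

def audit_article(text: str) -> List[str]:
    """Findings a news admin or moderator would want to see before trusting a post."""
    headers, _body = parse_article(text)
    findings = [f"missing required header: {h}" for h in REQUIRED if h not in headers]
    if "from" in headers and not FROM_RE.match(headers["from"]):
        findings.append("From not in RFC 850 form")
    mid = headers.get("message-id", "")
    if not (mid.startswith("<") and mid.endswith(">") and "@" in mid):
        findings.append("Message-ID empty or not <unique@host>")  # server normally fills this in
    if "nntp-posting-host" not in headers:
        findings.append("no NNTP-Posting-Host: injecting server did not record the poster")
    return findings

# Constructed samples: the bare-minimum post from the lesson, and a post as a server that records the posting host would store it.
MINIMAL_POST = (
    "From: user@example.com (Optional name here)\nNewsgroups: alt.test\nSubject: Subject of post\n"
    "Date: Fri, 20 Mar 1998 00:29:45 +0800\nMessage-ID: \n\nBody of post goes here.\n"
)
FULL_POST = (
    "Path: news.example.net!not-for-mail\nFrom: Jane Doe <jane@example.com>\nNewsgroups: alt.test\n"
    "Subject: test\nDate: Fri, 20 Mar 1998 00:29:45 +0800\nMessage-ID: <abc123@news.example.net>\n"
    "References: <one@news.example.net>\n\t<two@news.example.net>\nNNTP-Posting-Host: 192.0.2.10\n\nHello.\n"
)
```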

Now, for those of you who are familiar with SMTP, when you enter a header, NNTP won't spit back a result code at you like SMTP would. It'll just drop to the next line for you to enter the next header (or the empty line that separates the headers from the body).

OK, now here is the problem... some versions of NNTP will post a header automatically, the NNTP-Posting-Host header... which contains your real IP number at the time you posted to the news-server... So, your mission, should you choose to accept it, is to track down a version that doesn't post that header for you. Just watch NGs for posts that don't have the header, then check their domain for an NNTP port. If you can't find it, check with InterNIC to see if they have a news.* server registered, then try that one... Try a couple test posts to alt.test to see that everything is working the way you want it to.

---Using NNTP for Evil instead of Good---

So, perhaps you are wondering just how haxorly all this newfound information really is. "Sure, I can post anonymously to Usenet. Woo-phuqin'-hoo..." Well, lemme tell ya a little story...

A while back I was in the alt.2600* newsgroups, and I made a few enemies (Don't bother hunting for posts by Golden_Eternity, you won't find them). Now, these people weren't out to destroy me, they're hackers after all, not crashers. So instead, they just decided to play a bit of a trick on me to make me look bad.

Now, as long as NNTP gets all the headers it needs, it doesn't give a damn what else is in the post. It's happy. So, if you get ahold of someone's old post, you can fairly easily mimic that post and add content of your own. In my case, they had me declaring my 31337 status as well as my homosexuality. Well, after I stopped laughing I realised that was a pretty neat trick to learn, and so here I am.

If that's not enough for you, feel free to tell me how lame I am. I profess nothing to the contrary.

