Filtering the Anonymous USENET Trolls?
BoneFlower asks: "Anonymous remailers are all well and good, but sometimes people use them to abuse people through email or through trolling newsgroups. I've had limited results filtering "anonymous" on a USENET group I frequent but many anonymous remailer trolls get through. The group was nearly unusable for over a week due to the volume of anonymous remailer trolls. Does anyone have tips on filtering them out? I personally use Forte Agent 1.9.1, many others use Netscape/Mozilla, OE, and various others. If you could help us out, we'd appreciate it."
Use an IRC client to take a look at some of the more popular channels' filters in IRC (dalnet for example), to get a sense of troublesome IP domains (at least for IRC) and also a sense of how much effort this course of action might take.
0- Eamonman Proud member of DNRC
One option that seems to work fairly well, if you have the resources, is to set up a local news spool, then filter out the crap locally. With a local spool, you can perform checks that are too expensive to perform in the reader, e.g., not just verifying a valid looking sender, but actually performing A and MX record lookups for the domain to eliminate one class of spamware. (Unfortunately other spamware sees nothing wrong with criminally impersonating innocent third parties, but there are other ways to catch them.) Or you could do some regular expression matching looking for suspicious phrases, decoding uuencoded/base64-encoded blocks to check for viral loads, etc.
If you decide to do this, you can usually perform the tests during the ingest process (if it's always running), or as a daemon that periodically runs and checks the most recent messages.
The results can be staggering. I was doing this on a couple alt.* groups as a test, and a few simple rules could reduce the SNR from about 1-in-20 messages to about 2-in-3 messages. More importantly, this approach tends to eliminate the stuff that's mindlessly repeated hundreds of times. Most people don't mind getting a spam message once, but seeing the 247th identical message to make your breasts and penis larger (*who* needs this stuff?!) can make anyone lose it.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
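The local-spool checks described in the comment above (sender validation, domain lookup, phrase matching, suppression of repeated bodies), as an added Python example that is not part of the original thread. The phrase list, the `domain_resolves` callback (a stand-in for real A/MX lookups, so the example runs offline) and the sample articles are constructed assumptions.

```python
import email
import hashlib
import re
from email.utils import parseaddr

# Constructed phrase list and resolvable-domain set, for illustration only.
SUSPICIOUS = re.compile(r"make money fast|enlarge your", re.IGNORECASE)
RESOLVABLE = {"example.org", "example.net"}

def body_digest(body):
    """Hash the body with case and whitespace normalised so reposts collide."""
    canon = re.sub(r"\s+", " ", body).strip().lower()
    return hashlib.sha256(canon.encode("utf-8", "replace")).hexdigest()

def filter_spool(raw_articles, domain_resolves, max_copies=1):
    """Return (kept_ids, dropped), where dropped holds (message_id, reason)."""
    seen, kept, dropped = {}, [], []
    for raw in raw_articles:
        msg = email.message_from_string(raw)
        mid = msg.get("Message-ID", "<unknown>")
        _, at, domain = parseaddr(msg.get("From", ""))[1].rpartition("@")
        body = msg.get_payload()
        digest = body_digest(body)
        seen[digest] = seen.get(digest, 0) + 1
        if not at or "." not in domain:
            dropped.append((mid, "malformed sender"))
        elif not domain_resolves(domain.lower()):  # stands in for A/MX lookup
            dropped.append((mid, "domain does not resolve"))
        elif SUSPICIOUS.search(body):
            dropped.append((mid, "suspicious phrase"))
        elif seen[digest] > max_copies:
            dropped.append((mid, "repeated body"))
        else:
            kept.append(mid)
    return kept, dropped

def art(sender, mid, body):
    """Build a minimal constructed article: headers, blank line, body."""
    return f"From: {sender}\nMessage-ID: <{mid}>\nSubject: test\n\n{body}\n"

SAMPLE = [  # constructed articles, not real posts
    art("Alice <alice@example.org>", "1@a", "Kill rules on Path work for me."),
    art("x@no-such-host.invalid", "2@b", "Totally legitimate post."),
    art("Bob <bob@example.net>", "3@c", "MAKE MONEY FAST, reply now"),
    art("Carol <carol@example.org>", "4@d", "Same   text\nagain"),
    art("Dave <dave@example.net>", "5@e", "same text again"),
    art("Anonymous <nobody>", "6@f", "No domain on this one."),
]

if __name__ == "__main__":
    print(filter_spool(SAMPLE, lambda d: d in RESOLVABLE))
```

Recording a reason with each dropped Message-ID lets you audit false positives before tightening the rules.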
everyone knows usenet is only for pr0n and mp3z/w4r3z
Your statement has some element of truth to it. Probably 99% of the usenet data is devoted to these time honored traditions. However, these are generally not the areas that are inflicted with trolls. The binary newsgroups typically are pretty well organized, and most of the commentary is devoted to requests or to flaming those who haven't learned how to post properly yet. Pron newsgroups get a lot of spam and heated discussions as to image quality... or content quality. *Ahem*... or so I've heard.
The trolls prey upon the general discussion groups. That is because they can actually get a voice there. If you're in a binary group, you're there to download binaries, and thus, you're going to download the multipart messages that are visibly 10-15 megs in size. The individual messages you can scroll by in a heartbeat without ever paying attention to anything more than the message size. Even the title won't stand out. Trolls get no audience this way. Now, if the trolls took to posting large binaries for kicks, that would be something different. And while I'm not saying that they don't, I've never encountered this on usenet, although I have seen it done on the various P2P networks. It would appear that if someone's going to spend 3 days uploading something, they're not going to waste their upstream on something just so one person can download it then post a warning message to the rest of the group to ignore it.
-Restil
Play with my webcams and lights here