Resisting the flood of letter campaigns

Sacramento Bee ^ | October 2, 2004 | John Hughes jhughes@sacbee.com

[AmericanHombre]

There is a possibility that the democrats.org 'email campaign' originated from individuals within the sacbee.com internal network or the people writing those letters are "spoofing" the headers.

Some quick points: 1) the 192.168 address is reserved for internal (private networks) RFC 1918 http://www.faqs.org/rfcs/rfc1918.html The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private internets:

10.0.0.0 - 10.255.255.255 (10/8 prefix) 172.16.0.0 - 172.31.255.255 (172.16/12 prefix) 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

2) A search for democrats.org's IP address also reveals that it is not 192.168 but instead: 65.221.0.200 http://network-tools.com/default.asp?prog=trace&Netnic=whois.arin.net&host=democrats.org

3) This means one of two things, either the headers from the emails were spoofed/forged using software or they originated from machines from within the Sac Bee editorial network.

Without knowing what sort of internal network the Bee has, nor by checking the full headers, it would be difficult to determine this.

[AmericanHombre]

I'm a long time reader, very very rare poster.. but my curiousity was piqued this morning reading this. Since I work with networks a lot, I figured I'd email them and see what they say. The body of the thread above is what I sent them. I'd like to see what the rest of you think. Thanks!

[bcoffey]

Ummm... most every home network in the country uses 192.168.xxx.xxx.

[ladyinred]

This is very interesting and frankly I am surprised that the Bee would actually tell this story. I am not at all surprised that Democrats.com and moveon.org did this, they sent out emails before the debates asking supporters to spam papers, call in shows, media of all types, etc. It seems they took things into their own hands and sent the letters themselves. The Bee is liberal rag, but at least someone there is halfway honest.

[oolatec]

192.168.xxx.xxx is the address that every commercial router sold at Best Buy/CompUSA etc. has.

[68-69TonkinGulfYachtClub]

HANOI KERRY
CLICK HERE TO SIGN FORM 180

BUSH DID

WHAT ARE YOU HIDING?
WHAT IS YOUR SECRET?
WHAT DON'T YOU WANT
AMERICA AND THE PRESS TO KNOW?

Free online version of
Kerry's "The New Soldier"
You can read it online right now.


John F. Kerry
Timeline of a traitor.
Click Here

[harpo11]

I read the SadSac Bee article this morning.
Quite an admission on the behalf of the Letter's Editor.

He stated all of the letters were pro-Kerry, either coming from Move On.Org or Democrats.org...very interesting and
absolutely really wonderful that the editor, Hughes, Sherlocked it..

Makes me respect his intuition, training and decision.

Sort of strange though, he mentions the fact that pro-Bush letters were non-existent.

I laughed...unfortunately, the Sac Bee does have a flamboyant reputation for being a flaming leftist sympathetic rag.

But, hey, bravo...Letters Editor for tellin' it like it is, man. Deepens my respect.

[willk]

snip....When I searched for all headers containing "democrats.org," I found 47 of the 82 debate letters had been sent from that Web site. (The mail came from six specific machines - 192.168.10.21 through 192.168.10.26.)

snip....Further checking revealed that an additional 22 letters had been generated by moveon.org (machine 64.124.204.39). The number of moveon.org mail swelled to 77 pieces by noon.

Can the DNC and Moveon (or any 527)collude like this?

[Mo1]

This is not the first time an Internet-generated letter campaign has sought to game the system. When these are identified, e-mail filters are created that automatically discard the mail.

Go to any of the leftie sites and you will find threads pushing a letter writing campaign

[Tarpon]

I think if you read the sacbee article you will get some good tips what to do to get your letter considered. Basically write it yourself and use your own ideas. It works for me, but takes time and effort. Form letters won't work. I know, I show people how to delete them as spam.

The dims are stuffing newspaper 'letters to the editor' in boxes? Who woulda thunk it.

I can say I have email my local cbs station general manager 3 times now, and got replies back that they are not happy with cbs and Dan Rather. So do it right it works.

[Cultural Jihad]

I don't understand that part of the story. The IP address listed on the header of an email is the external address, whereas 192.168.x.x are internal addresses. How is it that 'democrats.org' emails show an internal address? As AmericanHombre said, either they were forged, or originated in the SacBee local area network. Hijacked by a trojan virus?

[thoughtomator]

Ok... given that I run a network I think I can lend some perspective here.

First, let's be clear about the significance of 192.168.*.* addresses - those are internal-network addresses ONLY - nothing from the Internet would have those addresses, unless it were later forwarded by a machine that had an external IP address.

Second, without having the headers to inspect firsthand, I will take an educated guess and say that the 192.168.*.* addresses were only one of several in the headers, assuming they were not sent through the internal sacbee network. (Limited to the information in the article there is no way to tell for sure.)

What's I'd guess from my experience is that the machines addressed 192.168.10.21-26 from the sending network are all servers (or multiple addresses pointing to one server) designed to create mass-email type letters to send to media orgs, of the 'check-here-to-email-200-newspapers' variety. They're probably webservers with independent external IP addresses, but without an SMTP server - the SMTP is probably done by a single machine, the one with the noted external IP address.

However, it is possible - if grossly foolish - that a department inside sacbee itself sent those letters in an effort to manipulate their own editors. The key to determining this is in the headers - are there any external addresses at all in the headers from the emails in question? (Truth be told, even then those are possibly spoofed - one would have to check the server logs and compare SMTP connections against the timestamps on the e-mails to be fully sure, and even then the logs could possibly be altered by a good hacker.)

Bottom line here though is that the presence of a 192.168.*.* address in the headers alone is not enough to make any determination about where they came from in the absence of knowledge of the full contents of the headers and the evidence from the server logs.

[Redcloak]

Office intranets use the same block of IP addresses. The SacBee mailserver, however, doesn't seem to append this address to mail it receives from the outside world. Mail he received from MoveOn.org had the MoveOn.org IP address. The 192.168.xxx.xxx mail had to have come from boxes at SacBee.com. If their IT guys set up everything with static IP addresses, then hunting down the guilty parties will be a simple matter. If they use dynamically assigned IP addresses, then it will just take a little longer, assuming that the server keeps a log of which box was using which IP and when.

[AmericanHombre]

Well everyone, I got a follow up, I haven't written him back yet. However I intend to let him know that while he considers it a "laugh" in these days of rathergate and DNC operated media, it's not that far off the mark to wonder "what if" AH

Well, you win the "Technology Wizard" prize for figuring out that I had failed to noticed that the IP addresses were not the public addresses for the machines.

However, your suggestion that someone at The Bee is spoofing this is too far off the mark to be considered anything more than a laugh. (We also don't use the 192.168. range at The Bee, but I do use it at home for my personal network and I should have noticed.)

Here's the pertinent line that is duplicated (except for the IP address) in all of the mail:

Received: from democrats.org (192.168.10.23) by mailer.democrats.org with ESMTP; 01 Oct 2004 19:56:00 -0400 Message-Id: <3f3s8b$265c@mailer.democrats.org>

The machine mailer.democrats.org does exist and, as you suggest, this machine is in the range of democrats.org -- 65.221.0.212.

Since several weeks ago I warned democrats.org that I was going to filter all of its mail, I wouldn't be surprised that they attempted to find a way to hide the real IPs. At the time, their mail could be identified as coming from composer.democrats.org, which is a machine with the IP address of 65.21.0.215, again in the range for democrats.org.

But it is also just as easy to believe that democrats.org gets so much traffic that it is shared by six servers and these IPs are the internal IPs and useful inside the organization to debug any problems.

One thing I forgot to mention in the article is that there's another Kerry-related server that is used to send letters. I started filtering it a few weeks ago and forgot about it since no one complains that their letter wasn't used. I was looking through the "filtered" basket and saw a bunch of post-debate emails. That server is identified as alston.kerrytech.net and resolves to 69.20.84.211, which is a server rented from Rackspace.

Headers look like this:

Received: from thorson ([10.236.23.143]) by alston.kerrytech.net (8.11.6/8.11.6) with SMTP id i92IPOi09141 for ; Sat, 2 Oct 2004 14:25:24 -0400

The domain is registered to JK Inc. (37595603O) P.O. Box 77247 Washington, DC 20003 US Phone: 202-712-3000 Fax: 202-712-3001

I may print some of your stuff in a followup column, but I'm not sure whether it will fly with the boss, since the discussion of IPs and servers is far removed from the general readership's expertise.

Again, thanks for pointing out my error.

John Hughes
Letters Editor