2021-04-19 19:48:12 UTC
love this, so they can hide where they injected their turds.
Q: What is your policy on Path: pre-loading?
A: If a customer of Altopia performs Path: pre-loading on their Path:
lines with valid (or valid looking) site names before "news.alt.net"
they should end their path-preloading with "news.alt.net", so that it
appears twice and it is obvious the post originated at Altopia.
Oooh, a "should" condition, which means no one has to honor it.
"should" is nothing like "we will actively block the violation".
Nowhere have I ever found a declaration by Altopia that they will
automatically reject submissions with pre-load strings in the PATH
header that are not postfixed with alt.net. Their policy just shakes a
finger at abusive users, but still allows the abuse.
Even if it only looked like an article got peered through alt.net,
malcontents could falsify the PATH header by adding a string and NOT end
it with alt.net, and Altopia would accept the falsified submission.
That is, alt.net would appear in the PATH, but it would look like a
peering node, not the injection node.
All of the marked portion of the above string could be falsified. The
malcontent preloads the indicated portion without appending alt.net, so
the article appears to have been injected elsewhere. This made Altopia
a spam- and malcontent-friendly Usenet provider. Whether PATH showed
the article originated at alt.net (the injection node was alt.net), or
"looked" like it only peered through alt.net (alt.net appears anywhere
within in PATH), the source could not be trusted, so I filtered out all
posts that had alt.net anywhere in the PATH header. They supported
falsification of the injection node which made them an untrusted source.
Don't believe me about the abuse of pre-loading the PATH header? Go
online to search on articles on why preloading is a nasty trick used by
spammers to hide from where they inject their turds.
Do any other Usenet providers allow PATH pre-loading, or is Altopia the
Know of any Usenet providers that accept the client's PATH header as-is
(that is, they let the client specify the PATH header)? My assumption,
validated by many articles, is that each server through which an article
passes is supposed to prepend itself to the PATH header, so the servers
build the PATH header. Any NNTP server that accepts a client-specified
PATH header would violate the PATH header as an info header for routing
information and constitutes complicity to forgery. Pre-loading is also
a violation of that premise and also constitutes forgery.
Altopia says they died; see: https://www.altopia.com/. Well, that's
what they claim. They say they turned off their servers on March 1,
2020. Yet I still see posts that appear to have been peered through
them (not sourced by them) for articles up to April 17. Over a month
and a half of their proclaimed shutdown, alt.net is still appearing in
the PATH header. They allowed their posters to lie regarding the
injection node. Not a huge surprise they're still peering over a month
and a half despite their professed shutdown.