A Windows XP help forum. PCbanter


[OT] Annexcafe User2User newsgroup



 
 
  #1  
Old November 9th 16, 03:00 PM posted to alt.comp.os.windows-10,alt.comp.freeware,alt.computer.workshop
Shadow
external usenet poster
 
Posts: 1,638
Default [OT] Annexcafe User2User newsgroup

On Wed, 6 May 2009 08:46:06 +0100, "~BD~"
wrote:

"Grybeard" wrote in message
...

"Reckon he finally figured it out?"

******

That is what 'Grybeard' posted after I had been banished from YET_ANOTHER_FORUM_THAT_BANISHED_ME_FOR_STALKING .

*Is* CUT_STALKING_LINK a safe place for folk to go to get help with their
computer problems?


I don't know, Bl&^&^%dy De&^%îL. But it was probably MUCH
safer after they BANNED you.
So *WHY* did you state you had *NEVER* been banned for
stalking ? And *WHY* did you CHANGE your nick to post ?
[]'s

PS I noticed you recently tried to revive the SEVEN YEAR OLD
STALKING thread in a completely unrelated forum.

Message-ID:

I'm posting to your usual forums, so people can get to know you
better.
I'm sure everybody will want to help you. I mean, you are
after the "bad guys", right ?

--
Don't be evil - Google 2004
We have a new policy - Google 2012
  #2  
Old November 9th 16, 04:40 PM posted to alt.comp.os.windows-10,alt.comp.freeware,alt.computer.workshop
David B.[_6_]
external usenet poster
 
Posts: 248
Default [OT] Annexcafe User2User newsgroup

On 09/11/2016 15:00, Shadow wrote:
On Wed, 6 May 2009 08:46:06 +0100, "~BD~"
wrote:

"Grybeard" wrote in message
...

"Reckon he finally figured it out?"

******

That is what 'Grybeard' posted after I had been banished from YET_ANOTHER_FORUM_THAT_BANISHED_ME_FOR_STALKING .

*Is* CUT_STALKING_LINK a safe place for folk to go to get help with their
computer problems?


I don't know, Bl&^&^%dy De&^%îL. But it was probably MUCH
safer after they BANNED you.
So *WHY* did you state you had *NEVER* been banned for
stalking ? And *WHY* did you CHANGE your nick to post ?
[]'s


In my opinion, the Annexcafe User2User group had been infiltrated by
some dishonest folk and I was attempting to expose them. The site
pretended to be 'safe' for the users of the group when, of course, it
was nothing of the kind.

When first I went there, I had never even HEARD of a 'header' and had no
idea how the folk there knew it was me posting regardless of whatever nym
I chose to use. It was a great learning experience though!

PS I noticed you recently tried to revive the SEVEN YEAR OLD
STALKING thread in a completely unrelated forum.

Message-ID:

I'm posting to your usual forums, so people can get to know you
better.


Had you actually READ the thread, you would have realised that what I
had tried to describe to Tim Jackson at that time was _identical_ to
what I more recently found in the IdentIt.ca web page.

I wanted to draw matters to his attention if he was still monitoring the
'alt.computer.security' group. I shall email him shortly, now that
Microsoft have at last grasped the nettle.

I'm sure everybody will want to help you. I mean, you are
after the "bad guys", right ?


Good guys *DO* help me ..... and I very much appreciate that help. :-)

It's a shame that you do not read at the links I post, but here's a
pertinent example in full. I hope this helps folk understand.

=

Here's some more background, lifted from a Usenet group:-

Path: eternal-september.org!mx02.eternal-september.org!.POSTED!not-for-mail
From: Paul
Newsgroups: alt.windows7.general
Subject: windows7 upgrade loop
Date: Fri, 11 Sep 2015 05:45:00 -0400
Organization: A noiseless patient Spider
Lines: 228
Message-ID:
References:








Mime-Version: 1.0
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Fri, 11 Sep 2015 09:43:09 +0000 (UTC)
Injection-Info: mx02.eternal-september.org;
posting-host="b67457fd2129c9f432d3358443878287";
logging-data="16262"; ";
posting-account="U2FsdGVkX190Uc9gb75CicrJx5Z/7E0UjdV4PiQvYuk="
User-Agent: Ratcatcher/2.0.0.25 (Windows/20130802)
In-Reply-To:
Cancel-Lock: sha1:rFPBp0eHXeN8JV4ylqTxMVj6XKQ=

~BD~ wrote:
On 11/09/2015 09:35, Paul wrote:
~BD~ wrote:
On 07/09/2015 20:25, Eternal Hope wrote:
On 07/09/2015 15:53, ~BD~ wrote:
On 05/09/2015 17:06, Eternal Hope wrote:
You need to understand something.

I'm the person who takes your ballpoint pen to bits to see how it
works,
then I'll dismantle and reassemble your lawnmower to make it less
noisy
when you insist on cutting your grass at 8:00pm on a summer Sunday
evening.

I don't need an excuse to try and figure out how something works
(or not
as the case may be)

Hello

I suspect we have a vaguely similar mindset! :-)

Once, when in Australia, I repaired a non-functioning Distributor on
our
Ford Estate car by using a spring from a Biro and a 'sculptured' lead
pencil. That was to transfer power from the ignition coil to the

rotor
arm and thus to the spark plugs! ;-)

I've spent much of my working life taking other peoples crappy,
uncommented, broken source code to bits and putting it back
together so
that it works as it should have done (i.e complies with the spec)

However, I have NOT worked in the IT/computing field and I've had to
learn from other folk, people perhaps much like yourself.

May I ask if you have ever explored the website described here?


http://answers.microsoft.com/en-us/w...15243dd?auth=1






Do you have the skills to detect if all is as it should be there?

I confess some surprise when I was confronted by THIS page!

https://www.dropbox.com/s/kq08kp1t6k...t%21.tiff?dl=0

I'd welcome your view(s).

David

Well now this *is* interesting

One apparently benign approach and three warning shots.

What is your point.

You are more than welcome to look me up on LinkedIn! You'll find me
here: uk.linkedin.com/in/boaterdave

If you really are as 'curious' as you first intimated, may I encourage
you to visit here (it's affiliated with the Malwarebytes operation).
The facility "Quickly and safely dissect malicious or suspect websites"

http://vurldissect.co.uk/?url=3194361

It will probably take around one minute to load! It appears to give
Aumha a 'clean sheet'!

However, if one uses the same facility to 'investigate' www.Identit.ca
one gets a completely different story! For a start, there is
apparently no PTR record and there is what (to me) appears an anomaly
in the code.

I'm concerned because if I scroll down at the 'dissect' information
page, I see the following - which doesn't seem to have a rightful
place there!

Can you explain to me why THIS detail appears at line 278?

=

/tddiv style=" width: 31px; height: 87x; 2; id="layer3"marquee
scrollDelay="1044" align="middle" border="0"a
href="http://www.nikeairmaxsite.com/"nike air max sneakers/aa
href="http
://www.toplacoste.com/"Lacoste Outlet/aa
href="http://www.nikedunksales.com/nikesbdunkhigh-c-7.html"nike dunk
high/aa href="http://www.frchristianlouboutin.com/"christian
louboutin sale/aa href="http://www.nikedunksales.com/"nike
dunk/aa href="http://w
ww.nikedunksales.com/nikesbdunkmid-c-13.html"nike dunk mid/aa

href="http://www.frchristianlouboutin.com/christian-louboutin-shoes-c-5.html"christian


louboutin shoes/aa
href="http://www.lebronsky.com/kobebryant-c-21.html"kobe bryant
shoes/aa

href="http://www.airforce1fashion.com/air-force-1-premium-mid-c-239.html&

quot;air force one mid/aa
href="http://www.frchristianlouboutin.com/"christian louboutin
discount/aa

href="http://www.lebronsky.com/kobebryantnikezoomkobev5-c-21_28.html"kobe

v/a/marquee/div

=

It doesn't seem to be related to the subject matter of the website
itself. Do you think it might in some way be connected with SPAM?

Thanks in advance for any insightful comment!

--

A memorial to the nearly 300 colleagues I lost on THAT 9/11 -
http://memorial.mmc.com


A check of the site ("http://www.identit.ca"), at this instant,
shows no such thing.

In fact, doing "Save as" "Web page complete" reveals some
pretty simple HTML code, as well as one whole CSS style sheet.
No Javascript, or bunk you cannot understand. A model of
web page design, if you ask me. No unnecessary stuff.

And certainly no Chinese running shoe adverts.

*******

Are you sure your own browser isn't compromised ?

Perhaps DNS poisoning, adware injection of links into page
content ?

Maybe the analysis site you were using, is itself infected ?

I've looked at some pretty awful code recently, like the 2.5MB
Javascript file on the Yahoo news page, and by comparison seeing
this code is a breath of fresh air.

Paul


Hi Paul

I'm totally out of my depth here, which is WHY I'm seeking help/advice.

Using my native Safari browser, I can view this .... (does it help you?)

I really do hope that my equipment is not at fault!!!

snipped


tr height="28"
td class="bottommenu-color"/td
td class="bottommenu-color" style="padding-"
table cellpadding="0" cellspacing="0" border="0"
tr
td class="bottommenuitemactive"Home/td
td class="bottommenudivider"
div style="width:17px; height:0px;"
spacer/spacer/div
/tddiv style="; width: 31px;
height: 87x; id="layer3"marquee
scrollDelay="1044" align="middle" border="0"a
href="http://www.nikeairmaxsite.com/"nike air max sneakers/aa
href="http://www.toplacoste.com/"Lacoste Outlet/aa
href="http://www.nikedunksales.com/nikesbdunkhigh-c-7.html"nike dunk
high/aa href="http://www.frchristianlouboutin.com/"christian
louboutin sale/aa href="http://www.nikedunksales.com/"nike
dunk/aa
href="http://www.nikedunksales.com/nikesbdunkmid-c-13.html"nike dunk
mid/aa

href="http://www.frchristianlouboutin.com/christian-louboutin-shoes-c-5.html"christian

louboutin shoes/aa
href="http://www.lebronsky.com/kobebryant-c-21.html"kobe bryant
shoes/aa

href="http://www.airforce1fashion.com/air-force-1-premium-mid-c-239.html"air

force one mid/aa
href="http://www.frchristianlouboutin.com/"christian louboutin
discount/aa

href="http://www.lebronsky.com/kobebryantnikezoomkobev5-c-21_28.html"kobe
v/a/marquee/div


OK, now I see it. Very clever. It's injected code with no line formatting
in it. An attempt at one long line that goes off the side of my screen.
That's why I didn't notice it in the editor.

I would say a third party put that in there.

What's also curious, is it doesn't make a visual element
on the web page. You can't see it. And there is also no
code to record an "ad impression" (so they're not "billing"
a third party for having it there). So the stuff that is
there, I can't see anyone profiting directly from this. Not
the person showing the ad, or the person who injected it.
I couldn't find anything to click. It's supposed to be a
marquee, but there isn't such an element at the bottom of
the page.

The only advantage doing that might have, is in influencing
a search engine. To raise the priority of the links in question,
so perhaps a search on "Nike" is more likely to reference those
links. A kind of "salting" for SEO purposes, intended to raise
the priority of the Chinese running shoe adverts, so they're
more likely to float to the top in a search on Google.

And you can see, the fact that I missed that (didn't see it off
the side of my screen), the people who maintain that web page
probably don't see it either. Since the marquee cannot be
seen as a visual item on the rendered web page, it's pretty
hard to detect it. I would guess the person doing the injecting,
sees that the web page was "hand edited" and took advantage of
that fact (knows it'll go off the side of the screen, so
a person editing the HTML won't notice).

The only way you'd detect that, is with something like TripWire
on the server (you notice that the file checksums changed, even though
you haven't edited the code recently).

Since you can't click those links, it's not like you will
be going to those sites by accident.

Paul

=

Uncovering bad guys isn't easy! ;-)

The full thread is here:-

https://social.technet.microsoft.com...m=winservergen

--
David B.
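Added example, not part of the original thread or of Paul's quoted post: a defender-side check for the two signals he describes, namely off-site links tucked inside a `<marquee>` or tiny box on one very long line, and a Tripwire-style checksum comparison against a known-good baseline. The host names, thresholds, function names and sample pages are all constructed assumptions.

```python
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

LONG_LINE = 500   # assumed threshold: hand-edited HTML rarely has lines this long
TINY_PX = 100     # assumed: a box narrower than this has no room for real links
VOID = {"br", "hr", "img", "input", "link", "meta", "spacer"}


class HiddenLinkFinder(HTMLParser):
    """Collect off-site links placed inside a <marquee> or a tiny/hidden box."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.stack = []      # open elements as (tag, is_suspect_container)
        self.findings = []   # (line_number, container_tag, href)

    @staticmethod
    def _suspect(tag, attrs):
        style = (dict(attrs).get("style") or "").lower()
        if tag == "marquee":
            return True
        if re.search(r"display\s*:\s*none|visibility\s*:\s*hidden", style):
            return True
        width = re.search(r"(?<![-\w])width\s*:\s*(\d+)px", style)
        return bool(width and int(width.group(1)) < TINY_PX)

    def _offsite(self, href):
        host = (urlparse(href).hostname or "").lower()
        return bool(host) and host != self.site_host \
            and not host.endswith("." + self.site_host)

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href") or ""
            box = next((t for t, s in reversed(self.stack) if s), None)
            if box and self._offsite(href):
                self.findings.append((self.getpos()[0], box, href))
        if tag not in VOID:
            self.stack.append((tag, self._suspect(tag, attrs)))

    def handle_endtag(self, tag):
        # Close the nearest matching open element; tolerate sloppy markup.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break


def long_lines(html, limit=LONG_LINE):
    """Line numbers longer than the limit (markup pushed off the editor screen)."""
    return [n for n, line in enumerate(html.splitlines(), 1) if len(line) > limit]


def scan_page(html, site_host):
    finder = HiddenLinkFinder(site_host)
    finder.feed(html)
    finder.close()
    return {"hidden_links": finder.findings, "long_lines": long_lines(html)}


def make_baseline(files):
    """Record SHA-256 digests of known-good files ({name: bytes})."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def changed_files(baseline, current):
    """Names that are new or whose digest differs from the recorded baseline."""
    now = make_baseline(current)
    return sorted(name for name in now if baseline.get(name) != now[name])


# Constructed sample: a clean hand-edited page, and the same page with one
# long injected line of off-site links appended to an existing row.
CLEAN = """<html><body>
<table><tr>
<td class="bottommenuitemactive">Home</td>
<td class="bottommenudivider"><div style="width:17px; height:0px;"></div></td>
<td><a href="http://partner.example/">Partner</a></td>
</tr></table>
</body></html>
"""
INJECTED_LINE = (
    '<div style="width: 31px; height: 87px; overflow: hidden" id="layer3">'
    '<marquee scrollDelay="1044">'
    + "".join(f'<a href="http://shop{i}.example/">shoes {i}</a>' for i in range(12))
    + "</marquee></div>"
)
TAMPERED = CLEAN.replace("</td>\n</tr>", "</td>" + INJECTED_LINE + "\n</tr>")

if __name__ == "__main__":
    baseline = make_baseline({"index.html": CLEAN.encode()})
    print("changed:", changed_files(baseline, {"index.html": TAMPERED.encode()}))
    report = scan_page(TAMPERED, "www.site.example")
    print("long lines:", report["long_lines"])
    for line, box, href in report["hidden_links"]:
        print(f"line {line}: off-site link inside <{box}>: {href}")
```

The visible partner link in the sample is off-site but not flagged, because it does not sit inside a suspect container.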
  #3  
Old November 9th 16, 04:55 PM posted to alt.comp.os.windows-10,alt.comp.freeware,alt.computer.workshop
Shadow
external usenet poster
 
Posts: 1,638
Default [OT] Annexcafe User2User newsgroup

On Wed, 9 Nov 2016 16:40:22 +0000, "David B." "David
wrote:

On 09/11/2016 15:00, Shadow wrote:
On Wed, 6 May 2009 08:46:06 +0100, "~BD~"
wrote:

"Grybeard" wrote in message
...

"Reckon he finally figured it out?"

******

That is what 'Grybeard' posted after I had been banished from YET_ANOTHER_FORUM_THAT_BANISHED_ME_FOR_STALKING .

*Is* CUT_STALKING_LINK a safe place for folk to go to get help with their
computer problems?


I don't know, Bl&^&^%dy De&^%îL. But it was probably MUCH
safer after they BANNED you.
So *WHY* did you state you had *NEVER* been banned for
stalking ? And *WHY* did you CHANGE your nick to post ?
[]'s


In my opinion


Nobody cares.

PS I noticed you recently tried to revive the SEVEN YEAR OLD
STALKING thread in a completely unrelated forum.

Message-ID:

I'm posting to your usual forums, so people can get to know you
better.


SNIP_COPIOUS_PROOF_OF_STALKING

Thank you for confirming. NOW everyone knows EXACTLY what you
are. Couldn't have painted a better picture of you myself.
[]'s
--
Don't be evil - Google 2004
We have a new policy - Google 2012
  #4  
Old November 9th 16, 05:09 PM posted to alt.comp.os.windows-10,alt.comp.freeware,alt.computer.workshop
David B.[_6_]
external usenet poster
 
Posts: 248
Default [OT] Annexcafe User2User newsgroup

On 09/11/2016 16:55, Shadow wrote:
[....]

Nobody cares.


You are wrong - *AGAIN*!

PS I noticed you recently tried to revive the SEVEN YEAR OLD
STALKING thread in a completely unrelated forum.

Message-ID:

I'm posting to your usual forums, so people can get to know you
better.


SNIP_COPIOUS_PROOF_OF_STALKING

Thank you for confirming. NOW everyone knows EXACTLY what you
are. Couldn't have painted a better picture of you myself.
[]'s


You are most welcome! :-)

As I've always maintained, *the truth WILL out*!

David B.

  #5  
Old April 22nd 17, 09:15 AM posted to alt.comp.os.windows-10,alt.comp.freeware,alt.computer.workshop
David B.[_5_]
external usenet poster
 
Posts: 545
Default [OT] Annexcafe User2User newsgroup

On 09/11/2016 16:40, David B. wrote:
On 09/11/2016 15:00, Shadow wrote:
On Wed, 6 May 2009 08:46:06 +0100, "~BD~"
wrote:

"Grybeard" wrote in message
...

"Reckon he finally figured it out?"

******

That is what 'Grybeard' posted after I had been banished from
YET_ANOTHER_FORUM_THAT_BANISHED_ME_FOR_STALKING .

*Is* CUT_STALKING_LINK a safe place for folk to go to get help with
their
computer problems?


I don't know, Bl&^&^%dy De&^%îL. But it was probably MUCH
safer after they BANNED you.
So *WHY* did you state you had *NEVER* been banned for
stalking ? And *WHY* did you CHANGE your nick to post ?
[]'s


In my opinion, the Annexcafe User2User group had been infiltrated by
some dishonest folk and I was attempting to expose them. The site
pretended to be 'safe' for the users of the group when, of course, it
was nothing of the kind.

When first I went there, I had never even HEARD of a 'header' and had no
idea how the folk there knew it was me posting regardless of whatever nym
I chose to use. It was a great learning experience though!

PS I noticed you recently tried to revive the SEVEN YEAR OLD
STALKING thread in a completely unrelated forum.

Message-ID:

I'm posting to your usual forums, so people can get to know you
better.


Had you actually READ the thread, you would have realised that what I
had tried to describe to Tim Jackson at that time was _identical_ to
what I more recently found in the IdentIt.ca web page.

I wanted to draw matters to his attention if he was still monitoring the
'alt.computer.security' group. I shall email him shortly, now that
Microsoft have at last grasped the nettle.

I'm sure everybody will want to help you. I mean, you are
after the "bad guys", right ?


Good guys *DO* help me ..... and I very much appreciate that help. :-)

It's a shame that you do not read at the links I post, but here's a
pertinent example in full. I hope this helps folk understand.

=

Here's some more background, lifted from a Usenet group:-

Path: eternal-september.org!mx02.eternal-september.org!.POSTED!not-for-mail
From: Paul
Newsgroups: alt.windows7.general
Subject: windows7 upgrade loop
Date: Fri, 11 Sep 2015 05:45:00 -0400
Organization: A noiseless patient Spider
Lines: 228
Message-ID:
References:








Mime-Version: 1.0
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Fri, 11 Sep 2015 09:43:09 +0000 (UTC)
Injection-Info: mx02.eternal-september.org;
posting-host="b67457fd2129c9f432d3358443878287";
logging-data="16262";
";
posting-account="U2FsdGVkX190Uc9gb75CicrJx5Z/7E0UjdV4PiQvYuk="
User-Agent: Ratcatcher/2.0.0.25 (Windows/20130802)
In-Reply-To:
Cancel-Lock: sha1:rFPBp0eHXeN8JV4ylqTxMVj6XKQ=
Xref: mx02.eternal-september.org alt.windows7.general:132872

~BD~ wrote:
On 11/09/2015 09:35, Paul wrote:
~BD~ wrote:
On 07/09/2015 20:25, Eternal Hope wrote:
On 07/09/2015 15:53, ~BD~ wrote:
On 05/09/2015 17:06, Eternal Hope wrote:
You need to understand something.

I'm the person who takes your ballpoint pen to bits to see how it
works,
then I'll dismantle and reassemble your lawnmower to make it less
noisy
when you insist on cutting your grass at 8:00pm on a summer Sunday
evening.

I don't need an excuse to try and figure out how something works
(or not
as the case may be)

Hello

I suspect we have a vaguely similar mindset! :-)

Once, when in Australia, I repaired a non-functioning Distributor on
our
Ford Estate car by using a spring from a Biro and a 'sculptured'

lead
pencil. That was to transfer power from the ignition coil to the

rotor
arm and thus to the spark plugs! ;-)

I've spent much of my working life taking other peoples crappy,
uncommented, broken source code to bits and putting it back
together so
that it works as it should have done (i.e complies with the spec)

However, I have NOT worked in the IT/computing field and I've had to
learn from other folk, people perhaps much like yourself.

May I ask if you have ever explored the website described here?


http://answers.microsoft.com/en-us/w...15243dd?auth=1






Do you have the skills to detect if all is as it should be there?

I confess some surprise when I was confronted by THIS page!

https://www.dropbox.com/s/kq08kp1t6k...t%21.tiff?dl=0

I'd welcome your view(s).

David

Well now this *is* interesting

One apparently benign approach and three warning shots.

What is your point.

You are more than welcome to look me up on LinkedIn! You'll find me
here: uk.linkedin.com/in/boaterdave

If you really are as 'curious' as you first intimated, may I encourage
you to visit here (it's affiliated with the Malwarebytes operation).
The facility "Quickly and safely dissect malicious or suspect

websites"

http://vurldissect.co.uk/?url=3194361

It will probably take around one minute to load! It appears to give
Aumha a 'clean sheet'!

However, if one uses the same facility to 'investigate' www.Identit.ca
one gets a completely different story! For a start, there is
apparently no PTR record and there is what (to me) appears an anomaly
in the code.

I'm concerned because if I scroll down at the 'dissect' information
page, I see the following - which doesn't seem to have a rightful
place there!

Can you explain to me why THIS detail appears at line 278?

=

/tddiv style=" width: 31px; height: 87x; 2; id="layer3"marquee
scrollDelay="1044" align="middle" border="0"a
href="http://www.nikeairmaxsite.com/"nike air max sneakers/aa
href="http
://www.toplacoste.com/"Lacoste Outlet/aa
href="http://www.nikedunksales.com/nikesbdunkhigh-c-7.html"nike dunk
high/aa href="http://www.frchristianlouboutin.com/"christian
louboutin sale/aa href="http://www.nikedunksales.com/"nike
dunk/aa href="http://w
ww.nikedunksales.com/nikesbdunkmid-c-13.html"nike dunk mid/aa

href="http://www.frchristianlouboutin.com/christian-louboutin-shoes-c-5.html"christian


louboutin shoes/aa
href="http://www.lebronsky.com/kobebryant-c-21.html"kobe bryant
shoes/aa

href="http://www.airforce1fashion.com/air-force-1-premium-mid-c-239.html&

quot;air force one mid/aa
href="http://www.frchristianlouboutin.com/"christian louboutin
discount/aa

href="http://www.lebronsky.com/kobebryantnikezoomkobev5-c-21_28.html"kobe

v/a/marquee/div

=

It doesn't seem to be related to the subject matter of the website
itself. Do you think it might in some way be connected with SPAM?

Thanks in advance for any insightful comment!

--

A memorial to the nearly 300 colleagues I lost on THAT 9/11 -
http://memorial.mmc.com

A check of the site ("http://www.identit.ca"), at this instant,
shows no such thing.

In fact, doing "Save as" "Web page complete" reveals some
pretty simple HTML code, as well as one whole CSS style sheet.
No Javascript, or bunk you cannot understand. A model of
web page design, if you ask me. No unnecessary stuff.

And certainly no Chinese running shoe adverts.

*******

Are you sure your own browser isn't compromised ?

Perhaps DNS poisoning, adware injection of links into page
content ?

Maybe the analysis site you were using, is itself infected ?

I've looked at some pretty awful code recently, like the 2.5MB
Javascript file on the Yahoo news page, and by comparison seeing
this code is a breath of fresh air.

Paul


Hi Paul

I'm totally out of my depth here, which is WHY I'm seeking help/advice.

Using my native Safari browser, I can view this .... (does it help you?)

I really do hope that my equipment is not at fault!!!

snipped


tr height="28"
td class="bottommenu-color"/td
td class="bottommenu-color" style="padding-"
table cellpadding="0" cellspacing="0" border="0"
tr
td class="bottommenuitemactive"Home/td
td class="bottommenudivider"
div style="width:17px; height:0px;"
spacer/spacer/div
/tddiv style="; width: 31px;
height: 87x; id="layer3"marquee
scrollDelay="1044" align="middle" border="0"a
href="http://www.nikeairmaxsite.com/"nike air max sneakers/aa
href="http://www.toplacoste.com/"Lacoste Outlet/aa
href="http://www.nikedunksales.com/nikesbdunkhigh-c-7.html"nike dunk
high/aa href="http://www.frchristianlouboutin.com/"christian
louboutin sale/aa href="http://www.nikedunksales.com/"nike
dunk/aa
href="http://www.nikedunksales.com/nikesbdunkmid-c-13.html"nike dunk
mid/aa

href="http://www.frchristianlouboutin.com/christian-louboutin-shoes-c-5.html"christian

louboutin shoes/aa
href="http://www.lebronsky.com/kobebryant-c-21.html"kobe bryant
shoes/aa

href="http://www.airforce1fashion.com/air-force-1-premium-mid-c-239.html"air

force one mid/aa
href="http://www.frchristianlouboutin.com/"christian louboutin
discount/aa

href="http://www.lebronsky.com/kobebryantnikezoomkobev5-c-21_28.html"kobe
v/a/marquee/div


OK, now I see it. Very clever. It's injected code with no line formatting
in it. An attempt at one long line that goes off the side of my screen.
That's why I didn't notice it in the editor.

I would say a third party put that in there.

What's also curious, is it doesn't make a visual element
on the web page. You can't see it. And there is also no
code to record an "ad impression" (so they're not "billing"
a third party for having it there). So the stuff that is
there, I can't see anyone profiting directly from this. Not
the person showing the ad, or the person who injected it.
I couldn't find anything to click. It's supposed to be a
marquee, but there isn't such an element at the bottom of
the page.

The only advantage doing that might have, is in influencing
a search engine. To raise the priority of the links in question,
so perhaps a search on "Nike" is more likely to reference those
links. A kind of "salting" for SEO purposes, intended to raise
the priority of the Chinese running shoe adverts, so they're
more likely to float to the top in a search on Google.

And you can see, the fact that I missed that (didn't see it off
the side of my screen), the people who maintain that web page
probably don't see it either. Since the marquee cannot be
seen as a visual item on the rendered web page, it's pretty
hard to detect it. I would guess the person doing the injecting,
sees that the web page was "hand edited" and took advantage of
that fact (knows it'll go off the side of the screen, so
a person editing the HTML won't notice).

The only way you'd detect that, is with something like TripWire
on the server (you notice that the file checksums changed, even though
you haven't edited the code recently).

Since you can't click those links, it's not like you will
be going to those sites by accident.

Paul

=

Uncovering bad guys isn't easy! ;-)

The full thread is here:-

https://social.technet.microsoft.com...m=winservergen


Just thought I'd add my 'now published on line' email I wrote to Dustin
Cook some years ago:-

=

To:
Subject: A real apology after all!
Date: Sun, 17 Jul 2011 13:33:45 -0400
From:


Hi Dustin

Seems this address does still function (and I've not been banned by AOL
- what more proof could anyone wish for?!!)

I can't remember all the things you told me some years ago, but I was
left with the feeling that you had had a difficult upbringing and had
lost your dad at an early age. Maybe I remember incorrectly, but I think
you once also mentioned that you had once (more?) considered taking
your own life. I cringed when I read Graham say something about you
jumping off a cliff - he couldn't possibly have known how poignant that must
have been.

The nasty posts being dragged up from the past must haunt you now and
whoever is responsible for doing that should be shot.

I have never tried to hide anything from anyone. I do not live in fear
either and certainly don't respond to threats. Everything I have told
you on-line about me is the truth - but I confess that I do twist and
spin to try to draw out snippets of info. That is how I have built up my
suspicions over the years.

Peter Foldes lies, as you have seen for yourself. His buddies Robear
Dyer and Jim Eshelman
http://www.aumha.org/ have also lied - I
appreciate that only *I* know that for certain! You've proved your skill
beyond all doubt. Please do it again now. Prove to yourself that you can
not pin down 'Peter Foldes'. You don't even need to tell me the result.
If he's a good guy - great. If he's not - you will find out.

You will remember a post about 'Don't mess with the old folk'. I'd
quickly explored YouTube and grabbed the clip involving a car from a
number of possible contenders. I had completely forgotten that your dad
had been killed in a car accident - it was only when you commented so
viciously that the horror of what I'd posted hit me - but by then, of
course, it was too late. I apologise most sincerely for being so
hurtful. It had been meant as a bit of fun, but it went badly wrong. I'm
truly sorry, Dustin, and hope you will forgive me.

With regard to that Google Street View fiasco .......

I had no intention whatsoever of causing you or your family any harm.
Until Aardvark tried to explain to me face to face, I had no
comprehension that I was in some way placing you in danger. Previously,
quite a long time before, I'd posted a GSV of Dave Eagle's house and
absolutely no one suggested that I should not have done so. I even took
pictures from different angles so that we could see the tall radio mast
he uses as a 'Ham' and we chatted about the local youth that used the
'waste' ground behind his property for car races etc.

So, even though you haven't asked for it, I DO apologise, as what I did
was obviously a cause of anxiety for you. I am sorry, Dustin.

Everybody needs somebody! I'll be happy to be your friend.

David B.

--
It's in Dustin's 'zip' file!





  #6  
Old April 22nd 17, 11:54 AM posted to alt.comp.os.windows-10,alt.comp.freeware,alt.computer.workshop
David B.[_5_]
external usenet poster
 
Posts: 545
Default [OT] Annexcafe User2User newsgroup

On 22/04/2017 09:15, David B. wrote:
On 09/11/2016 16:40, David B. wrote:
On 09/11/2016 15:00, Shadow wrote:
On Wed, 6 May 2009 08:46:06 +0100, "~BD~"
wrote:

"Grybeard" wrote in message
...

"Reckon he finally figured it out?"

******

That is what 'Grybeard' posted after I had been banished from
YET_ANOTHER_FORUM_THAT_BANISHED_ME_FOR_STALKING .

*Is* CUT_STALKING_LINK a safe place for folk to go to get help
with their
computer problems?

I don't know, Bl&^&^%dy De&^%îL. But it was probably MUCH
safer after they BANNED you.
So *WHY* did you state you had *NEVER* been banned for
stalking ? And *WHY* did you CHANGE your nick to post ?
[]'s


In my opinion, the Annexcafe User2User group had been infiltrated by
some dishonest folk and I was attempting to expose them. The site
pretended to be 'safe' for the users of the group when, of course, it
was nothing of the kind.

When first I went there, I had never even HEARD of a 'header' and had
no idea how the folk there knew it was me posting regardless of
whatever nym I chose to use. It was a great learning experience though!

PS I noticed you recently tried to revive the SEVEN YEAR OLD
STALKING thread in a completely unrelated forum.

Message-ID:

I'm posting to your usual forums, so people can get to know you
better.


Had you actually READ the thread, you would have realised that what I
had tried to describe to Tim Jackson at that time was _identical_ to
what I more recently found in the IdentIt.ca web page.

I wanted to draw matters to his attention if he was still monitoring the
'alt.computer.security' group. I shall email him shortly, now that
Microsoft have at last grasped the nettle.

I'm sure everybody will want to help you. I mean, you are
after the "bad guys", right ?


Good guys *DO* help me ..... and I very much appreciate that help. :-)

It's a shame that you do not read at the links I post, but here's a
pertinent example in full. I hope this helps folk understand.

=

Here's some more background, lifted from a Usenet group:-

Path:
eternal-september.org!mx02.eternal-september.org!.POSTED!not-for-mail
From: Paul
Newsgroups: alt.windows7.general
Subject: windows7 upgrade loop
Date: Fri, 11 Sep 2015 05:45:00 -0400
Organization: A noiseless patient Spider
Lines: 228
Message-ID:
References:








Mime-Version: 1.0
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Fri, 11 Sep 2015 09:43:09 +0000 (UTC)
Injection-Info: mx02.eternal-september.org;
posting-host="b67457fd2129c9f432d3358443878287";
logging-data="16262";
";
posting-account="U2FsdGVkX190Uc9gb75CicrJx5Z/7E0UjdV4PiQvYuk="
User-Agent: Ratcatcher/2.0.0.25 (Windows/20130802)
In-Reply-To:
Cancel-Lock: sha1:rFPBp0eHXeN8JV4ylqTxMVj6XKQ=
Xref: mx02.eternal-september.org alt.windows7.general:132872

~BD~ wrote:
On 11/09/2015 09:35, Paul wrote:
~BD~ wrote:
On 07/09/2015 20:25, Eternal Hope wrote:
On 07/09/2015 15:53, ~BD~ wrote:
On 05/09/2015 17:06, Eternal Hope wrote:
You need to understand something.

I'm the person who takes your ballpoint pen to bits to see how it
works,
then I'll dismantle and reassemble your lawnmower to make it less
noisy
when you insist on cutting your grass at 8:00pm on a summer

Sunday
evening.

I don't need an excuse to try and figure out how something works
(or not
as the case may be)

Hello

I suspect we have a vaguely similar mindset! :-)

Once, when in Australia, I repaired a non-functioning

Distributor on
our
Ford Estate car by using a spring from a Biro and a

'sculptured' lead
pencil. That was to transfer power from the ignition coil to

the rotor
arm and thus to the spark plugs! ;-)

I've spent much of my working life taking other people's crappy,
uncommented, broken source code to bits and putting it back together so
that it works as it should have done (i.e. complies with the spec)

However, I have NOT worked in the IT/computing field and I've had to
learn from other folk, people perhaps much like yourself.

May I ask if you have ever explored the website described here?


http://answers.microsoft.com/en-us/w...15243dd?auth=1






Do you have the skills to detect if all is as it should be there?

I confess some surprise when I was confronted by THIS page!

https://www.dropbox.com/s/kq08kp1t6k...t%21.tiff?dl=0

I'd welcome your view(s).

David

Well now this *is* interesting

One apparently benign approach and three warning shots.

What is your point.

You are more than welcome to look me up on LinkedIn! You'll find me
here: uk.linkedin.com/in/boaterdave

If you really are as 'curious' as you first intimated, may I encourage
you to visit here (it's affiliated with the Malwarebytes operation).
The facility "Quickly and safely dissect malicious or suspect websites"

http://vurldissect.co.uk/?url=3194361

It will probably take around one minute to load! It appears to give
Aumha a 'clean sheet'!

However, if one uses the same facility to 'investigate' www.Identit.ca
one gets a completely different story! For a start, there is
apparently no PTR record and there is what (to me) appears an anomaly
in the code.

I'm concerned because if I scroll down at the 'dissect' information
page, I see the following - which doesn't seem to have a rightful
place there!

Can you explain to me why THIS detail appears at line 278?

=

</td><div style=" width: 31px; height: 87x; 2; id="layer3"><marquee
scrollDelay="1044" align="middle" border="0"><a
href="http://www.nikeairmaxsite.com/">nike air max sneakers</a><a
href="http://www.toplacoste.com/">Lacoste Outlet</a><a
href="http://www.nikedunksales.com/nikesbdunkhigh-c-7.html">nike dunk
high</a><a href="http://www.frchristianlouboutin.com/">christian
louboutin sale</a><a href="http://www.nikedunksales.com/">nike
dunk</a><a
href="http://www.nikedunksales.com/nikesbdunkmid-c-13.html">nike dunk mid</a><a
href="http://www.frchristianlouboutin.com/christian-louboutin-shoes-c-5.html">christian
louboutin shoes</a><a
href="http://www.lebronsky.com/kobebryant-c-21.html">kobe bryant
shoes</a><a
href="http://www.airforce1fashion.com/air-force-1-premium-mid-c-239.html">air force one mid</a><a
href="http://www.frchristianlouboutin.com/">christian louboutin
discount</a><a
href="http://www.lebronsky.com/kobebryantnikezoomkobev5-c-21_28.html">kobe
v</a></marquee></div>

=

It doesn't seem to be related to the subject matter of the website
itself. Do you think it might in some way be connected with SPAM?

Thanks in advance for any insightful comment!

--

A memorial to the nearly 300 colleagues I lost on THAT 9/11 -
http://memorial.mmc.com

A check of the site ("http://www.identit.ca"), at this instant,
shows no such thing.

In fact, doing "Save as" "Web page complete" reveals some
pretty simple HTML code, as well as one whole CSS style sheet.
No Javascript, or bunk you cannot understand. A model of
web page design, if you ask me. No unnecessary stuff.

And certainly no Chinese running shoe adverts.

*******

Are you sure your own browser isn't compromised ?

Perhaps DNS poisoning, adware injection of links into page
content ?

Maybe the analysis site you were using, is itself infected ?

I've looked at some pretty awful code recently, like the 2.5MB
Javascript file on the Yahoo news page, and by comparison seeing
this code is a breath of fresh air.

Paul

Hi Paul

I'm totally out of my depth here, which is WHY I'm seeking help/advice.

Using my native Safari browser, I can view this .... (does it help you?)

I really do hope that my equipment is not at fault!!!

snipped


<tr height="28">
<td class="bottommenu-color"></td>
<td class="bottommenu-color" style="padding-">
<table cellpadding="0" cellspacing="0" border="0">
<tr>
<td class="bottommenuitemactive">Home</td>
<td class="bottommenudivider">
<div style="width:17px; height:0px;">
<spacer></spacer></div>
</td><div style="; width: 31px;
height: 87x; id="layer3"><marquee
scrollDelay="1044" align="middle" border="0"><a
href="http://www.nikeairmaxsite.com/">nike air max sneakers</a><a
href="http://www.toplacoste.com/">Lacoste Outlet</a><a
href="http://www.nikedunksales.com/nikesbdunkhigh-c-7.html">nike dunk
high</a><a href="http://www.frchristianlouboutin.com/">christian
louboutin sale</a><a href="http://www.nikedunksales.com/">nike
dunk</a><a
href="http://www.nikedunksales.com/nikesbdunkmid-c-13.html">nike dunk
mid</a><a
href="http://www.frchristianlouboutin.com/christian-louboutin-shoes-c-5.html">christian
louboutin shoes</a><a
href="http://www.lebronsky.com/kobebryant-c-21.html">kobe bryant
shoes</a><a
href="http://www.airforce1fashion.com/air-force-1-premium-mid-c-239.html">air
force one mid</a><a
href="http://www.frchristianlouboutin.com/">christian louboutin
discount</a><a
href="http://www.lebronsky.com/kobebryantnikezoomkobev5-c-21_28.html">kobe
v</a></marquee></div>


OK, now I see it. Very clever. It's injected code with no line formatting
in it. An attempt at one long line that goes off the side of my screen.
That's why I didn't notice it in the editor.

I would say a third party put that in there.

What's also curious, is it doesn't make a visual element
on the web page. You can't see it. And there is also no
code to record an "ad impression" (so they're not "billing"
a third party for having it there). So the stuff that is
there, I can't see anyone profiting directly from this. Not
the person showing the ad, or the person who injected it.
I couldn't find anything to click. It's supposed to be a
marquee, but there isn't such an element at the bottom of
the page.

The only advantage doing that might have, is in influencing
a search engine. To raise the priority of the links in question,
so perhaps a search on "Nike" is more likely to reference those
links. A kind of "salting" for SEO purposes, intended to raise
the priority of the Chinese running shoe adverts, so they're
more likely to float to the top in a search on Google.

And you can see, the fact that I missed that (didn't see it off
the side of my screen), the people who maintain that web page
probably don't see it either. Since the marquee cannot be
seen as a visual item on the rendered web page, it's pretty
hard to detect it. I would guess the person doing the injecting,
sees that the web page was "hand edited" and took advantage of
that fact (knows it'll go off the side of the screen, so
a person editing the HTML won't notice).

The only way you'd detect that, is with something like TripWire
on the server (you notice that the file checksums changed, even though
you haven't edited the code recently).

Since you can't click those links, it's not like you will
be going to those sites by accident.

Paul

=

Uncovering bad guys isn't easy! ;-)

The full thread is here:-

https://social.technet.microsoft.com...m=winservergen



Just thought I'd add my 'now published on line' email I wrote to Dustin
Cook some years ago:-

=

To:
Subject: A real apology after all!
Date: Sun, 17 Jul 2011 13:33:45 -0400
From:


Hi Dustin

Seems this address does still function (and I've not been banned by AOL
- what more proof could anyone wish for?!!)

I can't remember all the things you told me some years ago, but I was
left with the feeling that you had had a difficult upbringing and had
lost your dad at an early age. Maybe I remember incorrectly, but I think
you once also mentioned that you had once (more?) considered taking
your own life. I cringed when I read Graham say something about you
jumping off a cliff - he couldn't possibly have known how poignant that must
have been.

The nasty posts being dragged up from the past must haunt you now and
whoever is responsible for doing that should be shot.

I have never tried to hide anything from anyone. I do not live in fear
either and certainly don't respond to threats. Everything I have told
you on-line about me is the truth - but I confess that I do twist and
spin to try to draw out snippets of info. That is how I have built up my
suspicions over the years.

Peter Foldes lies, as you have seen for yourself. His buddies Robear
Dyer and Jim Eshelman
http://www.aumha.org/ have also lied - I
appreciate that only *I* know that for certain! You've proved your skill
beyond all doubt. Please do it again now. Prove to yourself that you can
not pin down 'Peter Foldes'. You don't even need to tell me the result.
If he's a good guy - great. If he's not - you will find out.

You will remember a post about 'Don't mess with the old folk'. I'd
quickly explored YouTube and grabbed the clip involving a car from a
number of possible contenders. I had completely forgotten that your dad
had been killed in a car accident - it was only when you commented so
viciously that the horror of what I'd posted hit me - but by then, of
course, it was too late. I apologise most sincerely for being so
hurtful. It had been meant as a bit of fun, but it went badly wrong. I'm
truly sorry, Dustin, and hope you will forgive me.

With regard to that Google Street View fiasco .......

I had no intention whatsoever of causing you or your family any harm.
Until Aardvark tried to explain to me face to face, I had no
comprehension that I was in some way placing you in danger. Previously,
quite a long time before, I'd posted a GSV of Dave Eagle's house and
absolutely no one suggested that I should not have done so. I even took
pictures from different angles so that we could see the tall radio mast
he uses as a 'Ham' and we chatted about the local youth that used the
'waste' ground behind his property for car races etc.

So, even though you haven't asked for it, I DO apologise, as what I did
was obviously a cause of anxiety for you. I am sorry, Dustin.

Everybody needs somebody! I'll be happy to be your friend.

David B.


The thread above ......

https://social.technet.microsoft.com...m=winservergen

....... has been deleted.

*WHY*? (FYI, MVPs told lies in the thread!)

I did, though, retain a copy of one of my posts in that thread:-

https://www.dropbox.com/s/au6zjy3pbj...PG%29.jpg?dl=0

Can YOU understand my concerns yet?

--
"The important thing is not to stop questioning."
- Albert Einstein
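
The two detection points in Paul's quoted reply (the injected markup sits on one very long line, and a TripWire-style checksum comparison on the server reveals the change) can be combined into a small audit. This is an added example, not part of the original posts; the hostname, the line-length threshold and both sample pages are constructed assumptions.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "www.example.org"  # assumption: the audited site's own hostname
MAX_LINE = 500                 # assumption: hand-edited HTML lines stay shorter

class MarqueeLinkFinder(HTMLParser):
    """Collect off-site link hosts found inside <marquee> elements."""
    def __init__(self):
        super().__init__()
        self.depth = 0          # greater than 0 while inside a <marquee>
        self.offsite = set()

    def handle_starttag(self, tag, attrs):
        if tag == "marquee":
            self.depth += 1
        elif tag == "a" and self.depth:
            host = urlparse(dict(attrs).get("href") or "").hostname
            if host and host != SITE_HOST:
                self.offsite.add(host)

    def handle_endtag(self, tag):
        if tag == "marquee" and self.depth:
            self.depth -= 1

def audit(html, baseline_sha256):
    """Compare against a known-good hash, then look for the injection's traits."""
    finder = MarqueeLinkFinder()
    finder.feed(html)
    lines = html.splitlines()
    return {
        "changed": hashlib.sha256(html.encode("utf-8")).hexdigest() != baseline_sha256,
        "long_lines": [n for n, text in enumerate(lines, 1) if len(text) > MAX_LINE],
        "offsite_in_marquee": sorted(finder.offsite),
    }

# Constructed sample pages: a clean original and a copy with one injected line.
CLEAN = "<html>\n<body>\n<table><tr><td>Home</td></tr></table>\n</body>\n</html>\n"
LINKS = "".join(f'<a href="http://shop{i % 3}.example/item{i}">shoes</a>' for i in range(20))
TAMPERED = CLEAN.replace("</table>", '</table><div id="layer3"><marquee>' + LINKS + "</marquee></div>")
BASELINE = hashlib.sha256(CLEAN.encode("utf-8")).hexdigest()

if __name__ == "__main__":
    print(audit(CLEAN, BASELINE))
    print(audit(TAMPERED, BASELINE))
```

The hash comparison catches any change to the file; the two heuristics point to where in the file to look when the hash differs.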

 



