~ Stalking Lore ~
Updated in March 2008
General stalking techniques
Enemy tracking, a difficult art, can be divided into various lore: stalking, reversing language patterns and luring. In order to stalk people (especially messageboards' characters) you need a thorough knowledge of Usenet spamming (and war) techniques like flaming, trolling, avatar mobbing (sockpuppets) and crossposting.
A good reverser can moreover try to 'reconstruct' (part of) the snailtrail of his enemies and defeat their smoke curtains applying some semantical reverse engineering tricks.
Finally the reverser will lure his targets into the open web and identify them. Slowbombing them, or applying other sorts of web-attacks, may follow.
Stalking, an introduction
Some simple stalking tools (Traceroute, Lookup)
Yellow pages, White pages (stalking people on the web)
Simple email stalking techniques
Reversing language patterns
Stalking through images
Luring Lore and other social engineering tricks
Usenet Lore
Trolling Lore

"...they track us, our interests and our hosts, we track them,
 their interests and their hosts, it's an interesting match and we'll 
 always win, coz we do not do it for money...              +ORC"

[Stalking, an introduction]
[Searching through headers and other tricks]
[An older simple stalking attempt]
[Stalking the stalkers' tool] [Balif's stalking masterpiece]
[Other links and tools] [Fravia's antispamming related page]
[how to keep in exercise]

Stalking, an introduction 

Identity plays a key role on the web. The Internet offers instant communication with people all over the world through a plethora of channels: messageboards, email, chat rooms. In communication, which is the primary scope of any web-related activity, knowing the identity of those with whom you communicate is essential for understanding and evaluating an interaction. Yet in the disembodied world of the virtual community, identity is extremely ambiguous. The recipients are provided only with the information the sender wants them to see. Many of the basic visual and aural cues about personality and social role we are accustomed to in the physical world are absent. And we regularly use exactly such cues - though often not consciously aware of it - to make attributions. Other cues are present on the web, yet difficult to interpret.
If you receive an email from a guy whose address is with an attached image of a middle aged man sitting comfortably on the patio of his house, you may be fooled into thinking that you have to do with a guy named Bill Olderson. It could be, yet you'll never have any real proof of it. One can have, on the web, as many electronic personas as one has time and energy to create (and memory to recall :-)

Even more complicated pranks are possible on the web. You could create a complete faked university with little work. The web is full of NON EXISTING universities, institutions, groups and associations. You may easily create ex novo a totally bogus university, with nice name, good looking seals, imaginary list of professors.
Each one of them would of course be you, and yet answer to any inquiry with ad hoc pre-prepared emails: John W. Krasnjewsky, University of Salsaparilla, Department of Advanced Internet Studies, Dean.
Just build a "professional website", foresee adequate fees for entrance, courses and examinations, and offer "accredited" MBAs and diplomas for money (create an "accrediting entity" ad hoc if needs be).
You think I am kidding? Think again: many people do just that already.
The web is full of gullible morons, and -what's even worse- the real world is full of administrative idiots that would trust such MBAs: ("Distance Online MBA Certification for who (sic) are studing a MBA or for who already did (sic) a MBA") in your curriculum vitae. You want a MBA for 150 euro?

Hence the importance of stalking, also in order to bust pranks and prankers.

Yet, while it is true that a single person can create multiple electronic identities that are linked only by their common progenitor, that link, almost invisible in the virtual world, is of great significance, and can often be quickly individuated.

That is the weak point of any virtual created identity. It's easy to say that your avatars should have 'coherent' personalities, i.e. if you create a 'lorry driver' personality and a 'university professor' personality, the two should have COMPLETELY different speech patterns, yet this is very difficult to implement.
Stalkers should be very versatile experts, ready to read and recognize voluntarily altered writing patterns.

Usenet, for obvious reasons, is the field you should peruse to learn the first elements of the stalking art. These you'll be able to apply, later, to any messageboard or email exchange. See, once again: the basic premise is that the users are who they claim to be. There are, however, variances between the different newsgroups as to what constitutes a real or "legitimate" identity. And there are numerous cases of identity deception, from the pseudo-naive trolls to the shills and kooks and board spammers.

See for a more detailed explanation the ad hoc related sections of searchlores: Usenet Lore and Trolling Lore

Boring as most of these little silly wars are, there are GREAT lessons in stalking hidden in there. That's why you too will have to deal with this. Actually, as usual in the Web, many of our techniques cross and merge reciprocally: Anonymity techniques, how to search general knowledge, reality cracking tricks, usenet techniques, anti-spamming and anti-advertisement knowledge are ALL required to tackle some of the tasks that you'll have to perform if you really intend to master what you are trying to learn now. Let's, moreover not forget how useful will be our holy software reversing skills each time we'll decide to use some of the many tools that the Web offers to track down our targets (tools that are unfortunately at times crippled or simply too short-lived :-)

If you are an experienced 'global' reverser you'll have more survival chances than many others, but only your own complementary work, and your own experience, will keep you acting as a hunter while keeping at the same time your target acting as a game and not the other way round.

Some professional spammers may turn quite nasty AGAINST you, when you're chasing them, if you're not careful -and powerful- enough.

In order to gather more material, just search for 'avoiding flaming' and 'trolls flames' on any good search engine or follow some of the links provided here. As you'll see there are plenty of documents and faqs on these subjects all over the web.

Trolling, in the stalking context, deserves a special mention: the verb denotes, originally, a style of fishing in which one trails bait through a likely spot, hoping for a byte. Real, able and powerful Master trolls have a double audience: the idiots (newbies and flamers) that bite the bait and the 'troll-savvy' (often silent) that enjoy the troll. It is indeed possible, albeit difficult, to identify and track down experienced trollers. They are in fact among the most interesting game out there (together with professional spammers on rogue ISPs) for any 'professional' stalker.

So, as said, the basic premise is actually, often enough, that the counterpart, on the web, is NOT who he/she claims to be... the danger is that the limited identity cues of the netherworld may make people accept at face value a writer's claims of credibility: it may take a long time - and a history of dubious postings - until people start to wonder about the actual knowledge of a self-proclaimed expert.

This said it is also true that - for web related matters - 'official' experts are often FAR inferior to clever autodidacts, so you never know :-)

When examining communications, it is important to try to distinguish between the 'expressions given' and the 'expressions given off'. The former are the deliberately stated messages indicating how one wishes to be perceived; the latter are the much more subtle - and sometimes unintentional - messages communicated via action and nuance in the real world. Both forms of expression are subject to deliberate manipulation, but the "expression given off" is much harder to control. This is true for the cyber world as well, even if we lack, here, the many clues offered by "real world" body language. One can write "I am female", but sustaining a mind set and reactions that are convincingly a woman's may prove to be quite difficult for a man.

Writing style can identify the author of a posting. A known and notorious net personality hoping to appear online under a fresh name may have an easier time disguising his or her header ID than the identity revealed in the text. The introduction to the cypherpunks newsgroup includes this warning:

The cypherpunks list has its very own net.loon, a fellow named L. Detweiler. 
The history is too long for here, but he thinks that cypherpunks are evil 
incarnate. If you see a densely worded rant featuring characteristic words 
such as ``medusa'', ``pseudospoofing'', ``treachery'', ``poison'', or ``black lies'', 
it's probably him, no matter what the From: line says. 
							- Cypherpunks mailing list
In this case, where the usual assessment signal - the name in the header - is believed to be false, language is used as a more reliable signal of individual identity. See also how spammers use multiple identities on the very nice "Kook of the Month" site.

One newsgroup that contains many business-card signatures is The discussion here is about how to make unix systems secure - and about known system flaws. Many of the participants are system administrators of major institutions, others are just learning how to set up a system in a fledgling company and some other, of course, are just hoping to learn how to break into systems :-)

A posting suggesting that administrators improve their sites by changing this or that line of code in the system software could be a furtive attempt to get novice administrators to introduce security holes. Identity deception is a big concern of the participants in this group, and this makes it VERY interesting for any advanced studiosus of these matters, to try sooner or later his luring abilities in this group. (When you do it, if you want to be taken seriously (and you probably won't go very far even so :-) first create 'really' your own company, say 'Software Alternative Limited', then name yourself 'Director of Software Development', create your domain and sign with something like "".

Many varieties of identity deception can be found within the Usenet newsgroup. Some are quite harmful to individuals or to the community; others are innocuous, benefitting the performer without injuring the group. Some are clearly deceptions, meant to provide a false impression; others are more subtle identity manipulations, similar to the adjustments in self-presentation we make in many real world situations.

Until recently, header information was quite reliable. Most people accessed Usenet with software that inserted the account name automatically - one had to be quite knowledgeable to change the default data. Today, many programs simply let the writer fill in the name and address to be used, making posting with a false name and site much easier. The astute observer may detect suspicious anomalies in the routing data (the record of how the letter passed through the net) that can expose a posting from a falsified location. Yet few people are likely to look that closely at a posting unless they have reason to be suspicious about its provenance.

It is useful to distinguish between pseudonymity and pure anonymity. In the virtual world, many degrees of identification are possible. Full anonymity is one extreme of a continuum that runs from the totally anonymous to the thoroughly named. A pseudonym, though it may be untraceable to a real-world person, may have a well-established reputation in the virtual domain; a pseudonymous message may thus come with a wealth of contextual information about the sender. A purely anonymous message, on the other hand, stands alone.

There are some useful tricks to narrow down the number of suspected targets in order to stalk a pseudonym user. One of the best ones I know of is the time trick, but in order to understand it you must first know the basic elements of an email header.

Searching through headers and other tricks (This part -I should have checked- comes directly from Symantec's page ~ begin)

Here is a sample email header (colors added). The final receiver's address is ''.

Received: (2228 bytes) by <> via sendmail with P:stdio/D:user/T:local (sender: <>) id m0xUFxr-001cL6C@your.domain.dom for; Sat, 8 Nov 1997 10:50:35 -0800 (PST) (Smail- 1997-Oct-16 #12 built 1997-Oct-28)
Received: from ( []) by (8.8.7/8.7.3) with ESMTP id KAA01565; Sat, 8 Nov 1997 10:43:34 -0800 (PST)
From:
Received: from ( []) by with ESMTP id CAA25373; Sun, 9 Nov 1997 02:44:51 +0800 (SGT)
Received: from ( []) by with SMTP id CAA12179; Sun, 9 Nov 1997 02:43:10 +0800 (SGT)
Received: from ( ( by (8.8.5/8.6.5) with SMTP id GAA04211 for <>

It may look confusing, but there are some patterns that tell you everything you need to know. The header can be broken into several sections, each beginning with the word "Received".

The first 'Received' is from your email server. This section lists the supposed sender, the message ID number, and when the message came in. The other 'Received: from' tags are from remailers that the spammer used to make it more difficult to track him/her down.

  1. Find the last 'Received: from' entry in the header. This usually shows the originating server.
  2. Find and write down the server domain and its IP address. This information appears in parentheses in each 'Received: from' entry.

Machine Name

IP Address

(This part -I should have checked- comes directly from Symantec's page ~ end)
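
The reading order described above, as an added example for spam triage (not part of the original page, nor Symantec's or Gandalf's code). It parses the Received chain, marks the deepest hop stamped by a server you trust, since every line below that one was supplied by the sender, and flags inconsistencies that hint at forged lines. The sample message, its hostnames and all function names are constructed for illustration.

```python
import re
from datetime import timedelta
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample, not taken from the page: reserved example domains and
# RFC 5737 documentation addresses. The bottom Received line plays the forgery.
SAMPLE = (
    "Received: from relay.example.net (relay.example.net [198.51.100.7])\n"
    "\tby mx.example.org (8.8.7/8.7.3) with ESMTP id KAA01565;\n"
    "\tSat, 8 Nov 1997 10:43:34 -0800 (PST)\n"
    "Received: from dialup.example.com (pool-9.example.com [203.0.113.99])\n"
    "\tby relay.example.net with SMTP id CAA12179;\n"
    "\tSun, 9 Nov 1997 02:43:10 +0800 (SGT)\n"
    "Received: from mail.bank.example (mail.bank.example [192.0.2.200])\n"
    "\tby gateway.bank.example with SMTP id GAA04211;\n"
    "\tSun, 9 Nov 1997 09:00:00 +0800 (SGT)\n"
    "From: someone@bank.example\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

# "from <HELO name> (<reverse-DNS name> [<ip>]) ... by <stamping server>"
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]()]*)\s*\[(?P<ip>[0-9A-Fa-f.:]+)\]\)"
    r".*?\bby\s+(?P<by>\S+)"
)


def parse_hops(raw):
    """Return the Received hops newest first, the order they appear in the mail."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        flat = " ".join(value.split())          # undo header folding
        match = RECEIVED_RE.search(flat)
        if not match or ";" not in flat:
            continue                            # e.g. local delivery, no "from"
        hop = match.groupdict()
        # The timestamp follows the last ';'; trailing "(PST)" comments are ignored.
        hop["time"] = parsedate_to_datetime(flat.rsplit(";", 1)[1].strip())
        hops.append(hop)
    return hops


def trust_boundary(hops, trusted):
    """Index of the deepest hop stamped by a server in `trusted`, or None.

    Only the 'from' address recorded at that hop is a reliable fact; every
    Received line below it arrived as part of the message and can be invented.
    """
    boundary = None
    for index, hop in enumerate(hops):
        if hop["by"].lower() not in trusted:
            break
        boundary = index
    return boundary


def anomalies(hops, skew=timedelta(minutes=5)):
    """Flag hints of forgery as (hop index, reason) pairs. Hints, not proof."""
    found = []
    for index, hop in enumerate(hops):
        # The name announced in HELO differs from what reverse DNS returned.
        if hop["rdns"] and hop["helo"].lower() != hop["rdns"].lower():
            found.append((index, "helo-mismatch"))
        if index + 1 == len(hops):
            break
        older = hops[index + 1]
        # An older hop stamped later than a newer one. Small reversals are
        # ordinary clock skew (two hops in the page's own sample are 77 seconds
        # out of order), hence the tolerance.
        if older["time"] - hop["time"] > skew:
            found.append((index + 1, "time-reversal"))
        # The server that stamped the older hop should be the one that hands
        # the message to the newer hop.
        if older["by"].lower() != hop["helo"].lower():
            found.append((index + 1, "chain-break"))
    return found


if __name__ == "__main__":
    hops = parse_hops(SAMPLE)
    edge = trust_boundary(hops, {"mx.example.org"})
    print("last reliable sender address:", hops[edge]["ip"])
    for index, reason in anomalies(hops):
        print(f"hop {index} ({hops[index]['by']}): {reason}")
```

The set passed to trust_boundary should list only the mail servers you or your provider operate; an address read from below that boundary belongs in an abuse report only as "claimed", never as established.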

Of course you should by all means read Gandalf's info, which is far superior to the Symantec information above, at

More URLs to help you figure out how to look at the headers:

Time pattern matters (fravia's trick)
Now, all the above can be easily faked; what could be really important is that you may be able (unfortunately NOT always :-) to discern the TIME of day "patterns" at which the operations you can read above have been performed. See: if your target updates his web page, or mails letters to usenet, he will mostly tend to do it on a REGULAR basis. Even if he uses automated dynamic providers like Compuserve or AOL (which is always a good idea), and even if he writes to the usenet groups through an anonymous remailer, or DejaNews itself or whatever, he will tend to do it at FIXED TIMES. It is sometimes incredibly easy to find out in which part of the world a target lives just studying his timing patterns!
Most people work on the Internet in the evening hours, say between 21 and 24:00 local time.
A commonly used 'luring' technique consists in publishing or emailing to your target some 'luring baits' (in order to get the target to react) indicating a (faked and bogus) page of yours on some free server, where you have -supposedly- put something that the target badly needs or is interested in. Examining the logs for that page you'll be able to see WHEN the target has accessed it. Many targets will access it anonymously just in case, yet few targets are careful enough to do that at an "abnormal" hour of the day.
Deleted postings (Balif's trick)
It may at times be useful to check which cancel messages have been sent to the newsgroups.

As Balif pointed out in a famous posting on alt.2600: to examine all the cancel messages, you can use Dejanews, which does not honor them but actually archives them. Do a power search on group alt.2600, for "control cancel", sorted by date. You can see there all cancel messages coming from a given address.

Unfortunately Dejanews strips important headers. On your news server, cancel messages do not appear in the newsgroup, and are unseen to you. However you can view them by looking in the group "control.cancel". Beware, this group will most likely be enormous. It contains every cancel message your news server has received for all groups. Mine had 75,000 some messages. Here you can examine the headers of the cancel message. Yet it takes feeling and time to stalk information in this way.

Sharp edges (SPUTUM's trick)
Say you have as your target your; do Altavista and Dejanews searches for looking for eventual postings where you may find his real name. Especially check all various alt.test.whatever groups, as these may contain at least one instance of 'rough' preparatory postings, when the target fine-tuned her newsreader's configuration.

Do Altavista and Dejanews searches on any "sharp edge" that sticks out.
"Sharp edges" are, according to SPUTUM, "unique characteristics which can lead one to the real poster". Example: may use as Organization: "balooney inc." on all his Usenet posts. Maybe he forgot to remove this info when posting later. You search for "Organization: balooney inc." (as well as for posts containing his sig), and maybe find all his fatuous posts to alt.fetish.threelegs, and from thence you will find (if you're lucky) his narcissistic website chock full of juicy personal information (or at least of many more "sharp edges").

Other promising "sharp edges": trailing user name in path (...!!imamoron), funky newsreaders (ZippityDooDah News Alpha 0.9), unique signature components.
You may add signature patterns, and even particular emoticons like      :-->      :*)      8-[
Look hard. Be clever. Reverse your target.

There is a whole section of mine, about sharp edges:
read my Language patterns and the stalking tablet section.

3) What if the target used "X-No-Archive: yes" in her headers and all previous steps fail? You may get lucky, and find a follow-up to a previous post which was posted without the "no-archive" clause. Otherwise, the old fashioned 'heavy' way might work: go to the relevant Usenet newsgroup, sort the posters by author name, and look for your target "by hand". Yes the task can be extremely tedious...which is why real stalking is for the patient hunter.

__Enemy identification__
An interesting example: the "Bokler guy" identification
This is an old 'historical' example, yet it will quickly show you the power of Dejanews stalking: was one of the links on my old links.htm page: an "enemy" which I described as "worth investigating". In reality this guy is not an "enemy" of anybody (he only produces in visual basic pretty simple encryption software) and his "cracker page" is not so bad at all, he uses it as a "scarecrow" for the potential buyers of his software. Hope he will not grudge me if I use him as an ideal subject for this lesson... anyway he makes money scaring people with our work, I'll scare him for free showing him what I know about him :-)
Here is the original link to his page if you want to visit it:
An enemy worth investigating
If we hit the page above we'll see as only reference a post office box:
	Bokler Software Corp.
            P.O. Box 261
         Huntsville, AL 35804
          Tel: (205) 539-9901 
          Fax: (205) 882-7401 
Now, let's say we want to know who is the guy behind all this...
1) Fire DejaNews
2) Search for something on his page
(he makes software, he surely did not resist the temptation to publicize it in some usenet, ideal DejaNews target... let's search for "haschipher")
And here is the answer:
Subject:      Re: How to store passwords encrypted in file?
From: (James A. Moore)
Date:         1996/06/26
Message-Id:   <>
References:   <4qltu1$>
Organization: HiWAAY Information Services
Newsgroups:   comp.lang.basic.visual.misc

See for encryption tools: DEScipher/VBX & /OCX,
and HASHcipher.

James Moore
Now we have some more interesting data: (James A. Moore)
SO, "real" name and a "real" email... what can we get more?
Well, let's have a look at his *RECENT* interests...
Number of articles posted to individual newsgroups (slightly skewed by cross-postings): 
          11 comp.lang.basic.visual.misc 
          6 comp.lang.basic.visual.3rdparty 
          3 comp.unix.bsd.freebsd.misc 
          2 sci.crypt 
          1 alt.lang.delphi 
          1 comp.infosystems.www.servers.unix 
          1 comp.unix.questions 
Uugh! A Visual Basic buff... can we gather something more searching for James Moore? Let's try and let's poke around a little using a search inside the most used newsgroup:
6 Hits for Query on DESchipher inside comp.lang.basic.visual.misc

       Date   Scr        Subject              Newsgroup           Author
  1. 96/08/12 017 Re: Form1.Show(1) and En comp.lang.basic.vis (Jam
  2. 96/06/18 017 Re: Encryption for Visua comp.lang.basic.vis (Jam
  3. 95/10/21 017 Visual Basic Control (VB comp.lang.basic.vis (Bo
  4. 96/04/27 016 Re: Password encrypting  comp.lang.basic.vis (Jam
  5. 95/11/23 016 Re: Protection from pass comp.lang.basic.vis dbrockle@compusense
  6. 96/01/09 013 VBX for Data Encryption. comp.lang.basic.vis (Jam

Well, let's have a look at this suspicious (from november 1995) Darren Brocklehurst (email address -> Darren Brocklehurst), this is the only old letter about DESchipher, is a bad concealed publicity of Bokler software as you can yourself read Re: Protection from password cracks? i.e. alt.cracks (Ah! What they would not do for some more money, the commercial programmers!) and there is something interesting in this name (Brockle-->Bokler): and see his profile!

Number of articles posted to individual newsgroups (slightly skewed by cross-postings): 
          123 comp.lang.basic.visual.misc 
          35 comp.lang.basic.visual.3rdparty 
          26 comp.lang.basic.visual.database 
          1 comp.lang.basic.misc 
          1 comp.lang.basic.visual 
          1 sci.electronics 

His profile is almost identical with our "James A. Moore"! Where does our Brocklehurst live? (Yahoo search)
 D M Brocklehurst
 Albuquerque,NM 87112
So, he lives in New Mexico too...
And do we have a James A. Moore in New Mexico somewhere?
 James Moore
 701 W San Mateo Rd, Santa Fe, NM 87505-3921
MMM.. Sounds good: Do we have here the real guy and his pal? Let's first check out something else: using whowhere and the previous address we'll find the following:
Bokler Software Corp
Santa Fe, New Mexico
United States of America

Good! So the Bokler company is actually registered in New Mexico, who answers the Alabama telephone? (Four11 search)
Jim Moore 
United States Of America 
E-Mail Address: bockler_1@HIWAAY.NET 

So is simply his HIWAAY provider, rerouting email. Telephone may also be rerouted in the same way.
Anyway if we use Infospace we get the address and the real provider of the web space the other way round:
CompanyName:  Bokler Software Corp 
Address:      1570 Pacheco, Suite E-4 
City:         Santa Fe 
State:        New Mexico 
Contact:      bockler_1@HIWAAY.NET 
Domains:      BOKLER.COM 
There it is: the company is registered in Santa Fe, the provider is in Alabama. Obviously such a small thing does not have a real server, and is hosted by somebody, in this case everything on the Bokler page comes through the "hiwaay" business spider, so we can now definitely narrow in on and confirm New Mexico.
Now we started with almost nothing and we found two names, two addresses, two private telephone numbers. Brocklehurst should be the real identity only if the "James Moore" name is just an Avatar (which I do not really believe given the "Visualbasicality" of these guys). "Darren Brocklehurst" is more probably a co-worker at Bokler or a good friend of James Moore and this is the guy we searched for... all in all a pretty good "counter intelligence" work!

__Enemy investigation__
You'll be able to find interesting examples about Dejanews itself [on some pages written long ago]

Well, yes, Dejanews, as you'll learn on [this] page, is a very powerful stalking tool indeed, and the question "who hides behind Dejanews?" is therefore particularly legitimate. (Watch it, part of the relative info needs to be updated: Dejanews has changed a lot in recent times!)

__Enemy investigation__
An EXTREMELY interesting example (now disappeared) was "Balif's debunking".

You need a little background information about this: back in the nineties alt.2600 (an old Usenet hacking group) was heavily spammed by a guy known as 'Archangel', who used some of the most widespread techniques: flaming, trolling, crossposting, faked avatars and gang emailing, in order to gain some dubious personal fame. Of course, in the eyes of any reverser worth his weight, Archangel's claims (on a Usenet group!) of having worked for the CIA and his 'attention seeking' activities did disqualify him immediately (no really competent person would ever 'seek attention' on Usenet), yet hundreds of lusers and newbies believed the whole archangelology to be "cool and interesting stuff". It is amazingly easy, on the web, to brag about things you know nothing about. Until some years ago it was still possible to peruse the results of Balif's stalking activity. Balif, a promising hacker and an incredibly good stalker, used intensively the usenet repositories in order to reconstruct the 'history' of the spammer Archangel. Mind you: the whole Archangel saga was pretty boring (a typical case of 'flogging a dead horse' on usenet: taking topics that have been done to death and rehashing them), and DEFINITELY not worth investigating per se, yet Balif's pages represented an effective example of a thorough stalking work.

BTW, if you want to investigate an earlier stalking project, here you go with an older search, where, with Brian's and "electel balif's plot" (among other things), you can also see what a good stalker gets out of a picture found on the web!

__Enemy investigation__
Some other examples: if you are interested in stalking you'll always get quite interesting info from the 'antispammers' fronts: DSPAM (open source!)
DSPAM is an adaptive filter which means it is capable of learning and adapting to each user's email. Instead of working off of a list of "rules" to identify spam, DSPAM's probabilistic engine examines the content of each message and learns what type of content the user deems as spam (or nonspam). This approach to machine-learning provides much higher levels of accuracy than commercial "hodge-podge" solutions, and with minimal resources. Audit's antispam. Mailwasher's free antispam.

SPUTUM: Spamkilling Personal Interface (Tactical, Enhanced) The three basic spammer types and how to stalk them. (This is the fundamental tutorial on analyzing usenet headers!)

__Let's find out who__ Interesting various links

Gandalf's 'Dealing with Trolls'
search_forms (heavy)
The warez faq, useful also for stalking purposes.
How to search
How to avoid flaming.
Internet Address finder
Stalker page
Reverse Telephone Search page

Usenet DejaNews and other usenet stalking tools
another stalking tool
yet another one
yet another one

Whowhere people finder
All1one people finder

__How to keep in exercise__

For a reverser, stalking can be as much great fun as reversing software protections.

Next time you receive some spamming email DO NOT throw it away. Be cool, and try some of the tricks/techniques described above to stalk the spammer. If you have time you may even try the 'go for it' trick: most spammers, even among the most capable forging dudes, are in fact trying to SELL you something, aren't they? There dwells the real weak point of these assholes. Somewhere, at a given moment they have to give you either a real address or a real telephone number or whatever in order for you to send them your money.

Fishing spammers can be real fun therefore, especially if you have time, patience, flair and a little dose of social engineering capabilities.

Once you have them you can administer your favoured punishment, from denouncing them to their upstream ISPs supplying service (not always useful) to slowbomb them (until they change real address) with faked clients requests and bogus orders for whatever product they sell (very funny and frustrating for them). This is also IMHO the best method to deal with pyramid schemes: just let a dozen postmaster@[] or whatever enter the scheme eh eh.

A word of advice: don't choose too dangerous gamebirds at the beginning: real nasty people can be quite dangerous on the net. It is one thing to stalk a peaceful experienced troller, it is a completely different thing to stalk a ring of high-level protected commercial paedophiles. Learn your stalking, luring and logical reversing ABCs first and don't go around shooting yourself in your feet.

You'll be able to read some other interesting options (in order to retaliate against spammers) when you visit my [Elementary anonymity steps for beginners] page

Stalking tools

Have now their page [ad hoc]


(c) 1952-2032: [fravia+], all rights reserved