So one day, Joe came to me and said, "Waider, someone got mail about posting X to alt.random.newsgroup, and he says he didn't post it. The post definitely came from here. Any chance you could find out who forged the post?"
"Sure, I'll give it a go."
So I looked at the message and checked when it was posted, and figured, okay, all I need to do is see what machine was using the news gateway at that time.
See, back then we ran the TIS firewall toolkit to allow assorted net access. It's a pretty decent kit, but it logs stuff like this:
May 8 16:27:55 rizzo plug-gw[4720]: connect host=unknown/XX.XX.XX.XX destination=XX.XX.XX.XX/5000
May 8 16:29:32 rizzo plug-gw[4720]: disconnect host=unknown/XX.XX.XX.XX destination=XX.XX.XX.XX/5000 in=1448 out=180 duration=97
which is fine when the two lines sit next to each other, but not so fine when they're separated by 50-100 similar lines from different hosts to different destinations. So I thought:
"A little perl should fix this."
Uh-huh. It did. The part that does most of the exciting stuff looks like this:
if (/^(\w+\s+[0-9]+\s+[0-9][0-9]:[0-9][0-9]:[0-9][0-9])\s+\w+\s+(plug|tn|ftp)-gw\[([0-9]+)\]: ((dis)?(connect|exit))(ed)? host=([^\/]+)\/([0-9.]+)( dest[^=]*=([^\s]+))?/) {
which matches all the lines I wanted to know about, and made Joe's head explode as a side effect. No, I didn't come up with it off the top of my head, nor can I recall how long it took to evolve. But hey. It does the job, as I expected it would.
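For anyone who wants to see the whole trick rather than just the regex, here is an added example (mine, not the code from the original post) done in Python instead of Perl. It carries the post's pattern over with named groups, pairs each connect line with its disconnect/exit line by the gateway process id and client IP, and then answers the question that started all this: which host had a session to the news gateway open at a given moment. The log lines, client IPs and the news-gateway address/port are constructed for the example, and since syslog lines carry no year, one is assumed so the timestamps can be compared.

```python
import re
from datetime import datetime

# Assumed: syslog lines carry no year, so one is supplied to make timestamps comparable.
ASSUMED_YEAR = 1997

# Constructed sample of TIS fwtk plug-gw lines: three sessions from different
# hosts interleaved, the way the post describes the real log looking.
SAMPLE_LOG = """\
May  8 16:20:10 rizzo plug-gw[4701]: connect host=unknown/192.0.2.10 destination=198.51.100.5/119
May  8 16:25:02 rizzo plug-gw[4715]: connect host=unknown/192.0.2.23 destination=198.51.100.5/119
May  8 16:27:55 rizzo plug-gw[4720]: connect host=unknown/192.0.2.44 destination=198.51.100.5/5000
May  8 16:28:40 rizzo plug-gw[4701]: disconnect host=unknown/192.0.2.10 destination=198.51.100.5/119 in=1448 out=180 duration=510
May  8 16:29:32 rizzo plug-gw[4720]: disconnect host=unknown/192.0.2.44 destination=198.51.100.5/5000 in=1448 out=180 duration=97
May  8 16:31:05 rizzo plug-gw[4715]: disconnect host=unknown/192.0.2.23 destination=198.51.100.5/119 in=9020 out=411 duration=363
"""

# The post's Perl pattern, transcribed with named groups. "connected"/"exit"
# cover the wording tn-gw and ftp-gw use; plug-gw says connect/disconnect.
LINE_RE = re.compile(
    r"^(?P<mon>\w+)\s+(?P<day>\d+)\s+(?P<time>\d\d:\d\d:\d\d)\s+\w+\s+"
    r"(?P<gw>plug|tn|ftp)-gw\[(?P<pid>\d+)\]: "
    r"(?P<action>(?:dis)?(?:connect|exit))(?:ed)? "
    r"host=(?P<hostname>[^/]+)/(?P<ip>[0-9.]+)"
    r"(?: dest[^=]*=(?P<dest>\S+))?"
)


def stamp(mon, day, time, year=ASSUMED_YEAR):
    """Turn the syslog date fields into a datetime (year assumed)."""
    return datetime.strptime(f"{year} {mon} {day} {time}", "%Y %b %d %H:%M:%S")


def parse_line(line):
    """Return the fields of one gateway log line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["when"] = stamp(rec.pop("mon"), rec.pop("day"), rec.pop("time"))
    return rec


def pair_sessions(lines):
    """Join each connect line to its disconnect/exit line by gateway pid and client IP.

    Returns sessions in connect order with start/end times; a session whose
    disconnect never shows up (log rotated, gateway killed) keeps end=None.
    """
    open_sessions = {}   # (pid, ip) -> session still in progress
    sessions = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["pid"], rec["ip"])
        if rec["action"] == "connect":
            session = {"pid": rec["pid"], "ip": rec["ip"], "dest": rec["dest"],
                       "start": rec["when"], "end": None}
            open_sessions[key] = session
            sessions.append(session)
        elif key in open_sessions:
            # disconnect or exit: close the matching session
            open_sessions.pop(key)["end"] = rec["when"]
        # A disconnect with no matching connect (the connect was in an
        # older, rotated log) is dropped rather than guessed at.
    return sessions


def hosts_using(sessions, dest, when):
    """Client IPs that had a session to `dest` open at datetime `when`."""
    hits = set()
    for s in sessions:
        if s["dest"] != dest:
            continue
        if s["start"] <= when and (s["end"] is None or when <= s["end"]):
            hits.add(s["ip"])
    return sorted(hits)


if __name__ == "__main__":
    sess = pair_sessions(SAMPLE_LOG.splitlines())
    for s in sess:
        end = s["end"].strftime("%H:%M:%S") if s["end"] else "still open"
        print(f'{s["ip"]:>12} -> {s["dest"]:<20} {s["start"]:%H:%M:%S} .. {end}')
    # Who was talking to the (assumed) news gateway when the post went out?
    print(hosts_using(sess, "198.51.100.5/119", stamp("May", "8", "16:29:00")))
```

The pairing key is the process id plus client IP rather than the pid alone, because a long-lived gateway reuses pids across a day and a disconnect line carries no other link back to its connect. The answer you get is still only a machine, which is exactly as far as the post got.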
Oh yeah. We found out whose machine had done the posting, but we couldn't pin down who had been using it at the time. So much for logging.