I was at first *very* confused by how some information was implied but not stated in David's email. The mixed top/bottom posting order also confused me.
I'd like to rephrase what David wrote, for the record -- just in case others might be as confused as I was: 1. David privately replied to the disgruntled.develop...@googlemail.com email address in response to the email that started this thread. He sent the following to that "disgruntled.developers" address: > On Sun, Aug 15, 2010 at 7:25 PM, David Hill <dh...@openbsd.org> wrote: > >> Sooooo, do you start this troll thread too? http://tinyurl.com/2uhlqpy >> (trollaxer) 2. > Well, tinyurl redirects to my box which redirects to trollaxer. As can also be seen at http://preview.tinyurl.com/2uhlqpy , this tinyurl.com redirect in turn redirects to http://www.mindcry.org/why.html -- which David created and at that point hadn't told anyone else about. Mindcry.org is David's own web site. He set up that why.html page to in turn immediately redirect to http://www.trollaxor.com/2010/06/why-i-left-openbsd.html : > # cat why.html > <html> > <head> > <meta http-equiv="refresh" > content="0;url=http://www.trollaxor.com/2010/06/why-i-left-openbsd.html"; /> > </head> > > </html> So by making the "disgruntled.developers" sender go to mindcry.org first instead of right to trollaxor.com, David could see in his HTTP server logs what IP address the "disgruntled" person had. And by using tinyurl.com, David could hide the fact that his site was involved at all. Tinyurl.com is often used to shorten URLs that get included in emails (to avoid line breaks breaking the URL). So the use of tinyurl.com seemed innocuous, and David correctly figured that Mr. "disgruntled" would be more likely to click on a tinyurl.com link than on one that's obviously from his own domain. 3. The trick worked: > Here is the culprit log for falling for such a silly trick. > > 83.101.24.229 - - [15/Aug/2010:19:13:12 -0400] "GET /why.html HTTP/1.1" > 200 136 "-" "Mozilla/5.0 (X11; U; OpenBSD i386; en-US; rv:1.9.0.11) > Gecko/2009070118 Firefox/3.0.11" > 4. If you do whois 83.101.24.229 , you can see that this is Belgium. On a good hunch, David looked up the IP address of kd85.com: > # host kd85.com > kd85.com has address 83.101.24.229 Kd85.com of course is known to be the domain of the Belgian Wim Vandeputte: > On 08/15/10 22:22, David Hill wrote: >> This email comes from kd85.com. >> >> contact-hdl: CCOM-138654 >> person: Wim Vandeputte >> organization: KD85.com bvba >> email: w...@kd85.com >> address: Kasteeldreef 85 >> city: Lovendegem >> postal-code: 9920 >> country: BE >> phone: +32.478217355 5. David also received the following response from the disgruntled.develop...@googlemail.com email address after he sent his bait email. The response --probably correctly-- said that Mr. "disgruntled" (i.e. Wim Vandeputte) had nothing to do with the trollaxor.com site. Of course, linking Mr. "disgruntled" (Wim) to trollaxor.com was never the point. That was just the bait, in order to identify Mr. "disgruntled". On 16 August 2010 04:51, David Hill <dh...@openbsd.org> wrote: > > here is an email response from the culprit: > > <email> > Nope, nothing to do with that... we all still have our commit bit and in > two weeks we'll be committing to the tree again... just like you... > unless of course you did not do your testing home work.... =============================================================== PS: What I personally found really annoying/insidious about the "disgruntled.developers" email that started this thread is how it quoted an email that Theo had sent to Henning (and cc'd to the list), and how the "disgruntled.developers" email then was signed "H." I believe that this was intentionally done, to make it look as if it was Henning who was Mr. "disgruntled". Despite all the static in the past, I had still been hoping to save some money and buy a Lemote YeeLoong from Wim (as they're hard to get otherwise). I now no longer intend to do so.
