See also the ad hoc sections [Usenet], [Luring
Lore] & [Stalking
| "If you can't take a little bloody nose, maybe you ought to go back home and
crawl under your bed. It's not safe on Usenet. It's wondrous, with treasures
to satiate desires both subtle and gross. But it's not for the timid."|
trolls, flamers, kooks and shills
What is a troll? What is a flamer? What is a kook? What is a shill? You'll find a detailed explanation of the various terms
by reading gandalf's trollfaq. Also,
in order to understand this lore, you had better have already
acquired an adequate knowledge of usenet.
As a matter of fact, on any virtual meeting point (usenet newsgroups, http:// messageboards, maillists)
you may register "attacks" by individuals interested in disrupting the flow of
There are MANY kinds of such individuals, see for instance the wondrous descriptions of usenet people at
A troll is basically one who posts messages
intended to insult and provoke per fas et nefas (see [Trolls and Schopenhauer] below).
For each person who responds, the poster (the troll as a person) will
consider that person "caught". The troll (the troll as an action) is considered
to have been a
complete success if it disrupts beyond repair the normal traffic on a newsgroup or on a messageboard. In
extreme cases, trolls are posted by groups of trollers and crossposted to
unrelated newsgroups in an attempt to
destroy those groups by flooding them with flames and off-topic ranting.
one who posts -or crossposts on many newsgroups- the same, exact post, multiple times (mostly one liners: "cascade"). Some
of these 'listings' with all answers and counter-answers, can grow into huge files.
A kook is a regular poster who continually posts messages with no apparent grounding in reality.
The kook trademark is paranoia and grandiosity. Kooks will often build up elaborate imaginary support structures, fake corporations
and the like, and continue to act as if those things are real even
after their falsity has been documented in public.
While they may appear harmless, and are usually filtered out by the
other regular participants in a newsgroup or mailing list, they can
still cause problems because the necessity for these measures is
not immediately apparent to newcomers; there are several instances,
for example, of journalists writing stories with quotes
from kooks who caught them unaware. See http://www.crank.net/usenet.html for more info.
Some people have dedicated
their lives to exposing kooks, and they will warn you that 'It is important to note the subtle distinction between a net.kook, a net.cretin,
a clueless newbie, troll, or garden-variety @$$hole. The newbie, one hopes,
can acquire a clue on the installment plan even if he can't afford to buy one
for cash; the cretin is merely stupid and/or irritating; the troll is purposely
pulling your leg like it got caught in some heavy machinery, the @$$hole is,
well, simply that. But a TRUE net.kook has a special fascination derived
from his/her/its utter ineffability. Their behavior is irrational, if not downright
weird, but they are seldom merely boring'
A very interesting Kookologists' Manifesto is "The way of the Kook"; it makes very good reading and is
much more informative than it may seem at first.
A flamer is one who contributes nothing but uninformative
"ad hominem" bickering. His inventiveness in name-calling and "hurting tooth poking"
fears no rival. Even a good troll will never win against a good flamer. Yet
flaming is an art that
many, many try, few master, and nearly all think (wrongly) they are good at. So
you (reader) are most probably not a good flamer; heed the
(sound) advice: never answer a troll (not even in order to flame him, see below).
A shill is one who posts messages as a spokesperson
for an unseen group or organization, usually at odds to
the topics being discussed.
The shills have joined trolls
as parasitical newsgroup fauna, destroying the balance of
free discussion, degrading the level of information, feeding
like predators on newsgroup populations that contain the
resource that they seek to convert to money.
Remember, shills are creatures of darkness, and their enemy
is the light. Shills can
only succeed as far as they fool people, a shill is by definition
an agent of deception, similar to a con artist, but acting
on a target market instead of individuals. Shills always act on profit,
and the motive, opportunity, and promise of profit, which in
direct proportion to the degree of such, will spawn shills as surely
as rotten meat spawns maggots.
Awareness of shills is a first defense against shills. Shills unmasked
are no longer shills, no longer effective.
As you'll see in the following, searchers can use trolls
in order to gather information, troll attacks are often organized (in "waves") and
coordinated on usenet groups, trolls can teach us powerful rhetorical tricks, and there are some weapons that you can use
to nuke them (apart
from killfiles plonking on usenet). Moreover, stalking
and luring techniques can and will be very useful
when seekers have to deal with trolls (or punish them).
But, first, learn that you can troll yourself,
in order to gather specific knowledge or information...
|Trolling for information|
System administrators answering a troll
Well... sooner or later I would have had to teach you how to fish info through cleverly
placed trolls anyway, so learn it right now... (I'm just speaking for those among you that did
not know this trick already, of course :-) ...Unix-related trolls (or Linux ones) on
usenet can fetch a huge amount of interesting info, if cleverly placed.
This was the troll (first relevant part, note the typical trolling style):
>> I get this feeling that your anti-MS because your an old school
>> UNIX weenie that hates the fact of MS-NT eating your lunch with
>> zero administration and fast setup?
This was the first answer:
"Zero Administration?" ...Service packs that fix one problem while
introducing another. Distributed in straight binary format with no
source code and no compiler, so you can't fix bugs in the code
yourself. Changing simple things like IP settings requires a reboot.
Changing damn near anything requires a reboot. On what's supposed to
be an Enterprise-class server? The people that actually have to
administer NT systems usually _hate_ them. Their boss is the one who
bought MS's bullshit about "ease of use" and "reliability".
This was the second answer (quite interesting, I believe)
I can vouch for this somewhat, having to deal with an NT box at work,
although it's actually given us little trouble. The reason for this
is that we have only *one* mission-critical function running on NT:
our proxy server. The only other tasks it's used for are backing up
the network and file/application serving, neither of which would
cripple us if the box puked tomorrow. The *real* important stuff runs
on Linux or Solaris (and, as soon as Informix ports its DB tools to
Linux, the Sun box will find itself on the doorstep the next day).
What slays me about Microsoft is how badly their software can coexist
with other products, *including their own*. A classic example is
their aforementioned proxy Server. When you set up NT with the Option
Pack and Service Pack 3, it installs Internet Information Server 4.0
by default. Which is fine, except for one small detail: it *breaks*
proxy Server. We had to back IIS 4.0 out of the system and install
IIS 3.0, which has no trouble working with proxy Server. AFAIK, there
is still no fix to get proxy Server working properly with IIS 4.0.
Now tell me: if Microsoft can't be bothered to fix glaring
compatibility issues with its own products, what makes anyone think it
gives two shits about making them compatible with anyone else's? Why
the hell did Sun sue Microsoft over the Java issue in the first place?
Second part of the troll:
>> UNIX hit rock bottom 2 years ago when the DOD shit canned it due to
>> it high cost. NT is cheaper and faster to use. Who in their right
>> mind would spend $1,500 for a crude UNIX OS when NT is better and
>> almost $ 1,300 cheaper???
Well, why would you need to spend $1500 when you can get your pick of
various *BSD and Linux OS's for either the cost of the CD, or the time
it takes to download? NT Server costs $200? I think it's a bit more
than that. And you also have to buy client licenses by the seat. The
more workstations you have being served by NT, the greater the cost.
He may be thinking of NT Workstation, which is a very different
Point of comparison: our upgrade to NT (we qualified, having run
Netware previously) cost us just under $1500 for the server and 30
client licenses (also not $200). But Solaris is much, much more
expensive, especially if you run it on SPARC hardware, although
there are no client-access restrictions.
I should add that actually both posters above realized they were
answering a troll,
but, interestingly enough, it worked nevertheless... and it was
possible to fish out some anti-M$ info all right :-)
The waves system
The following is the old alt.syntax.tactical (master trollers who make it their life's
work to destroy as many
as they can. They consider a group destroyed when more than three
of the threads on a group have been started by them and the group is
unusable for normal traffic) foundation for the structure, strategy, and protocol of simple
USENET invasions. I have decided to publish it here because it gives good insight into the
complexity of a good troll attack. Many of the tactics described here can be applied, mutatis mutandis, to any sort
of "lone wolf" action you may want to stage on your own. Seekers should know all sorts of techniques, lest
they suddenly need them (or need to recognize them) in some obscure corners of the web.
* Waves of Invasion *
Flames and wars between groups are as old as Usenet. What we try to do
is in many ways fundamentally different from what is or has been done in
After picking a messageboard, we call for an invasion on that msgbrd. There are a
number of phases to an invasion. Each person can volunteer for which
wave they want to be in, but more times than not, it is a first come-
first served policy. It is always important that no one jump the gun and
go in before we have time to prepare and bounce ideas off each other.
It's also important that people don't switch waves without letting
everyone know. Flexibility is the key, as is communication.
Typically, we use between two and five Waves of attack. Waves will
generally break down into this kind of structure:
a: Reconnaissance (RECON): These people will go in early and usually
set up camp as "friends of the newsgroup". They will become trusted and
participate by joining previous discussions or starting non-
controversial ones themselves. They will also act as "double-agents" to
counter-flame the other waves as the invasion progresses. The key is
building a bit of credibility.
b: Wave One: Wave one will usually be what starts the flame war.
Those involved in this wave can go on and each have a different flame,
or go on and flame in unison. They can bring in a subject of their own
or flame a previous discussion. What matters is that this initial wave
will be the one that the invaded newsgroup will have their attention on.
This wave calls for extreme subtlety. The quality of the flame MUST be
at its highest point here.
c: Wave Two: Wave Two will consist of tactics to attack the people who
were sent in as recon and attempt to start totally new flame threads.
The key here is that even if we attack a group of people restrained
enough to resist our flame-bait, wave two will stir things up and get
others to join in.
d: Wave Three: Wave three will generally change depending on the
campaign, but will generally be added to push the confusion and chaos
over the top. Flame the recon, flame the first wave, flame the second
wave. These guys are our balls out, rude SOB's. Mop up and clean out.
Sometimes (usually with bigger groups) Wave three will simply be along
the lines of a wave two. We will call for a wave four (or five) to be
the balls out routine. We will sometimes add a wave or two because
depending on the size and intelligence of a newsgroup.
There are three other things that we typically use, depending on
the sophistication of the invasion.
LOOSE CANNONS are people who come in and act so strange and obtuse that
it makes the rest of the flames look genuine.
THE ANON SERVICE can be used to send posts anonymously. This is a good
way to post and pretend to be scared of retribution. Only problem is
that this is usually the first sign that a post is a flame, so it should
only be used with a TREMENDOUS amount of DISCRETION.
CROSS POSTING is also a popular method of choice by other flame groups,
so it is important to Cross Post with discretion. If we can cross post
to bring in other newsgroups to unwittingly assist us, perfect. If we
cross post to suspicious newsgroups, our intentions will be obvious.
* Victory *
Ideally, signs of victory are the following:
- Our names appear in killfiles
- Majority or ALL threads in invaded newsgroup were started by us
- Regulars/legit people abandon invaded newsgroup
- Receive much hate mail - as does our SysAdmin
- To be reprimanded by the glorious SysAdmin
* Notes *
Most important is the need to be SUBTLE when it is required. One
misplaced post can ruin it for the rest of us. Those of you who have
participated in widespread flame wars know the feeling of having a
newsgroup going for a long time, then someone posts an obvious flame or
something so far out of context, that everyone says to just ignore the
flames, which eventually includes all of us. Blowing a flame war will
occasionally happen, but if it could have been avoided with a little
thinking, then it's not as excusable.
We've got to share duties. Everyone should get practice playing
different roles and different waves.
It has been assumed that if you don't want to participate, fine. No one
will hold it against you. What is expected is that if you don't want to
participate you don't have to, but that also means that you won't go
warning that newsgroup when an invasion happens. You will close your
eyes and turn a blind eye. NO NEWSGROUP AND NO MESSAGEBOARD IS OFF LIMITS!!!!!!
Another thing many people seem to be talking about are SIGS AND NAMES.
Try to take on appropriate names. If you are on alt.rap, D.J. Trouble is
not going to stir things up...if you show up on soc.culture.physics with
that name, you're caught before your first word of text. If a Sig is
going to blow your cover, lose it.
One of the most interesting things you can learn by reading and analysing
trollers' postings is
the wealth of Eristic
Dialectic stratagems they often use. In fact even tossing "verbal grenades" into the
in order to cause "indiscriminate damage" implies rhetorical subtlety and skill, if
you want them
to explode at the right distance and against the right targets (and not in your hands).
Readers that will find the time to print and read
Schopenhauer's masterpiece, linked below, will recognize immediately (and never fall again for)
most of the rhetorical tactics (indeed "stratagems") used
by trolls on usenet newsgroups or any other messageboard or forum.
Unfortunately today's "americanocentrical" world seems to ignore Schopenhauer's
beautiful teachings (no wonder, since if people would read Schopenhauer the whole
advertisement industry - and most politicians relying on media appearance -
would not have any chance). Few English versions on the web, I am afraid... (a -bad-
translation I have found is here, another older one is
yet for those of you that can
read German, here you are with "Arthur
Schopenhauer: Eristische Dialektik oder
Die Kunst, Recht zu behalten – in 38 Kunstgriffen dargestellt".
Admit it: this kind of knowledge... these 38 tricks ("stratagems") translate into
real power for those
in the know, eh? Quite funny, come to think of it: a sharp, incredible weapon against webtrollers' strategies (actually, against much more), devised
in 1864 and more useful and valid in these web-intensive times than ever before :-)
Here is a possible search query: schopenhauer "per fas et nefas"
Some usenet debunking techniques are of GREAT value, because you can apply them, mutatis mutandis to your own local corrupt politician's jargon.
An interesting example can be found at Cujo's World of Usenet Kooks, where the debunking of
a notorious Kook can give us a hilarious, but true, debunking-cypher-muster useful to debunk many a "round table" speech.
Here are some examples (among the many others
available all over usenet when dealing with trolls and kooks) that I have taken from Cujo
and freely modified...
|A short debunking dictionary for political speech
|what the politician says
||what he really means
||Responding to his blabbering
||Person who doesn't agree with him
||Something he dreams of someday winning
||500,000th place on Amazon
||Bogus partisan research
||Data contradicting his statements
||Pointing out his lies and mistakes
||Declared victory by repeating screed
|Do you follow me?:
||You are a cretin.
|Do you understand?:
||Do you accept my argument unconditionally?
||Completely subjective labels
||Replying to his accusations
||Something that he doesn't like to hear
||Null concept when applied to himself
||I have no answer to that
||I'll be back in a minute
|Let's turn to something concrete:
||This argument annoys me.
||Incoherent, plagiarized screed
||I have no answer to that
||Boasting just one of my many qualities
||Have a nose longer than Pinocchio
||Responding and disagreeing with him
||Something that he doesn't like to hear
||Someone who disagrees with him
||Plagiarized with loads of bogus indexes
||Someone who disagrees with him
||Failure and disgrace
||Babbles pulled out of his ass
||Load of delusional rantings
||Obsessing over it night and day
||I'm in denial
||Any claims he won't back up
|You are partly right:
||You are wrong
|You are wrong:
||You are right, but I cannot admit it
|Waste of resources:
||Anything not favorable for his own scam projects
||Proclaim victory and run away
So never again say that trolls and kooks are not useful...
|More about trolling|
moles, coordination points, flonk, meows...)
First of all: a warning...
"Do not meddle in the affairs of wizards
for they are subtle and quick to anger"
gandalf (@digital.net), see http://digital.net/~gandalf/trollfaq.html
1) They have a lot of free time, they are mostly lonely people.
2) They often
ingratiate themselves to a person or two on the group and use them to stay
in the group. They may protest with these "friends" that their right to
free speech is being curtailed.
3) They sometimes use "sockpuppets", i.e.
fake identities that may be used to sustain, or to inflame, the troll's position or theory or attack.
At times the sockpuppets' names are anagrams of, or similar to,
the troll name. Thus a troll may engage in artificial conversations with
himself. However impersonating multiple people is frowned upon by the more able trolls and is considered the lowest of
Where do trolls coordinate?
Real nasty trolls operate without central coordination, and recognize one another
on the fly when attacking a newsgroup (or a http:// messageboard, or any kind of forum... once more:
trolls do not operate only
on usenet). On usenet the most (in)famous newsgroups for trolls (not for trolling, for
coordination and experimentation) are
alt . alien . vampire . flonk . flonk . flonk,
alt . fan . karl-malden . nose (dedicated to cascades, UPA "Usenet Performance Art" and crossposting) and
alt . romath (The Knights of Romath "guard Usenet from netcops").
newsgroups (or newsfroups, see: "The way of the Kook" for some terminology): alt.hackers.malicious, alt.usenet.kooks,
As you have seen above, a favorite tactic of organized troll groups is to plant a
"mole" into the group - someone who looks and acts like a regular visitor / reader. Often, the
mole is planted a few weeks to a month in advance of an attack wave. That way, to the
newsgroup habitat it
looks as though the invaders were attacking "one of us." Be wary of this tactic,
as it adds to the mischief: unsuspecting do-gooders are sucked into the
fray as they come to the defense of the "attacked fellow".
Finally, if you are interested in troll wars, be aware that, apart from the obvious
trolling opportunities caused by the 11 September attack against the States ("the WTC was so ugly
I'm happy it went down" kind of postings on right/conservative/"americafirst" oriented forums) there is an
attack on the alt.cats newsgroup. This involves at least 20 trolls.
In fact there even exists a special alt.cats.declawing-debate newsgroup, which
has been especially created (and animated) by trolls in order to annoy cat owners.
Shills appear most commonly on 'reviews' and 'readers opinions' scripts, not only on
usenet and on messageboards.
There are some techniques for telling whether a contributor is a shill:
- Look for other reviews/contributions on the same forum to see how they compare.
- Look for other reviews/contributions by the same reviewer. If there aren't any, look out!
- Look for a review/contribution made by a recognized reviewer/contributor.
- With respect to bad reviews, look for an obvious agenda. Contributors who
appear out of nowhere and use highly inflammatory or gratuitously insulting language are suspect.
- Always check the cui prodest of the contribution.
Try to understand if it could be the competition or someone else with an axe to grind.
are trolls useful? ...Yes...
Yes (as somebody wrote long ago), much like hyenas: if a messageboard is strong and vibrant,
with healthy ideas and intelligent discussion among posters,
then these tend to be too interested in what is going on to pay much
attention to the trolls. However, once a forum begins to show signs of decay -
usually due to bickering among the regular visitors - then the trolls
run rampant and it is only a matter of time before the forum disintegrates.
"Trolls remind us that this is not private space.
Lurkers are everywhere but it is easy to forget that. Chatting away on a thread
with an old buddy it is easy to reveal personal details about one's life that
you might not really want public.
Trolls remind us that in a public forum anyone can read what we write."
Moreover, as we have seen in Trolls and Schopenhauer and with the debunking example above,
trolls DO deliver us many useful
findings about "Eristic Dialectic stratagems". Findings that we can easily apply outside the world of Usenet :-)
This said, trolls and (even more) shills are very often
de facto and/or de jure just lackeys of the commercial
powers that be. What all trolls have in common is that they flood newsgroups with
inappropriate material in an effort to suppress discussion they don't
want taking place. If it were radio, you would call it "jamming"
and everybody would agree it was censorship. But on Usenet or on messageboards,
it is more subtle and the mechanism more complex (involving user interface
limitations of newsreading software) so it hasn't been widely
recognized yet. Some of the most determined destroyers are
professional trollers connected to people that stand
to lose if a specific Usenet newsgroup (or any given specific messageboard)
proves to be a viable
alternative to the(ir) controlled channels of mass communications.
Let's see how to (try to) destroy them...
Deathpinging ~ rebuking trolls
"OK, I have enough, let's screw the troller: I'll give him 200-300 ping -f -s 65000" ;-)
What A+heist is referring to is an attack known as 'ping flood':
many large pings sent continuously against your target system in order to cause a
buffer overrun. This kind of attack is commonly used, for instance, during IRC channel wars.
A well known fact is that Windows 98 (and many other toy and older
REBOOTS after a ping -f 65000. Often only a single ping -f 65000 is
enough to reboot the system. The command must be issued from a Linux Box.
For slackware 3.6 Kernel 2.0.36, the correct line is: ping -f -s 65000 Target_IP_address
If you are playing on local networks, use ping -s -l instead
Usage: ping [-t] [-a] [-n count] [-l size] [-f] [-i TTL] [-v TOS]
[-r count] [-s count] [[-j host-list] | [-k host-list]]
[-w timeout] destination-list
-t Ping the specifed host until interrupted.
-a Resolve addresses to hostnames.
-n count Number of echo requests to send.
-l size Send buffer size.
-f Set Don't Fragment flag in packet.
-i TTL Time To Live.
-v TOS Type Of Service.
-r count Record route for count hops.
-s count Timestamp for count hops.
-j host-list Loose source route along host-list.
-k host-list Strict source route along host-list.
-w timeout Timeout in milliseconds to wait for each reply.
In this context I would like to recall
the similarly famous "ping of death" method.
For exact information see:
I'll quote: billions
of machines can be crashed sending IP packets that exceed the maximum 'dos'
length (65535 bytes). You can send from Linux, and,
also, of course you can hack your own dos in order
to let it send a packet bigger than that. There are also many nukers on the web
that have options to change the packetsize.
Netware, Routers, and of course toy systems like
Windows NT and 9* can be locked, but early versions of Linux and Solaris can be nuked as well.
The attacker needs to know nothing about
the machine other than its IP address.
Most implementations of ping won't allow an invalid packet (i.e. more than 65535 bytes)
to be sent. Among the exceptions are Windows '95 and NT :-)
This exploit is by no means
restricted to ping. The problem can be exploited by anything that sends an IP datagram,
probably the most fundamental building block of
the net. An IP datagram consists of an IP header and an IP payload.
The IP header is of variable size, between 20 and 60 bytes, in 4-byte increments.
It provides routing support, payload identification, IP header and datagram
size indication, fragmentation support, and options.
The IP payload is of variable size, ranging from 8 bytes
(a 68-byte IP datagram with a 60-byte IP header) to 65,515 bytes
(a 65,535-byte IP datagram with a 20-byte header).
Note also that not only ICMP echo, but TCP, UDP and even new style
IPX can be used to hit machines where it hurts.
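A defender-side check for the oversized datagram described above, as an added example (not from the original page or the text it quotes): it parses the IPv4 header of each fragment and flags any whose payload would push the reassembled datagram past 65,535 bytes. The function names and the sample headers are constructed for illustration; the headers are built in memory only.

```python
import struct

MAX_DATAGRAM = 65535                          # 16-bit total length field limit
IPV4_FIXED = struct.Struct("!BBHHHBBH4s4s")   # the 20-byte fixed IPv4 header


def sample_header(total_length, offset_units, more_fragments, ident=0x1A2B):
    """Build a constructed 20-byte IPv4 header for the demo (checksum left 0)."""
    flags_frag = (0x2000 if more_fragments else 0) | (offset_units & 0x1FFF)
    return IPV4_FIXED.pack(
        (4 << 4) | 5,              # version 4, IHL 5 words = 20 bytes
        0, total_length, ident, flags_frag,
        64, 1, 0,                  # TTL, protocol 1 (ICMP), checksum
        bytes([192, 0, 2, 1]),     # documentation addresses (RFC 5737)
        bytes([198, 51, 100, 7]),
    )


def fragment_extent(header):
    """Parse one IPv4 header and report where its payload lands on reassembly."""
    if len(header) < IPV4_FIXED.size:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag,
     _ttl, proto, _csum, src, dst) = IPV4_FIXED.unpack(header[:20])
    ihl = (ver_ihl & 0x0F) * 4                 # header length: 20..60 bytes
    if ver_ihl >> 4 != 4 or not 20 <= ihl <= 60 or total_len < ihl:
        raise ValueError("not a well-formed IPv4 header")
    start = (flags_frag & 0x1FFF) * 8          # fragment offset is in 8-byte units
    end = start + (total_len - ihl)            # first byte past this fragment
    return {
        "key": (src, dst, proto, ident),       # fragments of one datagram share this
        "start": start,
        "end": end,
        "more_fragments": bool(flags_frag & 0x2000),
        # Size of the datagram if this fragment held its last byte; for a
        # non-final fragment this is a lower bound on the reassembled size.
        "reassembled_length": ihl + end,
    }


def is_oversized(header):
    """True if accepting this fragment would exceed the 65,535-byte limit."""
    return fragment_extent(header)["reassembled_length"] > MAX_DATAGRAM


def scan(headers):
    """Return the indexes of headers to drop: oversized or malformed."""
    flagged = []
    for index, header in enumerate(headers):
        try:
            if is_oversized(header):
                flagged.append(index)
        except ValueError:
            flagged.append(index)
    return flagged


# Constructed sample input, not captured traffic.
SAMPLE_HEADERS = [
    sample_header(84, 0, False),       # ordinary unfragmented echo request
    sample_header(1500, 185, True),    # middle fragment starting at byte 1480
    sample_header(23, 8189, False),    # last fragment ending at exactly 65,535
    sample_header(1500, 8189, False),  # last fragment running past the limit
]

if __name__ == "__main__":
    for i in scan(SAMPLE_HEADERS):
        info = fragment_extent(SAMPLE_HEADERS[i])
        print(f"drop header {i}: reassembles to {info['reassembled_length']} bytes")
```

The check works per fragment, so a filter can drop the offending fragment on arrival instead of waiting for reassembly to complete.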
This said, the above methods (and other more nasty ones)
are better left to professional webwizards and "older ones" (that
may often be willing to help you for a worthy cause). Usually the best method when dealing with trolls is always the same:
NEVER ANSWER TO
THEIR POSTINGS! ("Please do not feed the troll")
The whole point of trolling is to have you react. So do not react!
It's as simple as that, duh. That is something that
enrages trolls (and disqualifies them: other lurking trolls will take
note of their failure and they know - and fear - it).
reacting, you have completely defeated their purpose in life. In other
words, the troll sees his self-worth in how much of a reaction he can
inspire - ignore him: it's your best
Should you, my advice notwithstanding, answer a troll, then calm down! Do not read any of the
troll's responses to you. He is just trying to draw you further into his
lair. Once more: NEVER ANSWER TO
Once more, 5 easy rules:
(1) Don't read posts from or about trolls;
(2) Don't read email from or about trolls;
(3) If you can't resist reading, don't respond;
(4) If you can't resist responding, do so by email, not by posting on a public forum;
(5) If you are compelled to post a response, if you just can't
stop yourself, at least do the rest of the readers the favor of adding
the troll's nick to the subject line, so they can avoid reading that post.
In case of a cascade attack (by spamming trolls), you may be able to
help matters by posting yourself into the cascade and removing your group from
the crossposting line. (Cascades are those one liners piled on top of each other that spamming trolls
In the case of shills the best method is - instead - to boldly counterattack: stalk
them (sometimes a simple reversing of their language
patterns will be enough) and debunk them.
If you can identify (or even suspect, eheh)
the group/industry they have been working for, they are dead and everything they have damaged
will be reversed :-)
February 2002: A "flamebot": A perl script that makes automatic replies to one or more usenet posters of
by Dr. Flonkenstein
Dr. Flonkenstein, one of the ugliest trolls of the planet (this is, for trolls, a compliment :-) is a good friend of mine and
an extremely clever (and nasty) "usenet artist".
- April 2002:
fldigest.htm: Trollers Digest:
A description of trolling techniques and tactics,
by Dr. Flonkenstein, part of the trolling [section]
'colorful usenet behaviour' explained :-)
- September 2004:
A very interesting Kookologists' Manifesto is "The way of the Kook"; it makes very good reading and is
much more informative than it may seem at first.
- October 2004:
Trolls punishing deviant wannabe trolls through scorching sarcasm:
"USENET'S SUPREME COURT OF LAST RESORT", by Friendly Neighbourhood Vote Wrangler
A troll will be "impeached" in this text, among other things "for displaying
unmanly cowardice in the face of a Perl Script".
Classic unsubstantiated and erroneous claim
(c) 1952-2032: [fravia+], all rights reserved