Usenet has been around since 1980 and it is far from dead. Millions of users still access newsgroups daily through commercial Usenet providers, and the platform continues to host a massive volume of text discussions and binary content. Where there is volume, there is abuse — spam floods, copyright-infringing uploads in binary newsgroups, illegal content, and forged headers designed to mask the poster's identity.
Unlike social media platforms with centralized moderation teams, Usenet's distributed architecture means abuse reporting requires understanding which provider or ISP is responsible for a given post. This guide covers how to identify Usenet abuse, trace posts back to their source, and file effective complaints with the right parties. It is part of my complete guide to reporting IP abuse.
Types of Usenet Abuse
Usenet abuse falls into several distinct categories, and each one has a slightly different reporting path.
Spam (EMP and ECP)
Excessive Multi-Posting (EMP) means sending the same message to many newsgroups individually. Excessive Cross-Posting (ECP) means cross-posting a single message across a large number of groups. Both are considered spam under Usenet conventions and violate the acceptable use policies of virtually every Usenet provider. Spam on Usenet typically advertises products, services, or scam websites, and is often sent through open NNTP relays or compromised accounts. If you are also dealing with email spam from specific IPs, my guide on reporting spam from an IP address covers that process.
Copyright infringement
Binary newsgroups (the alt.binaries.* hierarchy) are a primary vector for pirated software, movies, music, and other copyrighted material. Files are split into segments, encoded, and uploaded across retention servers that store them for years. This makes Usenet a persistent distribution channel for pirated content.
Illegal content
Some of the most serious Usenet abuse involves illegal material including child sexual abuse material (CSAM) and content that violates laws in most jurisdictions. This type of abuse should be reported to law enforcement immediately, not just to the Usenet provider.
Trolling, harassment, and forged headers
Persistent harassment campaigns and forged message headers — where someone spoofs another user's email address or identity — are forms of Usenet abuse that most providers take seriously. Forged headers are particularly concerning because they can be used for identity-based attacks.
How to Trace Usenet Abuse
Every Usenet post carries headers that reveal its origin and the path it traveled through newsgroup servers. Understanding these headers is the key to identifying who to report.
Key headers to examine
- NNTP-Posting-Host — The IP address of the original poster. This is the most important header for tracing abuse.
- Path — Shows the chain of servers the post passed through, from most recent to the originating server.
- Injection-Info — Added by the server that first accepted the post. Often contains the posting host IP, the NNTP server name, and the authenticated user's details.
- Message-ID — A globally unique identifier for the post. Essential for referencing specific posts in abuse reports.
- X-Trace — Additional tracing information added by some servers.
Example header analysis
Here is a simplified set of Usenet headers showing what to look for:
Path: news.example.com!not-for-mail
From: [email protected]
Newsgroups: alt.binaries.multimedia,alt.binaries.movies,rec.arts.movies
Subject: [01/50] - "pirated-movie.mkv" yEnc (1/200)
Date: Thu, 12 Jun 2025 14:33:07 +0000
Message-ID: <[email protected]>
NNTP-Posting-Host: 203.0.113.55
Injection-Info: news.example.com; posting-host="203.0.113.55";
posting-account="[email protected]"
From this, I can extract:
- Poster's IP:
203.0.113.55(from NNTP-Posting-Host) - Usenet provider:
news.example.com(from Path and Injection-Info) - Account identifier:
[email protected](from Injection-Info) - Post reference:
<[email protected]>(Message-ID) - Cross-posted to: three newsgroups (potential ECP spam indicator)
Evidence Gathering Checklist
Before filing a report, gather the following:
- Full post headers — Not just the visible ones. Most newsreaders have a "show full headers" or "view source" option.
- Message-ID — The unique identifier that lets the provider locate the exact post.
- Newsgroup name(s) — Which group or groups the post appeared in.
- Post content — The full text or a description of what was posted. For binary posts, include the subject line which typically contains the filename.
- Source IP — Extracted from the NNTP-Posting-Host or Injection-Info header.
- Timestamps — The Date header and any server-added timestamps.
- Pattern evidence — If the abuse is ongoing, include Message-IDs from multiple posts to show the pattern.
Finding the Abuse Contact
Once you have the poster's IP from the NNTP-Posting-Host header, use the IP Location tool to look up who owns that IP address. The WHOIS results will show the ISP or hosting provider and their abuse contact email (typically [email protected]).
You will want to report to two parties: the Usenet provider whose server accepted the post (visible in the Path and Injection-Info headers) and the ISP that owns the poster's IP address.
Usenet Abuse Report Template
Use this template when filing a complaint with the Usenet provider or the poster's ISP:
Subject: Usenet Abuse Report — [Spam / Copyright Infringement / Illegal Content]
To Whom It May Concern,
I am reporting abuse originating from your network / Usenet service.
Abuse type: [Spam (EMP/ECP) / Copyright infringement / Illegal content / Harassment]
Post details:
- Message-ID: <message-id-here>
- Newsgroup(s): [newsgroup name(s)]
- Date/Time: [timestamp from headers]
- Subject: [post subject line]
Poster identification:
- NNTP-Posting-Host: [IP address]
- Injection-Info: [full injection-info header]
- Path: [path header]
Description of abuse:
[Describe what was posted and why it constitutes abuse. For spam, note the
volume and cross-posting. For piracy, identify the copyrighted work. For
illegal content, describe the nature without including the content itself.]
Full headers are attached below.
[Paste complete headers here]
I request that you investigate this abuse, take appropriate action against
the responsible account, and remove the offending content.
Thank you,
[Your name]
[Your email]
Where to Report
Usenet provider
Major Usenet providers have dedicated abuse teams. Report directly to the provider shown in the post's Path or Injection-Info headers. Common abuse contacts include:
- Eweka — [email protected]
- Giganews — [email protected]
- UsenetServer — [email protected]
- Newshosting — [email protected]
- Supernews — [email protected]
Most providers also accept reports through web forms on their support pages.
ISP of the poster
The ISP that owns the NNTP-Posting-Host IP address can take action against the user's account. Look up the IP using the IP Location tool to find the ISP and their abuse contact. Send a copy of your abuse report to their abuse email address.
For piracy: DMCA notice
If you are a copyright holder or authorized representative, you can issue a formal DMCA takedown notice to the Usenet provider. This triggers legal obligations under the safe harbor provisions of the DMCA. I have a dedicated guide on writing a DMCA takedown notice with a template you can adapt for Usenet.
For illegal content: law enforcement
Illegal content — particularly CSAM — should be reported to law enforcement immediately. In the United States, report to NCMEC's CyberTipline (missingkids.org). In the EU, report through your national hotline listed at inhope.org. Include the full headers and Message-ID so investigators can trace the post.
NTD (Notice and Takedown) for Usenet
Notice and Takedown is the formal process copyright holders use to request removal of infringing content from Usenet providers. It works similarly to DMCA takedowns but the term NTD is more commonly used in the European context.
How NTD works on Usenet
- The copyright holder identifies infringing content and gathers the Message-IDs.
- A formal NTD notice is sent to the Usenet provider, identifying the copyrighted work, the infringing posts by Message-ID, and the legal basis for removal.
- The provider removes the posts from their servers and typically prevents re-upload of the same content hash.
- Repeat infringers may have their accounts suspended.
Automated takedown systems
The volume of pirated content on Usenet means manual NTD is impractical at scale. Organizations like Brein (Netherlands), the BPI (UK music industry), and various anti-piracy firms operate automated systems that continuously scan binary newsgroups, identify infringing uploads, and submit NTD notices to providers. These systems can issue thousands of takedown requests per day.
Major Usenet providers cooperate with these automated systems and have intake APIs for bulk NTD processing. If you are a rights holder dealing with large-scale infringement, contacting an anti-piracy service that specializes in Usenet takedowns is often more effective than filing individual notices.
What to Expect After Reporting
Response times vary by provider and abuse type:
- Spam reports — Most Usenet providers respond within 24-48 hours. They typically remove the offending posts and suspend the account used for spamming.
- Copyright takedowns — Providers operating under DMCA safe harbor provisions generally act within a few business days. Well-formatted NTD notices with clear Message-IDs get the fastest response.
- Illegal content — Reputable providers treat these reports with urgency and typically remove content within hours. They may also proactively report to law enforcement.
If you don't receive a response within a week, follow up. For copyright infringement, escalating to the provider's legal department or their designated DMCA agent (listed on their website) can speed things up.
Keep in mind that Usenet's federated nature means removing a post from one provider does not remove it from all providers. You may need to file separate reports with multiple providers if the content has propagated widely.