[HN Gopher] A little trick to spam the spammers
___________________________________________________________________
A little trick to spam the spammers
Author : sodimel
Score  : 154 points
Date   : 2022-07-26 19:11 UTC (3 hours ago)
(HTM) web link (misc.l3m.in)
(TXT) w3m dump (misc.l3m.in)

bcrosby95 wrote:
| I used to run a mud back in the late 90s. When we nerfed something a disgruntled player signed up all the admin emails for every piece of spam they could find.
|
| It was a huge pain in the butt. Nowadays we would probably barely notice.

AdmiralAsshat wrote:
| Get the site onto the frontpage of HN and hug the spammers to death? I like it.

mrtweetyhack wrote:

ccn0p wrote:
| OK now let's do SMS spam. I get daily reminders from recorded idiots telling me that I qualify for a low-rate business loan! How exciting! I dream of exploring who's actually behind these and wasting their time à la Giovanni Ribisi in Boiler Room. But then I do nothing and go back to what I was doing.

divbzero wrote:
| The design of this blog is delightfully readable: no popups, no banners, no FOUC as I wait for a beautiful webfont to load.

wizofaus wrote:
| Except for the "beautiful webfont" bit, that was my experience too - no popups/banners/ads while waiting patiently for it to finally load the "Connection timed out" page.

[deleted]

sodimel wrote:
| If you're speaking about l3m.in I removed unused chars from the font I load (using the super tool on the fontsquirrel website) in order to make it lighter. I save the banner images in webp format too (with a liiiittle bit of gaussian blur in order to reduce the size even more) :P
|
| The real problem here is my internet connection; my top upload speed seems to be something like 100-200ko/s, which isn't very much when there's a lot of people loading various parts of my self-hosted websites :(

wizofaus wrote:
| The link is to a txt file! Anyway the archive link someone else posted seems to work fine (I still can't load the original link).

sodimel wrote:
| Oh, ok. On this folder (https://misc.l3m.in/txt/) there is a link to my main website (won't post the link here in order to reduce the load) and I thought you were talking about it :P
|
| Keep refreshing like anyone (I guess), my server is at 1.5% of load average, you should be able to access this txt file, if my slow connection is allowing you to reach my server :/

IronWolve wrote:
| Speaking of annoying email lists, spammers are using government state/federal email lists that don't need confirmation. Trolls can just sub people up to hundreds of daily emails. How about spam someone all the train/bus schedules for a city? DOT updates, parks and rec, health updates, DHS, ICE, weather, etc.
|
| You can't just remove yourself by replying either, you have to go to a website and remove them, either 1 at a time or if lucky an unsubscribe all.
|
| But it's ironic the government email lists are being abused to such an extent to annoy people.
|
| I had users get caught in such an attack, but easily enough to just spam their domains. Hammer solution, but quick fix.

codetrotter wrote:
| I wonder if most sites maintain any of the following addresses or not for externally incoming mail:
|
|   hostmaster@<domain>   postmaster@<domain>
|   webmaster@<domain>    dns-admin@<domain>
|   info@<domain>         contact@<domain>    root@<domain>
|
| (And if they do, if anyone is actually reading the mail coming to those addresses.)
|
| I used to but I got so much spam and 0 actually legit mails to these addresses on my own domains so I stopped accepting externally incoming mails for those names/aliases.

djbusby wrote:
| I still run those names for many domains I operate. Only info@ gets the spam. The others are quiet - but I've actually gotten real emails (in 2022 even) to postmaster and hostmaster.

dsl wrote:
| Every email to legal@ has to be read by any legitimate site, thanks to GDPR/CCPA. Not that you'll get a response.

logifail wrote:
| Could you give references for this?

edm0nd wrote:
| I do not believe that is how the joke laws that are GDPR/CCPA operate.

urda wrote:
| Hardly, and especially no to the GDPR. As a US citizen operating my own US site, doing no business with the EU, I do not care nor am I required to comply with EU law that has no bearing on a US citizen like me.

legitster wrote:
| > As a US citizen operating my own US site, doing no business with the EU, I do not care nor am I required to comply with EU law that has no bearing on a US citizen like me.
|
| It's actually a bit more complicated than that. Our expensive GDPR lawyers have made it clear there is still _some_ amount of risk.
|
| The example was of a German citizen booking American hotels for their vacation. Under the wording of the GDPR law, if their data was breached, the hotel could be held liable under a German court.
|
| Now, the realisticness of this actually going to court or there being any meaningful penalty has not really been tested, but it's our corporate policy not to be the first ones to do so. So even for signup forms targeting Americans for American events, legal has asked us to specify to always collect country information (so we know what GDPR rules to process this person under) or include a dumb disclaimer that people from certain countries should not sign up.

aendruk wrote:
| I suspect spammers might have given up on that. I get almost nothing for webmaster at a domain that receives plenty of spam and phishing attacks on other email addresses, and a constant barrage of spam into the web contact form.

Avamander wrote:
| Not given up, I'd expect them to avoid those addresses to avoid blocklists and abuse reports.
bitbang wrote:
| I will often provide the email address postmaster@hashbang.com for people insisting they need an email address who have no legitimate reason for doing so. (hashbang.com resolves to localhost. Thanks twocows...)

legitster wrote:
| These types of addresses are actually used by corporate anti-spam software and they are called "honeypots". The idea being you set up an inbox with no public email address and report any IP addresses sending it emails. There is no legitimate reason someone should be emailing these addresses, so it's an obvious flag that someone is being naughty.

iamacyborg wrote:
| There are plenty of legit reasons to be mailing some of those addresses.

ithinkso wrote:
| There were*

NullPrefix wrote:

iamacyborg wrote:
| No, there are. I still see masses of businesses signing up for b2b products using contact@ or info@ addresses.

thallium205 wrote:
| Don't sites still use these emails to verify domain ownership?

[deleted]

rascul wrote:
| https://datatracker.ietf.org/doc/html/rfc2142

legitster wrote:
| > SECURITY CONSIDERATIONS
|
| > Denial of service attacks (flooding a mailbox with junk) will be easier after this document becomes a standard, since more systems will support the same set of mailbox names.

autoexec wrote:
| I've managed a number of RFC 2142 mailboxes and while they all got spam (the dumb spammers would even send to abuse@!) it wasn't any worse than the other published email addresses on those systems and the volume of spam was still less than what our typical user would see (since nobody using postmaster@ used it to sign up for everything under the sun).
|
| The spam we got was often useful for abuse handling and spam filtering too. It was a good thing!
|
| Every network should have an abuse@ address. Web forms are pretty popular these days too, but every extra hoop you force reporters to jump through can cut down on the reports you get of problems on your network. It's worth dealing with the spam to make sure you're getting notified as quickly as possible.

boshomi wrote:
| https://archive.ph/PyCa9

sodimel wrote:
| Thanks, my tiny web server still got plenty of power but my connection is pretty terrible today :/

jedberg wrote:
| Since the site is down, what's the trick?

legitster wrote:
| The entirety of the post:
|
| > published: 26/07/21 (dd/mm/yy)
| > updated: not yet
|
| > A little trick to spam the spammers.
|
| > When I find a "get X free" button on a website that then asks for my email address, I like to search for the email of the company behind the website (sometimes it's on the legal page, or the privacy policy page) and I submit their email. I also make sure to check the "sign me up for the newsletter" box, to make sure the spammers get at least one of their messages.
|
| > I don't really know why I do this, it seemed funny a few months ago when I started and now I do it out of habit.
|
| > I now keep a list of emails from these spam sites, and subscribe them all to the various newsletters I find if I have 5 minutes.

sodimel wrote:
| The site is not down, but my poor upload connection prevents you all from having access to this glorious _txt_ file, sorry :(

rolph wrote:
| I'm sure there's a script for that somewhere about.

sacrosancty wrote:
| I used to get spam from a Chinese exporter who conveniently included their actual address in the emails. One day I happened to be visiting their city and went to their office and asked them to unsubscribe me in person. The lady was very confused and first thought I wanted to buy something. I showed her the spam on my phone and she agreed but didn't bother actually removing me. Just seemed to think I was a bit stupid for travelling so far (I was also a foreigner) to complain about spam. It was interesting to see what those companies look like in real life though - an office filled with piles of widgets and cartons of deliveries everywhere. These Chinese exporter spammers do tend to be legitimate businesses and they can actually provide good cheap access to manufacturers but they harvest emails from everywhere if there's any hint you might work in a related industry.

dylan604 wrote:
| There's no better motivator than having an upset customer in your presence. I have camped outside the office of someone until a situation was resolved.

[deleted]

informalo wrote:
| Details please

rubatuga wrote:
| Do tell

ashton314 wrote:
| Chaotic good right there.

dredmorbius wrote:
| The terms ceo@ / sales@ / marketing@ / info@ <domain> can be fun.
|
| Or state-level intelligence addresses / TLAs of various stripes.

dawnerd wrote:
| I also like using support@, surprising number use that to create tickets which can annoy someone very quickly.

1nd1ansumm3r wrote:
| The trick works in analog too. Just stuff the pre-paid business reply mail with other junk mail.

kibibyte wrote:
| That's a classic. http://bash.org/?127039
|
| I do occasionally wonder if it would still work, but most business reply mail type spam has been supplanted by email nowadays.

danuker wrote:
| I spent hours on bash.org when I found it a few years ago. Thank you for reminding me of it!

tanseydavid wrote:
| And by visiting just about any large IT-related convention you can easily collect a hundred or more pre-paid business reply mail cards.
|
| At least that's what a friend told me. ;)

reaperducer wrote:
| Similarly, when a store annoys me for an address or phone number, and won't take "no" for an answer, I look it up on Google Maps and give the clerk the store's information.
|
| Edible Arrangements is the most recent place this happened. The store wouldn't sell anything to me without an address and phone number, even though I was paying cash. The manager said the POS wouldn't even let him start a transaction without collecting the information.
|
| So Edible Arrangements' marketing department is now spamming my local Edible Arrangements store.

dylan604 wrote:
| 1212 Main St, City, St (area code) 515 1212 for phone
|
| I gave up trying to explain why I prefer not to have that info, so I just give them obviously bogus info that I can remember. Most people don't even realize what you're telling them. They just robotically enter the numbers. They just want to get on with their day as much as you do, and really don't want to hear your diatribe about big brother tracking blah blah, can you hurry up the line is backing up.

jorgesborges wrote:
| Yup. When I was signing up at MEC I gave the clerk a fake number but accidentally included both the area codes for my city as the first six digits: "Whoa that's weird, never seen them together like that before." It's easy for me to remember now at least.

legitster wrote:
| I run marketing email databases. This is cute, but it doesn't actually do anything in most systems - either the employees all already get the marketing emails or there is a system-wide rule to suppress against the email domain.
|
| If you actually want to (potentially) break something, try submitting some obscure characters or malformed html into some fields. Blank spaces in emails can particularly be a nuisance.
|
| And if you want some real fun, some systems only enforce validation rules via client-side javascript. If you block them, you might be able to submit some _real_ chaotic entries.

TechBro8615 wrote:
| I think Log4shell was about the closest we got to this. It's still crazy to me you could exploit an unknown machine by leaving a string of text somewhere and waiting for a vulnerable client to process it. I imagine many spammers are running a lot of insecure PHP and Perl scripts to support their operation. That was certainly the case back in ~2006, and I imagine most "new entrant" spammers are not using email but rather social media tactics and the like, so I doubt email spam infrastructure improved.
|
| That said, the real guilty spammers are the companies doing it under the flag of a sales tool. RIP your email if you put it in a git commit.

Jerrrry wrote:
| Blind XSS is a thing.
|
| Not my fault you haphazardly inserted <whatever I crafted> into an HTML field in some browser at some point in the future.
|
| DNS records, facebook statuses, titles of apps on the playstore, Wifi SSIDs, bios on obscure forums, names of children, recipe ingredients, your TV's network nick name...anything that can hold the input of a user, that a scraper or content mechanism will eventually naively come across...
|
| Eventually it will get added to the DOM of some unknownst messenger, and I will receive a ping, letting me know that someone, somewhere, somewhen, sniffed my digital fart.

ARandomerDude wrote:
| How do you sleep at night?

Avamander wrote:
| I would also recommend naming yourself Viagra, Cialis or CBD.

kbenson wrote:
| "Viagra Cialis, CBD" does sort of sound like a name with some odd post-nominal...

dylan604 wrote:
| I want to have my name legally changed to Spam Likely

legitster wrote:
| This is actually kind of clever, but only if you give us a real email address.
|
| We will often take your name and insert it into emails (for some dumb reasons around personalization supposedly increasing opens). But an email being stuffed full of spam words is a good way to get it flagged by anti-spam software and potentially hurt our sender reputation score.
|
| You would probably have to do it en masse and use real inboxes. A couple other names you could use would be "free", "lovers", "singles", or any sort of mid word character substitution.

iamacyborg wrote:
| This reminds me of when I briefly worked at a major luxury fashion retailer.
|
| We were not allowed to send emails with "pussy bow" blouses as they were getting caught by corporate spam filters.

sodimel wrote:
| I never thought about naming myself with potential spam words :o

legitster wrote:
| Please, call me Singles. Hot Young Patriot Singles In Your Area is my father.

incogitomode wrote:
| Keep a short list of your enemies' email addresses and use those as the destination for these likely-to-be-flagged signups to hedge your bet.

sodimel wrote:
| The zero-width char seems to be a good candidate, thanks!

s09dfhks wrote:
| Unicode Character " " (U+2800)

sodimel wrote:
| I usually use the char from https://codepen.io/chriscoyier/pen/iLKwm :D

alliao wrote:
| you guys are all monsters lol

sacrosancty wrote:
| The extended version where he signs up his list of other spammers for each other's newsletters should get around that problem.

Gravyness wrote:
| A trick I like is to fill every form with "null".

legitster wrote:
| The extent that this bugs us though is pretty minimal. Any publicly facing form is going to have to handle massive amounts of garbage data as it is (if not just from people, from bots as well) so records that cleanly identify themselves as garbage save us a ton of time.

dylan604 wrote:
| It's amazing how Lil' Bobby Drop Tables is still causing havoc

koliber wrote:
| The concept is called "closing the loop."

avodonosov wrote:
| I do a similar thing with web crawlers that do not respect the robots.txt
|
| https://github.com/cl-test-grid/cl-test-grid/blob/873b2fa978...
|
| I don't know if this snippet is really effective; it can be improved a little, especially since I noticed a couple of new crawlers that ignore `User-agent: * Disallow: /path` in robots.txt, and do not fix that even after being reported.

gigel82 wrote:
| I'll look into implementing this, nice tip :)
|
| archive.org is the worst offender for me; not only do they ignore robots.txt, there is absolutely no way to get something removed once they archived it (despite the data including accidentally leaked PII for example - which can cause actual harm to someone).

Analemma_ wrote:
| I want archive.org to ignore robots.txt and make it as difficult as possible to remove pages from it; it would be a broken archive tool if this were not the case.

ShakataGaNai wrote:
| Just send them a DMCA request, that's their takedown mechanism. Is it a good one? No, but that's how they do it. You see it posted about all over in their forums.
|
| ex: https://archive.org/post/1022869/site-removal-request

sodimel wrote:
| That's pretty neat! I should set up something similar for my domains that keep being spammed.

amiga-workbench wrote:
| I wonder if you could abuse gzip compression on responses to send a zip bomb back to them.

Avamander wrote:
| You can, but most bots do timeout. If you get a lot of bad bots that are vulnerable, then you'll probably waste a lot of resources on those connections.

winddude wrote:
| Yes you can. There are also ways to protect the crawler server from crashing.

dawnerd wrote:
| I did just that for a while with a spare server I had. I set it up to literally only respond to bad bots. I know the crawlers don't care but it amused me at least. I tried to also keep redirecting slowly before it could time out. There was one bot that seemed to create a new instance each redirect so I could keep it in a loop for essentially ever. Just about every other bot only followed a few redirects before giving up. Fun times.
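legitster's point above about forms that enforce validation only in client-side JavaScript, together with the zero-width / U+2800, blank-space, "null" and blind-XSS tricks discussed in this subthread, is what a server-side check on a signup form has to cover. The following is an added example (not code from any commenter or from the post); the role-mailbox list comes from RFC 2142 plus the addresses named in the thread, and `own_domain` is an assumed parameter for the form operator's own domain, which legitster says is suppressed anyway:

```python
"""Server-side validation for a newsletter / "get X free" signup form.

Added example; not code from the thread or from any commenter's system.
Rejects blank, zero-width and other invisible characters, rejects HTML or
script fragments (stored/blind XSS payloads), and flags addresses that are
almost certainly not a real subscriber: RFC 2142 role mailboxes,
"null"-style placeholders and the form operator's own domain.
"""
import re
import unicodedata
from typing import Optional, Tuple

# Role mailboxes from RFC 2142 plus the ones named in the thread.
ROLE_LOCALPARTS = {
    "postmaster", "hostmaster", "webmaster", "abuse", "noc", "security",
    "info", "contact", "sales", "marketing", "support", "legal", "root",
    "dns-admin", "ceo",
}
# Placeholders people type when they refuse to give an address.
PLACEHOLDER_LOCALPARTS = {"null", "none", "undefined", "test", "nobody", "spam"}
# Blank-looking code points that are NOT in Unicode categories C or Z and
# so slip past a generic control/space check; the braille blank U+2800 is
# the one quoted in the thread.
EXTRA_INVISIBLE = {"\u2800", "\u3164", "\u115f", "\u1160"}
# Deliberately strict ASCII syntax: exactly one "@", a dotted domain, and
# no quotes, spaces or angle brackets, so SQL/HTML metacharacters cannot
# reach the regex branch at all.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$")
MARKUP_RE = re.compile(r"[<>]|&#|javascript:", re.IGNORECASE)


def validate_signup_email(raw: str, own_domain: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Return (verdict, reason, normalised_address).

    verdict is 'reject' (refuse the submission with an error), 'flag'
    (syntactically valid but quarantine instead of adding to a list), or
    'ok'. reason is None only for 'ok'.
    """
    # Only ordinary leading/trailing ASCII whitespace is forgiven, as a
    # browser would do; anything blank or invisible *inside* is refused.
    s = raw.strip(" \t\r\n")
    for ch in s:
        cat = unicodedata.category(ch)
        if ch in EXTRA_INVISIBLE or cat[0] in ("C", "Z"):
            return "reject", "whitespace-or-invisible-character", None
    # HTML/script fragments are the blind-XSS payloads described above:
    # stored now, rendered unescaped in some dashboard later.
    if MARKUP_RE.search(s):
        return "reject", "markup-not-allowed", None
    if not EMAIL_RE.match(s):
        return "reject", "bad-syntax", None

    local, domain = s.rsplit("@", 1)
    domain = domain.lower()          # domain names are case-insensitive
    normalised = f"{local}@{domain}"
    # Subaddress tags (user+tag@) are stripped only for the role test, so
    # postmaster+anything@ is still recognised as the postmaster mailbox.
    base_local = local.split("+", 1)[0].lower()
    if base_local in ROLE_LOCALPARTS:
        return "flag", "role-account", normalised
    if base_local in PLACEHOLDER_LOCALPARTS:
        return "flag", "placeholder-address", normalised
    own = own_domain.lower()
    if domain == own or domain.endswith("." + own):
        return "flag", "own-domain", normalised
    return "ok", None, normalised
```

Flagged records can go straight to the "wall of honor" instead of the suppression list, and the reject reasons give the front end something concrete to show without ever echoing the submitted string back unescaped.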
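For avodonosov's robots.txt idea above: the defensive half of it is simply noticing which clients fetch paths that `User-agent: * Disallow:` told them not to. The block below is an added example (it is not the snippet avodonosov links to, and not anyone's production code); the robots.txt and the combined-format access-log lines are constructed for the example, and `/trap-do-not-follow` is an assumed tripwire path that nothing legitimate links to:

```python
"""Find crawlers that ignore robots.txt by replaying an access log.

Added example; not code from the thread. Any client that requests a path
covered by a Disallow rule for "*" is reported, together with the
User-Agent strings it used, so it can be rate-limited or blocked.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set

# Constructed robots.txt; the tripwire path is not linked from anywhere.
ROBOTS_TXT = """\
User-agent: *
Disallow: /private/
Disallow: /trap-do-not-follow
Allow: /
"""

# Constructed combined-log-format lines (RFC 5737 documentation addresses).
ACCESS_LOG = """\
203.0.113.7 - - [26/Jul/2022:19:11:03 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Jul/2022:19:11:04 +0000] "GET /robots.txt HTTP/1.1" 200 80 "-" "GoodBot/1.0"
198.51.100.23 - - [26/Jul/2022:19:12:10 +0000] "GET /robots.txt HTTP/1.1" 200 80 "-" "BadBot/2.1"
198.51.100.23 - - [26/Jul/2022:19:12:11 +0000] "GET /private/report.pdf HTTP/1.1" 200 99 "-" "BadBot/2.1"
198.51.100.23 - - [26/Jul/2022:19:12:12 +0000] "GET /trap-do-not-follow HTTP/1.1" 200 10 "-" "BadBot/2.1"
192.0.2.9 - - [26/Jul/2022:19:13:00 +0000] "GET /privateer HTTP/1.1" 200 10 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" \d+ \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def parse_disallow_prefixes(robots: str, agent: str = "*") -> List[str]:
    """Return the Disallow prefixes in the group for `agent`.

    Only a single named group is handled, which matches the
    `User-agent: * Disallow: /path` form quoted in the thread.
    """
    prefixes, in_group = [], False
    for line in robots.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "user-agent":
            in_group = (value == agent)
        elif key == "disallow" and in_group and value:
            prefixes.append(value)
    return prefixes


def is_disallowed(path: str, prefixes: List[str]) -> bool:
    """robots.txt Disallow values are prefix matches on the URL path,
    so '/private/' covers '/private/x' but not '/privateer'."""
    path = path.split("?", 1)[0]             # ignore the query string
    return any(path.startswith(p) for p in prefixes)


def find_violators(log: str, robots: str) -> Dict[str, Set[str]]:
    """Map each client IP that fetched a Disallowed path to the set of
    User-Agent strings it used; an empty dict means nobody misbehaved."""
    prefixes = parse_disallow_prefixes(robots)
    hits: Dict[str, Set[str]] = defaultdict(set)
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if m and is_disallowed(m["path"], prefixes):
            hits[m["ip"]].add(m["ua"])
    return dict(hits)


if __name__ == "__main__":
    for ip, agents in find_violators(ACCESS_LOG, ROBOTS_TXT).items():
        print(f"{ip} ignored robots.txt as {sorted(agents)}")
```

The result is a block list rather than a payload: feeding the IPs to a firewall or rate limiter is the part that keeps the same crawler from consuming your upload bandwidth again.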
grnmamba wrote:
| I just put in random gibberish and submit. Too many undeliverable mails can cause the sender to be punished by their mailing service.

edm0nd wrote:
| your website is down homie.
|
| "What kind of chip you got in there, a Dorito?"

sodimel wrote:
| My tiny webserver is fine, but my connection is pretty low today, preventing you from even reaching my server :(
|
| Keep refreshing, maybe you will find a way to this txt file :P

melllvar wrote:
| your Windows boots up in what, a day and a half?

lesuorac wrote:
| I've wondered if that's why I can't always sign up for a webpage using their domain before the @ (ex. ycombinator@personaldomain.com). In that somebody else already signed up using webmaster@ycombinator.com and so in response they reject any emails containing "ycombinator".

mwint wrote:
| This seems like a weird and computationally expensive validation to perform, but it does explain your observation.

munk-a wrote:
| As a bonus - write yourself a little browser script that accumulates companies you do this to so that you can sign every spammer up for every other spammer's mail.

treeman79 wrote:
| I moved out of California many years ago and their fast pass system kept calling me daily to inform me my balance was low.
|
| I couldn't get them to stop calling me or cancel the account.
|
| So I changed my phone number to their support line number. Never got another call.
|
| 15 years later I wonder if they still call themselves.

EddieDante wrote:
| This pleases me.

ortusdux wrote:
| I've been entering in short complaints as email addresses for a while now. My hope is that the right person will see "whythehhellwouldisignupforyournewsletterafter10seconds@nevercoming.back" and get the message.

legitster wrote:
| I run an email marketing database. You might be pleased to know we keep a little "wall of honor" of the best fake emails we've been given.
logifail wrote:
| > the best fake emails we've been given
|
| If I were to do this, the email wouldn't be fake!
|
| I have hundreds of email aliases on my (main) domain, and the list keeps on growing.

ortusdux wrote:
| I have a catchall for my domain, so most sites get a unique website@mydomain.com email and a unique password. Not only does it help against password leaks but I also can find out very quickly if someone sells the unique address.

willcipriano wrote:
| I have a 3 character plus tld domain for this purpose. I used to run my own server with Postfix and Dovecot, I was able to deliver mail and it all worked but Microsoft can do the same thing for less money and effort.
|
| The best part of running Postfix was I could add domains and addresses to a denylist and it would bounce the email and the sender's server would often put a REJECTED message in their inbox. The email equivalent of slamming the door.

srcreigh wrote:
| Care to share any?

legitster wrote:
| Most of them are just various conjugations of swearwords or attempted script injections.

toddm wrote:
| Reminds me of one of my favorite meeting abstracts from David Mazieres and Eddie Kohler at Stanford:
|
| https://www.scs.stanford.edu/~dm/home/papers/remove.pdf

the_biot wrote:
| When I get spam from a local-ish company I always send an abuse mail to their ISP or email provider. Sometimes it's ignored and I keep getting spam from that particular bunch of shitheads.
|
| So I set up my .forward to bounce spam from that company right back to any email addresses I can find for them _and_ their ISP. Every spam I get, I add another copy to the list. The folks at xertog.com currently get 8 copies each to their noc@, sales@ etc for every spam they send me.

GordonS wrote:
| Wow, that's dedication!

timwis wrote:
| Aren't you worried about your own domain getting flagged for spam since you're effectively (forwarding) sending spam?
the_biot wrote:
| Yeah, these spam-friendly ISPs might flag me for forwarding their spam. Quaking in my boots as we speak.

sam0x17 wrote:
| I remember in '09 or thereabouts there was a tool called SpamItBack that literally would just send spam all day to known spam addresses while you let it run.

aendruk wrote:
| Usually I'll add +myfeelings on the local part in case their MTA does subaddressing. And making it unique increases the chances of adding a new entry to their list.

devonnull wrote:
| This reminds me of a trick a friend used to do: he'd collect the email addresses of spammers who'd targeted him and put them into a file on his website. Not sure whether that worked or not, but it's fun to imagine that it did.

sodimel wrote:
| Some French blogger did this to people contacting him for putting sponsored content on his website.
|
| The text on his contact page literally starts with "warning: if you want to pay me to put something on my site your email address will be leaked on this page". Funny how many people won't read any content of a website but still want to pay in order to put content on them :P

DonHopkins wrote:
| https://news.ycombinator.com/item?id=12951917
|
| DonHopkins on Nov 14, 2016, on: The NHS's 1.2M employees are trapped in a 'reply-a...
|
| Back in the days of ARPANET mailing lists, there used to be an "educational" mailing list called "please-remove-me", that was for people who asked an entire mailing list to remove them, instead of removing themselves, or sending email to the administrative "-request" address.
|
| So when somebody asked an entire mailing list to remove them, somebody else would add them to the "please-remove-me" mailing list, and they would start getting hundreds of "please remove me" requests from other people, so they could discuss the topic of being removed from mailing lists with people with similar interests, without bothering people on mailing lists whose topics weren't about being removed from mailing lists.
|
| It worked so well that it was a victim of its own success: Eventually the "please-remove-me" mailing list was so popular that it got too big and had to be shut down...
|
| ...Then there was Jordan Hubbard's infamous "rwall incident" in 1987:
|
| http://everything2.com/title/Jordan+K.+Hubbard

temp0826 wrote:
| Something similar happened (multiple times?) when I worked at AWS when someone decided to send a mass email to literally the entire company and people inevitably reply-all enough to clog the system and bring it to its knees. Many confused people were replying "UNSUBSCRIBE" (again, to the whole company) as if it would take them off.

hinkley wrote:
| Then you get a group of people panicked about the panic who start replying all saying please stop replying all to this email, and then people replying to them to point out how they are just making the problem worse...

Akronymus wrote:
| Or a few people have autoreplies that they are out of the office...

hinkley wrote:
| Hey it's a party, everyone is invited!

dvtrn wrote:
| _right clicks thread, mouses over "create new rule", begins sweating profusely_

nonameiguess wrote:
| This happened to the _entire US federal government_ in 2014. Someone reply-all'd a mailing from the General Fund Enterprise Business System notification asking to be taken off the list, and it escalated as then thousands of people who didn't realize they were on this list did the same thing, then got worse when smart asses reply-all'd telling other people not to reply-all.

dylan604 wrote:
| Part of the problem is from admins creating lists and putting users on them without the user knowing anything about it. Can you blame users for being confused and seeking to get off a list in the only way they know how? IT Admins bear blame in these incidents. The users just make it fun for everyone but IT, but IT hopefully sees the fun later when they aren't running around putting out the fire.

lwswl wrote:
| state duplication

molticrystal wrote:
| In more modern times, within the last couple months, there was the Epic/Unreal Engine Github Email Storm[0][1] at minimum 60m emails, because a few hundred thousand people were getting over a hundred emails within a minute or so thanks to a user trying to get a minor patch pulled in so they could get some credit/resume line/who knows. They "@"tted the whole membership of the organization. There were a few repeats of the occurrence immediately afterwards as well by some trolls.
|
| A fun aside is the article on wikipedia [1] begins with Jordan Hubbard and ends with Epic:
|
| [0] https://linustechtips.com/topic/1435395-epic-games-github-em...
|
| [1] https://news.ycombinator.com/item?id=31627061
|
| [2] https://en.wikipedia.org/wiki/Email_storm

banana_giraffe wrote:
| Reminds me of Bedlam DL3 at Microsoft:
|
| https://techcommunity.microsoft.com/t5/exchange-team-blog/me...

dmitryminkovsky wrote:
| Thanks for re-sharing!

janci wrote:
| Once I got on some internal distribution list of a client. I did not need those emails, plus they were all in Hungarian, of which I do not understand a word. I tried multiple times to contact the sender and asked to remove me to no avail.
|
| The ultimate thing that helped immediately: reply-all to hundred recipients. (Also got my account blocked from sending emails for a while. Fun)

mcnesium wrote:
| > discuss the topic of being removed from mailing lists with people with similar interests
|
| lol

Minor49er wrote:
| I basically do this too, though I just put in some random gibberish (or "admin" or "info" or something) before the domain. I figure they probably have some catchall email address, and if not, nothing wasted.
|
| On the other hand, if you _do_ want a one-time piece of email, but don't want to be subscribed to a mailing list, check out sharklasers.com. It's a free temporary email service that works pretty well.

sodimel wrote:
| I usually search "tempmail service" on some search engine and take a random link.
___________________________________________________________________
(page generated 2022-07-26 23:00 UTC)