How To Get Websites To Ban Sign-ups From Gmail.com Accounts

An anonymous reader writes "Paul Tyma describes a simple, elegant, and hilarious method that Mailinator (hypothetically, of course) used to mess around with people who scraped its webpages in order to block its alternate domains. Quoting: 'Remember all that script-detecting code from the anti-abuse system? Well, what if I put that in here too, I thought. Let's "detect" when a script is hitting our weensy alternate-domain page. ... And what if after about 30 page hits from the same script (or so), stop displaying actual alternate domains and start sprinkling in some other things. Hmm... but what other things? I know — how about "gmail.com". Or, um, "hotmail.com". Or maybe, "yahoo.com."'"

Counterfeit Bitcoins Caused Price Crash

An anonymous hacker used phony Bitcoins (BTC) last month to drive down the price of the online currency from $17.50 to a penny within the span of 30 minutes, Bitcoin exchange firm Mt.Gox has revealed. The hacker was able to create 2 million counterfeit BTC by manipulating the company's trading database after gaining access to a compromised administrator account on June 19, according to Adam Barr, head of support for Mt. Gox.
The hacker also assigned about $1 million in phony cash to the compromised account. After a massive volume of Bitcoins entered the Mt.Gox system, the price of the online currency crashed, creating a buying frenzy. The online thief ultimately got away with 2000 authentic Bitcoins before the site's security measures kicked in to stop trading.
Mt.Gox said user accounts were not compromised during the exploit and has promised to replace the stolen Bitcoins at the company's expense. The fake Bitcoins and cash "existed inside Mt.Gox alone," Barr says, and could not be transferred into a wallet for use in another exchange.
Bitcoins use a public-private key system to ensure the currency cannot be forged. To sell or buy Bitcoins in your virtual wallet, you need the right private key (basically a really long number) to prove that the Bitcoins are really yours. The person on the other end of the transaction needs your public key. However, when trading happens in real time, Mt.Gox relies on a simple database tracking each user's Bitcoin and cash balances to carry out transactions, according to Barr. The public-private key setup only comes into play once the Bitcoins are taken out of trading and placed in a user's wallet.
Although the Bitcoin system allows for anonymity, user wallets can be tracked. Mt.Gox has given competing exchanges the numbers required to identify the stolen Bitcoins in the hopes the thief will not be able to turn his ill-gotten gains into hard currency. The company has also alerted law enforcement, but it's unclear if police will investigate. Mt.Gox is based in Japan. SQL Injection Suspected
Mt.Gox's user database recently leaked online and the company suspects the anonymous hacker was able to gain access to the administrator account using the leaked information. The stolen database included e-mail addresses, user names, and encrypted passwords. It's unclear how the database was stolen, but Mt.Gox believes the hackers exploited an SQL injection vulnerability in its network that the company discovered in late June.
A typical SQL injection allows a malicious hacker to submit code into a text field submission box such as a web form asking for your name, address, and so on. If proper precautions aren't taken, a website's server will execute the code giving the perpetrator access to the site's databases. Originally, Mt.Gox suspected its database leaked online after "someone who performs audits on [Mt.Gox's] system" had their computer compromised. Change Your Password Now
Despite using encryption, Mt.Gox is warning its users to change their passwords immediately if they didn't do so after the price crash on June 19.
bitcoin currency hacker security"Our users and the public should know that these hashed [encrypted] passwords can be cracked, and many of our users' more simple passwords have been cracked," Mark Karpeles, CEO of Mt.Gox parent company Tibanne, LLC, says in a statement. Mt.Gox users should also change their login credentials for any other online accounts that use the same password.
Mt.Gox said it now uses SHA-512 encryption for user passwords to prevent a similar data breach in the future. The company also changed its system so that administrators cannot so easily edit the trading database, Barr says.
Since the data breach, Mt.Gox has been busy rebuilding its system to handle the massive amount of business the company says it was unprepared for.
"Our dated system was built as a hobby when Bitcoins were worth pennies a piece," the company says in a statement. "It was not built to be a Fort Knox capable of securely handling millions of dollars in transactions each day...We are certain that the launch of the new site will exceed the rightful expectations our users have of the service. We only hope that we can once again earn the trust of the Bitcoin community."

Re:Counterfeit Bitcoins Caused Price Crash

tl;dr

Re:Counterfeit Bitcoins Caused Price Crash

[Jeng]

Have you thought about submitting that story? Cause it sure beats the topic at hand.

Re:Counterfeit Bitcoins Caused Price Crash

After reading half of this post I thought: was that the cause of all those subluxations?

Re:Counterfeit Bitcoins Caused Price Crash

[marcosdumay]

Except that being vunerable to counterfeiting is one of the (maybe very few) problems that Bitcoins don't have.

Re:Counterfeit Bitcoins Caused Price Crash

[julesh]

Interesting post, but a point of inaccuracy:

The hacker was able to create 2 million counterfeit BTC by manipulating the company's trading database after gaining access to a compromised administrator account on June 19

No, the hacker didn't create any counterfeit BTC. He only convinced Mt Gox that he had given them 2 million BTC to hold in escrow for him when in fact he hadn't. Which is a very different thing: the former would indicate a flaw in the entire system, whereas the latter is an isolated event that screwed up a single trader and has no real implications for other BTC users.

Summary

Makes no fucking sense. A/C's bitcoin post above makes more sense.

Re:Summary

[SleazyRidr]

I figured you were trying to be funny, but I went and reread both of them and you're right, the bticoin post is a lot easier to follow.

Re:Summary

TFS and TFH are disgraceful, or as I like to call them, slashdotesque. TFA is relatively entertaining though, once you figure out what the fuck mailinator is.

Re:Summary

[tenchikaibyaku]

I'm glad I'm not the only one who was left wondering what the hell this was all about.

The short story: "Mailinator is a free, disposable email service". Some site operators wants to block people with this service from registering. There's a way of listing all the domains used by Mailinator (by generating a bunch of new throwaway addresses?). Mailinator in turn has a way to detect when a script is trying to go through this list.

The amazing idea is to detect when a script is scraping this list, and feed it bogus data like "gmail.com".

Re:Summary

The Bitcoin post just looks dumb; phony Bitcoins? doesn't exist; they're cryptographically signed, the whole post is ridiculous. The article, on the other hand, is very simple, if you know what Mailinator is.

Basically, it's a free webmail with no registration, no password, no security whatsoever: just send an e-mail to testaddress@mailinator.com, go to mailinator.com, and tell it you want to see the e-mails for "testaddress".

So if you go to some website and it wants your e-mail address so that it can spam you, you put in a mailinator address instead. But then the website gets wise to this and tells you that you're not allowed to put mailinator addresses in the e-mail field when you register. So Mailinator constantly creates new domains that work identically, and gives you a handful of them when you visit the site. Websites got wise to that too, and had scripts that automatically checked Mailinator and automatically blacklisted all the domains it listed.

Well, hypothetically speaking, if Mailinator's server detected that it was being accessed by a script, it could list whatever domains it wanted (google? yahoo? hotmail?) and the script would dumbly blacklist them. Result: now you can't sign up for $shitty_web_registration_account using your $real_Gmail_address, what the fuck?

Re:Summary

[Mad+Merlin]

It baffles me that people still require email addresses for random account signups. Either people are going to provide their email address, or they're not. Make it required and they'll just feed you a fake/disposable one, or not make an account at all. How about you treat your (potential) users with some respect and just make the email optional? That's what Game! does and it works well.

Re:Summary

[tepples]

Result: now you can't sign up for $shitty_web_registration_account using your $real_Gmail_address, what the fuck?

A few web sites, such as Pocket Heaven, have been seen to block signups using free webmail providers such as hotmail.com, gmail.com, and yahoo.com. They want people to sign up using e-mail addresses at an ISP's domain.

Re:Summary

[SleazyRidr]

I think you should be offered a job as a /. editor. I actually understand it now, thanks!

Re:Summary

[nitehawk214]

Thanks AC. Why the fuck couldn't TFS had just said this? Your summary makes more sense than TFS, TFA, or the Bitcoin BS post.

Re:Summary

There is a page which simply lists all alternative domains that you can use in your throwaway addresses. Web sites regularly download that page and parse it to add any new domains to a blocking list, so that when a user tries to register on these web sites with an email address based on a new Mailinator domain, the registration is automatically rejected. Mailinator detected (detects?) automated accesses to this list of domains and instead of simply returning an appropriate error code, they generate a fake list of domains. When common web mailer domains are added to the list, they end up blocked by the sites which scrape the Mailinator domain list page.

Welcome to the wonderful world of automated black lists and the associated pitfalls. Some people haven't received a bloody nose yet and are still willing to learn the hard way. For example: Your server is hit with a SYN flood attack. Do you add the source IP addresses to the firewall blacklist or do you still need to talk to the .com domain name servers?

Re:Summary

[hedwards]

Whenever I see a site that bars free email addresses from sign ups, I interpret that as them not wanting my business. I've learned from past experience not to use an ISP email address as the don't let you keep it when you change ISPs. Likewise for school email and anything which I have to maintain something in order to keep. I'll log in periodically to maintain an account, but that's it.

Services that require one of those special addresses aren't doing themselves any favors.

Re:Summary

Nice try, FBI.

Re:Summary

[Mindcontrolled]

Thanks for the translation. The summary really could have been some random gibbering from a not yet fully grown spawn of an avatar of the Crawling Chaos. Horrid, but incomprehensible.

Re:Summary

[Rifter13]

I completely agree. Gmail IS my email address. Stop me from using it, and I don't have another. Oh, I use qwest... and I think I have a hotmail address through them? Morons.

Re:Summary

[SuricouRaven]

At least one muck does likewise, but in their case it's for another reason: They want an address they can be sure is legally traceable to turn over should the police request it. The operators are very legally cautious, as it's a place where lots of sexual scenes get played out, and they want a way to make sure that should drama occur they can pass the buck and not need to be involved any more than they must.

It's a common fear of small service operators - one user commits a crime, and the investigators may just sieze the entire server and the backups to be sure they get everything of use to them.

Re:Summary

[SuricouRaven]

"Likewise for school email "

The IT staff read your emails.
- A school IT worker.

Re:Summary

[element-o.p.]

Well, at least TFS proves to us that the /. monkeys aren't quite ready to duplicate the works of Shakespeare yet ;)

Re:Summary

Not that it's in any way relevant to the topic, but just because you're an unethical little shite doesn't mean everyone is.

Re:Summary

[CTU]

Then they can read all the emails the school sends me...which is mostly useless stuff anyways :P

Re:Summary

[Malenx]

The moment I required email addresses was the moment I got focused by some stupid Russian botters and spammed with new accounts.

Re:Summary

[Mindcontrolled]

True, but I fear what they might be able to conjure up if they follow down this path. This summary is not that far from "IA! IA! AZATHOTH FHTAGN! IA! IA! AZATHOTH NEBLODZIM FHTAGN!" And we all know where that ends.

Re:Summary

[TheRaven64]

Seriously? The only email address that you have is one that is controlled by the whim of a third party? If you're going to use gmail, at the very least you should register a domain and tell gmail to do that, then if Google decides to cancel your account (which they are entitled to do, for any reason), you don't lose your email address.

Re:Summary

[Rifter13]

Ok, I have more than one. Gmail, Yahoo, Hotmail... but Gmail is what I use as my email box. I have had it since I got an invite early on. I have had it longer than any ISP I have ever used. I DO own a few domains, but don't actually use them for email explicitly. From time to time. So, I could get around restrictions, but, if they don't let me use Gmail or maybe Hotmail, I won't use their service. I have yet to find any service online that was SO pressing, that I would work at getting another email address for them.

Re:Summary

[EdIII]

Maybe. I can tell you from experience that it will entirely depend on the investigator.

That moron from the FBI will be infamous forever for his rampant stupidity in destroying hundreds of businesses by taking every server in the entire data center.

If the investigator is reasonable, and you are performing services on behalf of another company or user, you can calmly explain that seizure is not required. That the investigator is far better off using you as an expert to get the information they need instead of destroying you for 24 hours until you can come back from backups, or if you are lucky, be located in geographically dispersed locations beyond his/her jurisdiction.

I know personally of just a situation in which the investigator was talked out of seizure and convinced that the best people for the job to help with forensic analysis of the customer, their code, and their databases was the operator himself. Even got paid by the government to keep the server up and running and provide reports about the network traffic, customers, accounts, transactions etc.

All of that being said, it is ridiculous to assume that a ISP based email address, or personal/corporate domain email address is anymore "legally" traceable than any of the free services. If I want to send an anonymous email that cannot be tracked, I will be able to do so quite easily.

I proved this years ago. Some guy in the office said that he could track everybody by email and that it could not be faked. Well a couple of email messages sent from him announcing his romantic intentions towards a horse that he tracked back to his email server, and tracked back to his station convinced him otherwise.

Email is not proof of an identity. The use of email at any one time is not conclusive proof that the owner of the account even originated the email message at all. Unless each email is encrypted and signed, there is no way to conclusively link the email or its content to an individual........ Just like an IP address.

We all know that WPA2 can be cracked in under 15 minutes with the right resources and the most wireless security is akin to a wet paper towel to anybody that possesses to tools and knowledge.

Turning it over to the police is the easy part. Convincing an ignorant investigator that seizing $50k worth of equipment is overkill and just taxes their forensic resources is the hard part. To say that is legal in a court of law is something to that will depend on how good the lawyer is. Give me 15 minutes in a court room and I can convince anybody that I can impersonate just about anybody on the Internet in a fairly short period of time. You don't need to be a super hacker to do it either. Just download some tools and script kiddie away! :)

Re:Summary

[igreaterthanu]

The Bitcoin post just looks dumb; phony Bitcoins? doesn't exist; they're cryptographically signed, the whole post is ridiculous.

Think of BitCoins as money that is impossible to forge, and MtGox as essentially a bank. The "phony bitcoins" refers to a database entry on MtGox that said that one account had a large number of cash that never really existed in the first place. In theory all the database entries should sum up to the total amount of cash at MtGox, but in this case nothing stopped it.

As for Mailinator, couldn't one write a script that sent to a random email address at a particular domain e.g. adflas2343872938743@gmail.com and see if it bounces? If it bounces, it isn't a mailinator address.

Re:Summary

I use Hotmail as my primary account for a very simple reason: I've moved 3 times since I got the account and changed ISPs 5 times in that time frame. I go to a website I ahven't been to in a few years... guess what, I've registered under the Hotmail account. That account you said I had to use my ISP account for... oops I don't have access to that account anymore, sorry. Not that it matters, it was the email I only checked when I needed to register for a website and every other post in it never got checked.

Re:Summary

[shutdown+-p+now]

They want people to sign up using e-mail addresses at an ISP's domain.

It's been a few years since I last got an e-mail address from an ISP...

Re:Summary

It should be mentioned that google is one of those that ban mailinator emails from it's registration service. $shitty_web_registration_account for sure.

Re:Summary

[shutdown+-p+now]

We all know that WPA2 can be cracked in under 15 minutes with the right resources and the most wireless security is akin to a wet paper towel to anybody that possesses to tools and knowledge.

Only TKIP can be easily attacked. I'm not aware on any known vulnerabilities in WPA2 with CCMP (AES), and that has been a standard for 4 years now.

Re:Summary

Haven't you guys heard of "email address augmentation"? Like mygmailaccount+anycrap@gmail.com works as well as mygmailaccount@gmail.com. You can use the "augmented" gmail address on any Web site that requires an email address. You don't really need any "disposable" email addresses, you just need an "augmented" gmail address. You can create a gmail filter on your "augmented" gmail address to filter the crap out. It's not really rocket science, if you RTFGmailM.

Re:Summary

Haven't you heard of the dumbfuck asspirates who use stupidly wrong "validation" filters for email addresses and tell you "it has a '+', so it's not a real email address"? They only run about 30% of websites...

Besides, that feature of gmail is so well known, I have a hard time believing any buyer and seller of email lists doesn't run 'sed s/\+.*@gmail.com/gmail.com/' over his list to dodge those filters.

Re:Summary

[Tubal-Cain]

Some sites have choked on the "+", but yeah it works pretty well. I understand that you can also liberally sprinkle periods throughout your username (ie my.gmail.account@gmail.com) for the same effect.

Re:Summary

[Jane+Q.+Public]

Depends on what you mean by "easy".

It's easy to get the encrypted key. Not necessarily so easy to break the encryption. But sometimes people get lucky.

Re:Summary

[Jane+Q.+Public]

Also, many people are not aware (and law enforcement, lawyers, and even judges sometimes tend to "forget") that if there is a method for obtaining the information that is less intrusive than seizure, then law enforcement is not just encouraged but required by law to use it.

So if you have even a halfway-reasonable plan that would eliminate the need for outright seizure, they are duty-bound to listen to it.

Re:Summary

"Likewise for school email "

The IT staff read your emails.
- A school IT worker.

Do they now? How bored could they possibly be?

Re:Summary

[Jane+Q.+Public]

The bounce idea is good but you don't actually have to wait for a bounce. Most mail server software verifies addresses before accepting emails (so that it can bounce if necessary). You can use (or write) software that goes through the handshake process, and then when the server sends back the signal that means "ready to receive", you just don't send an email. Voila. Your email address has been verified. A lot faster than if you actually tried to send an email to check it.

Re:Summary

[Jane+Q.+Public]

"It baffles me that people still require email addresses for random account signups. Either people are going to provide their email address, or they're not. Make it required and they'll just feed you a fake/disposable one, or not make an account at all."

Then you aren't serious about using their service, so why the hell should they care?

The fact is that for legitimate businesses, the email registration is not for them so much as it is for the customer: there has to be a way to consistently identify that customer as an individual. It doesn't matter what name is on the email account, but if you have control over that account you are assumed to be the individual who signed up that account.

It's not a perfect system, and lots of companies augment it with various ways to recover your account if you forget it, or change emails addresses, etc. But as imperfect as it is, it is a good system that works better than 99.9% of the time.

If you are just going to use a fake email address or whatever, you aren't serious about being a customer, and you probably would not be able to use an online pay system or credit card on that account anyway, so why should the company care? You may think they're wasting your time but I assure you, they think the same of you.

Re:Summary

Thank you, captain obvious. Now finish your thought exercise.

After it blocks gmail, they realize something is wrong(possinly alerted by frustrated users) and stop blocking gmail. They possibly unblock some mailinator domains too. They probably quit crawling mailinator...

Re:Summary

If you use a gmail account only for signing up for stuff, then you can add a filter to incoming mail that deletes anything going to the address without the + filter. The 30% website part is true and that is why I am not able to do that trick.

Re:Summary

[kent_eh]

Rogers (major cable ISP in Ontario) doesn't even have their own customer mail accounts any more. They contract it to Yahoo, the last time I checked.

Re:Summary

[StayFrosty]

The Bitcoin post just looks dumb; phony Bitcoins? doesn't exist; they're cryptographically signed, the whole post is ridiculous.

Actually it is possible. Mt. Gox keeps the amount of bitcoin in a member's database--much like a bank where your account balance is nothing more than a number in a database. If someone compromised Mt. Gox's database they could potentially increase the amount of bitcoin the database says their account contains. Then the malicious user could transfer the bitcoins to their own wallet essentially stealing the the bitcoin from Mt. Gox.

Re:Summary

[phopon]

As for Mailinator, couldn't one write a script that sent to a random email address at a particular domain e.g. adflas2343872938743@gmail.com and see if it bounces? If it bounces, it isn't a mailinator address.

Most email servers don't bounce anymore. Spammers used that to determine legitimacy of email addresses and purged bad emails. Now gmail and hotmail and such (the big ones) stay silent as to whether or not the email made it to a destination.

Re:Summary

[EdIII]

LOL

I'll take your word for it. However, that moron in the FBI may have been duty bound to listen, but obviously was the agent known as the "Fucking Retard" by the IT staff that has to take care of him at his office. We all know who they are at our offices we have been at don't we? :)

Duty bound is great.... when the agent is smart enough to understand that not every thing with a blinking light on it in the building needs to be transferred and processed into evidence.

I think the reason why the people I mentioned had an easier time was not only that the spoke slowly and calmly but *convinced* the agent that they were not the responsible party, were impartial, wanted to help law enforcement, and could be a valuable asset to the agent to help him nail his suspect to the wall.

Re:Summary

[EdIII]

Encryption is vulnerable in two ways (I am not touching Quantum encryption here):

1) Brute force. All encryption basically works by having such a large number of possible keys that to brute force it would take years, if not life times. A simple dial combo lock could be brute forced in a week with a robot. Depends on the number of values on the dial, but last time I checked there were only 275k approx unique combinations. A robot would probably get the right one if it were checking one every 3 seconds or so.

2) You get a bolt cutter and cut the damn combo lock. This is where cryptanalysis comes into play. You find a mathematical or algorithmic weakness in the design or implementation that you can exploit to predict or outright obtain the key just by analysis of the cipher text and the exploit.

I remain wholly unconvinced that any of the encryption algorithms today will stand up over time to have no weaknesses found.

Re:Summary

[EdIII]

TKIP is all you need.

By default 99% of all wireless and router manufacturers default to TKIP and AES when you choose WPA2 in the management screen. You actually need to choose just AES, if it offers it all. Additionally, I have found that leaving out TKIP causes more complaints because somebody's shiny POS can't negotiate correctly and when IT stands its grounds they are usually seen as inflexible, jerks, and not team players.

Hence, TKIP is practically everywhere right now. I don't think WPA2 is that much more secure right now than WEP. For a couple thousand dollars I could build a machine, or just get Amazon EC2 and have the resources to get through in a couple days. 15 minutes you would need some pretty serious resources behind you, but a smaller person could still do it with a few hours of packet captures and a few days of crunching on a home made GPU farm.

I still get your point though, you can secure WPA2 wireless with AES and a strong enough passphrase to make it suitably secure for most situations.

I still go the extra mile and create two wireless networks. One for secure access and one for public or recreational access. That way all the guests, execs, and employees get to connect their iCrap, Smart phone, etc. to a public network, and the execs have to negotiate secure VPN tunnels over wireless to gain secure access on their corporate laptops.

I myself connect the same way on my wireless and anything I connect to uses SSH with keys.

Re:Summary

[dadioflex]

I agree, your post just saved me from RTFA. Thanks!

There are so many temporary email address sites now, the smaller ones seem to fall through the cracks. I'd mention them but then they'd get slashdotted....

Re:Summary

[pjt33]

Unless the server is implementing grey-listing, and will tell you the address is unavailable the first time.

Re:Summary

No-one is forcing you to use an ISP address, just register a domain.

Why would you consider yourself beholden to the ISP if you use their e-mail system, but not Gmail?

Re:Summary

[julesh]

Besides, that feature of gmail is so well known, I have a hard time believing any buyer and seller of email lists doesn't run 'sed s/\+.*@gmail.com/gmail.com/' over his list to dodge those filters.

I'm a long way from convicned. Looking at the addresses at my domain that receive spam, it seems most lists are curated with the attention to detail of a distracted 7 year old with ADHD. The number of times I see mail to addresses that would be valid if the first character hadn't been omitted, or have part of the address repeated ('julesules@mydomain'), or take two separate addresses and combine them ('julesmydomainpostmaster@mydomain'), it just seems to me nobody actually cares what's on those lists.

Re:Summary

[dbrueck]

Banning free email services is dumb, but requiring an email address of some sort makes a lot of sense - it's a great unique identifier, you automatically establish a mechanism for password recovery and, if you don't abuse it, it gives you an out of band channel for contacting your users in the event of a major outage or some such event.

Re:Summary

[Man+Eating+Duck]

Encryption is vulnerable in two ways

3) Rubberhose (or, in some jurisdictions, legal) cryptanalysis. An unscrupulous third party will always get at your data if they deem it valuable enough.

Re:Summary

[dave420]

Well, technically that's a phony record of bitcoins, not phony bitcoins themselves.

Re:Summary

[shutdown+-p+now]

All encryption basically works by having such a large number of possible keys that to brute force it would take years, if not life times.

Your scale is way off - measuring this in "universe lifetimes" would be much more accurate.

I remain wholly unconvinced that any of the encryption algorithms today will stand up over time to have no weaknesses found.

It would require some pretty revolutionary math advances to do so. And the odds are not exactly in your favor so far - RSA is, what, over 30 years old now, and the central idea is still as secure as ever.

Another point is that a "weakness" in cryptography really only means "faster than bruteforce"; it doesn't mean "fast enough to be practical". So if it takes 1 billion years instead of 10, it's a "weakness", but for practical purposes nobody cares.

And then, of course, it doesn't take long to come up with a new crypto algorithm and start using it if the old one is broken to the point of being useless. Just look at how rapid the uptake of AES was.

Re:Summary

[shutdown+-p+now]

By default 99% of all wireless and router manufacturers default to TKIP and AES when you choose WPA2 in the management screen.

It seems to be changing. My wireless router - which came from the ISP, no less - had CCMP enabled out of the box. So far I haven't found a device that couldn't connect to it, either.

Re:Summary

[EdIII]

With respect, your scale is way off. It hardly matters what algorithm you are speaking of either. 60th order permutations? 100th order permutations? Leaving Quantum computing aside, I would think it would be hubris to claim that in the lifetime of a universe that a sentient race could not construct a machine capable of exploring that many permutations within a viable time frame.

Sure, 60th order sounds like a lot. However, if we were both in 1960 and I told you that in 2011 you can purchase as a consumer a machine capable of 159,000 MIPS, I believe your first question would be, "What is a MIPS?". When I tell you that it stands for Million Instructions Per Second I think your disbelief and awe would be that you could even do 1 MIPS, let alone thousands. Then when I tell you how much a machine that fits in my hand could do you would be shocked.

You're not accurate in your assumption, or your calculations. Furthermore, GPUs have been shown to be better capable for some cryptanalysis operations than a regular CPU. For similar reasons this is why there are video encoding products, hopefully open source ones soon, that shift that processing from the CPU to the GPU and see a very large performance increase.

So who can really say how many MIPS, BIPS, or TIPS we can do in 15 years? Who can really say how many orders of permutations per second we can attempt on a given cipher text?

In the words of one of my favorite characters, "I don't think that means what you think it means".

As for the revolutionary math..... dear god man... what would say has happened in the last 100 years? A Russian janitor solved with pencil and paper a shortest path problem (IIRC) that was considered revolutionary.

Yes, there will always be a cold war in cryptography but you may have a router capable of AES out of the box, but why are we having such a big IPv4-IPv6 problem again?

It's because the firmware on the millions of devices out there don't support it. So for practical purposes it does not matter if the DOD has an encryption algorithm designed by the NSA for military use that is as strong as you suggest, when it is not running on John Smith's wireless router down the street.

AES uptake was fairly rapid, yet the options for the older stuff were still around. I can't say how many devices you can support, but from my experience I did attempt to lock down all wireless with AES and long passphrases only to get pushback from clients and users. There were a great many devices that just simply did not connect or maintain a connection. So the environment will unfortunately dictate the security that can be used in a balance between the users needs and the security of the environment.

It's funny we are talking about permutations, time frames, etc. and you mention odds :)

How do you come to the conclusion that the odds are not in my favor in the first place? I have no vested interest in seeing encryption fail. For you to calculate odds means you can predict the future.

If you were back in 1960 could you really have predicted 2011? I know I could have not done so either.

So my original point regarding encryption remains. You cannot rule out the possibility and I hardly doubt that the creators of TKIP honestly thought they designed something with a weakness in it when it obviously became vetted enough to be used so widely.

To say AES will not have one in a few years is an assumption neither of us can make. Remember, I said over time, but not what time frame. So you are correct in a sense, but the big picture is that the weakness of encryption overall everywhere is dependent on economics and availability, not just mathematics.

Re:Summary

[shutdown+-p+now]

With respect, your scale is way off. It hardly matters what algorithm you are speaking of either. 60th order permutations? 100th order permutations? Leaving Quantum computing aside, I would think it would be hubris to claim that in the lifetime of a universe that a sentient race could not construct a machine capable of exploring that many permutations within a viable time frame.

Again, mind the scale. The number of atoms in the observable universe is only 10^80.

Re:Summary

[Jane+Q.+Public]

As I say... sometimes the people charged with protecting us, in their zeal, have tended to forget what their primary purpose is supposed to be.

Re:Summary

[EdIII]

Well yeah.... that follows another security principle that if your hardware is physically possessed by another it is not longer secure.

So if you have a person that possess the key.. then I would agree that there is some pretty quick and efficient "cryptanalysis" that you can perform to obtain the key. I would hardly call that mathematical though and more akin to the brute force method :)

Re:Summary

[EdIII]

What does the physical universe have to do with math in this context? Are you saying that because the physical universe only has so many discrete "particles" in it that it somehow limits the number of possible permutations of a mathematical algorithm?

That makes no sense to me at all. Really.

I can make a number bigger than that already. Put a number on each atom in that 10^80 universe you claim exists. Then calculate how many unique numbers you could create by combining the numbers of those atoms. It is 10^80 raised to 10^80. A number significantly higher in order than anything I previously mentioned.

Re:Summary

[AmiMoJo]

It's a simple anti-spam system. Bots trying to create accounts will also need a working email account to receive the account activation link by email. Providers like gmail and hotmail make it hard for bots to auto-generate accounts, but of course not all sites do and the spammer can always use his own servers so the forums also try to ban domains that are not secure enough.

It also makes it harder for banned users to create another account because they also need a new email account. It might only take a few minutes to create one but if you ask forum admins they will tell you it is surprisingly effective.

It does seem somewhat unnecessary now we have captchas though.

Re:Summary

If you were back in 1960 could you really have predicted 2011? I know I could have not done so either.

Probably not, but Moore's law was coined in 1965, so it would not be infeasible to imagine someone of that era guessing how much computing power we'd have today.

But in all this debate you seem to have forgotten to explain how WPA2 can be cracked in 15 minutes today, I really don't care if it can be cracked in 15 minutes in 2075 just so long as it is secure today.

Re:Summary

...yes, when they're not reading Slashdot.

Welcome to the internet.

[synthesizerpatel]

Also:

* Type /sign for your IRC star-chart reading

* Type +++ for your 1200 baud modem speed doubler

Also, since you're new to the club I'd like to offer you a leech account on our private warez site - use your existing login name and password when you ftp to 127.0.0.1

Re:Welcome to the internet.

Speaking of doubles... check 'em ^^^^^^^^^^^^^^^

Re:Welcome to the internet.

[barrtender]

Also:

* Type /sign for your IRC star-chart reading

* Type +++ for your 1200 baud modem speed doubler

Also, since you're new to the club I'd like to offer you a leech account on our private warez site - use your existing login name and password when you ftp to 127.0.0.1

Quit giving away my warez hosting site! I told you to keep that a secret.

Re:Welcome to the internet.

[BadPirate]

Also, since you're new to the club I'd like to offer you a leech account on our private warez site - use your existing login name and password when you ftp to 127.0.0.1

Damn.. I've already got everything on that site :(

Re:Welcome to the internet.

I only found farm animal pr0n.

Re:Welcome to the internet.

[Noughmad]

Too late, he already posted the public IP address. I'm hacking it as we speak, C:\ is already deleted, and D:\ is about halfCARRIER LOST

SNR

The signal to noise ratio on that blog post was so low.. Here's the TLDR:

When you detect that someone is scraping your site, and you'd prefer that they didn't, start feeding them bad data in a way that they won't notice. The dataset that you've poisoned will then have side-effects that the scrapers wouldn't have expected.

Re:SNR

[MichaelSmith]

I wondered why they don't just use a captcha.

Re:SNR

Happens a lot. I just read "War and Peace". Here's the TLDR :

People in Russia lived their lives through a period of war and peace.

Re:SNR

[AnotherShep]

Are you kidding? Did you even try reading the article or going to the site to see what they were talking about?

Re:SNR

This problem is particularly annoying on a site such as Slashdot, because there are sometimes posts which are legitimately difficult to understand. When I see an article that I don't understand on here, I tend to assume that it's about some interesting-but-complicated idea which will be ultimately rewarding. This is sometimes the case. Unfortunately, I usually end up wasting my time trying to decipher something that the author could have said in two or three sentences. In the worst situations (such as this), the core idea is simply useless and wrong. It reminds me of this not-exactly-on-point xkcd:

http://xkcd.com/169/

More apropos of this article: "Communicating badly and then acting smug when you misunderstand your own terrible idea is not cleverness."

I guess what I'm really trying to say is that I'd like to find the people who submitted this article and cut off their hands.

Wouldn't that be fraud?

[zill]

Email sent to an alternate domain goes to Mailinator too! Here is one such alternate domain: gmail.com

Isn't this hypothetical situation just fraud? That's basically claiming you own the gmail.com domain and can offer mail services at that domain for free.Both claims are false and intentionally deceptive.

Even if it's not fraud Google can still sue you for damages.

Re:Wouldn't that be fraud?

If you read the horribly long blog, they don't say that (The here's one such alternative message) on the page scripts were scraping from.
It's an iframe to http://mailinator.com/randomdomain.jsp
Normal users get legit answer but if you hammer that page it serves up "other" results.

Re:Wouldn't that be fraud?

[Threni]

Just because something's not true doesn't make it fraud. Even if it were, all he'd have to do would be to say "here's either an alternative email address for this service OR a regular, existing email service from another company". Humans would have no problem determining, and scrapers get confused.

Re:Wouldn't that be fraud?

The article has a lot more details than the summary. You'll find he addressed this issue if you read it.

Re:Wouldn't that be fraud?

[zill]

I read the whole article, and it still doesn't answer my question above.

Re:Wouldn't that be fraud?

[zill]

Your alternate domain list displayed 'gmail.com'!
Hi Fred, no it doesn't. Just reloaded the homepage 10 times, nothing like that. all the best.

or I bet another would be like:

Yahoo.com? What is this some kind of joke?
Sorry, did you mean to email this to Carol Bartz? Not sure what you're talking about.

The article says some of his genuine users will notice the erroneous on the main page.

No scraper is stupid enough to just load http://mailinator.com/randomdomain.jsp
They'll load http://mailinator.com/ discard the main iframe, and then parse the randomdomain.jsp iframe.

Re:Wouldn't that be fraud?

They don't have to be jerks about it, just give the scraper it's arpa address instead.

Re:Wouldn't that be fraud?

[Penguinisto]

They'll load http://mailinator.com/ discard the main iframe, and then parse the randomdomain.jsp iframe.

...and if they hit it more than x times per second/minute/whatever, they could still get the posioned results.

Personally, I'd be ass enough to display ";DROP DATABASE *;" for a fake alternate domain as one of the commenters on TFA had mentioned, just to see if anyone complained.

Re:Wouldn't that be fraud?

[icebraining]

Nobody would download the main page. They'd load the direct page setting the appropriate 'referrer' header to seem as it is being loaded by the main page. There's no magic way to tell if the page is being loaded in a frame or not.

Loading a full HTML renderer to load the iframe inside the normal page is complete overkill.

Re:Wouldn't that be fraud?

[Ruke]

The "hypothetical complaining users" you quoted are those running scrapers, not actual Mailinator users. And yes, clearly the scrapers were stupid enough to load http://mailinator.com/randomdomain.jsp; otherwise they wouldn't have run into the garbage data.

Re:Wouldn't that be fraud?

[zill]

Why would the scraper runner email him? Why would he even both replying to these people who want to ban his service?

It only makes sense for him to answer a confused legitimate user.

Also there was no garbage data. This is all a hypothetical situation. So we have no evidence of scrapers actually falling for this silly trap.

Re:Wouldn't that be fraud?

[sabt-pestnu]

Obligatory XKCD: http://xkcd.com/327/

Re:Wouldn't that be fraud?

[Ruke]

He pretty clearly states that these hypothetical conversations are happening between users who were accessing "the page they weren't supposed to [be] accessing anyway."

And, hypothetically speaking if you had code that would sneak in these non-alternate-domains in the page they weren't supposed to accessing anyway, when would be the best time to set it into action?

Well, those scripts ran at many different times, but just after midnight seemed like a popular time-slot.

If such code existed, making it active Sunday morning from Midnight to 2am seems nice. I mean heck, if my website stopped accepting signups from "gmail.com" on some Sunday morning, I'm sure I'd be downright chipper to hop into the office and find out why.

Boy. If all that stuff happened - I wonder what kind of email conversations I'd have on that Sunday afternoon? I bet they'd be like:

The people who are banning his service are emailing him because they want to know why their automated scripts, which scrape his pages, are reporting that "gmail.com" should be banned.

Re:Wouldn't that be fraud?

[Score+Whore]

If I cared this is the scenario I envision:

I'm just ass enough to be patient and just keep eating his random domains. It's free for me to add them to the blacklist. Each on cost him $0.75 or something. And it's not like I can't republish the list. Get together with a handful of other site admins, pool our resources and we all hit the site at random times throughout the day from random locations and what do you know, in not too long it'll he'll get tired of paying for new domains.

Seems like he's on the losing side here.

Re:Wouldn't that be fraud?

[BitZtream]

There's no magic way to tell if the page is being loaded in a frame or not.

Yea, except ... you know ... see if theres been a recent request from the same browser session for the main page. You're right its not magic, its actually really simple, and its not even new. The very same thing was once used for various silly things like authing SMTP send without logging into the SMTP server by allowing sends from IP for a few minutes after seeing a POP3 connection.

Its basic SPAM prevention really, LOTS of popular sites do this exact sort of thing, including gmail and yahoo for webmail accounts in various places.

Re:Wouldn't that be fraud?

[Penguinisto]

Well, yes and no. After all, how many site admins actually give a damn about it in the first place, and how would you find enough compatriots who not only did, but would be willing to expose their own operations and help you out?

Eventually, you'd get sick of having to weed/script out not only the obvious legit domains, but others like comcast.net, att.com, frontier.net, verizon.net, and a whole raft of regional and smaller ISP (and corporate!) domains globally that he could add to the fakes list. After all, if you're running a site that discusses semiconductors, having to constantly be on the lookout for inadvertently banning intel.com (or even smaller but fairly important ones like triquint.com or wacker.com) would get pretty old, pretty quick.

Consider it this way... who has more time to dedicate to the game? You, who have a site to run, or that guy, who doesn't have to do much of anything else to do at all - not to mention all the other services that do the *exact same thing*? Remember that these guys can change IP addys and domain names in bulk.

Eventually you find yourself in a position similar to the RIAA trying to stop people from sharing music. Sure, you'll get a couple of 'em, but eventually you spend more time chasing them than you do in getting your original results.

Re:Wouldn't that be fraud?

[icebraining]

OK, so you do a request for the main page first, pipe the data to /dev/null and then request the domains page.

My point is that you wouldn't be loading the domains page as an iframe (which implies having a real HTML engine).

Re:Wouldn't that be fraud?

[julesh]

Yea, except ... you know ... see if theres been a recent request from the same browser session for the main page.

Except there's no reliable way to detect if two requests are in the same browser session. Drop a cookie? Enough poeple disable them that you're going to piss people off by requiring them (particularly when your target market is people paranoid about privacy, which is what mailinator does). Require same address? There are ISPs out there who feed requests through a load balanced cluster of proxy servers, so the same person's requests can come from different addresses from second to second. Besides, what about anyone who gets the main page out of cache rather than a new copy?

Re:Wouldn't that be fraud?

[Score+Whore]

Why would I have to weed out "legit" domains? I'd only be hitting his page once a day. He's going to detect that as a scraper? Twenty or thirty site admins, hitting the mailinator front page at random, but realistic, times once every one to two days, sending proper headers, requesting all the linked material from the page -- that's going to show up as scraping? In a month you could feasibly burn 300 - 450 domains.

Consider it this way... who has more time to dedicate to the game? You, who have a site to run, or that guy, who doesn't have to do much of anything else to do at all - not to mention all the other services that do the *exact same thing*? Remember that these guys can change IP addys and domain names in bulk.

Maintaining this kind of blacklist is part of running the site. And Mr. Tyma lives on sunshine and fresh air? He doesn't have to work? He gets free hosting, bandwidth and domain registration?

And ultimately why do you think people who might find this sort of service objectionable are stupid? You think they don't know about MX records? That they couldn't take each alternate site presented and check the DNS entries and see where it's mail is delivered. And if you want to get really clever, see who owns the IP address space involved. And the obvious thing: send a trial email. It's not that hard, eh?

Re:Wouldn't that be fraud?

[gmueckl]

Make the main page a script with uncacheable results and give out unique session IDs in the URL. Then you have the most reliable way of tracking browser sessions with no user cooperation required. Actually, I see that Mailinator uses a Java servlet container and most containers such as Tomcat have a very, very robust session management built in and using it is straightforward.

Re:Wouldn't that be fraud?

[Penguinisto]

In a month you could feasibly burn 300 - 450 domains.

...each week he could take two hours out and have 500 domains racked up from a scripted list - many registrars do let you do 'em in bulk.

Even scripted, you're doing it the hard way, and slowly. You're also only focusing on *one* service (Mailinator), out of potentially hundreds.

So, err, what part of your countermeasure plan actually makes sense?

Maintaining this kind of blacklist is part of running the site.

If you were paid to do SMTP administration for a living, I'd agree. If you're being paid to help run a larger website (and not do it by yourself), I'd also agree. Tell me - how many site admins actually do get paid to focus on such things? Most folks don't. They have other things to do.

And ultimately why do you think people who might find this sort of service objectionable are stupid?

Stop putting words in my mouth, please.

My point is that you don't/won't get a benefit anywhere near equal to the efforts.

Your job is to run a whole website, with all that entails - design, upgrades, maintenance, content, etc. Only a small part of that is to get valid email addys with which to do stuff with (authenticate, send newsletters, weed out trolls, sell to spam^Madvertisers? I don't claim to know, and I won't hazard a guess as to your particular reasons - just listing options).

His job in this game is to make sure people don't get (potentially) spammed by your website - specifically, by using engineering tricks with SMTP to pull it off. Couple that with his peers doing the same thing on their services, and folks who can create toss-off email addys with their own ISP.

Guess who is going to win this in the end? (Hint: Not you, at least not with that idea).

You think they don't know about MX records?

...which can be daisy-chained via relay, or have new IP addys in short order, or be aliased themselves - most of which can be automated. If you think that simply checking MX records will do it, I've got bad news for you.

That they couldn't take each alternate site presented and check the DNS entries and see where it's mail is delivered

That is, if every mail server on the planet sent receipts (err, the vast majority don't). Otherwise, you're only going to see a HELO/EHLO return with the name of the relay-du-jour.

And the obvious thing: send a trial email

Not sure what you mean exactly with this one, but it can go one of two ways - you get to talk to a relay, or you're going to additionally burden your potential *users* into replying with an email themselves - which can be cut+pasted and come back through *any* MTA. Oh, and then there's the new administrative burden on your part.

You may want to look up "Diminishing Returns" at this point, yanno?

~~

Lookit - your whole idea is to make sure you get a valid email from everyone that accesses your site. Thing is, Mailinator is only one thing you have to face. That service has competition that you don't even know about. On top of all those, even my ISP (Comcast) has the facility to create toss-off email addys that I can personally use to slip right by your defenses - takes all of five minutes, and I can delete/ignore it at my leisure (Hell, I have two addys built specifically for that purpose).

His entire rationale is actually valid - why should anyone open his/her mailbox to your (potential) spam machinery just to see content? Given the wide variety of options open to the clueful, clever folks don't have to. Meanwhile, you're busily focusing on *one* tiny sliver of the whole range of options, and on one tiny sliver of your operations.

Now I want to ban mailinator

I want to ban mailinator from my servers just simply because this guy is a douche bag. Oh and the story poster? What the fuck man, is English your second language or something, I've seen some incoherent shit posted on /. before, but this is pretty bad?

In short a poorly written blurb with a link to a story about some douche bag, being well, a douche.

WTF

[pinkeen]

I read the TFS twice and WTF is it all about? No wasting time to read the TFA then.

Hardly an original or novel idea

I had code to detect email harvesters and gift them addresses like abuse@fbi.gov in the late '90s. For anybody running a mailinator type service, what he's suggesting would have been so obvious that the USPTO would grant them a patent on it.

"Hypothetical situation"

[WarlockD]

FTFA - "What, in our completely and totally hypothetical situation, would that do?"

I find it more interesting he doesn't have any scrapers as he did before. Hell, I am still amazed mailonater isn't band when some sites still don't take Hotmail or yahoo addresses still.

I'm Sorry But That's Ridiculous

[darkmeridian]

The scrapers would just remove gmail.com, yahoo.com, hotmail.com, all .edu and .gov domains, and leave in aol.com. Website owners probably know that most of their traffic comes from relatively few domains so as long as those are not banned, they ought to be okay. The people who were incorrectly banned would just complain and then the website owners can judge the domains one by one.

Re:I'm Sorry But That's Ridiculous

Yes, but before that I'm sure he'll have had plenty of "hypothetical" fun...

Re:I'm Sorry But That's Ridiculous

The scrapers would just remove gmail.com, yahoo.com, hotmail.com, all .edu and .gov domains,

That's the whole point! They would have to stop their automated system and edit the blacklist by hand. This would cause may blockers to stop then and there. But I agree with the article; this is not needed. Mailinator is working perfect as is. When I find a site that blocks mailinator I 1. learn something about that site 2. use a special crap email I created for such occasions.

Website owners probably know that most of their traffic comes from relatively few domains so as long as those are not banned, they ought to be okay.

First, email is still hugely diverse. From my experience about half of a given unique customer base will have an email at one of the big guys. The other half contains domains from schools, businesses, local isps, small email providers, personal web sites, and more.

Second, you are greatly underestimating the impact of a few blocked users. I've seen a website reverse it's policy of blocking mailinator because of the problems it caused. Blocking an unrelated domain would cause a shitstorm.

The people who were incorrectly banned would just complain

You won't get many useful notices from people who can't create an account. By the time someone uses the site's email contact you'll have plenty of nasty complaints scattered throughout the internet.

and then the website owners can judge the domains one by one.

Again, that's the whole point. I believe many of the people who use an automated system to scrape mailinator would not bother if it proved this difficult. If mailinator really wanted to play this angle they could register domains that were hard to tell if they were legit or not.

But again, I think mailinator is working perfectly. For most sites it provides an anon email source. For the ones that block it we learn that they are fanatically interested in the minutia of their users. A valuable lesson indeed.

Re:I'm Sorry But That's Ridiculous

[Synerg1y]

I highly doubt 99% of websites are set up this way. Deny lists are a lot more popular than allow lists since you can never truelly know where ALL of your traffic is coming from.

Re:I'm Sorry But That's Ridiculous

[gsslay]

It's even easier than that. Simply maintain a white list as well as a black list. If the domain scraped is on the white list, don't put it on the black list. Problem solved.

This guy is proposing a half-assed idea to foil an issue that scarely exists, and easily circumvented with 30 seconds thought. Really, it's just embarrassing he's crowing about it in his blog.

Re:I'm Sorry But That's Ridiculous

If the domain scraped is on the white list, you can't trust the entire set of domains scraped along with it. Ie, mailinator wins.

Re:I'm Sorry But That's Ridiculous

Yup... I think the dude that blogged that very low-content blog is full of himself. My very fist instant reaction was whitelist/blacklist.

If not in whitelist then add to blacklist

"Problemo solved" as someone also pointed out on the blog comments.

Also I think it's totally stupid to buy several alternate domains at once. Obviously what makes sense is to *regularly* buy new domain names. The moment he buys them they cannot be blacklisted yet.

He sounds like a douche...

[whois]

I've never heard of Mailinator. Now that I have I guess I'm still not interested. I have my own domain and create fake accounts to track who sells my name but I generally get more spam due to mailing list posts I make than anything else, and you can't have a one-way email for mailing list accounts (although I guess you could set them to only accept mail from the mailing list, if you're willing to not accept personal replies to things you send out)

But this guy is full of himself. "Look at me, I setup a system to facilitate hiding your email address. Oh, people want to ban it? Lets see about that, hah!"

A normal response would be to just give out your list, or as he claims, stop accepting mail for that website (although that's opt-out so it's automatically less good than the alternative)

Now us evil web site owners will just have to come up with some other way to ban his bullshit.. like sharing the list publicly despite his efforts.. or.. banning his IP:

mailinator.com. 86400 IN A 66.135.37.96
spamherelots.com. 86400 IN A 66.135.37.96
thisisnotmyrealemail.com. 86400 IN A 66.135.37.96

shrug.. none of my business I suppose since I haven't heard of him, but I would be furious if I got that kind of response from an "anti-spam" company when asking them to stop spamming me.

Re:He sounds like a douche...

[pavon]

shrug.. none of my business I suppose since I haven't heard of him, but I would be furious if I got that kind of response from an "anti-spam" company when asking them to stop spamming me.

How does Mailinator spam anybody? They don't send any email, just receive it. And they don't facilitate forum spam any more than any other free email service.

Re:He sounds like a douche...

You appear to be missing the entire point. Mailinator does not send out emails. Mailinator provides throwaway email addresses for you to use for signups. It is read-only, not write-only. It is impossible to spam someone via Mailinator.

Re:He sounds like a douche...

[Half-pint+HAL]

It would be possible, would it not, for spammers to use it to sign up to bulleting boards...?

Re:He sounds like a douche...

[mwvdlee]

On the other hand, it makes it a lot harder for bulletin boards and companies to sell spamable addresses.
I used to use unique email adresses for each site I signed up on; turns out spammers got my email from some quite reputable companies.
Unless you expect to actually need to communicate through email with whatever site you're signing up to; use a fake email adress.

Re:He sounds like a douche...

It can't. He is just butthurt because he like to stalk potential customers.

email validation

[metalmaster]

doesnt it make sense for the validation method to ping the domain? so if site $foo pings bar@gmail.com it'll show google's server not mailinator. It'll show as a valid domain. Or am i missing something?

Re:email validation

You missed that you can't ping an email address, and that many firewalls and hosts block ICMP packets anyway, not to mention that I don't see what good it would do. Or did you mean "ping" in some other way than the standard way most IT-related people have known for decades?

I'm sure I'll be marked as a troll for this, but I'm honestly not trying to be an ass... I feel you did mean it in a different way, and I'm curious to know what that is. As a server admin for 20 years, "ping" has a specific meaning to me (and probably most admins/analysts).

Did you mean look up the MX record in DNS to see that Google's servers handle mail for gmail.com?

black hat

Regardless of whether or not this works, this is unabashedly black hat. Why is this on Slashdot?

Re:black hat

Because you're wrong, and it isn't?

Re:black hat

Actually it's multi-color party hat. If you're still automatically banning stuff on the internet, this is one rather innocent way of learning why that's a bad idea, and everybody else has a laugh.

Translation

Prior knowledge required to know what the summary is talking about:
-Mailinator is a disposable email address service for people that don't like giving their email address to strangers
-There are people who have issues with allowing someone to sign up for and use your service with a disposable email account
-People started banning Mailinator off the bat
-Mailinator's creator responds by creating alternate domains the email address can use to evade the standard Mailinator ban, displaying them for the public when they visit the Mailinator page at a rate of one domain per visit
-People create scripts to collect these alternate domains for various purposes (mostly for banning)
-Mailinator describes how it could mess with these people to remain useful to its users by detecting rapid page requests and serving random domains in response.

Re:Translation

People respond by creating whitelists for hotmail, gmail yahoo etc...

Re:Translation

[Onymous+Coward]

etc...

Therein lies the rub.

Re:Translation

[gwgwgw]

Thanks. I was just about to skip the submission, but, THIS time I sought clarificaton. You are going on my list of people who are communicators.

Re:Translation

[gwgwgw]

Please don't be anonymous. Can't build up any... well.. anything that way; and you gotta know you are worth paying attention to, no?

Re:Translation

You keep using the word "alternate", which is a verb, where you mean "alternative", a noun.

Please correct this.

TFA missing one little thing

[Sloppy]

WTF is mailinator and why, in the first place, would I want to find out about its other domains and then ban them?

Re:TFA missing one little thing

[SockPuppetOfTheWeek]

http://en.wikipedia.org/wiki/Mailinator

Long story short:

Shitty website requires you to register dumb account you'll only use once
Website wants your e-mail address, and requires verifying it by activation link
Tell it your e-mail address is nobody@mailinator.com
Go to mailinator.com and enter "nobody" as username
Click activation in e-mail

Then websites started banning @mailinator.com addresses, so mailinator tells you an alternate domain that you can use which also points to mailinator. Then websites started loading that same page and banning the alternate domains. Then mailinator (if it wanted to) could start putting stuff like "google.com" in its list of alternate domains for anyone who was repeatedly reloading that page...

Re:TFA missing one little thing

[Geminii]

Send in Perry the Platypus!

Re:TFA missing one little thing

You don't know what mailinator is? How can you even live on the internet without even knowing what mailinator is? It makes no sense.

Let me guess: when signing up to random forums or other crap, you actually use your email address? Scary.

Re:TFA missing one little thing

Don't worry, it's not for ultra-super-uber-lazy idiots like you. Just move on, okay?

Re:TFA missing one little thing

[Sloppy]

Let me guess: when signing up to random forums or other crap, you actually use your email address? Scary.

forumname@mydomain. When you start getting spam at that address: 1) you have a highly-reliable spam rule to add (the addressee) 2) you know who sold you out, so put 'em on your shitlist for whenever you're in naughty moods.

Re:TFA missing one little thing

If at this point from the above replies you don't know - we won't be able to explain it to you.

Worth the read

[pavon]

Yeah, you have to both know what Mailinator is and how it uses alternate domains for the summary to make any sort of sense. I didn't know either, but I am glad I read the article, because it is pretty funny.

TL;DR:
* Mailinator is a throw-away email service, and some sites want users to provide "real" email address and thus try to ban use of mailinator.
* To combat this Mailinator has a bunch of alternate domain names that all resolve to the same server.
* It displays them to users at it's website one at a time, chosen randomly.
* Blockers tried to scrape the Mailinator website to get the full list of domain.
* If a scraper is detected they could instead be fed other domains like gmail.com, which would cause the scrapper to block email from those domains as well.

Re:Worth the read

Umm, I did not have to read the article and I understood all of what you said before you said it from the snippet given here...

Re:Worth the read

I found the OPs post very informative and helpful. YMMV

No. [Re:Wouldn't that be fraud?]

If you actually read the blog post, you would notice that the page does not say that the false domains go to mailinator.

(1) his main page states "e-mail sent to an alternate domain goes to Mailinator too! Here is one such alternate domain: "
(2) that page calls a second page that generates the alternate domain.
(3) the second page generates a correct alternate domain if called from the main page, but false information if called (repeatedly) by itself.

So, if you go to his main page, you get correct information. If, on the other hand, you're a robot, and say "hey, I can save time by just reloading the second page,I don't need to reload the main page, since it only gives me the same information I already have"-- then you get the randomly chosen (false) data. But doing it this way doesn't put the text "Email sent to an alternate domain goes to Mailinator too! Here is one such alternate domain:" in front of the false information.

FUCK YOU MAN AND THE KAMEL YOU RODE IN ON !!

It's GMAIL for Chistie's Sake !! Teh GOOGLE is GOD !! You don't fuck with GOD and live to be a ripe old age !! REPENT BLASPHAMER !! REPENT !!

Re:No. [Re:Wouldn't that be fraud?]

[zill]

Your claim 3 is wrong because of 2 reasons:

He predicted that some of his real users will notice the error when viewing the home page:

Your alternate domain list displayed 'gmail.com'!
Hi Fred, no it doesn't. Just reloaded the homepage 10 times, nothing like that. all the best.

or I bet another would be like:

Yahoo.com? What is this some kind of joke?
Sorry, did you mean to email this to Carol Bartz? Not sure what you're talking about.

Reason 2 is that scraper writers aren't stupid. They won't just load the second page knowing it's an obvious trap. They will load the main page like a regular user, and then parse the small iframe.

DNS

What the hell, a scraper to find out all the aliases?
Why don't they do a simply dns request and filter on the ip

meh

i fucking hate sites that require a damm email to do ANYTHING. Still anon here on slashdot after a decade.

And if they have problems with me using mailinator.. (meaning i just wanted to sign up and didn't ever want SPAM from them)
It's a shit site and i don't care to use it anyway.

So pretty much any site that blocks mailinator addresses. I won't be signing up for anyway. Fuck em. Fuck their spam. Their site is going to get a throwaway address or nothing at all.

And isp emails are a fucking joke. i've changed isps a few times over the years. those accounts are dead and useless. gmail isnt.
mailinator isnt either.. lol

Re:No. [Re:Wouldn't that be fraud?]

[Half-pint+HAL]

Your claim 3 is wrong because of 2 reasons:

He predicted that some of his real users will notice the error when viewing the home page:

Your alternate domain list displayed 'gmail.com'! Hi Fred, no it doesn't. Just reloaded the homepage 10 times, nothing like that. all the best.

No, you misunderstand. His point is that "Fred" would say this "Your alternate domain list displayed 'gmail.com'!" based on the fact it came up in the scraper's results. He then directs "Fred" to look at the homepage and verify for himself that it actually never comes up. You see?

Reason 2 is that scraper writers aren't stupid. They won't just load the second page knowing it's an obvious trap. They will load the main page like a regular user, and then parse the small iframe.

Ah, and here I thought the owner of the mailinator.com domain had access to the server statistics that would tell him how people accessed his site. But obviously you're the person with that access, right?

Ban IP addresses?

[Half-pint+HAL]

Email tends to resolve addresses only at sending time, and in a forum system, that's several subsystems away. In fact, in a full-service hosted environment, that's probably way off in your ISP's systems.

Re:Ban IP addresses?

[mwvdlee]

Can you manually find the IP address based on the domain name part specified in an e-mail address?
If you can, then so can a webserver.

Re:Ban IP addresses?

[Half-pint+HAL]

Yes, you can, but that would fundamentally alter the architecture of the forum software.

Re:Ban IP addresses?

[mwvdlee]

I don't see how. There already is some sort of checking mechanism in most forum software. Just add a few lines of code using cURL and you're done. No architectural change whatsoever.

Re:No. [Re:Wouldn't that be fraud?]

[zill]

Why would the scraper writer ( or people buying the scraper's results) email him?

Why would he reply to the scraper writer?

Remember, these people want to ban his service. It doesn't make any sense for them to be emailing him or for him to email them back. So it follows that "Fred" must be a legitimate user confused about gmail.com appearing on his page for a few hours and then never appearing again.

maybe not Re:Wouldn't that be fraud?

[Fubari]

Isn't this hypothetical situation just fraud?

Maybe not - he put the randomizer into a standalone URL, which just returns some text.
(Try it a few times, and do a view page source: http://mailinator.com/randomdomain.jsp )
The "clever" part is that it just returns some text, nothing labeled as an "alternate domain".
The URL suggests it is some random domain; it doesn't say anything about alternate or mainstream.
The text might be a domain.
It might be a pie recipe.
*shrug*
Anyway, his main page uses that standalone URL and labels that page labels the result as an alternate domain.

So suppose it was fraud.
Next question - who would prosecute? :-)

"Why do you feel it was fraud?"
"Because we asked for an alternate domain and they gave us gmail.com."
"Was that the only request you made for a 'random domain'?"
"Probably."
"Wasn't that request just one in a batch of 2,000 you made during a 10 minute window on July 17th, 2010?"
"Uh, I don't recall."
"Does this server log help your memory?"
"Oh. Hmm. Yeah, that might have been us..."

Re:maybe not Re:Wouldn't that be fraud?

[zill]

I understand the iframe trick perfectly, thank you. I also understand it won't stand up in the court of law. If this defense actually worked then authors of libel and hate speech can just put each of their words in a separate iframe and claim they hosted a dictionary.

 

Next question - who would prosecute? :-)

 
Scraping websites is prosecutable now? I wonder how Google, Yahoo, and Microsoft are staying above the law then.

I have no problem with him presenting false information. That's still constitutionally protected free speech.

I have a problem with him impersonating other business for fraudulent reasons. How would you feel if you ran a mail service and his little stunt got your legitimate users banned around the web? Would you be ok with him claiming that your domain is an alternate address for mailinator.com?

Re:maybe not Re:Wouldn't that be fraud?

[gknoy]

Except, he's not impersonating them. He never offers to receive mail for them, he merely suggests that a (hypothetical) user (who accesses the generator in ways that no real user would) use a Gmail or Yahoo account for whatever.

Re:maybe not Re:Wouldn't that be fraud?

[zill]

According to his blog, this exact statement would appear on the main page to everyone (not just the scripts): "Email sent to an alternate domain goes to Mailinator too! Here is one such alternate domain: gmail.com". I personally don't think that's suggesting an alternative email service. I think that's claiming his service also covers the domain gmail.com, which is false.

I said "everyone" because he posted two hypothetical questions from his legitimate users, so he's fully aware of the confusions he will cause.

Re:maybe not Re:Wouldn't that be fraud?

[BitZtream]

Let me give you a hint, he can 'suggest' things and hypotheticals ... and when he goes to court, no one will give a shit how he 'pretended' he wasn't living in reality.

Trying to word it in such a way that you pretend you didn't do it, but its clear to everyone you did, won't actually get you anywhere legally.

Contrary to popular belief, lawyers are actually smarter than you or the idiot who is 'suggesting' things think, and judges wouldn't let this sort of silly bullshit last for more than a few seconds in any court room. The best you could hope for is that the judge thinks you're just retarded and not actually trying to pull the shit for real.

oops, forgot to sign in

[cheeks5965]

The Bitcoin post just looks dumb; phony Bitcoins? doesn't exist; they're cryptographically signed, the whole post is ridiculous. The article, on the other hand, is very simple, if you know what Mailinator is.

Basically, it's a free webmail with no registration, no password, no security whatsoever: just send an e-mail to testaddress@mailinator.com, go to mailinator.com, and tell it you want to see the e-mails for "testaddress".

So if you go to some website and it wants your e-mail address so that it can spam you, you put in a mailinator address instead. But then the website gets wise to this and tells you that you're not allowed to put mailinator addresses in the e-mail field when you register. So Mailinator constantly creates new domains that work identically, and gives you a handful of them when you visit the site. Websites got wise to that too, and had scripts that automatically checked Mailinator and automatically blacklisted all the domains it listed.

Well, hypothetically speaking, if Mailinator's server detected that it was being accessed by a script, it could list whatever domains it wanted (google? yahoo? hotmail?) and the script would dumbly blacklist them. Result: now you can't sign up for $shitty_web_registration_account using your $real_Gmail_address, what the fuck?

Spamgourmet, better in every way

[uigrad_2000]

spamgourmet.com is a much better site for generating thousands of fake email address, although not as fun as mailinator. You can forward them all to your real email address, and then turn them off individually as they are compromised.

Spamgourmet.com also has a whole range of alternative names. I, for example, use mamber.net for the domain name of the addresses I generate. Visit the site, you'll get a laugh.

So, how does spamgourmet prevent one person from getting a complete list of all alternate names? Every few months, he displays 3 more alternate domain names, and removes all references to the previous 3. Those 3 will never be shown again. It's a much simpler solution, but clearly defeats the scripts.

If you really had a want of domain names, and thought it was extremely important to not let anyone get the full list, you could fragment the list based on the requester's location. For someone to get the entire list, they would need to find proxy servers for all regions other than their own.

Re:Spamgourmet, better in every way

spamgourmet.com is a much better site for generating thousands of fake email address, although not as fun as mailinator. You can forward them all to your real email address, and then turn them off individually as they are compromised.

And get your real address sold to spammers.

Re:Spamgourmet, better in every way

[dskoll]

You don't need the list of domains. The (comparatively tiny) list of MX machines will do...

Re:Spamgourmet, better in every way

[Guppy]

I use Sneakemail.com, which pretty much does the same thing. Only problem is that they're no longer a freemium service, pay-only now but still reasonably cheap.

The actual technique he used

[Synerg1y]

Mailinator has been around for ages, this is not news, if you don't know what it is then :( for you, and as the article said back in the day it was by far the best way to get a temp email for signing up for something like a forum that requires you to register so you can get the link you need. IMHO it still is. The writer provided an epic insight into the battle between websites and bots, more than you typically hear of on a day to day basis. He went completely out of his way to implement this solution, nobody would ever code an intranet like this, but supposedly he also got results and was even able to implement a good measure. Great example of code being applied to the real world for those who haven't seen a whole lot of it.

DNS lookup

[Trentula]

Why don't the websites just do a DNS lookup on the domain used for the e-mail address, as all of mailinators domains seem to point to the same IP.

TLDR: Mailinator: Mail {Terminator|Eliminator ..

For all those people... "what is mailinator" "why do I care?" -- I thought /. was for intelligent nerds. News for people who are at least educationally literate.

/ TLDR in #36637276 / has it dead on. And people who couldn't figure it out in a minute and have a chuckle are a waste of precious oxygen. Burn your damned geek card. Mailinator is mailinator.

Got it? No? Is the juxtaposition of words confusing? Do we need to add an explanation?

Mail: OH hey, you're a geek, you know what email is
"inator"... huh...sounds like other stuff that ends in that...

If you can't guess, my dictionary only has 46 words matching "inate$" ... but a glance of the webpage answers better.

Oh, they're being funny--like terminator. I can tell by going to their homepage, which took me all of FIVE SECONDS. Less if I type it in my 'google search' box and click the preview link!

Get your heads out of your ass and learn. Part of being a respectable geek is being able to learn new things--not follow some god damned manual to set up your crappy exchange server while pretending you're good enough to be a BofH. Not expecting a summary to babysit your miserable ass when you could have learned in half a second. Not bitching and moaning that you don't know some part of culture and somebody didn't explain it well enough to you, because you don't understand MATH/PHYSICS/COMP SCI/Fortran Humor/What BoFH is or whatever the fuck else someone referred too.

Hey--we invented fucking google. Use it.

Why do you care about other domains? I dunno...this is Slashdot, you'd think there'd have been an article on SPAM sometime in the past decade. Maybe some of you who weren't busy fingerfucking sharepoint and outlook might have encountered disposable email addresses back...oh, I don't know.... Around fucking 98 when they came out in qmail? I've heard rumors DEC had them before then, but I'm too young for that. Maybe some of you know a use for disposable addresses and fake domains? Maybe have written a honeypot and have the competence to compile your own MX ?

Seriously, take your autistic spectrum OCD social disorders and blow them out the back of your damned skulls and onto the walls of momma's basement. I like my geeks literate and intelligent, not bending over for the Chicago Manual of Style because it makes them feel smart to follow the rules of an idiot in the humanities department.

And now, to be modded into nothingness! So sue me for being rude, it's Friday before the fourth and I've been stuck in meetings and want a beer.

If you're still reading this, please mod a random angry stranger up so I can give a big giant explosive American fourth of July "FUCK YOU" to people who are reading this and don't get what mailinator is.

And to the ones who got it...or didn't but read...have a well earned beer for being a man.

Re:No. [Re:Wouldn't that be fraud?]

[whoever57]

Your claim 3 is wrong because of 2 reasons:

No, your english comprehension failed.

He predicted that some of his real users will notice the error when viewing the home page:

No, he predicted that the people who run the scrapers would be suggesting to him that his website displayed "gmail.com -- not real users, but scraper-owners pretending to be real users.

Blocking gmail is used to block competitors

[erice]

My friends run into this a lot when signing up for free seminars. The idea is to prevent employees of their competiors from attending their events. Competitor domains are blocked (obviously) but also well known ISP's and free web mail services like Gmail because a employee of a competitor can easily hide there. The whole process is quite leaky though. There are just too many domains to check. If you have a personal domain or even a lesser known ISP, they let you in rather than trying to figure out what or who you are.

Re:Blocking gmail is used to block competitors

[praxis]

Maybe I don't understand who these free seminars are for, put perhaps a whitelist would suite them better than a blacklist?

Re:Blocking gmail is used to block competitors

[erice]

Maybe I don't understand who these free seminars are for, put perhaps a whitelist would suite them better than a blacklist?

There is no definitive listing of potential customers. A white listing would likely only serve to limit the seminars to existing customers and that would defeat much of the purpose of holding the seminars.

Silly scrapers....

[dskoll]

Anyone who scrapes the list for alternate domains is supremely dumb. It's far easier to get a list of the small number of MX records. When we wanted to ban mailinator, we just banned any domain with an MX record that matched an IP address in the mailinator MX pool. Even if he uses a few different MX records for different domains, you'd only need a small list of domains to cover all the MX machines.

Dear Soulskill

[crossmr]

Apparently Kdawson has hacked your account, please secure it immediately.

Maybe not gmail outright

[Hsien-Ko]

but gmail addresses with overuse of periods. I've been seeing a lot of spammers of the likes of "j.im.my.h.of.f.a@gmail.com" invading SMF forums.

I use 10 minute mail

[Cito]

http://10minutemail.com/10MinuteMail/index.html

The email lasts 10 minutes, you can request more time but then it auto deletes itself. I notice it changes domains almost daily to avoid blacklists.

I've used it for every forum I have ever signed up on.

What a plan...

[arse+maker]

Cause people would never write an exception for gmail/yahoo/hotmail etc. That has to be the biggest waste of time reading an article on here for a while. Did this guy post this himself?

I love the comments on the site calling him a genius, I hope they aren't working in IT :p

Vastly superior way to detect malinator...

All the domains resolve to the same IP address:

zx2c4@ZX2C4-Laptop ~ $ host bobmail.info
bobmail.info has address 66.135.37.96
bobmail.info mail is handled by 10 bobmail.info.
zx2c4@ZX2C4-Laptop ~ $ host mailinator.com
mailinator.com has address 66.135.37.96
mailinator.com mail is handled by 10 mailinator.com.
zx2c4@ZX2C4-Laptop ~ $ host binkmail.com
binkmail.com has address 66.135.37.96
binkmail.com mail is handled by 10 binkmail.com.

alternate; alternative. Stop being dim.

If you don't know the difference between the two words try to avoid them in future.

Re:No. [Re:Wouldn't that be fraud?]

[Half-pint+HAL]

These were hypothetical conversations, so it doesn't matter whether the scraper writers communicate with him directly or not.

What the fuck, dude?

Trying to take the credit for someone else's post is pretty shitty. You didn't post that, I did, and I didn't forget to sign in. I just chose to post anonymously. Fuck you.