Slashdot Mirror


How To Get Websites To Ban Sign-ups From Gmail.com Accounts

An anonymous reader writes "Paul Tyma describes a simple, elegant, and hilarious method that Mailinator (hypothetically, of course) used to mess around with people who scraped its webpages in order to block its alternate domains. Quoting: 'Remember all that script-detecting code from the anti-abuse system? Well, what if I put that in here too, I thought. Let's "detect" when a script is hitting our weensy alternate-domain page. ... And what if after about 30 page hits from the same script (or so), stop displaying actual alternate domains and start sprinkling in some other things. Hmm... but what other things? I know — how about "gmail.com". Or, um, "hotmail.com". Or maybe, "yahoo.com."'"

35 of 175 comments

  1. Summary by Anonymous Coward · · Score: 4, Insightful

    Makes no fucking sense. A/C's bitcoin post above makes more sense.

    1. Re:Summary by SleazyRidr · · Score: 2, Funny

      I figured you were trying to be funny, but I went and reread both of them and you're right, the bitcoin post is a lot easier to follow.

    2. Re:Summary by tenchikaibyaku · · Score: 3, Informative

      I'm glad I'm not the only one who was left wondering what the hell this was all about.

      The short story: "Mailinator is a free, disposable email service". Some site operators want to block people with this service from registering. There's a way of listing all the domains used by Mailinator (by generating a bunch of new throwaway addresses?). Mailinator in turn has a way to detect when a script is trying to go through this list.

      The amazing idea is to detect when a script is scraping this list, and feed it bogus data like "gmail.com".

    3. Re:Summary by Anonymous Coward · · Score: 5, Informative

      The Bitcoin post just looks dumb; phony Bitcoins? They don't exist; they're cryptographically signed, the whole post is ridiculous. The article, on the other hand, is very simple, if you know what Mailinator is.

      Basically, it's a free webmail with no registration, no password, no security whatsoever: just send an e-mail to testaddress@mailinator.com, go to mailinator.com, and tell it you want to see the e-mails for "testaddress".

      So if you go to some website and it wants your e-mail address so that it can spam you, you put in a mailinator address instead. But then the website gets wise to this and tells you that you're not allowed to put mailinator addresses in the e-mail field when you register. So Mailinator constantly creates new domains that work identically, and gives you a handful of them when you visit the site. Websites got wise to that too, and had scripts that automatically checked Mailinator and automatically blacklisted all the domains it listed.

      Well, hypothetically speaking, if Mailinator's server detected that it was being accessed by a script, it could list whatever domains it wanted (google? yahoo? hotmail?) and the script would dumbly blacklist them. Result: now you can't sign up for $shitty_web_registration_account using your $real_Gmail_address, what the fuck?

    4. Re:Summary by Mad+Merlin · · Score: 5, Insightful

      It baffles me that people still require email addresses for random account signups. Either people are going to provide their email address, or they're not. Make it required and they'll just feed you a fake/disposable one, or not make an account at all. How about you treat your (potential) users with some respect and just make the email optional? That's what Game! does and it works well.

    5. Re:Summary by SleazyRidr · · Score: 2

      I think you should be offered a job as a /. editor. I actually understand it now, thanks!

    6. Re:Summary by nitehawk214 · · Score: 3, Insightful

      Thanks AC. Why the fuck couldn't TFS have just said this? Your summary makes more sense than TFS, TFA, or the Bitcoin BS post.

      --
      I'm a good cook. I'm a fantastic eater. - Steven Brust

    7. Re:Summary by hedwards · · Score: 2

      Whenever I see a site that bars free email addresses from sign ups, I interpret that as them not wanting my business. I've learned from past experience not to use an ISP email address as they don't let you keep it when you change ISPs. Likewise for school email and anything which I have to maintain something in order to keep. I'll log in periodically to maintain an account, but that's it.

      Services that require one of those special addresses aren't doing themselves any favors.

    8. Re:Summary by Rifter13 · · Score: 2

      I completely agree. Gmail IS my email address. Stop me from using it, and I don't have another. Oh, I use qwest... and I think I have a hotmail address through them? Morons.

    9. Re:Summary by SuricouRaven · · Score: 3, Insightful

      At least one muck does likewise, but in their case it's for another reason: They want an address they can be sure is legally traceable to turn over should the police request it. The operators are very legally cautious, as it's a place where lots of sexual scenes get played out, and they want a way to make sure that should drama occur they can pass the buck and not need to be involved any more than they must.

      It's a common fear of small service operators - one user commits a crime, and the investigators may just seize the entire server and the backups to be sure they get everything of use to them.

    10. Re:Summary by Malenx · · Score: 2

      The moment I required email addresses was the moment I got focused by some stupid Russian botters and spammed with new accounts.

    11. Re:Summary by TheRaven64 · · Score: 3, Insightful

      Seriously? The only email address that you have is one that is controlled by the whim of a third party? If you're going to use gmail, at the very least you should register a domain and tell gmail to do that, then if Google decides to cancel your account (which they are entitled to do, for any reason), you don't lose your email address.

      --
      I am TheRaven on Soylent News

    12. Re:Summary by EdIII · · Score: 2

      Maybe. I can tell you from experience that it will entirely depend on the investigator.

      That moron from the FBI will be infamous forever for his rampant stupidity in destroying hundreds of businesses by taking every server in the entire data center.

      If the investigator is reasonable, and you are performing services on behalf of another company or user, you can calmly explain that seizure is not required. That the investigator is far better off using you as an expert to get the information they need instead of destroying you for 24 hours until you can come back from backups, or if you are lucky, be located in geographically dispersed locations beyond his/her jurisdiction.

      I know personally of just such a situation in which the investigator was talked out of seizure and convinced that the best people for the job to help with forensic analysis of the customer, their code, and their databases was the operator himself. Even got paid by the government to keep the server up and running and provide reports about the network traffic, customers, accounts, transactions etc.

      All of that being said, it is ridiculous to assume that an ISP based email address, or personal/corporate domain email address is any more "legally" traceable than any of the free services. If I want to send an anonymous email that cannot be tracked, I will be able to do so quite easily.

      I proved this years ago. Some guy in the office said that he could track everybody by email and that it could not be faked. Well a couple of email messages sent from him announcing his romantic intentions towards a horse that he tracked back to his email server, and tracked back to his station convinced him otherwise.

      Email is not proof of an identity. The use of email at any one time is not conclusive proof that the owner of the account even originated the email message at all. Unless each email is encrypted and signed, there is no way to conclusively link the email or its content to an individual... Just like an IP address.

      We all know that WPA2 can be cracked in under 15 minutes with the right resources and most wireless security is akin to a wet paper towel to anybody that possesses the tools and knowledge.

      Turning it over to the police is the easy part. Convincing an ignorant investigator that seizing $50k worth of equipment is overkill and just taxes their forensic resources is the hard part. To say that is legal in a court of law is something that will depend on how good the lawyer is. Give me 15 minutes in a court room and I can convince anybody that I can impersonate just about anybody on the Internet in a fairly short period of time. You don't need to be a super hacker to do it either. Just download some tools and script kiddie away! :)

    13. Re:Summary by shutdown+-p+now · · Score: 2

      They want people to sign up using e-mail addresses at an ISP's domain.

      It's been a few years since I last got an e-mail address from an ISP...

    14. Re:Summary by Jane+Q.+Public · · Score: 2

      Also, many people are not aware (and law enforcement, lawyers, and even judges sometimes tend to "forget") that if there is a method for obtaining the information that is less intrusive than seizure, then law enforcement is not just encouraged but required by law to use it.

      So if you have even a halfway-reasonable plan that would eliminate the need for outright seizure, they are duty-bound to listen to it.

    15. Re:Summary by EdIII · · Score: 2

      Encryption is vulnerable in two ways (I am not touching Quantum encryption here):

      1) Brute force. All encryption basically works by having such a large number of possible keys that to brute force it would take years, if not lifetimes. A simple dial combo lock could be brute forced in a week with a robot. Depends on the number of values on the dial, but last time I checked there were only 275k approx unique combinations. A robot would probably get the right one if it were checking one every 3 seconds or so.

      2) You get a bolt cutter and cut the damn combo lock. This is where cryptanalysis comes into play. You find a mathematical or algorithmic weakness in the design or implementation that you can exploit to predict or outright obtain the key just by analysis of the cipher text and the exploit.

      I remain wholly unconvinced that any of the encryption algorithms today will stand up over time to have no weaknesses found.

  2. SNR by Anonymous Coward · · Score: 5, Informative

    The signal to noise ratio on that blog post was so low. Here's the TLDR:

    When you detect that someone is scraping your site, and you'd prefer that they didn't, start feeding them bad data in a way that they won't notice. The dataset that you've poisoned will then have side-effects that the scrapers wouldn't have expected.

  3. I'm Sorry But That's Ridiculous by darkmeridian · · Score: 4, Insightful

    The scrapers would just remove gmail.com, yahoo.com, hotmail.com, all .edu and .gov domains, and leave in aol.com. Website owners probably know that most of their traffic comes from relatively few domains so as long as those are not banned, they ought to be okay. The people who were incorrectly banned would just complain and then the website owners can judge the domains one by one.

    --
    A NYC lawyer blogs. http://www.chuangblog.com/

    1. Re:I'm Sorry But That's Ridiculous by gsslay · · Score: 3

      It's even easier than that. Simply maintain a white list as well as a black list. If the domain scraped is on the white list, don't put it on the black list. Problem solved.

      This guy is proposing a half-assed idea to foil an issue that scarcely exists, and is easily circumvented with 30 seconds' thought. Really, it's just embarrassing he's crowing about it in his blog.
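To make the two halves of this thread concrete (the "feed scrapers bad data" TL;DR in comment 2 and gsslay's allowlist fix above), here is an added Python model; it is not code from the post or from Mailinator. The domain names are constructed placeholders, `client_id` stands in for whatever a real server would key on (IP, session), a plain hit counter stands in for TFA's script detection, and the 30-hit threshold comes from the summary while the decoy rate is an assumption.

```python
import random
from collections import defaultdict

# Constructed placeholder domains; Mailinator's real alternate domains are not listed here.
REAL_ALT_DOMAINS = ["alt-one.example", "alt-two.example", "alt-three.example"]
# Decoys exactly as the summary describes: providers a site cannot afford to block.
DECOY_DOMAINS = ["gmail.com", "hotmail.com", "yahoo.com"]
SCRAPER_THRESHOLD = 30  # the "about 30 page hits" from the summary
DECOY_RATE = 0.5        # share of post-threshold responses that carry a decoy (assumed)


class AltDomainPage:
    """Server side (comment 2's TL;DR): one alternate domain per request, hits counted
    per client, decoys mixed in once a client has hit the page more than the threshold.
    client_id stands in for whatever a real server keys on (IP, session); the hit
    counter stands in for TFA's more elaborate script detection."""

    def __init__(self, seed=0):
        self.hits = defaultdict(int)
        self.rng = random.Random(seed)  # seeded so the example is reproducible

    def serve(self, client_id):
        self.hits[client_id] += 1
        if self.hits[client_id] > SCRAPER_THRESHOLD and self.rng.random() < DECOY_RATE:
            return self.rng.choice(DECOY_DOMAINS)
        return self.rng.choice(REAL_ALT_DOMAINS)


def naive_blocklist(page, client_id, n_requests):
    """Consumer side as the thread describes the scrapers: block everything the page shows."""
    return {page.serve(client_id) for _ in range(n_requests)}


# gsslay's fix: an allowlist consulted before anything scraped reaches the blocklist.
ALLOWLIST = {"gmail.com", "hotmail.com", "yahoo.com"}


def allowlisted_blocklist(page, client_id, n_requests):
    """Same scrape, but a scraped domain on the allowlist never becomes a block rule."""
    scraped = {page.serve(client_id) for _ in range(n_requests)}
    return scraped - ALLOWLIST


if __name__ == "__main__":
    page = AltDomainPage()
    print("naive:      ", sorted(naive_blocklist(page, "scraper-a", 200)))
    print("allowlisted:", sorted(allowlisted_blocklist(page, "scraper-b", 200)))
```

A client that stays under the threshold only ever sees real domains, so the poisoning hits heavy scrapers and leaves the one-domain-per-visit experience of ordinary users untouched.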

  4. Translation by Anonymous Coward · · Score: 5, Informative

    Prior knowledge required to know what the summary is talking about:
    -Mailinator is a disposable email address service for people that don't like giving their email address to strangers
    -There are people who have issues with allowing someone to sign up for and use your service with a disposable email account
    -People started banning Mailinator off the bat
    -Mailinator's creator responds by creating alternate domains the email address can use to evade the standard Mailinator ban, displaying them for the public when they visit the Mailinator page at a rate of one domain per visit
    -People create scripts to collect these alternate domains for various purposes (mostly for banning)
    -Mailinator describes how it could mess with these people to remain useful to its users by detecting rapid page requests and serving random domains in response.

    1. Re:Translation by Onymous+Coward · · Score: 4, Insightful

      etc...

      Therein lies the rub.

  5. TFA missing one little thing by Sloppy · · Score: 2, Interesting

    WTF is mailinator and why, in the first place, would I want to find out about its other domains and then ban them?

    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.

  6. Re:Welcome to the internet. by barrtender · · Score: 2

    Also:

    * Type /sign for your IRC star-chart reading

    * Type +++ for your 1200 baud modem speed doubler

    Also, since you're new to the club I'd like to offer you a leech account on our private warez site - use your existing login name and password when you ftp to 127.0.0.1

    Quit giving away my warez hosting site! I told you to keep that a secret.

  7. Worth the read by pavon · · Score: 5, Informative

    Yeah, you have to both know what Mailinator is and how it uses alternate domains for the summary to make any sort of sense. I didn't know either, but I am glad I read the article, because it is pretty funny.

    TL;DR:
    * Mailinator is a throw-away email service, and some sites want users to provide "real" email address and thus try to ban use of mailinator.
    * To combat this Mailinator has a bunch of alternate domain names that all resolve to the same server.
    * It displays them to users at its website one at a time, chosen randomly.
    * Blockers tried to scrape the Mailinator website to get the full list of domains.
    * If a scraper is detected they could instead be fed other domains like gmail.com, which would cause the scraper to block email from those domains as well.

  8. Re:Counterfeit Bitcoins Caused Price Crash by Jeng · · Score: 2

    Have you thought about submitting that story? Cause it sure beats the topic at hand.

    --
    Don't know something? Look it up. Still don't know? Then ask.

  9. Re:He sounds like a douche... by pavon · · Score: 4, Insightful

    shrug.. none of my business I suppose since I haven't heard of him, but I would be furious if I got that kind of response from an "anti-spam" company when asking them to stop spamming me.

    How does Mailinator spam anybody? They don't send any email, just receive it. And they don't facilitate forum spam any more than any other free email service.

  10. Re:He sounds like a douche... by Anonymous Coward · · Score: 2, Insightful

    You appear to be missing the entire point. Mailinator does not send out emails. Mailinator provides throwaway email addresses for you to use for signups. It is read-only, not write-only. It is impossible to spam someone via Mailinator.

  11. Re:No. [Re:Wouldn't that be fraud?] by zill · · Score: 2

    Your claim 3 is wrong because of 2 reasons:

    He predicted that some of his real users will notice the error when viewing the home page:

    Your alternate domain list displayed 'gmail.com'!
    Hi Fred, no it doesn't. Just reloaded the homepage 10 times, nothing like that. all the best.

    or I bet another would be like:

    Yahoo.com? What is this some kind of joke?
    Sorry, did you mean to email this to Carol Bartz? Not sure what you're talking about.

    Reason 2 is that scraper writers aren't stupid. They won't just load the second page knowing it's an obvious trap. They will load the main page like a regular user, and then parse the small iframe.

  12. Re:Wouldn't that be fraud? by Penguinisto · · Score: 2

    They'll load http://mailinator.com/, discard the main iframe, and then parse the randomdomain.jsp iframe.

    ...and if they hit it more than x times per second/minute/whatever, they could still get the poisoned results.

    Personally, I'd be ass enough to display ";DROP DATABASE *;" for a fake alternate domain as one of the commenters on TFA had mentioned, just to see if anyone complained.

    --
    Quo usque tandem abutere, Nimbus, patientia nostra?

  13. Re:Wouldn't that be fraud? by icebraining · · Score: 2

    Nobody would download the main page. They'd load the direct page setting the appropriate 'referrer' header to make it seem as if it is being loaded by the main page. There's no magic way to tell if the page is being loaded in a frame or not.

    Loading a full HTML renderer to load the iframe inside the normal page is complete overkill.

  14. Re:He sounds like a douche... by Half-pint+HAL · · Score: 2

    It would be possible, would it not, for spammers to use it to sign up to bulletin boards...?

    --
    Got them moderator blues I blieve I walk out the do', With these mod-points I been gettin', I 'most never post no mo'

  15. Re:He sounds like a douche... by mwvdlee · · Score: 3, Interesting

    On the other hand, it makes it a lot harder for bulletin boards and companies to sell spammable addresses.
    I used to use unique email addresses for each site I signed up on; turns out spammers got my email from some quite reputable companies.
    Unless you expect to actually need to communicate through email with whatever site you're signing up to, use a fake email address.

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?

  16. Re:Wouldn't that be fraud? by Score+Whore · · Score: 2

    If I cared this is the scenario I envision:

    I'm just ass enough to be patient and just keep eating his random domains. It's free for me to add them to the blacklist. Each one costs him $0.75 or something. And it's not like I can't republish the list. Get together with a handful of other site admins, pool our resources and we all hit the site at random times throughout the day from random locations and what do you know, in not too long he'll get tired of paying for new domains.

    Seems like he's on the losing side here.

  17. Re:maybe not Re:Wouldn't that be fraud? by BitZtream · · Score: 2

    Let me give you a hint, he can 'suggest' things and hypotheticals ... and when he goes to court, no one will give a shit how he 'pretended' he wasn't living in reality.

    Trying to word it in such a way that you pretend you didn't do it, but its clear to everyone you did, won't actually get you anywhere legally.

    Contrary to popular belief, lawyers are actually smarter than you or the idiot who is 'suggesting' things think, and judges wouldn't let this sort of silly bullshit last for more than a few seconds in any court room. The best you could hope for is that the judge thinks you're just retarded and not actually trying to pull the shit for real.

    --
    Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager

  18. Blocking gmail is used to block competitors by erice · · Score: 3, Insightful

    My friends run into this a lot when signing up for free seminars. The idea is to prevent employees of their competitors from attending their events. Competitor domains are blocked (obviously) but also well known ISPs and free web mail services like Gmail because an employee of a competitor can easily hide there. The whole process is quite leaky though. There are just too many domains to check. If you have a personal domain or even a lesser known ISP, they let you in rather than trying to figure out what or who you are.