(ycombinator.com)

18 points by Jaco07 4 days ago

9 comments:

by saaaaaam an hour ago

>“This is the honest write-up”

Is an “honest” write-up about negative things bots do still honest when it’s written by a bot?

by dzink an hour ago

Looks like a PR stunt sales pitch for their product.

by thenewnewguy an hour ago

I feel like root cause #2 should be titled "Our API is poorly designed".

If you pass nothing into the API, it doesn't give you an error? Is this even a valid use case - why is it even possible to express this request, should the important inputs not be some kind of required parameter?

If your attempt to use the primary purpose of your API silently broke until your database filled up, that should probably be a big red flag about how likely customers are to make mistakes using your product.

by wongarsu an hour ago

Holy slop. Of the three "root causes" the third isn't a cause at all, the first is a questionable mitigation, and the second is "oops, when we wired up our cool anti-bot product to the signup page we forgot to send it any data"

by bobbiechen 2 hours ago

A good reminder that signup is a surprisingly rich target.

>Every row has the same name: " Dene Hemen! 5K Lira Bonusunu Yakala" — Turkish for "Try it now! Grab the 5,000 Lira bonus." Casino spam.

>Each registration fired a verification email. 55K signups = 55K attempted sends to fake addresses — the kind of bounce storm that gets a sending domain blacklisted.

I'd be surprised if the email addresses were entirely fake - it doesn't make sense to advertise to just the website developer. It seems more likely that this spammer is targeting real email addresses from some dump (QQ is especially prone to this, since you can target random QQ ID numbers and get a lot higher of a hit rate).

by nikanj an hour ago

Backscatter scam is huge nowadays. I get so many "ticket opened" emails from various Zendesk instances, where the contents of the ticket are cheap dick pills and crypto scams. I don't think Zendesk does any validation on the from-field on incoming support requests.

by basilikum an hour ago

A slop article about how their vibe sloped page for their (I extrapolate) slop product turned out to be shit.

by ithkuil an hour ago

I'm honestly unsure if I'm more annoyed by slop or by the anyslop police at this point
