
How To Get Websites To Ban Sign-ups From Gmail.com Accounts 175

Posted by Soulskill
from the battle-of-the-scripts dept.
An anonymous reader writes "Paul Tyma describes a simple, elegant, and hilarious method that Mailinator (hypothetically, of course) used to mess around with people who scraped its webpages in order to block its alternate domains. Quoting: 'Remember all that script-detecting code from the anti-abuse system? Well, what if I put that in here too, I thought. Let's "detect" when a script is hitting our weensy alternate-domain page. ... And what if after about 30 page hits from the same script (or so), stop displaying actual alternate domains and start sprinkling in some other things. Hmm... but what other things? I know — how about "gmail.com". Or, um, "hotmail.com". Or maybe, "yahoo.com."'"


  • Summary (Score:4, Insightful)

    by Anonymous Coward on Friday July 01, 2011 @03:31PM (#36637250)

    Makes no fucking sense. A/C's bitcoin post above makes more sense.

    • Re: (Score:3, Funny)

      by SleazyRidr (1563649)

      I figured you were trying to be funny, but I went and reread both of them and you're right, the bitcoin post is a lot easier to follow.

      • Re:Summary (Score:5, Informative)

        by Anonymous Coward on Friday July 01, 2011 @03:49PM (#36637424)

        The Bitcoin post just looks dumb; phony Bitcoins? doesn't exist; they're cryptographically signed, the whole post is ridiculous. The article, on the other hand, is very simple, if you know what Mailinator is.

        Basically, it's a free webmail with no registration, no password, no security whatsoever: just send an e-mail to testaddress@mailinator.com, go to mailinator.com, and tell it you want to see the e-mails for "testaddress".

        So if you go to some website and it wants your e-mail address so that it can spam you, you put in a mailinator address instead. But then the website gets wise to this and tells you that you're not allowed to put mailinator addresses in the e-mail field when you register. So Mailinator constantly creates new domains that work identically, and gives you a handful of them when you visit the site. Websites got wise to that too, and had scripts that automatically checked Mailinator and automatically blacklisted all the domains it listed.

        Well, hypothetically speaking, if Mailinator's server detected that it was being accessed by a script, it could list whatever domains it wanted (google? yahoo? hotmail?) and the script would dumbly blacklist them. Result: now you can't sign up for $shitty_web_registration_account using your $real_Gmail_address, what the fuck?

        • by tepples (727027)

          Result: now you can't sign up for $shitty_web_registration_account using your $real_Gmail_address, what the fuck?

          A few web sites, such as Pocket Heaven, have been seen to block signups using free webmail providers such as hotmail.com, gmail.com, and yahoo.com. They want people to sign up using e-mail addresses at an ISP's domain.

          • Re:Summary (Score:4, Insightful)

            by SuricouRaven (1897204) on Friday July 01, 2011 @04:48PM (#36637870)
            At least one muck does likewise, but in their case it's for another reason: They want an address they can be sure is legally traceable to turn over should the police request it. The operators are very legally cautious, as it's a place where lots of sexual scenes get played out, and they want a way to make sure that should drama occur they can pass the buck and not need to be involved any more than they must.

            It's a common fear of small service operators - one user commits a crime, and the investigators may just seize the entire server and the backups to be sure they get everything of use to them.
            • by EdIII (1114411)

              Maybe. I can tell you from experience that it will entirely depend on the investigator.

              That moron from the FBI will be infamous forever for his rampant stupidity in destroying hundreds of businesses by taking every server in the entire data center.

              If the investigator is reasonable, and you are performing services on behalf of another company or user, you can calmly explain that seizure is not required. That the investigator is far better off using you as an expert to get the information they need instead

              • We all know that WPA2 can be cracked in under 15 minutes with the right resources and most wireless security is akin to a wet paper towel to anybody that possesses the tools and knowledge.

                Only TKIP can be easily attacked. I'm not aware of any known vulnerabilities in WPA2 with CCMP (AES), and that has been a standard for 4 years now.

                • Depends on what you mean by "easy".

                  It's easy to get the encrypted key. Not necessarily so easy to break the encryption. But sometimes people get lucky.
                  • by EdIII (1114411)

                    Encryption is vulnerable in two ways (I am not touching Quantum encryption here):

                    1) Brute force. All encryption basically works by having such a large number of possible keys that to brute force it would take years, if not life times. A simple dial combo lock could be brute forced in a week with a robot. Depends on the number of values on the dial, but last time I checked there were only 275k approx unique combinations. A robot would probably get the right one if it were checking one every 3 seconds or

                    • Encryption is vulnerable in two ways

                      3) Rubberhose (or, in some jurisdictions, legal) cryptanalysis. An unscrupulous third party will always get at your data if they deem it valuable enough.

                    • All encryption basically works by having such a large number of possible keys that to brute force it would take years, if not life times.

                      Your scale is way off - measuring this in "universe lifetimes" would be much more accurate.

                      I remain wholly unconvinced that any of the encryption algorithms today will stand up over time to have no weaknesses found.

                      It would require some pretty revolutionary math advances to do so. And the odds are not exactly in your favor so far - RSA is, what, over 30 years old now, and the central idea is still as secure as ever.

                      Another point is that a "weakness" in cryptography really only means "faster than bruteforce"; it doesn't mean "fast enough to be practical". So if it takes 1 billion years instead of 10, it's a "weakness", but for pr

                    • by EdIII (1114411)

                      With respect, your scale is way off. It hardly matters what algorithm you are speaking of either. 60th order permutations? 100th order permutations? Leaving Quantum computing aside, I would think it would be hubris to claim that in the lifetime of a universe that a sentient race could not construct a machine capable of exploring that many permutations within a viable time frame.

                      Sure, 60th order sounds like a lot. However, if we were both in 1960 and I told you that in 2011 you can purchase as a consumer

                    • With respect, your scale is way off. It hardly matters what algorithm you are speaking of either. 60th order permutations? 100th order permutations? Leaving Quantum computing aside, I would think it would be hubris to claim that in the lifetime of a universe that a sentient race could not construct a machine capable of exploring that many permutations within a viable time frame.

                      Again, mind the scale. The number of atoms in the observable universe is only 10^80.

                • by EdIII (1114411)

                  TKIP is all you need.

                  By default 99% of all wireless and router manufacturers default to TKIP and AES when you choose WPA2 in the management screen. You actually need to choose just AES, if it offers it at all. Additionally, I have found that leaving out TKIP causes more complaints because somebody's shiny POS can't negotiate correctly and when IT stands its ground they are usually seen as inflexible, jerks, and not team players.

                  Hence, TKIP is practically everywhere right now. I don't think WPA2 is that muc

                  • By default 99% of all wireless and router manufacturers default to TKIP and AES when you choose WPA2 in the management screen.

                    It seems to be changing. My wireless router - which came from the ISP, no less - had CCMP enabled out of the box. So far I haven't found a device that couldn't connect to it, either.

              • Also, many people are not aware (and law enforcement, lawyers, and even judges sometimes tend to "forget") that if there is a method for obtaining the information that is less intrusive than seizure, then law enforcement is not just encouraged but required by law to use it.

                So if you have even a halfway-reasonable plan that would eliminate the need for outright seizure, they are duty-bound to listen to it.
                • by EdIII (1114411)

                  LOL

                  I'll take your word for it. However, that moron in the FBI may have been duty bound to listen, but obviously was the agent known as the "Fucking Retard" by the IT staff that has to take care of him at his office. We all know who they are at our offices we have been at don't we? :)

                  Duty bound is great.... when the agent is smart enough to understand that not every thing with a blinking light on it in the building needs to be transferred and processed into evidence.

                  I think the reason why the people I ment

                  • As I say... sometimes the people charged with protecting us, in their zeal, have tended to forget what their primary purpose is supposed to be.
          • They want people to sign up using e-mail addresses at an ISP's domain.

            It's been a few years since I last got an e-mail address from an ISP...

            • by kent_eh (543303)
              Rogers (major cable ISP in Ontario) doesn't even have their own customer mail accounts any more. They contract it to Yahoo, the last time I checked.
        • I think you should be offered a job as a /. editor. I actually understand it now, thanks!

        • Re:Summary (Score:4, Insightful)

          by nitehawk214 (222219) on Friday July 01, 2011 @04:12PM (#36637618)

          Thanks AC. Why the fuck couldn't TFS have just said this? Your summary makes more sense than TFS, TFA, or the Bitcoin BS post.

        • The Bitcoin post just looks dumb; phony Bitcoins? doesn't exist; they're cryptographically signed, the whole post is ridiculous.

          Think of BitCoins as money that is impossible to forge, and MtGox as essentially a bank. The "phony bitcoins" refers to a database entry on MtGox that said that one account had a large amount of cash that never really existed in the first place. In theory all the database entries should sum up to the total amount of cash at MtGox, but in this case nothing stopped it.

          As for Mailinator, couldn't one write a script that sent to a random email address at a particular domain e.g. adflas2343872938743@gmail.com an

          • The bounce idea is good but you don't actually have to wait for a bounce. Most mail server software verifies addresses before accepting emails (so that it can bounce if necessary). You can use (or write) software that goes through the handshake process, and then when the server sends back the signal that means "ready to receive", you just don't send an email. Voila. Your email address has been verified. A lot faster than if you actually tried to send an email to check it.
            • by pjt33 (739471)

              Unless the server is implementing grey-listing, and will tell you the address is unavailable the first time.

        • The Bitcoin post just looks dumb; phony Bitcoins? doesn't exist; they're cryptographically signed, the whole post is ridiculous.

          Actually it is possible. Mt. Gox keeps the amount of bitcoin in a member's database--much like a bank where your account balance is nothing more than a number in a database. If someone compromised Mt. Gox's database they could potentially increase the amount of bitcoin the database says their account contains. Then the malicious user could transfer the bitcoins to their own wallet, essentially stealing the bitcoin from Mt. Gox.

          • by dave420 (699308)
            Well, technically that's a phony record of bitcoins, not phony bitcoins themselves.
        • by dadioflex (854298)
          I agree, your post just saved me from RTFA. Thanks!

          There are so many temporary email address sites now, the smaller ones seem to fall through the cracks. I'd mention them but then they'd get slashdotted....
    • Re:Summary (Score:4, Informative)

      by tenchikaibyaku (1847212) on Friday July 01, 2011 @03:42PM (#36637358)
      I'm glad I'm not the only one who was left wondering what the hell this was all about.

      The short story: "Mailinator is a free, disposable email service". Some site operators want to block people with this service from registering. There's a way of listing all the domains used by Mailinator (by generating a bunch of new throwaway addresses?). Mailinator in turn has a way to detect when a script is trying to go through this list.

      The amazing idea is to detect when a script is scraping this list, and feed it bogus data like "gmail.com".
      • Re:Summary (Score:5, Insightful)

        by Mad Merlin (837387) on Friday July 01, 2011 @03:56PM (#36637486) Homepage

        It baffles me that people still require email addresses for random account signups. Either people are going to provide their email address, or they're not. Make it required and they'll just feed you a fake/disposable one, or not make an account at all. How about you treat your (potential) users with some respect and just make the email optional? That's what Game! [wittyrpg.com] does and it works well.

        • by hedwards (940851)

          Whenever I see a site that bars free email addresses from sign ups, I interpret that as them not wanting my business. I've learned from past experience not to use an ISP email address as they don't let you keep it when you change ISPs. Likewise for school email and anything which I have to maintain something in order to keep. I'll log in periodically to maintain an account, but that's it.

          Services that require one of those special addresses aren't doing themselves any favors.

          • by Rifter13 (773076)

            I completely agree. Gmail IS my email address. Stop me from using it, and I don't have another. Oh, I use qwest... and I think I have a hotmail address through them? Morons.

            • Re:Summary (Score:4, Insightful)

              by TheRaven64 (641858) on Friday July 01, 2011 @05:31PM (#36638174) Journal
              Seriously? The only email address that you have is one that is controlled by the whim of a third party? If you're going to use gmail, at the very least you should register a domain and tell gmail to do that, then if Google decides to cancel your account (which they are entitled to do, for any reason), you don't lose your email address.
              • by Rifter13 (773076)

                Ok, I have more than one. Gmail, Yahoo, Hotmail... but Gmail is what I use as my email box. I have had it since I got an invite early on. I have had it longer than any ISP I have ever used. I DO own a few domains, but don't actually use them for email explicitly. From time to time. So, I could get around restrictions, but, if they don't let me use Gmail or maybe Hotmail, I won't use their service. I have yet to find any service online that was SO pressing, that I would work at getting another email a

          • "Likewise for school email "

            The IT staff read your emails.
            - A school IT worker.
        • by Malenx (1453851)

          The moment I required email addresses was the moment I got focused by some stupid Russian botters and spammed with new accounts.

        • by erice (13380) on Friday July 01, 2011 @06:37PM (#36638560) Homepage

          My friends run into this a lot when signing up for free seminars. The idea is to prevent employees of their competitors from attending their events. Competitor domains are blocked (obviously) but also well known ISP's and free web mail services like Gmail because an employee of a competitor can easily hide there. The whole process is quite leaky though. There are just too many domains to check. If you have a personal domain or even a lesser known ISP, they let you in rather than trying to figure out what or who you are.

          • by praxis (19962)

            Maybe I don't understand who these free seminars are for, but perhaps a whitelist would suit them better than a blacklist?

            • by erice (13380)

              Maybe I don't understand who these free seminars are for, but perhaps a whitelist would suit them better than a blacklist?

              There is no definitive listing of potential customers. A white listing would likely only serve to limit the seminars to existing customers and that would defeat much of the purpose of holding the seminars.

        • "It baffles me that people still require email addresses for random account signups. Either people are going to provide their email address, or they're not. Make it required and they'll just feed you a fake/disposable one, or not make an account at all."

          Then you aren't serious about using their service, so why the hell should they care?

          The fact is that for legitimate businesses, the email registration is not for them so much as it is for the customer: there has to be a way to consistently identify that customer as an individual. It doesn't matter what name is on the email account, but if you have control over that account you are assumed to be the individual who signed up that account.

          It's not a perfect system, and lots of companies augment it with v

      • Thanks for the translation. The summary really could have been some random gibbering from a not yet fully grown spawn of an avatar of the Crawling Chaos. Horrid, but incomprehensible.
        • Well, at least TFS proves to us that the /. monkeys aren't quite ready to duplicate the works of Shakespeare yet ;)
          • True, but I fear what they might be able to conjure up if they follow down this path. This summary is not that far from "IA! IA! AZATHOTH FHTAGN! IA! IA! AZATHOTH NEBLODZIM FHTAGN!" And we all know where that ends.
  • Also:

    * Type /sign for your IRC star-chart reading

    * Type +++ for your 1200 baud modem speed doubler

    Also, since you're new to the club I'd like to offer you a leech account on our private warez site - use your existing login name and password when you ftp to 127.0.0.1

    • Also:

      * Type /sign for your IRC star-chart reading

      * Type +++ for your 1200 baud modem speed doubler

      Also, since you're new to the club I'd like to offer you a leech account on our private warez site - use your existing login name and password when you ftp to 127.0.0.1

      Quit giving away my warez hosting site! I told you to keep that a secret.

      • by Noughmad (1044096)

        Too late, he already posted the public IP address. I'm hacking it as we speak, C:\ is already deleted, and D:\ is about halfCARRIER LOST

  • SNR (Score:5, Informative)

    by Anonymous Coward on Friday July 01, 2011 @03:34PM (#36637276)

    The signal to noise ratio on that blog post was so low.. Here's the TLDR:

    When you detect that someone is scraping your site, and you'd prefer that they didn't, start feeding them bad data in a way that they won't notice. The dataset that you've poisoned will then have side-effects that the scrapers wouldn't have expected.
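    The detect-then-poison logic this TLDR describes, as an added Python example (not Mailinator's code and not from the article): a per-client sliding-window hit counter decides when a visitor looks scripted, and flagged clients get the decoy providers named in the summary mixed into otherwise plausible answers. The genuine alternate-domain names, the threshold of 30 hits, the 10-minute window and keying clients by source address are all assumptions made for the example.

    ```python
    import time
    from collections import defaultdict, deque

    # Decoys named in the article: a scraper that blindly blocklists whatever it
    # scrapes will end up banning these real providers.
    DECOY_DOMAINS = ("gmail.com", "hotmail.com", "yahoo.com")

    # Constructed stand-ins for the service's genuine alternate domains.
    REAL_DOMAINS = ("alt-one.example", "alt-two.example", "alt-three.example")


    class AlternateDomainPage:
        """Serve one alternate domain per visit and poison clients that look scripted.

        A client (keyed by source IP, session or similar; the key is an assumption)
        that exceeds `threshold` hits inside `window_seconds` is treated as a
        script.  Flagged clients keep receiving plausible answers, but every second
        response is a decoy, so the poisoning is hard to notice from one request.
        """

        def __init__(self, threshold=30, window_seconds=600, clock=time.monotonic):
            self.threshold = threshold
            self.window = window_seconds
            self.clock = clock                  # injectable so tests can fake time
            self.hits = defaultdict(deque)      # client_id -> timestamps inside window
            self.served = defaultdict(int)      # client_id -> responses sent so far

        def record_hit(self, client_id):
            """Record one request; return True once the client exceeds the threshold."""
            now = self.clock()
            window = self.hits[client_id]
            window.append(now)
            while window and now - window[0] > self.window:
                window.popleft()                # forget hits older than the window
            return len(window) > self.threshold

        def render(self, client_id):
            """Return the domain to show for this request."""
            scripted = self.record_hit(client_id)
            n = self.served[client_id]
            self.served[client_id] += 1
            if scripted and n % 2 == 0:
                return DECOY_DOMAINS[(n // 2) % len(DECOY_DOMAINS)]
            return REAL_DOMAINS[n % len(REAL_DOMAINS)]


    def simulate(hits, step_seconds=0.0, client_id="203.0.113.7"):
        """Drive the page with `hits` requests from one client, `step_seconds` apart.

        Returns the list of domains served.  A burst (step 0) is flagged after
        30 hits; a slow client (step 100) never holds more than 7 hits in the
        window and is never flagged.
        """
        clock_now = [0.0]

        def fake_clock():
            clock_now[0] += step_seconds
            return clock_now[0]

        page = AlternateDomainPage(threshold=30, window_seconds=600, clock=fake_clock)
        return [page.render(client_id) for _ in range(hits)]


    if __name__ == "__main__":
        burst = simulate(40)
        print("burst, first 30 all genuine:", set(burst[:30]) <= set(REAL_DOMAINS))
        print("burst, responses 31-36:", burst[30:36])
        print("slow client all genuine:", set(simulate(40, step_seconds=100.0)) <= set(REAL_DOMAINS))
    ```

    The detection half (`record_hit`) is the part that generalizes: the same sliding window is a plain rate limiter if you return a 429 instead of a decoy. Keying on source address alone will flag users behind a shared NAT, so a real deployment would combine it with other signals before poisoning anyone.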

  • FTFA - "What, in our completely and totally hypothetical situation, would that do?"

    I find it more interesting he doesn't have any scrapers as he did before. Hell, I am still amazed Mailinator isn't banned when some sites still don't take Hotmail or yahoo addresses still.

  • by darkmeridian (119044) <william@chuang.gmail@com> on Friday July 01, 2011 @03:44PM (#36637382) Homepage

    The scrapers would just remove gmail.com, yahoo.com, hotmail.com, all .edu and .gov domains, and leave in aol.com. Website owners probably know that most of their traffic comes from relatively few domains so as long as those are not banned, they ought to be okay. The people who were incorrectly banned would just complain and then the website owners can judge the domains one by one.

    • by gsslay (807818) on Friday July 01, 2011 @08:44PM (#36639166)

      It's even easier than that. Simply maintain a white list as well as a black list. If the domain scraped is on the white list, don't put it on the black list. Problem solved.

      This guy is proposing a half-assed idea to foil an issue that scarcely exists, and is easily circumvented with 30 seconds of thought. Really, it's just embarrassing he's crowing about it in his blog.
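      The allowlist guard this comment describes, as an added Python example that is not from the page: a blocklist ingest step that normalizes scraped entries, rejects anything on (or under) a protected-provider allowlist, and records why each entry was dropped. The allowlist contents and the sample scrape are constructed for the example.

      ```python
      import re

      # Providers that must never be blocklisted whatever a scrape returns.
      # Constructed for the example; a real deployment loads this from configuration.
      ALLOWLIST = frozenset({"gmail.com", "hotmail.com", "yahoo.com", "outlook.com"})

      LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
      DOMAIN_RE = re.compile(rf"^(?:{LABEL}\.)+{LABEL}$")   # at least two labels


      def normalize(raw):
          """Lower-case, trim, strip a trailing dot; return None if not a valid hostname."""
          domain = raw.strip().lower().rstrip(".")
          return domain if DOMAIN_RE.match(domain) else None


      def is_allowlisted(domain, allowlist):
          """True for an allowlisted domain or any subdomain of one (e.g. mail.yahoo.com)."""
          return domain in allowlist or any(domain.endswith("." + a) for a in allowlist)


      def ingest_scraped_domains(scraped, blocklist, allowlist=ALLOWLIST):
          """Merge scraped entries into `blocklist` (a set, mutated in place).

          Returns (added, rejected): `added` lists domains in the order they were
          accepted; `rejected` maps each raw entry to the reason it was dropped.
          Reasons are kept so a sudden spike in "allowlisted" drops can be alerted
          on: that spike is the signature of a poisoned scrape.
          """
          added, rejected = [], {}
          for raw in scraped:
              domain = normalize(raw)
              if domain is None:
                  rejected[raw] = "malformed"
              elif is_allowlisted(domain, allowlist):
                  rejected[raw] = "allowlisted"
              elif domain in blocklist:
                  rejected[raw] = "duplicate"
              else:
                  blocklist.add(domain)
                  added.append(domain)
          return added, rejected


      # Constructed sample scrape: two genuine alternates, three poisoned entries
      # (in mixed case, as a scraper might see them), one junk line, one repeat.
      SAMPLE_SCRAPE = [
          "alt-one.example",
          "gmail.com",
          "Alt-Two.example",
          "HOTMAIL.COM",
          "not a domain",
          "alt-one.example",
          "mail.yahoo.com",
      ]


      def demo():
          """Run the ingest on the constructed sample; return (added, rejected, blocklist)."""
          blocklist = set()
          added, rejected = ingest_scraped_domains(SAMPLE_SCRAPE, blocklist)
          return added, rejected, blocklist


      if __name__ == "__main__":
          added, rejected, blocklist = demo()
          print("added:", added)
          for raw, reason in rejected.items():
              print(f"rejected {raw!r}: {reason}")
      ```

      The subdomain check matters as much as the exact match: a poisoned entry like `mail.yahoo.com` would otherwise slip past an allowlist that only contains `yahoo.com`.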

  • doesn't it make sense for the validation method to ping the domain? so if site $foo pings bar@gmail.com it'll show google's server not mailinator. It'll show as a valid domain. Or am I missing something?
  • Translation (Score:5, Informative)

    by Anonymous Coward on Friday July 01, 2011 @03:50PM (#36637444)

    Prior knowledge required to know what the summary is talking about:
    -Mailinator is a disposable email address service for people that don't like giving their email address to strangers
    -There are people who have issues with allowing someone to sign up for and use your service with a disposable email account
    -People started banning Mailinator off the bat
    -Mailinator's creator responds by creating alternate domains the email address can use to evade the standard Mailinator ban, displaying them for the public when they visit the Mailinator page at a rate of one domain per visit
    -People create scripts to collect these alternate domains for various purposes (mostly for banning)
    -Mailinator describes how it could mess with these people to remain useful to its users by detecting rapid page requests and serving random domains in response.

  • by Sloppy (14984) on Friday July 01, 2011 @03:52PM (#36637456) Homepage Journal

    WTF is mailinator and why, in the first place, would I want to find out about its other domains and then ban them?

  • spamgourmet.com is a much better site for generating thousands of fake email addresses, although not as fun as mailinator. You can forward them all to your real email address, and then turn them off individually as they are compromised.

    Spamgourmet.com also has a whole range of alternative names. I, for example, use mamber.net for the domain name of the addresses I generate. Visit the site, you'll get a laugh.

    So, how does spamgourmet prevent one person from getting a complete list of all alternate names? E

    • by dskoll (99328)

      You don't need the list of domains. The (comparatively tiny) list of MX machines will do...

    • by Guppy (12314)

      I use Sneakemail.com, which pretty much does the same thing. Only problem is that they're no longer a freemium service, pay-only now but still reasonably cheap.

  • Anyone who scrapes the list for alternate domains is supremely dumb. It's far easier to get a list of the small number of MX records. When we wanted to ban mailinator, we just banned any domain with an MX record that matched an IP address in the mailinator MX pool. Even if he uses a few different MX records for different domains, you'd only need a small list of domains to cover all the MX machines.
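    The MX-based approach this commenter describes, as an added Python example rather than the commenter's own code: resolve a candidate domain's MX hosts to addresses and block the domain if any address falls inside a known mail-exchanger pool, so a newly minted alternate domain is caught without a scraped list. DNS lookups are injected so the example runs offline against constructed tables; the pool range, the domain names and the addresses are all constructed. The suggestion of dnspython's `dns.resolver.resolve(name, "MX")` for live lookups is an assumption about that library, not something the page states.

    ```python
    import ipaddress
    from typing import Callable, Iterable, List

    MxLookup = Callable[[str], List[str]]     # mail domain -> MX hostnames
    AddrLookup = Callable[[str], List[str]]   # hostname -> IPv4/IPv6 literals


    class MxPoolBlocker:
        """Block a domain when any of its MX hosts resolves into a known exchanger pool.

        The pool is the set of addresses behind the disposable service's mail
        exchangers (here a constructed range); alternate domains that point at
        the same exchangers are caught without ever scraping a domain list.
        """

        def __init__(self, pool: Iterable[str], mx_lookup: MxLookup, addr_lookup: AddrLookup):
            self.pool = [ipaddress.ip_network(n, strict=False) for n in pool]
            self.mx_lookup = mx_lookup
            self.addr_lookup = addr_lookup

        def mx_addresses(self, domain: str) -> List[str]:
            """All addresses of the domain's MX hosts (empty if the domain has no MX)."""
            addrs: List[str] = []
            for host in self.mx_lookup(domain):
                addrs.extend(self.addr_lookup(host))
            return addrs

        def is_blocked(self, domain: str) -> bool:
            for literal in self.mx_addresses(domain):
                ip = ipaddress.ip_address(literal)
                if any(ip in net for net in self.pool):
                    return True
            # Caveat: a domain with no MX record is left alone here even though
            # mail can still be delivered to its A record; decide that case explicitly.
            return False


    # Constructed DNS tables so the example runs offline.  A real deployment would
    # inject live lookups instead, e.g. dnspython's dns.resolver.resolve(name, "MX")
    # for mx_lookup and socket.getaddrinfo for addr_lookup (assumed, not from the page).
    FAKE_MX = {
        "throwaway.test": ["mx1.pool.test"],
        "brand-new-alias.test": ["mx2.pool.test"],   # never seen before, same exchangers
        "corp.test": ["mail.corp.test"],
        "nomx.test": [],
    }
    FAKE_ADDR = {
        "mx1.pool.test": ["203.0.113.5"],
        "mx2.pool.test": ["2001:db8:abcd::25", "203.0.113.14"],
        "mail.corp.test": ["198.51.100.9"],
    }


    def fake_mx_lookup(domain: str) -> List[str]:
        return FAKE_MX.get(domain, [])


    def fake_addr_lookup(host: str) -> List[str]:
        return FAKE_ADDR.get(host, [])


    # Constructed pool: the ranges the disposable service's exchangers live in.
    POOL = ["203.0.113.0/28", "2001:db8:abcd::/48"]


    def demo_blocker() -> MxPoolBlocker:
        return MxPoolBlocker(POOL, fake_mx_lookup, fake_addr_lookup)


    if __name__ == "__main__":
        blocker = demo_blocker()
        for name in FAKE_MX:
            print(f"{name:>22}: {'blocked' if blocker.is_blocked(name) else 'allowed'}")
    ```

    Matching on networks rather than single addresses is what keeps the pool list small, as the commenter notes; the trade-off is that a shared hosting range would block every tenant in it, so the pool should be built from the exchangers actually observed, not from whole provider allocations.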

  • Apparently Kdawson has hacked your account, please secure it immediately.

  • Cause people would never write an exception for gmail/yahoo/hotmail etc. That has to be the biggest waste of time reading an article on here for a while. Did this guy post this himself?

    I love the comments on the site calling him a genius, I hope they aren't working in IT :p
