On 2025-03-27 13:55, Jaroslaw Rafa via mailop wrote:
> Hello,
> a few days ago someone managed to abuse an account registration form on my
> personal website and a few dozen random recipients at different domains
> (mostly at Yahoo) got registration confirmation emails from my address. The
> scale of the attack was not big, it was about 20-30 mails in total until I
> noticed it and secured the form to block the attack.
> However I wonder - and here I'm looking for your opinion - what can be a
> possible gain for the attacker from such an attack? The form does not have
> any field to enter their own information that could be passed to the recipient -
> just login, password and email - so all the recipient gets is a standard
> message saying that someone registered an account named XYZ on my website
> using their email address, and if they want to confirm it, they should click
> the link, otherwise do nothing and the registration will expire in 24 hours.
> How can anyone benefit from spamming people with such messages?
Been going on for years.. standard 'mailbombing'.. there are services
out there you can 'rent' to do this for you. Script kiddie stuff for
the most part, they keep a list of newsletter and contact forms that can
be abused for this purpose, and script it.. so the target gets a full
mailbox..
See it in the gaming community all the time, when one gamer gets upset
with another.. but given it only costs a few bucks to launch one of
these attacks, it is used by some miscreants any time someone pisses
them off..
Worst thing, nothing you can really do about it when it happens..
luckily they usually only run it for a few hours at a time. We still
see it once every couple of months at one of our customers.. but there is
enough variety in the automated sign-ups that there's little to do other
than temporarily blocking everything for that account.. which MIGHT be the
purpose in the first place, so someone can't get an important mail they
are waiting for.
(Now, if every one of those sign-up forms included the auto-generated
headers, maybe you could restrict them based on that, but that is
whack-a-mole).
The secret is in the sign-up forms, having human detection safeties in
place to stop bot signups.. simple CAPTCHAs are easy to beat, and like
locks, only keep out the innocent..
--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Reg. TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada
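One way to put a safety of that kind in front of a registration form, as an added example (not code from the thread, from Jaroslaw's site or from LinuxMagic): a sliding-window limiter that caps confirmation mails per client IP and per recipient domain and refuses to re-mail the same address within a day, so a scripted burst of random addresses stops producing outbound mail. The class name, thresholds and the constructed burst are assumptions.

```python
# Added example: sliding-window guard for a registration form's confirmation mail.
# Thresholds, names and the simulated burst are assumptions, not from the thread.
from collections import defaultdict, deque


class SignupGuard:
    """Decides whether a registration request may trigger a confirmation mail."""

    def __init__(self, window=3600, per_ip=5, per_domain=20, resend_after=86400):
        self.window = window              # seconds covered by the sliding window
        self.per_ip = per_ip              # max confirmations per client IP per window
        self.per_domain = per_domain      # max confirmations per recipient domain per window
        self.resend_after = resend_after  # do not re-mail one address within this many seconds
        self.by_ip = defaultdict(deque)
        self.by_domain = defaultdict(deque)
        self.last_sent = {}

    @staticmethod
    def _prune(q, now, window):
        # Drop timestamps that have left the window (oldest first).
        while q and q[0] <= now - window:
            q.popleft()

    def check(self, ip, email, now):
        """Return (allowed, reason); the event is recorded only when allowed."""
        email = email.strip().lower()
        domain = email.rsplit("@", 1)[-1]
        ip_q, dom_q = self.by_ip[ip], self.by_domain[domain]
        self._prune(ip_q, now, self.window)
        self._prune(dom_q, now, self.window)
        if now - self.last_sent.get(email, -self.resend_after) < self.resend_after:
            return False, "duplicate address"
        if len(ip_q) >= self.per_ip:
            return False, "ip rate limit"
        if len(dom_q) >= self.per_domain:
            return False, "domain rate limit"
        ip_q.append(now)
        dom_q.append(now)
        self.last_sent[email] = now
        return True, "ok"


def simulate():
    """Constructed burst: one client IP submitting 30 random yahoo.com addresses."""
    g = SignupGuard(per_ip=5)
    results = [g.check("198.51.100.7", f"user{i}@yahoo.com", 1000 + i) for i in range(30)]
    sent = sum(1 for ok, _ in results if ok)
    return sent, results[5][1]
```

Legitimate users who mistype and retry still get one mail per address per day; the per-domain cap catches a burst spread over many source IPs that all target one provider.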
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop