Someone used my open source project to phish people (andrej.sh)
eggbrain 47 minutes ago [-]
There will always be a subset of users whose goal is to not use your service, but to arbitrage your service into the maximum value for themselves.

For example -- let's say you offer $100 in free AWS credits for signing up to your platform. Expect a malicious user to eventually come to your platform, realize they can resell those $100 in credits for $50, and start using your platform for their own gain. Unless the mechanisms you put in place to reduce fraud / second sign-ups / etc. cost more than the value they are receiving ($50), they will continue.

With sites where the platform is free, the math almost always makes sense for these malicious users to eventually abuse. In this case it was leveraging the email reputation of another domain at no cost to their own (along with the added value of anyone getting phished), but on other sites it's public profiles being used for backlinks / spam, etc.

no_multitudes 54 minutes ago [-]
Please write your blog post yourself if you expect people to read it. The LLM output is very grating.
pressbuttons 26 minutes ago [-]
Why do you think this is LLM-generated? Reads perfectly fine to me.
no_multitudes 17 minutes ago [-]
The sentence construction, choice of vocabulary, and continually breathless tone are all clear indicators this was written by an LLM and barely edited.

I threw part of it into pangram to get a second opinion:

https://www.pangram.com/history/8d6a7de3-86ac-4ce0-86c5-4f93...

JRandomHacker42 4 minutes ago [-]
> There was no exploit. No vulnerability disclosure. No CVE for me to write.

was a dead giveaway in my mind when I read it.

poly2it 11 minutes ago [-]
> What stuck with me wasn’t the scale, although 14,000 people getting a phishing email from a domain I own is bad. It was how mundane it was.

> There was no exploit. No vulnerability disclosure. No CVE for me to write. The attacker filled out my signup form 942 times, made 942 workspaces, sent 942 batches of about a hundred invitations each, and stopped. They used my tool exactly as designed. The design was just bad enough that the tool was good for phishing.

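The pattern quoted above (hundreds of fresh signups, each workspace immediately sending a batch of roughly a hundred invitations) is something a service can detect from its own event log before the mail goes out. The following is an added example, not code from the blog post or the project it describes: a small detector run over a constructed log. The event schema, the thresholds (5 signups per IP in 10 minutes, 50 recipients from a workspace under an hour old) and the `ws-NNN` workspace names are all assumptions made for the illustration.

```python
"""Detect the signup-then-bulk-invite abuse pattern over a constructed event log.

Added example for this discussion; not the project's own code. Thresholds and
the event schema are assumptions chosen for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    kind: str           # "signup" or "invite_batch"
    workspace: str
    ip: str
    recipients: int = 0  # only meaningful for invite_batch


# Tunable thresholds (assumed values, not taken from the project).
SIGNUPS_PER_IP_WINDOW = timedelta(minutes=10)
SIGNUPS_PER_IP_LIMIT = 5           # the 6th signup from one IP in the window is flagged
NEW_WORKSPACE_AGE = timedelta(hours=1)
BULK_INVITE_MIN = 50               # a fresh workspace inviting >= 50 addresses is flagged


def detect_abuse(events):
    """Return {workspace: [reasons]} for workspaces matching the abuse heuristics.

    Two independent signals are combined:
      * signup velocity: too many signups from one IP inside a sliding window;
      * bulk invite from a fresh workspace: a large invitation batch sent
        shortly after the workspace was created (the phishing pattern).
    """
    flagged = defaultdict(list)
    recent_signups = defaultdict(deque)  # ip -> signup timestamps inside the window
    created_at = {}                      # workspace -> creation timestamp

    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "signup":
            created_at[ev.workspace] = ev.ts
            window = recent_signups[ev.ip]
            window.append(ev.ts)
            # Drop signups that have fallen out of the sliding window.
            while window and ev.ts - window[0] > SIGNUPS_PER_IP_WINDOW:
                window.popleft()
            if len(window) > SIGNUPS_PER_IP_LIMIT:
                flagged[ev.workspace].append(
                    f"signup velocity: {len(window)} signups from {ev.ip} "
                    f"within {SIGNUPS_PER_IP_WINDOW}")
        elif ev.kind == "invite_batch":
            # A workspace with no recorded signup is treated as brand new
            # (conservative: unknown age counts as fresh).
            age = ev.ts - created_at.get(ev.workspace, ev.ts)
            if age <= NEW_WORKSPACE_AGE and ev.recipients >= BULK_INVITE_MIN:
                flagged[ev.workspace].append(
                    f"bulk invite: {ev.recipients} recipients {age} after creation")
    return dict(flagged)


def build_sample_log():
    """Constructed sample log: one legitimate workspace, eight abusive ones."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    events = [
        # Legitimate customer: signed up two days ago, invites four colleagues later.
        Event(t0 - timedelta(days=2), "signup", "acme", "203.0.113.10"),
        Event(t0 - timedelta(days=1), "invite_batch", "acme", "203.0.113.10", recipients=4),
    ]
    # Abuser: one IP, a new workspace every minute, ~100 invites 30 s after each signup.
    for i in range(1, 9):
        ws = f"ws-{i:03d}"
        signup_ts = t0 + timedelta(minutes=i)
        events.append(Event(signup_ts, "signup", ws, "198.51.100.7"))
        events.append(Event(signup_ts + timedelta(seconds=30), "invite_batch", ws,
                            "198.51.100.7", recipients=100))
    return events


def sample_detection():
    """Run the detector over the constructed log."""
    return detect_abuse(build_sample_log())


if __name__ == "__main__":
    for workspace, reasons in sample_detection().items():
        print(workspace, "->", "; ".join(reasons))
```

On the constructed log every abusive workspace is flagged for the bulk invite alone, and the sixth onwards are additionally flagged for signup velocity, while the legitimate workspace is untouched. In practice the bulk-invite check is the more useful one, because it fires even when the abuser spreads signups over many IPs or disposable addresses; it is also the check that would have stopped the batches described above.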
jubilanti 17 minutes ago [-]
If you have commits in the Linux kernel, your open source code has certainly been used to murder people, because it's in everything, including weapons systems.
j-bos 43 minutes ago [-]
"Disposable email domains blocked": this one is really annoying, as in practice more and more services that become spammers, or sell to what are basically spammers, cannot be kept at arm's length.
sandeepkd 55 minutes ago [-]
Couple of things:

1. You are not alone, this happens at a large scale across the board with companies of all sizes.

2. More than likely the abuser did not do it manually; more than likely they automated it.

3. As a thoughtful business, one could have rolled out all the authentication features/gates once the business picked up; as a starter, the safe idea could have been to put it behind any openly available OAuth provider.
