Sending spammers to password purgatory (opens in new tab)

(troyhunt.com)

349 pointsitsjloh3y ago162 comments

162 comments

For our dating site, which of course has to deal with many prinses, Nigerian or otherwise, when we manually verified an account to be a scammer, we reject logins with a message stating that the IP address has been blocked. Scammers will usually go through all of their VPNs/bots in order to try to login, allowing our system to flag them all.

We'll manually review all accounts that use (more than one of) those ip addresses. Works like a charm! :-)

mrtksn3y ago

> when we manually verified an account to be a scammer

This makes all the difference with other services that block out users only to let them guess why they were blocked.

If an automated system did that, I would have said it's evil. Yet, I hope you have a communication channel in case there was a human error.

jjoonathan3y ago

Yes, although I would add an attention threshold too, as it's not entirely unknown for hired manual review to just spam the "guilty" button so they can get to lunch. In any case: your false positive rate needs to be massively low if you want to be a massive asshole to the people it flags -- or else you are just an asshole.

If you can afford to get the FPR down, sure, have fun, but if not, please have the decency to not pretend.

1 more reply

vanviegen3y ago

Admittedly, there is the occasional false positive. For such cases, we display an email address right underneath the error message. Scammers rarely dare to complain, and when they do, they are usually not very convincing.

1 more reply

efitz3y ago

That is truly evil. I love it!

bradknowles3y ago

So, the problem I see here is when spammers abuse someone else's machine to conduct activity like this, and all those random people get their IP addresses blocked by your system.

And how would the legitimate owner of that IP address ever know how to contact you to get removed from your blacklist?

vanviegen3y ago

No, the IP addresses won't be blocked, but the accounts will be reviewed.

Legitimate users would be able to contact us using the email address that is shown right underneath the error message.

Chilinot3y ago

That's a really smart idea!

brightball3y ago

That is genius

armchairhacker3y ago

Ok, I have no issue with tactics like these when they're wasting spammers' time. But sometimes it seems like real users get caught up in these honeypots for scammers and hackers.

A lot of the crap real sites make people go through e.g. when they lose access to their account or login to a VPN or the site just "can't verify their identity" for some reason. Where you go through a bunch of hoops and captchas, only to have some step fail or reach a dead end. They really seem like they're just set up to intentionally waste people's time.

For example, Steam has a system where if you enter too many invalid passwords, it will present you with a captcha which you can never actually solve. It's a lot more annoying than just saying "you have been locked out of trying to log in for X hours".

But this, this is fine. It's pretty clear that the person you're targeting is a spammer, and it's pretty clear to the user after about 60 seconds that you're password system is a joke.

bo10243y ago

> For example, Steam has a system where if you enter too many invalid passwords, it will present you with a captcha which you can never actually solve.

I call this "login gaslighting" and it's evil. Pioneered by the "do no evil" company.

stepupmakeup3y ago

ReCaptcha does a similar tactic but rather than unsolvable it's a stream of the most annoying captcha -- "select all of image until none are left". Fail one and you're back at the start. You do have the option to cycle captcha, but 9/10 times it'll be this one. Eventually you'll get locked out of captcha entirely. Anyone who has used Tor on Google has probably experienced this.

4 more replies

zasdffaa3y ago

So that's what that was... Was trying to do something legit, MS gave me a puzzle to solve, it was unsolvable in the time given, it wasted maybe 20 mins. Can't remember what it was, I think create an account for visual studio (you had to sign in to an MS account to keep using free VS, the wankers).

2 more replies

fjfbsufhdvfy3y ago

They are indeed set up to waste people's time.

Blocking people leads to them searching for ways around your block really quickly. Making them waste time not realizing they have been blocked, such as endless retries or shadow bans, is much more effective at making them stop bothering you for a while longer. Time spent doing this is time they can't spend being malicious on your platform.

It's unfortunate when a non-malicious user gets caught in one of these traps...

tpoacher3y ago

"Unfortunate"

Sounds like something a film villain would say when asked about collateral damage.

ImPostingOnHN3y ago

it is unfortunate that some people believe those pros outweigh the punishment inflicted on innocent users

it is better a thousand criminals/ spammers go free than a single innocent non-spammer be treated as if they are one

essentially the companies are shifting their own pain (with spammers) onto innocent users ("it's your problem now, suck it users, lol!!!")

1 more reply

duxup3y ago

Google had me in an endless no right answers captcha after I left a vpn on one day.

Lasted a few hours. I figure someone else on that vpn was doing something wrong and they just blocked anyone from there for a while.

Super frustrating that your left to just … to get frustrated.

___8___3y ago

I tried to sign up for steam and my long complex password seemed to trigger a never ending stream of captures. Also, just today ticketmaster decided my firefox browser was a bot and blocked me. Fun times.

ajimix3y ago

You are lucky. I haven’t been able to use Ticketmaster for 2 years because all IPs from my ISP are blocked as bots. Contacted their support on Twitter and they told me the only way to use their site is to change my ISP as even the VPNs I tried are blocked. Looks like they have enough money to have the luxury to block one of the biggest ISP where I live

zerocrates3y ago

StubHub was just doing the same thing to me: Firefox and only Firefox was blocked entirely.

Figure it was a mistake from some automated security framework type of deal.

artificialLimbs3y ago

Verizon’s site times out your login after like 2 minutes. Just trying to manage my account on the site is a nightmare, and I’m on fiber.

donkarma3y ago

steam censors passwords. if you have 88 in your password you will fail to register

CJefferson3y ago

I just made a new steam account with '88' in the password. It seems to have worked fine. I also can't find any reference to this on the internet.

1 more reply

sdoering3y ago

I understand the initial idea to block this known neo-Nazi short handle (8 for the letter H and 88 as HH standing for the 'Heil Hitler' salute in these circles).

But how many people do I know born in 88. Or on the 8th of August?

I understand that given the login is your public visible name on steam they just don't want clear neo-Nazi signifiers.

Edit: Typo

4 more replies

drfuchs3y ago

Troy, watch out you don't open yourself up for an attack from the bad guys: They'll start sending you solicitations with ReplyTo addresses of industry honeypots, and before you know it, you'll become a known spammer and your regular outgoing emails will be routed to recipient's spam folders or maybe even dropped entirely.

Ueland3y ago

I'm not sure if you're joking or not so: He already gets attacked from the bad guys.

quickthrower23y ago

And this would be a new way to attack him

1 more reply

shaky-carrousel3y ago

I found a surprisingly effective way of detecting honeypots some time ago, while working at an email marketing company.

thombat3y ago

You have a truly marvelous demonstration of this method, which this margin is too narrow to contain?

1 more reply

ghgr3y ago

You can check in their GitHub repo [1] the list of reasons to reject your password (classified by level of "InfuriationLevel"). Some examples:

'Password must contain at least 1 primary Simpsons family character'

'Password must contain at least 1 Nordic character'

'Password must contain at least 1 Greek character'

'Password must contain at least 1 primary Griffin family character'

'Password must contain at least one emoticon'

'Password when stripped of non-numeric characters must be a number divisible by 3'

[1] https://github.com/troyhunt/password-purgatory-api/blob/mast...

brk3y ago

My favorite was "password must be a palindrome".

drewzero13y ago

Mine is "Password must contain 'Password must contain'".

thih93y ago

But how does the palindrome rule work with “password must start with ‘cat’” and “password must end with ‘dog’”? It seems impossible to satisfy these three.

Having the conditions contradict each other serves as a proof that it’s impossible to create a password; I thought this information shouldn’t be revealed to the user.

Looks like there is already an issue about it: https://github.com/troyhunt/password-purgatory-api/issues/45

thih93y ago

The emoji rule is particularly annoying on ios; there the password keyboard (i.e. virtual keyboard used on “password” form input fields) is different and doesn’t support entering emoji.

drewzero13y ago

Good to know :)

Edit: I just noticed the list has one requirement for an emoticon, and another for an emoji. Carry on.

kazinator3y ago

How about "Password must exhibit at least some character". :) :)

brightball3y ago

This is awesome and it works!

I did the same thing 10 years ago and it was one of the best morale builders for our team after all the time we spent dealing with these folks.

https://www.brightball.com/articles/waste-spammers-time-to-r...

inopinatus3y ago

This reads more like Microsoft content marketing than a serious attempt to do anything of value.

urbandw311er3y ago

Came here to say the same. Oh look, I happen to be using all these new features.

thenoblesunfish3y ago

This reads a bit much like an ad. I sure have to scroll through a lot about Microsoft, Cloudflare, etc. before the funny password requirements I came for, at the verrrry end.

quickthrower23y ago

Yeah especially using that Microsoft service. Takes me back to M$ sponsored tech talks where they had to use MSN search and not mention the G word.

dmurray3y ago

This is a Microsoft sponsored tech talk. Advertising for MS is one of Troy's businesses, as he discloses in his bio on the page. And the banner at the top says this particular post is sponsored by Cloudflare.

2 more replies

KMnO43y ago

I once attended a MS workshop at my school on Azure. The speaker kept saying “open x page in Edge”, until there was a page that didn’t render properly with Edge. He was very hesitant to say Chrome.

rainsurf3y ago

This is a cool project, but I would more concerned that replying to spammers confirms you are real and that could result in much more spam. So is the net increase in pain your own?

hot_gril3y ago

There are simpler and more effective ways to waste spammers' time. First of all, I can't remember the last time I've gotten email spam that expected a response. On the other hand, phone spam, which is much more disruptive, is usually trying to screen me briefly then funnel me to a scammer.

So I pick up spam calls, press 1 immediately, then put the phone back in my pocket. This usually connects it to a real person who hears ambient noise, thinking I'm nearby. Usually I waste like 60sec of their time for 2sec of my time. It's hard for them to protect against this because no matter what, they need some victims to talk to the real person, unless they develop a very smart AI. But a relatively simple bot with a list of likely scam numbers could automate the fake victim's side.

A colleague was dealing with more advanced scammers who had already made some progress with his unaware mother. Their scam was unique in that it required calling them back. He managed to collect all the phone numbers they were using, then he put up fake Craigslist ads for free couches... and you can guess the rest.

brutusborn3y ago

I tried a similar approach but it resulted in me being spammed way more frequently. I assume pressing 1 flags your number as "likely to respond" and the database is then sold to other scammers. Also, collecting numbers doesn't work because all the spam calls I receive are from spoofed mobile numbers which change each time. The craigslist trick just punishes some unsuspecting person, not the scammer.

hot_gril3y ago

Yes, it probably adds you to their lists. Somehow, after doing this for years, I'm probably only getting one spam call each day, maybe because my carrier did something to cut down on them.

The Craigslist trick worked because of a unique situation. They were using real numbers because their scam relied on being called back. He did call manually to make sure.

Pxtl3y ago

I assume your starting password rules deliberately set the bar low to encourage PRs to improve it, since I can think of much more believable, infuriating, tedious ways to drag this out longer, keeping the user thinking they're always one step away from a valid password without being obviously silly.

Believable, stupid requirements I've seen in the wild in the bad early days of complexity requirements.

- your password contains a common word

- your password contains one or more repeating characters

- your password contains a forbidden character

- your password needs at least one additional uppercase letter

- your password needs at least one more distinct special character

- your password cannot end with a special character

- your password contains an escalating series of numbers

- your password is too short

- your password is too long

thayne3y ago

I've seen a real site where the minimum password length was more than the maximum password length. Of course, if you know that you'll stop wasting your time. But if the error is just "your password is too short" or "your password is too long" it might take several tries to figure out it's impossible to satisfy the requirement.

alpaca1283y ago

Twitch complained that my password longer than 16 characters exceeded the 40 character limit.

But the worst I've seen was a registration form that truncates long passwords to the (hidden) maximum length of ~10 without telling you, so anyone choosing a safe password cannot login and won't know why.

2 more replies

Pxtl3y ago

Especially when those messages are the last ones that appear after you've resolved every other issue.

RalfWausE3y ago

Hah... this reminds me of the following (perhaps most interesting for people speaking german):

Bitte geben Sie ein sicheres Passwort ein.

Leberkas

Entschuldigung, Ihr Passwort ist zu kurz!

Leberkas-Semme

Entschuldigung, Ihr Passwort muss mindestens 1 Zahl enthalten.

1 Leberkas-Semme

Entschuldigung, Ihr Passwort darf keine Leerzeichen enthalten.

50drecksleberkassemmen

Entschuldigung, Ihr Passwort muss mindestens einen Umlaut enthalten.

50drecksleberkässemmelnzefix

Entschuldigung, Ihr Passwort muss mindestens 1 Grossbuchstaben enthalten.

50DRECKSleberkässemmelnZEFIX

Entschuldigung, Ihr Passwort muss mindestens 1 Sonderzeichen enthalten.

50DRECKSleberkässemmelnZERFIX!!!!!!!

Entschuldigung, Ihr Passwort darf nur Grossbuchstaben enthalten, die nicht aufeinanderfolgend sind.

KreizKruzeFixVerdammterScheissDrecklatzkannstMiGleiKreizWeisSonstWo WoslnDesFiaAScheissSystem50DrecksleberkässemmelnZeFix!!!!

Entschuldigung, dieses Passwort ist bereits in Verwendung. Bitte wählen Sie ein anderes.

lrem3y ago

You got me at "Entschuldigung, dieses Passwort ist bereits in Verwendung." :D

WaxProlix3y ago

You also need to only give the feedback on password quality after user has entered it twice; until then, "passwords do not match" is the only piece of info.

InCityDreams3y ago

>stupid requirements I've seen in the wild in the bad early days of complexity requirements.

Early days? Every sodding week for me....

jaclaz3y ago

Just in case:

Dumb Password Rules

Shaming sites with dumb password rules.

https://github.com/duffn/dumb-password-rules

itsjlohOP3y ago

I had to change Microsoft -> MS and Cloudflare to CF otherwise the title wouldn't submit.

Original title in full is: Sending Spammers to Password Purgatory with Microsoft Power Automate and Cloudflare Workers KV

kazinator3y ago

> Because it would be rude not to respond, I'd like to send the spammer back an email and invite them to my very special registration form.

Don't do that. No, really, don't.

Okay, you didn't listen and did it anyway; please, at least don't automate it or semi-automate it where you're just doing it with one click.

> Spammer burned a total of 80 seconds in Password Purgatory

So you think, based on the belief that when you reply to the spam, it goes back to the spammer.

That may not be the case; when you engage spam, you are possibly generating "backscatter"; a person having nothing to do with the spammer may receive the e-mail.

Spam messages are not always relying on someone replying to them to hook in the victim. Sometimes there is no hook at all, or sometimes the hook is in the HTML links, and not in replying. (They additionally hope that if you reply, the person you are replying to will also get the spam e-mail, since it is quoted, and that person will click on the links.)

sedatk3y ago

Back in early 2000's, I'd written a simple ASP page that produced infinite amount of random email addresses page by page. Had any crawler bot got caught up in it, it'd keep filling its database with these nonsense email addresses. I'd distributed its source code too. Troy Hunt's project made me remember it.

LinuxBender3y ago

Nice! I like things that keep spammers and scammers busy.

My own low-effort method is to accept mail for any domain on my name servers. Spammers think they are relaying their scams but it just goes to a flat text file. It isn't like I try to hide it. The banner even says its a honeypot and not to use it.

    139K /var/spool/mail/vhosts/crap
    24K  /var/spool/mail/vhosts/crap
    177K /var/spool/mail/vhosts/crap
    196K /var/spool/mail/vhosts/crap

That's 4 days of spam/scams.

creeble3y ago

Cute idea, but my guess is that 80% of the reply-to in spam emails are either forged or fake.

They’re not typically trying to get you to reply - they’re trying to get you to click a link.

efitz3y ago

The complexity requirements pretty quickly become unreasonable, to the point that I would have realized they weren’t serious after like the 2nd try.

To be really evil, Troy should play with the password field- make it not a text or password field, but rather some sort of custom input field that doesn’t work with password managers and doesn’t allow paste.

Also maybe return errors sometimes that are themselves erroneous.

roveo3y ago

A better idea would be to use custom inputs that produce "typos" that the user didn't make. E.g. you have a "zip/postal" code field and your input sneakily swaps 2 neighbouring characters at some point, resulting in error "this zip code doesn't exist". Or change 8 to 9 etc.

Or you could make a "check your input one more time before confirming" step and display typos in e.g. names/emails there.

hot_gril3y ago

I've seen worse password purgatories in the wild. One was the Princeton undergrad acceptance (or should I say rejection) portal, which for some reason required registration even though I was entering a key from an email. It was something like:

1. marcopollo – Password must contain at least two numbers. 2. marcopollo11 – Password must not begin or end with a number. 3. m1arcopoll1o – Password must not contain two of the same number. 4. m1arcopoll2o – Password must contain at least one special character (! ? & % $ # @). 5. m1arcopoll2o! – Password must not end with a special character. 5. m1arcopoll2!o - Password must not contain 3 or more of the same letter. 6. m1arcopoll2p! - Password must not contain 2 of the same consecutive character. 7. I forget, but it kept going.

At some point, I gave up and started generating random passwords. The first 3 attempts were still not accepted. In a way, those restrictions were actually reducing the entropy.

orliesaurus3y ago

I love that the endpoint was called `/create-hell` - that got me chuckling reminding me of Stone Cold Steve Austin from WWE's motto:

- Arrive, Raise Hell, Leave

thih93y ago

The article shows only a single and relatively short “purgatory” session. Are there more? Is there a place that lists or provides a ranking of them?

Double_a_923y ago

This seems kinda silly... Basically he sends his own spam back to the spammer. I expected something cleverer.

jb19913y ago

Sometimes being clever means finding the simple and elegant solution.

kaiusbrantlee3y ago

This will work on some spammers but not forever. This is an infinite cat and mouse game.

For better or for worse, "publicizing spammers pain for our pleasure" has a guaranteed effect of shortening the useful lifespan of this tool. Unless of course no spammers ever read that article, OR HN.

jwozn3y ago

These spammers also aren't aware of Troy Hunt, otherwise they likely wouldn't try to spam him in the first place.

archi423y ago

I like the idea, but upon pondering, I think it could be made better by imitating other dark patterns:

1. Ask for a username, only offer "OK"

2. Upon OK: Wait 2-3s while showing an ajax spinner, then add another box to the DOM, asking for an "e-mail"

3. Rinse and repeat with first name + last name; then company name; country (pick from a list of ~50 widely known country names, sorted by median age of the population - remove the IPs country of origin, so they have to pick "other" and enter it manually)

4. Tell the user the username doesn't match the expected format and offer to add a random "#1234" for them - upon doing so, back to square one (except their username is now "#1234" and not "scamoverlord#1234"). make sure to flush the other info as well.

5.1. Tell them you're sending a verification mail (you don't). Offer them to resent it after 30s.

5.2. Upon "try again", tell them first to check their mail address, and lock the "try again" for another 10s.

5.3. Now, after another 30s, tell them there must be an error with the mail gateway (there is no mail gateway) and offer them to continue; the verification mail is queued and will be sent later (-> you're sooo super userfriendly!).

6. Now the user/victim easily spent 90s to enter "valid" details and must be quite invested. Show a re-captcha style captcha before asking for password (after sending an email and possibly spamming someone? yeah, maybe put that before the fake mail verification, I came up with that in the wrong order).

7. the "checking if you're human" should fail after 3-4s (spammers are used to that).

8. Then the first of the 9 captcha images should pop up afer 1-2s initial "loading time", the other ones after another .5 - 2s, each.

9. Let the first one or two captchas fail no matter what (two if they're fast, one if they're already spending a lot of time there - plausible if you're handpick terms + images for which foreign speaker often don't know the exact meaning; like "barnacles", "melange", "cabin", "truck", or showing differnt styles buses and asking for "tram").

10. Three times the charm: Accept any answer, as long as the "user" spent more than 4s on it (use a simple term with obvious images to make it plausible, like "birds" or "cars").

11. finally get started with the password. Let them do four or six levels.

12. What's that, the the captcha timed out and/or too many bad password tries? Are you sure you're not a bot? Well, do it again! (maybe let them only fail once to keep them hooked)

13. Oh no, the password field has been reset after the captcha was solved. At least you now know how to do a rule-abiding password. So let them do all the levels.

14. If they're really persistent, fake a "oh no, your tab crashed, reload?" screen for their browser.

Uuuuh, I think I put that on my infinite todo list.

PS: Have them write "a few words" about their business. Make sure to garble copy/paste (e.g. reverse word order or just reset length counter to 0, increase decrease from there and do a proper recount on submit). On submit, verify the input for a few seconds and claim that it's either to short or too long (if they wrote >500 chars, say it should be 200-400, if they wrote <500 chars, ask for 600-800). And remember to keep the char counter broken (update only after not typing for 2s, making the input field not readable for another second while "counting"). Bonus points if a WYSIWYG editor widget is used, which of course takes 5 to 10s to load; or have a "worker" at Amazon Mechanical Turk review it (only takes 30 to 90s).

PPS, for balls of steel: Add a second act by only enforcing the first few levels. Then, upon login, tell them they need to change their password. Maybe also tell them if they install your "super special" security extension, they can use weaker password rules. If they stupid enough to really install it, let it send a "X-Block-Me: I am a scammer" header along with every http/s request.

yabones3y ago

Wow, this is almost precisely the process for creating a new Air Canada account.

barelysapient3y ago

Another well intentioned 'design by committee'.

joshxyz3y ago

Thats evil and hilarious lol. Password must start with a cat, end with a dog haha.

leshenka3y ago

And then it must be a palindrome, how do you solve that?

bornfreddy3y ago

The site doesn't seem to check if the conditions are met though. When the password was supposed to end with "dog", spammer used an invalid format and still got the next challenge.

mattmaroon3y ago

This is hilarious but I wonder if many actually fall for it.

nkozyra3y ago

In the grand scheme probably not. The whole idea of spam is a lot of misses and few hits.

I'm sure it's great fun to design and build and occasionally get to watch.

chad_strategic3y ago

I do something kinda similar to this, but using the google mail api. Then I send them to my site were there are some ads impressions for them.

jmou3y ago

blinry used this idea as a game concept! https://blinry.org/you-shall-not-pass/

annoyingnoob3y ago

I would pay for this as a service.

miedpo3y ago

This reminds me of SpAmnesty.

legalcorrection3y ago

This is wrong. You are logging their password attempts and then sharing them with the world. It doesn’t matter that you think you know they are scammers. What gives you the right to dispense vigilante justice by disclosing people’s passwords? Shame on you.

ImPostingOnHN3y ago

you are mistaking scammers with spammers, and also mistaking what the poster thinks with reality

the reality is they are spammers, because spamming the poster is the only way they can end up with a reply email containing a link with a valid key to interact with this API

if they didn't send unsolicited commercial emails, there's no way they can interact with this API and get their passwords logged

legalcorrection3y ago

This is a common misconception. Cold emailing is legal under the CAN-SPAM Act.

1 more reply

hyakosm3y ago

He's not sharing the email adresses, only anonymous password attempts.

legalcorrection3y ago

People reuse passwords and having your password appear in a list of known passwords, even without being associated to your email, is reason enough to change it.

onychomys3y ago

It's not like "wasibutt123" was very secure to start with.

jakzurr3y ago

Thanks for your post. I enjoyed it so much I almost up-voted it.

bo10243y ago

I wouldn't be comfortable doing this, for one thing, we know people tend to re-use passwords. So any email/password info you collect should be treated with security like they just gave you their bank login, because some of them did. So then Troy has to report himself to his own service (haveibeenpwned).

ImPostingOnHN3y ago

the article goes into detail to explain how only spammers have a key to the api which logs that data

Hackbraten3y ago

They’re still people though.

Is punishing spammers for what they’ve done a helpful thing to do? Sure. Are spammers deserving of having their whole digital lives compromised? I don’t know.

2 more replies

bo10243y ago

Update, I see only the passwords are logged and not the emails, but still not great.

thomassmith653y ago

  Spammer burned a total of 80 seconds in Password Purgatory

The ability to deal with a bad actor by wasting a minute and 20 seconds of his/her time isn't cause for fist-pumping or high-fiving. The internet needs a better way to verify user identity. The lack of online accountability isn't worth the cost anymore.

figmaheart2553y ago

People are working on this. You've heard of proof-of-work and proof-of-stake right? Well my personal favorite is "proof of Apple" [1]

[1]: https://news.ycombinator.com/item?id=31751203

j / k navigate · click thread line to collapse

162 comments

vanviegen3y ago

We'll manually review all accounts that use (more than one of) those ip addresses. Works like a charm! :-)

mrtksn3y ago

> when we manually verified an account to be a scammer

This makes all the difference with other services that block out users only to let them guess why they were blocked.

If an automated system did that, I would have said it's evil. Yet, I hope you have a communication channel in case there was a human error.

jjoonathan3y ago

If you can afford to get the FPR down, sure, have fun, but if not, please have the decency to not pretend.

1 more reply

vanviegen3y ago

1 more reply

efitz3y ago

That is truly evil. I love it!

bradknowles3y ago

So, the problem I see here is when spammers abuse someone else's machine to conduct activity like this, and all those random people get their IP addresses blocked by your system.

And how would the legitimate owner of that IP address ever know how to contact you to get removed from your blacklist?

vanviegen3y ago

No, the IP addresses won't be blocked, but the accounts will be reviewed.

Legitimate users would be able to contact us using the email address that is shown right underneath the error message.

Chilinot3y ago

That's a really smart idea!

brightball3y ago

That is genius

armchairhacker3y ago

Ok, I have no issue with tactics like these when they're wasting spammers' time. But sometimes it seems like real users get caught up in these honeypots for scammers and hackers.

But this, this is fine. It's pretty clear that the person you're targeting is a spammer, and it's pretty clear to the user after about 60 seconds that you're password system is a joke.

bo10243y ago

> For example, Steam has a system where if you enter too many invalid passwords, it will present you with a captcha which you can never actually solve.

I call this "login gaslighting" and it's evil. Pioneered by the "do no evil" company.

stepupmakeup3y ago

4 more replies

zasdffaa3y ago

2 more replies

fjfbsufhdvfy3y ago

They are indeed set up to waste people's time.

It's unfortunate when a non-malicious user gets caught in one of these traps...

tpoacher3y ago

"Unfortunate"

Sounds like something a film villain would say when asked about collateral damage.

ImPostingOnHN3y ago

it is unfortunate that some people believe those pros outweigh the punishment inflicted on innocent users

it is better a thousand criminals/ spammers go free than a single innocent non-spammer be treated as if they are one

essentially the companies are shifting their own pain (with spammers) onto innocent users ("it's your problem now, suck it users, lol!!!")

1 more reply

duxup3y ago

Google had me in an endless no right answers captcha after I left a vpn on one day.

Lasted a few hours. I figure someone else on that vpn was doing something wrong and they just blocked anyone from there for a while.

Super frustrating that your left to just … to get frustrated.

___8___3y ago

ajimix3y ago

zerocrates3y ago

StubHub was just doing the same thing to me: Firefox and only Firefox was blocked entirely.

Figure it was a mistake from some automated security framework type of deal.

artificialLimbs3y ago

Verizon’s site times out your login after like 2 minutes. Just trying to manage my account on the site is a nightmare, and I’m on fiber.

donkarma3y ago

steam censors passwords. if you have 88 in your password you will fail to register

CJefferson3y ago

I just made a new steam account with '88' in the password. It seems to have worked fine. I also can't find any reference to this on the internet.

1 more reply

sdoering3y ago

I understand the initial idea to block this known neo-Nazi short handle (8 for the letter H and 88 as HH standing for the 'Heil Hitler' salute in these circles).

But how many people do I know born in 88. Or on the 8th of August?

I understand that given the login is your public visible name on steam they just don't want clear neo-Nazi signifiers.

Edit: Typo

4 more replies

drfuchs3y ago

Ueland3y ago

I'm not sure if you're joking or not so: He already gets attacked from the bad guys.

quickthrower23y ago

And this would be a new way to attack him

1 more reply

shaky-carrousel3y ago

I found a surprisingly effective way of detecting honeypots some time ago, while working at an email marketing company.

thombat3y ago

You have a truly marvelous demonstration of this method, which this margin is too narrow to contain?

1 more reply

ghgr3y ago

You can check in their GitHub repo [1] the list of reasons to reject your password (classified by level of "InfuriationLevel"). Some examples:

'Password must contain at least 1 primary Simpsons family character'

'Password must contain at least 1 Nordic character'

'Password must contain at least 1 Greek character'

'Password must contain at least 1 primary Griffin family character'

'Password must contain at least one emoticon'

'Password when stripped of non-numeric characters must be a number divisible by 3'

[1] https://github.com/troyhunt/password-purgatory-api/blob/mast...

brk3y ago

My favorite was "password must be a palindrome".

drewzero13y ago

Mine is "Password must contain 'Password must contain'".

thih93y ago

But how does the palindrome rule work with “password must start with ‘cat’” and “password must end with ‘dog’”? It seems impossible to satisfy these three.

Having the conditions contradict each other serves as a proof that it’s impossible to create a password; I thought this information shouldn’t be revealed to the user.

Looks like there is already an issue about it: https://github.com/troyhunt/password-purgatory-api/issues/45

thih93y ago

The emoji rule is particularly annoying on ios; there the password keyboard (i.e. virtual keyboard used on “password” form input fields) is different and doesn’t support entering emoji.

drewzero13y ago

Good to know :)

Edit: I just noticed the list has one requirement for an emoticon, and another for an emoji. Carry on.

kazinator3y ago

How about "Password must exhibit at least some character". :) :)

brightball3y ago

This is awesome and it works!

I did the same thing 10 years ago and it was one of the best morale builders for our team after all the time we spent dealing with these folks.

https://www.brightball.com/articles/waste-spammers-time-to-r...

inopinatus3y ago

This reads more like Microsoft content marketing than a serious attempt to do anything of value.

urbandw311er3y ago

Came here to say the same. Oh look, I happen to be using all these new features.

thenoblesunfish3y ago

This reads a bit much like an ad. I sure have to scroll through a lot about Microsoft, Cloudflare, etc. before the funny password requirements I came for, at the verrrry end.

quickthrower23y ago

Yeah especially using that Microsoft service. Takes me back to M$ sponsored tech talks where they had to use MSN search and not mention the G word.

dmurray3y ago

2 more replies

KMnO43y ago

rainsurf3y ago

This is a cool project, but I would more concerned that replying to spammers confirms you are real and that could result in much more spam. So is the net increase in pain your own?

hot_gril3y ago

brutusborn3y ago

hot_gril3y ago

Yes, it probably adds you to their lists. Somehow, after doing this for years, I'm probably only getting one spam call each day, maybe because my carrier did something to cut down on them.

The Craigslist trick worked because of a unique situation. They were using real numbers because their scam relied on being called back. He did call manually to make sure.

Pxtl3y ago

Believable, stupid requirements I've seen in the wild in the bad early days of complexity requirements.

- your password contains a common word

- your password contains one or more repeating characters

- your password contains a forbidden character

- your password needs at least one additional uppercase letter

- your password needs at least one more distinct special character

- your password cannot end with a special character

- your password contains an escalating series of numbers

- your password is too short

- your password is too long

thayne3y ago

alpaca1283y ago

Twitch complained that my password longer than 16 characters exceeded the 40 character limit.

2 more replies

Pxtl3y ago

Especially when those messages are the last ones that appear after you've resolved every other issue.

RalfWausE3y ago

Hah... this reminds me of the following (perhaps most interesting for people speaking german):

Bitte geben Sie ein sicheres Passwort ein.

Leberkas

Entschuldigung, Ihr Passwort ist zu kurz!

Leberkas-Semme

Entschuldigung, Ihr Passwort muss mindestens 1 Zahl enthalten.

1 Leberkas-Semme

Entschuldigung, Ihr Passwort darf keine Leerzeichen enthalten.

50drecksleberkassemmen

Entschuldigung, Ihr Passwort muss mindestens einen Umlaut enthalten.

50drecksleberkässemmelnzefix

Entschuldigung, Ihr Passwort muss mindestens 1 Grossbuchstaben enthalten.

50DRECKSleberkässemmelnZEFIX

Entschuldigung, Ihr Passwort muss mindestens 1 Sonderzeichen enthalten.

50DRECKSleberkässemmelnZERFIX!!!!!!!

Entschuldigung, Ihr Passwort darf nur Grossbuchstaben enthalten, die nicht aufeinanderfolgend sind.

KreizKruzeFixVerdammterScheissDrecklatzkannstMiGleiKreizWeisSonstWo WoslnDesFiaAScheissSystem50DrecksleberkässemmelnZeFix!!!!

Entschuldigung, dieses Passwort ist bereits in Verwendung. Bitte wählen Sie ein anderes.

lrem3y ago

You got me at "Entschuldigung, dieses Passwort ist bereits in Verwendung." :D

WaxProlix3y ago

You also need to only give the feedback on password quality after user has entered it twice; until then, "passwords do not match" is the only piece of info.

InCityDreams3y ago

>stupid requirements I've seen in the wild in the bad early days of complexity requirements.

Early days? Every sodding week for me....

jaclaz3y ago

Just in case:

Dumb Password Rules

Shaming sites with dumb password rules.

https://github.com/duffn/dumb-password-rules

itsjlohOP3y ago

I had to change Microsoft -> MS and Cloudflare to CF otherwise the title wouldn't submit.

Original title in full is: Sending Spammers to Password Purgatory with Microsoft Power Automate and Cloudflare Workers KV

kazinator3y ago

> Because it would be rude not to respond, I'd like to send the spammer back an email and invite them to my very special registration form.

Don't do that. No, really, don't.

Okay, you didn't listen and did it anyway; please, at least don't automate it or semi-automate it where you're just doing it with one click.

> Spammer burned a total of 80 seconds in Password Purgatory

So you think, based on the belief that when you reply to the spam, it goes back to the spammer.

That may not be the case; when you engage spam, you are possibly generating "backscatter"; a person having nothing to do with the spammer may receive the e-mail.

sedatk3y ago

LinuxBender3y ago

Nice! I like things that keep spammers and scammers busy.

    139K /var/spool/mail/vhosts/crap
    24K  /var/spool/mail/vhosts/crap
    177K /var/spool/mail/vhosts/crap
    196K /var/spool/mail/vhosts/crap