214

If spammers can abuse something, they gonna abuse it

top 50 comments
sorted by: hot top controversial new old
[-] bjoern_tantau@swg-empire.de 46 points 9 months ago

I mean, allowing arbitrary characters in the name is one thing. I think I would do that as well, as there are many weird names out there.

But then actually parsing it out (or not escaping it properly), that's the real sin.

[-] towerful@programming.dev 33 points 9 months ago

Might be the mail client being helpful and going "hey! Thats a URL. Let me make it a link"

[-] jol@discuss.tchncs.de 2 points 9 months ago

At the very least remove slashes and periods from the name...

[-] asdfasdfasdf@lemmy.world 25 points 9 months ago

URLs as a person name

What do you mean?

[-] Sekoia@lemmy.blahaj.zone 72 points 9 months ago* (last edited 9 months ago)

Somebody created an account at MyEpson with OP's email address and the name "GET BITCOIN NOW link", which sends a confirmation email to OP with that name. Basically it's spam using Epson as a trojan horse to get past filters.

[-] AmidFuror@kbin.social 28 points 9 months ago

Did only a few of us miss this? Seems like it could have been explained better up front.

[-] surewhynotlem@lemmy.world 1 points 9 months ago

I only got it because there was another article about it earlier.

[-] asdfasdfasdf@lemmy.world 5 points 9 months ago

Oh I see. Interesting...

[-] TigrisMorte@kbin.social 22 points 9 months ago

If it doesn't exclude a URL it likely doesn't block SQL either.

[-] TheDannysaur@lemmy.world 29 points 9 months ago

Time for the ol XKCD Little Bobby Tables attack

[-] mint_tamas@lemmy.world 7 points 9 months ago

These days you have to actively work against whatever framework you are using to get SQL injection to work.

load more comments (6 replies)
[-] Dark_Arc@social.packetloss.gg 4 points 9 months ago* (last edited 9 months ago)

That's not how this works.

You have a database driver that takes care of communicating with the database.

In the bad old days (pre-early 2000s) the only way they knew how to do that was plain old SQL strings so you passed a string that contained both the data and the instructions on what to do with it.

Now you SHOULD be writing prepared statements that contain the instructions then passing the data separately to fill in the placeholders in the prepared statement via the driver (NOT via modifying the string).

// DO NOT DO THIS
execute("INSERT INTO foo VALUES ('a', 'b', 'c')")

vs

// DO THIS
executePrepared("INSERT INTO foo VALUES (?,?,?)", "a", "b", "c")
[-] noUsernamesLef7@infosec.pub 1 points 9 months ago

And yet injection is still #3 in the OWASP Top 10

[-] Dark_Arc@social.packetloss.gg 2 points 9 months ago
[-] noUsernamesLef7@infosec.pub 1 points 9 months ago

You make it sound as if it's a thing of the past when it is still a common problem.

[-] Dark_Arc@social.packetloss.gg 2 points 9 months ago* (last edited 9 months ago)

It's a common problem for the same reason that it's a common problem for people to have precision errors when doing math with currencies... People write the wrong code because they don't know any better (in that case using float or double/floating point math instead of a BigDecimal type).

Not filtering out characters that could be part of URL has no bearing on whether or not the site is properly protected from SQL injection. I'm much more often worried about sites that explicitly filter out certain characters because it likely means they don't understand what they're doing (similar to sites that insist on annual password changes).

The fact that people are arguing about this shows how much of an issue we have with education on this topic.

[-] TigrisMorte@kbin.social 0 points 9 months ago

Please explain how you remain confident of that "SHOULD" when they are not sanitizing the HTML out?

[-] Dark_Arc@social.packetloss.gg 1 points 9 months ago

Because it's literally impossible for SQL injection to occur if you do this. The database has already compiled the operation. There's nothing to escape, there's no more logic that can be added, you're free to insert arbitrary gook just like you can into any old array.

[-] TigrisMorte@kbin.social -1 points 9 months ago

"if" caring a lot of water on this here frog's back mr. scorpion.

[-] jeeva@lemmy.world 15 points 9 months ago

I mean, give folk a few years and it'll be something to add to the "you can't assume X about a name field" list.

[-] Moonrise2473@feddit.it 8 points 9 months ago

but even in the early 2000s nobody called their kid zombo.com

[-] TigrisMorte@kbin.social 1 points 9 months ago

Dweezil Zappa tells me otherwise. https://www.dweezilzappa.com/

[-] elbarto777@lemmy.world 10 points 9 months ago* (last edited 9 months ago)

What would be a solution? How do you know Albert/III.jr is not a valid name?

[-] Moonrise2473@feddit.it 32 points 9 months ago

it's a valid name but it shouldn't add the hyperlink.... wait a moment....

*** went to check the source of the emails that i received ***

the senders (i'm targeted by an asshole that did this on hundreds on sites) DIDN'T add any hyperlink, this is a huge security issue by gmail: they're automatically adding hyperlinks! This is very stupid, especially with the new google domains .zip and .mov. Someone sends an email like "attached there's bank-statement.zip" and then gets phished

[-] VonReposti@feddit.dk 11 points 9 months ago

You've landed on this page because you followed a link for a .zip file. This domain was registered to prevent its misuse for potentially harmful or malicious activities.

Well, what do ya know. There's still some good guys out there.

[-] Potatos_are_not_friends@lemmy.world 11 points 9 months ago* (last edited 9 months ago)

I was just going to point out that it's the responsibility of the email service to filter that as well.

It was a big bug ticket at my company, that our email service kept automatically turning plaintext to links like www.example.com for convenience. We couldn't fix it on our side at all.

Edit: lol either Lemmy or my Lemmy app also turns plaintext links into real links! www.Rofl.lol

[-] PlantJam@lemmy.world 9 points 9 months ago

Email clients and web browsers making anything that vaguely looks like a link clickable is nothing new.

[-] ares35@kbin.social 2 points 9 months ago* (last edited 9 months ago)

never trust user input. the web site should be looking for and filtering this shit out.

the other one (the submission page at the university, was right above this one in my 'all' feed) shows it better--with a full valid link in a text box. should be filtered and rejected by the form submission handler and never inserted into the database. in the case of no 'http' as part of it, links still follow a format, and those should be rejected too.

mod_security filters that shit out on my sites, the rules on what's allowed in a form field hardly ever get 'tested' anymore since i turned that on.

[-] elbarto777@lemmy.world 4 points 9 months ago

Never trusting user input, sure. That, I know. And probably the university's devs do as well.

However, it's not the university's website's fault that the email client is converting the name to a link.

So what you're saying is, email clients should not convert link-like text to actual clickable links. Correct?

[-] ares35@kbin.social 1 points 9 months ago

the university's form allowed the link or link-like string in the text field. that's on them.

mail clients should at least be warning users about links it converts from text into clickable markup. yes.

[-] elbarto777@lemmy.world 1 points 9 months ago

We're going in circles. How do you know a name that looks like a link is actually a link or a real name?

How do you solve that problem in a way that names that look like links are still accepted?

Plus the way email clients parse plain text is not the university's website's responsibility. Today, it's links. Tomorrow, it's "embedded AI prompts" or "mini-QR codes," or "new format telephone numbers," etc.

[-] tiredofsametab@kbin.social 2 points 9 months ago

Falsehoods programmers believe about names is always a great read.

[-] haui_lemmy@lemmy.giftedmc.com 9 points 9 months ago

Something I just thought about for the first time: the sheer amount of spam content everywhere (website comments, mails, bots) seems to indicate that there must be ungodly amounts of money being made but I rarely see politicians actually talk about the topic and doing something against it.

Can anyone confirm/explain?

[-] echodot@feddit.uk 10 points 9 months ago

It's cheap easy to do, requires very little actual work , and it returns some profit.

It doesn't make a lot of money but it's more than no money at all so it is worth doing.

[-] SpaceCowboy@lemmy.ca 6 points 9 months ago

One of the major issues with creating legislation to block spam emails (and spam phone calls) is that it would also impact the fundraising capabilities of political parties.

Politicians don't talk about spam, because politicians use spam to raise money money for their campaigns.

[-] haui_lemmy@lemmy.giftedmc.com 6 points 9 months ago

Right. The rules are different in the US. Where I live, they dont/cant do that.

[-] sushibowl@feddit.nl 5 points 9 months ago

I'm not 100% sure what you're asking, but spam is generally a very low margin, very high volume kind of business. So I wouldn't assume these people are making ungodly amounts of money. I did a bit of searching and found estimates on the order of $200 million per year for spammers and spam-advertised businesses combined. Sure, it's not nothing. But on a global scale that's not necessarily ungodly amounts.

Compare for example revenues in the illegal drug trade, which globally accounts for hundreds of billions of dollars yearly.

[-] tiredofsametab@kbin.social 2 points 9 months ago

Scammers exist because scams work enough to be generally profitable :(

[-] eran_morad@lemmy.world 5 points 9 months ago
[-] ComradeKhoumrag@infosec.pub 3 points 9 months ago
[-] tiredofsametab@kbin.social 3 points 9 months ago

One of many old-school mail clients (unless this refers to something else)

[-] vox@sopuli.xyz 5 points 9 months ago* (last edited 9 months ago)


this is how the website in question looks like btw

lol there's a whole show with crappy gifs if you continue

[-] Moonrise2473@feddit.it 3 points 9 months ago

I guess they need a deposit of like $100 as "inactivity fee" in order to get those $64k

[-] vox@sopuli.xyz 1 points 9 months ago* (last edited 9 months ago)

nope they want you to pay 6$ for "conversion fee" to convert btc to usd (probably going to ask for more and more until you give up or your wallet is drained)

[-] vox@sopuli.xyz 2 points 9 months ago

the fake chat is fucking hilarious

load more comments
view more: next ›
this post was submitted on 09 Feb 2024
214 points (95.7% liked)

Software Gore

4787 readers
5 users here now

Welcome to /c/SoftwareGore!


This is a community where you can poke fun at nasty software. This community is your go-to destination to look at the most cringe-worthy and facepalm-inducing moments of software gone wrong. Whether it's a user interface that defies all logic, a crash that leaves you in disbelief, silly bugs or glitches that make you go crazy, or an error message that feels like it was written by an unpaid intern, this is the place to see them all!

Remember to read the rules before you make a post or comment!


Community Rules - Click to expand


These rules are subject to change at any time with or without prior notice. (last updated: 7th December 2023 - Introduction of Rule 11 with one sub-rule prohibiting posting of AI content)


  1. This community is a part of the Lemmy.world instance. You must follow its Code of Conduct (https://mastodon.world/about).
  2. Please keep all discussions in English. This makes communication and moderation much easier.
  3. Only post content that's appropriate to this community. Inappropriate posts will be removed.
  4. NSFW content of any kind is not allowed in this community.
  5. Do not create duplicate posts or comments. Such duplicated content will be removed. This also includes spamming.
  6. Do not repost media that has already been posted in the last 30 days. Such reposts will be deleted. Non-original content and reposts from external websites are allowed.
  7. Absolutely no discussion regarding politics are allowed. There are plenty of other places to voice your opinions, but fights regarding your political opinion is the last thing needed in this community.
  8. Keep all discussions civil and lighthearted.
    • Do not promote harmful activities.
    • Don't be a bigot.
    • Hate speech, harassment or discrimination based on one's race, ethnicity, gender, sexuality, religion, beliefs or any other identity is strictly disallowed. Everyone is welcome and encouraged to discuss in this community.
  9. The moderators retain the right to remove any post or comment and ban users/bots that do not necessarily violate these rules if deemed necessary.
  10. At last, use common sense. If you think you shouldn't say something to a person in real life, then don't say it here.
  11. Community specific rules:
    • Posts that contain any AI-related content as the main focus (for example: AI “hallucinations”, repeated words or phrases, different than expected responses, etc.) will be removed. (polled)


You should also check out these awesome communities!


founded 1 year ago
MODERATORS