There will always be a subset of users whose goal is to not use your service, but to arbitrage your service into the maximum value for themselves.
For example -- let's say you offer $100 in free AWS credits by signing up to your platform. Expect a malicious user to eventually come to your platform, realize they can resell those $100 in credits for $50, and start using your platform for their own gain. Unless the mechanisms you add in place to reduce fraud / second sign ups / etc is greater than the value that they are receiving ($50), they will continue.
With sites where the platform is free, the math almost always makes sense for these malicious users to eventually abuse. In this case it was leveraging the email reputation of another domain at no cost to their own (along with the added value of anyone getting phished), but on other sites it's public profiles being used for backlinks / spam, etc.
You're mixing up bonus abuse here. The people behind phishing are more like hackers, whereas bonus abuse is usually run by non-technical people or bot farms. Scammers are much more dangerous, because they're typically behind operations far wider than just phishing, this might include actual financial fraud, international money laundering, and so on.
Bonus abuse is a small shop, whereas phishing through third-party services is much more likely to be an organized crime group.
Thought the same. And also, this whole piece might just be a nicely obfuscated ad for the service in question.
Plus the "guardian sales angels" in the comment threads protecting their product:
"why, I thought it read really smoothly?"
"how sad of you to see only the bad things in life"
"need to get outside more?"
What has this all become. What have I become.
Huh. I didn't assume it was LLM-generated. I liked the article. I appreciated that author cared about the 14K phish recipients as if they were proper users.
I will say, I've grown bored of folks complaining about AI generated content. But, to each their own. Good luck storming the castle.
"Disposable email domains blocked"
This one is really annoying as in practice, more and more services that become spammers or sell to what are basically spammers cannot be kept at arms length.
Exactly. These days attackers mostly exploit application design (not just the code), and preventing that is what security in the 21st century is really about.
Captcha here only harms the real user experience and usually doesn't protect against this kind of abuse, since it comes from real scammers, not fully automated bots.
I'd suggest taking a look at our open-source security framework (1), installing it on your demo, and observing the pattern behind your scammers before taking any further steps.
I guess the author learned a hard lesson about preventing abuse of a web service, especially a service that is capable of sending emails.
I have a few small projects that I would love to serve publicly from my VPS. But I have put them behind strict logins (no signup) or put them in read-only mode, with (likely premature) rate limiting, fail2ban and cloudflare, for fear that a month of bandwidth gets used within minutes by an attacker. For the same reason, sometimes I only shared the source on github and let people deploy it themselves if they are interested.
Spammers are relentless. I had something similar happen to me 25 years ago. And once you're found out to allow any sort of information relay you end up in spamming scripts and for decades automated scripts will be trying to send/relay through you using the same api, even if you block it.
You learn to not leave anything open to spammers AT ALL, to your product's detriment because once you're labeled a spammer in this way your product is dead.
1. You are not alone, this happens at a large scale across the board with companies of all sizes.
2. More than likely the abuser did not do it manually, more than likely they automated it
3. As a thoughtful business one may have rolled out all the authentication features/gates if the business picks up, as a starter the safe idea could have been to put it behind any openly available OAuth provider
Is this the new norm for trying to make software projects in the wild?
The 14000 sends over 3 hours (< 1/s) makes it sound more-than-human speed. E.g. automated.
Wondering if LLM-assisted vulnerability hunting will lead to the same gains in scale for bad actors wanting to find spammable channels in applications. The barrier to entry becomes so much greater because any small project, once found, can be wrung dry of all its trust signals by third parties
Abuse such as this wasn't uncommon before, email platforms with lax ratelimits have always been abused through their clients' unsecured infrastructure. The only difference in post-LLM world is the amount of platforms as well as clients popping up in this space with dubious code quality that may lead to more attacks as;
a) having an email-sending product typically meant you had a project with a lot of effort invested into it as well as knowledge
b) the models, tokens spent and review done differs in the world of vibecoding and there is a race to the bottom to produce, produce, produce. Quantity > quality
I don't know what domain was used to send that crap but you should probably have an abuse contact listed at kaneo.app so that if people do discover issues from your service they have an easy way to get a hold of you.
I've been thinking of making an event platform like Partiful, but only for personal use because it's also the perfect platform for spam (send emails and texts to people with attacker-controller content).
If you have commits in the linux kernel, your open source code has certainly been used to murder people. Because it's in everything, including weapons systems.
There will always be a subset of users whose goal is to not use your service, but to arbitrage your service into the maximum value for themselves.
For example -- let's say you offer $100 in free AWS credits by signing up to your platform. Expect a malicious user to eventually come to your platform, realize they can resell those $100 in credits for $50, and start using your platform for their own gain. Unless the mechanisms you add in place to reduce fraud / second sign ups / etc is greater than the value that they are receiving ($50), they will continue.
With sites where the platform is free, the math almost always makes sense for these malicious users to eventually abuse. In this case it was leveraging the email reputation of another domain at no cost to their own (along with the added value of anyone getting phished), but on other sites it's public profiles being used for backlinks / spam, etc.
You're mixing up bonus abuse here. The people behind phishing are more like hackers, whereas bonus abuse is usually run by non-technical people or bot farms. Scammers are much more dangerous, because they're typically behind operations far wider than just phishing, this might include actual financial fraud, international money laundering, and so on.
Bonus abuse is a small shop, whereas phishing through third-party services is much more likely to be an organized crime group.
Please write your blog post yourself if you expect people to read it. The LLM output is very grating.
Thought the same. And also, this whole piece might just be a nicely obfuscated ad for the service in question. Plus the "guardian sales angels" in the comment threads protecting their product: "why, I thought it read really smoothly?" "how sad of you to see only the bad things in life" "need to get outside more?" What has this all become. What have I become.
Why do you think this is LLM-generated? Reads perfectly fine to me.
Huh. I didn't assume it was LLM-generated. I liked the article. I appreciated that author cared about the 14K phish recipients as if they were proper users.
I will say, I've grown bored of folks complaining about AI generated content. But, to each their own. Good luck storming the castle.
"Disposable email domains blocked" This one is really annoying as in practice, more and more services that become spammers or sell to what are basically spammers cannot be kept at arms length.
> They used my tool exactly as designed.
Exactly. These days attackers mostly exploit application design (not just the code), and preventing that is what security in the 21st century is really about.
Captcha here only harms the real user experience and usually doesn't protect against this kind of abuse, since it comes from real scammers, not fully automated bots.
I'd suggest taking a look at our open-source security framework (1), installing it on your demo, and observing the pattern behind your scammers before taking any further steps.
1. https://github.com/tirrenotechnologies/tirreno
I guess the author learned a hard lesson about preventing abuse of a web service, especially a service that is capable of sending emails.
I have a few small projects that I would love to serve publicly from my VPS. But I have put them behind strict logins (no signup) or put them in read-only mode, with (likely premature) rate limiting, fail2ban and cloudflare, for fear that a month of bandwidth gets used within minutes by an attacker. For the same reason, sometimes I only shared the source on github and let people deploy it themselves if they are interested.
Spammers are relentless. I had something similar happen to me 25 years ago. And once you're found out to allow any sort of information relay you end up in spamming scripts and for decades automated scripts will be trying to send/relay through you using the same api, even if you block it.
You learn to not leave anything open to spammers AT ALL, to your product's detriment because once you're labeled a spammer in this way your product is dead.
Couple thing:
1. You are not alone, this happens at a large scale across the board with companies of all sizes.
2. More than likely the abuser did not do it manually, more than likely they automated it
3. As a thoughtful business one may have rolled out all the authentication features/gates if the business picks up, as a starter the safe idea could have been to put it behind any openly available OAuth provider
Is this the new norm for trying to make software projects in the wild?
The 14000 sends over 3 hours (< 1/s) makes it sound more-than-human speed. E.g. automated.
Wondering if LLM-assisted vulnerability hunting will lead to the same gains in scale for bad actors wanting to find spammable channels in applications. The barrier to entry becomes so much greater because any small project, once found, can be wrung dry of all its trust signals by third parties
Abuse such as this wasn't uncommon before, email platforms with lax ratelimits have always been abused through their clients' unsecured infrastructure. The only difference in post-LLM world is the amount of platforms as well as clients popping up in this space with dubious code quality that may lead to more attacks as;
a) having an email-sending product typically meant you had a project with a lot of effort invested into it as well as knowledge
b) the models, tokens spent and review done differs in the world of vibecoding and there is a race to the bottom to produce, produce, produce. Quantity > quality
This kind of thing has happened to me.
I designed something that was "too open," and that "openness" was abused.
Sadly, spammers are why we can't have nice things; but that's been the case for decades. The incident I mentioned, happened in the 1990s.
The good news is, is that once this happens to you, you learn your lesson.
I don't know what domain was used to send that crap but you should probably have an abuse contact listed at kaneo.app so that if people do discover issues from your service they have an easy way to get a hold of you.
I've been thinking of making an event platform like Partiful, but only for personal use because it's also the perfect platform for spam (send emails and texts to people with attacker-controller content).
Please write your own blog posts rather than asking us to read LLM slop.
Just curious, on what grounds do you call this slop?
I thought it was a perfectly cromulent article making a perfectly reasonable point.
If you have commits in the linux kernel, your open source code has certainly been used to murder people. Because it's in everything, including weapons systems.
I think the problem here is that they used their server (that is running a demo of the project).
Wish I’d read a different example here, don’t even wanna subconsciously discourage any open source heroes