| ▲ | Someone used my open source project to phish people(andrej.sh) | |||||||||||||||||||||||||||||||||||||
| 44 points by andrejsshell 5 hours ago | 13 comments | ||||||||||||||||||||||||||||||||||||||
| ▲ | dddddaviddddd 3 minutes ago | parent | next [-] | |||||||||||||||||||||||||||||||||||||
I've been thinking of making an event platform like Partiful, but only for personal use because it's also the perfect platform for spam (send emails and texts to people with attacker-controller content). | ||||||||||||||||||||||||||||||||||||||
| ▲ | autoexec 4 minutes ago | parent | prev | next [-] | |||||||||||||||||||||||||||||||||||||
I don't know what domain was used to send that crap but you should probably have an abuse contact listed at kaneo.app so that if people do discover issues from your service they have an easy way to get a hold of you. | ||||||||||||||||||||||||||||||||||||||
| ▲ | cobertos 9 minutes ago | parent | prev | next [-] | |||||||||||||||||||||||||||||||||||||
Is this the new norm for trying to make software projects in the wild? The 14000 sends over 3 hours (< 1/s) makes it sound more-than-human speed. E.g. automated. Wondering if LLM-assisted vulnerability hunting will lead to the same gains in scale for bad actors wanting to find spammable channels in applications. The barrier to entry becomes so much greater because any small project, once found, can be wrung dry of all its trust signals by third parties | ||||||||||||||||||||||||||||||||||||||
| ▲ | eggbrain an hour ago | parent | prev | next [-] | |||||||||||||||||||||||||||||||||||||
There will always be a subset of users whose goal is to not use your service, but to arbitrage your service into the maximum value for themselves. For example -- let's say you offer $100 in free AWS credits by signing up to your platform. Expect a malicious user to eventually come to your platform, realize they can resell those $100 in credits for $50, and start using your platform for their own gain. Unless the mechanisms you add in place to reduce fraud / second sign ups / etc is greater than the value that they are receiving ($50), they will continue. With sites where the platform is free, the math almost always makes sense for these malicious users to eventually abuse. In this case it was leveraging the email reputation of another domain at no cost to their own (along with the added value of anyone getting phished), but on other sites it's public profiles being used for backlinks / spam, etc. | ||||||||||||||||||||||||||||||||||||||
| ▲ | no_multitudes an hour ago | parent | prev | next [-] | |||||||||||||||||||||||||||||||||||||
Please write your blog post yourself if you expect people to read it. The LLM output is very grating. | ||||||||||||||||||||||||||||||||||||||
| ||||||||||||||||||||||||||||||||||||||
| ▲ | j-bos an hour ago | parent | prev | next [-] | |||||||||||||||||||||||||||||||||||||
"Disposable email domains blocked" This one is really annoying as in practice, more and more services that become spammers or sell to what are basically spammers cannot be kept at arms length. | ||||||||||||||||||||||||||||||||||||||
| ▲ | jubilanti 30 minutes ago | parent | prev | next [-] | |||||||||||||||||||||||||||||||||||||
If you have commits in the linux kernel, your open source code has certainly been used to murder people. Because it's in everything, including weapons systems. | ||||||||||||||||||||||||||||||||||||||
| ▲ | sandeepkd an hour ago | parent | prev [-] | |||||||||||||||||||||||||||||||||||||
Couple thing: 1. You are not alone, this happens at a large scale across the board with companies of all sizes. 2. More than likely the abuser did not do it manually, more than likely they automated it 3. As a thoughtful business one may have rolled out all the authentication features/gates if the business picks up, as a starter the safe idea could have been to put it behind any openly available OAuth provider | ||||||||||||||||||||||||||||||||||||||