Security professional here too. Agree that this is reasonable, and making a big deal about it is kinda meh.
Comment on For security reasons
neatchee@lemmy.world 1 month ago
Security professional here. This is legit a good call on their part. It’s because those types of addresses won’t bounce emails but aren’t necessarily in your control; it’s very, very easy to spam those petition forms with mail@ for a million real domains without bouncing the emails, making them seem legit.
You own your domain, obviously, so it’s really as simple as creating a forwarding address of “changeorg@domain.tld”. If creating a forwarding address is that much of a problem for you I suggest that you likely shouldn’t be hosting your own email in the first place.
Your laziness isn’t a good reason to be upset with a company taking steps to reduce their security overhead significantly
twistypencil@lemmy.world 1 month ago
SacralPlexus@lemmy.world 1 month ago
making a big deal about it
Maybe I’m wrong but isn’t this sub for posting minor annoyances?
twistypencil@lemmy.world 1 month ago
True, I do find it mildly infuriating that someone is mildly infuriated at this
cosmicrookie@lemmy.world 1 month ago
They send a mail asking to confirm my email by clicking a link. I can’t see how spam registering with those emails would work
neatchee@lemmy.world 1 month ago
My understanding is that signing a petition and creating an account aren’t necessarily linked, and it’s up to the person who created the petition whether verification is required.
cosmicrookie@lemmy.world 1 month ago
After signing the petition, they pop a large notification about needing to validate my account by clicking on the link in the mail they sent. If I didn’t do it, the signing wouldn’t count
neatchee@lemmy.world 1 month ago
Right I’m saying I always thought that was an optional feature, determined by the person who created the petition. I don’t think it’s a universal requirement for all change.org petitions
treadful@lemmy.zip 1 month ago
Your laziness isn’t a good reason to be upset with a company taking steps to reduce their security overhead significantly
Your laziness isn’t a good reason to add an unnecessary barrier of entry for your users.
Treczoks@lemmy.world 1 month ago
Catchall - the new spam bin ;-) It’s soooo good to have your own domain for mail…
H4mi@lemm.ee 1 month ago
I have been using catchall on my domain since 2002. I have never told anyone any of my real accounts. When I have to send an email, I just add that account (change@ whatever), send the e-mail and delete the account afterwards, rebanishing the company to my catchall. I’ve had it scripted for ages.
When I do get an unsolicited email from let’s say ShittyCompany Inc, I set up a rule to forward all incoming shittycompany@(mydomain) emails to info@ shittycompany. This way they just spam themselves. Takes 2 seconds to run the script and I never see emails from shittycompany again.
moon@lemmy.cafe 1 month ago
That’s a good way to potentially get your personal domain as potential spam.
H4mi@lemm.ee 1 month ago
Yes, potentially. It’s still going strong after 22+ years of me doing this though.
drathvedro@lemm.ee 1 month ago
Web developer here. The problem here is not with emails but with change.org’s business model, which is reliant on lying to people that their petitions actually mean anything. But, anyone with half a brain cell can easily spot that they don’t have any legal backing whatsoever nor do they do any kind of identity verification, therefore those petitions are completely worthless. They might as well not give a fuck and allow cheating. For all they care, it only boosts counters and makes them appear more popular than they actually are.
kashifshah@lemmy.sdf.org 1 month ago
Let’s talk about the security of using email to do anything in this day and age.
neatchee@lemmy.world 1 month ago
You’re not wrong, but this isn’t really a security matter, it’s an “apparent uniqueness” matter. Their goal, I assume, is to satisfy critics enough that a given petition’s participants are sufficiently unique while keeping the barrier to filling out the form as low as possible. So they end up in a situation where neither of perfect, but they’re both “good enough” for what the business needs.
I dealt with this in the anti-cheat space: my goal was never to remove all cheating, because that’s too expensive (insanely so). My goal was to make the public believe they weren’t playing against cheaters too often. If the solution was forcing the cheaters to perform at a level that was just below the most skilled human players, that was actually a success, because if the players can’t differentiate between cheaters and pro players, then they can’t effectively determine how prevalent cheating actually is.
Part of me hated that we had to treat it that way, but another part of me understood that if I pushed too hard on “eliminating cheating” my department would become more costly than it was worth and they’d pivot away from gameplay that needed anti-cheat at all
kashifshah@lemmy.sdf.org 1 month ago
Risk management is the name of the game, as always, eh?
That’s a slick technique for anti-cheat, heh. What did you think of the Call of Duty “fake data” approach? That cracked me up - things in game that only cheaters can see, so they end up self-reporting themselces as cheaters lol
neatchee@lemmy.world 1 month ago
As it ever will be, much as it may pain our moral sensibilities.
Re: CoD - I loved it. Laughed my ass off. Absolutely a big fan of creative approaches to getting cheaters to tell on themselves. I proposed something similar to my team when we had a problem with players manipulating the position of objects in the world so they were directly in front of the player: add an object of the same type inside map geometry and attach a “kill volume” to it, so it was like a landmine. Move the object in front of the player and they instantly die :P Wish we’d done it but couldn’t get the level designers’ time to implement it unfortunately
One we did do though: back when the product I worked on was on PS3 one of the big problems was hacked consoles spoofing platform entitlements (the thing that tells the game what purchases they should have access to). So we added an entitlement that couldn’t be acquired in any legitimate way, and gave you a specific item in game. Then we just checked player inventories once a week for anyone with that item and banned their account, their console, and any account that played on that console for a meaningful amount of time. Did the same thing with an item you could only get to by clipping through geometry. Even put the word “intrusion” in the item’s name haha.
The cheats are so technically complicated at this juncture that the creative stuff is often the most effective. I mean, people are literally voluntarily installing hypervisor rootkits to run the cheats, so they can talk to their drivers below even the kernel. It’s so hard to come to with technical solutions to a problem like that that doesn’t wind up costing massive server processing power to validate every input.
kashifshah@lemmy.sdf.org 1 month ago
I spent about a decade in the enterprise software development space, so I totally get it. I couldn’t put it into words as well as you did, however.
After watching the FCC bigwigs debate robocalls several years ago, I’ve become a believer in a future where your internet access is always authenticated to your real life ID, dark web excepted of course.
In their case, it was posited as a best-in-class solution to the problem of spam in the telephony space. Same logic applies to email. I mean, look at what Twixxer did with the verified checkmark requiring a credit card. The trend is already there.
I get the fear of being de-anonymized on the internet, but it may be the case of something we hate being something we need, when you start to throw deepfakes into the mix.
neatchee@lemmy.world 1 month ago
Funny you mention the robocall thing… I’m literally leaving a company that works on that problem (though not as their primary business) Wednesday. It was a short stint - mostly because they are resistant to solving massive technical debt problems and I’m not trying to doom my future self - but what I witnessed was…depressing. Getting anything done was like pulling teeth, and that’s with the recent FTC pivot to taking this stuff more seriously. STIR/SHAKEN is a reasonable start but it still has almost no teeth behind it.
I’m with you on the identity issue. I mean, if we’re being really honest, the only people losing out by not implementing strong personal identification verification are the legitimate end users because the threat actors have gotten so unbelievably good at fingerprinting user behavior. And it’s only going to continue getting worse. With ML growth as unfettered as it is, there is nothing we can do. So I’d much rather take the reigns and make identity verification a robust feature instead of a bug we can’t squash.
hemko@lemmy.dbzer0.com 1 month ago
They do though mention “+” and “-” also banned in the username part, which is kinda annoying
neatchee@lemmy.world 1 month ago
Yeah I agree that one seems silly on the surface but for their specific situation I understand why: services like Gmail allow using a + to create faux-labels. So for example foo@gmail, foo+bar@gmail, and foo+baz@gmail all get delivered to the same account. For change.org that’s a problem because it allows a single email account to fill out the form many times.
Ideally, they would simply truncate everything after and including those symbols but it’s possible other services have different rules (maybe yahoo let’s you pretend faux-tags instead of appending them, or something like that) so simply blocking their use altogether could be the more robust solution
hemko@lemmy.dbzer0.com 1 month ago
Eh, honestly I think blocking plus addressing as a workaround to block people from using multiple identities on the site is very weak argument and ignores completely the reason plus addeesses are being used in the first place, tagging.
And the addition of “-” just tells they don’t really know what they’re doing, considering it’s not only valid but also very common symbol in email addresses
neatchee@lemmy.world 1 month ago
I don’t think the reason they’re being used is relevant to their problem though. “Think like an attacker” wins the day here: as an attacker, I don’t care what it’s meant for, only how I can use it to my advantage. If it’s something they observed as a problem, I understand why they would want to stop it.
As for “-”, yeah, I don’t have a particularly good explanation for that one except the assumption that it’s something similar to + addressing on a different service.
scrion@lemmy.world 1 month ago
The local parts of email addresses are standardized, and there is an RFC handling subadressing as well, see RFC 5233 - it’s not like Gmail invented this behavior.
Also, RFC 5321 clearly states (2.3.11) that the local part of an email must only be interpreted by the receiving server, so that part should not be parsed, modified or mangled in any form - the assumptions poor web forms or validation libraries make these days are incredibly annoying and simply not compliant.
So no, non of your suggestions are good, let alone ideal. Ideally, people would simply implement the specs and stop making lazy and false assumptions. In the case you cited, it turns out email validation is simply not the proper tool to limit how often the form can be submitted. Similar websites use e. g. text messages.
neatchee@lemmy.world 1 month ago
Requiring SMS validation is a massive barrier to entry and not a viable option for a service like Change.org that relies on a certain level of participation.
Racle@sopuli.xyz 1 month ago
I wonder how they handle gmail addresses with dots as you can put dot in anywhere and it still will redirect to your email.
I’ve setup (for few services which don’t allow + sign) emails like foobar@gmail.com, foo.bar@gmail.com, fo.o.bar@gmail.com and they all come to my inbox.
0x0@programming.dev 1 month ago
IIRC Gmail interprets foo.bar, f.o.o.b.a.r and foobar as the same account (the latter).
neatchee@lemmy.world 1 month ago
I imagine because it can’t be used to add additional junk characters to the address, they probably just strip them out before doing their string comparison
eee@lemm.ee 1 month ago
that’s to stop people from spamming signatures with user+1@gmail, user+2@gmail, user+3@gmail, etc.
hemko@lemmy.dbzer0.com 1 month ago
You can still spam with user1@domain.tld, user2@domain.tld etc and it takes basically no extra effort
alphafalcon@feddit.de 1 month ago
IF you already have an email domain you control.
Calling “acquiring and setting up an email domain and configuring the mail server for wildcards” “basically no extra effort” is a bit disingenuous compared to “solve a captcha for a Gmail account”
eee@lemm.ee 1 month ago
Spamming user+1@gmail, user+2@gmail takes absolutely no technical knowledge whatsoever - anyone can do it with 1 gmail account.
Spamming user1@domain, user2@domain etc requires 1 of two things:
you can sign up for multiple email accounts using a third party service. You’re going to run into trouble with Gmail or other big providers if you start creating accounts en masse.
you create your own email server. this requires someone with selfhosting knowledge and some basic coding (or rather server config) experience.
Localhorst86@feddit.de 1 month ago
I’d assume one needs to verify the email by clicking a link, so to spam user1@domain.tld, user2@domain.tld would mean you need access to those inboxes. That means you need to go through the effort to actually create those emailadresses on whatever freemail service you chose, or you need to host the emailserver yourself and have all mails run into a catchall inbox.
Hosting your own emailserver is definately a lot more effort, even for a lot of tech-savvy people, paying for a hosted email service using your own domain is easier, but also seems like not a good investment just to spam a petition website.
The foo+bar@gmail.com functionality, however, is pretty well known tool - even by non-tech savvy people. Even some people I know that I consider basically tech-illiterate have known this for years have told me they found out about it and asked me if I was aware of this functionality.
The first one I mentioned preparation, setting up email accounts or an email server, the second one is basically already set up for most email users and ready to go, the latter is therefore definately a lot less effort to pull off.