I’m tempted to create a @kderno account…
@medz
/giphy squint
@medz
@kdemo funny you should ask. I just took a DNA test. Turns out, I’m 100% that bitch.
Usually, someone with a really similar email address typo’d/got confused, and thinks they already have an account here. They try to reset, then try again, etc.
@Thumperchick - That would be a pretty tenacious person. Also, it just started again. 7 more attempts in the last 2 minutes.
Are you sure there isn’t something else going on?
@kdemo Someone REALLY wants to be you.
@kdemo This would freak me out too.
@cinoclav @kdemo I bet it’s Robert Smith.
If you just got another email now, don’t worry.
That one was me.
@zachdecker
Yeah, I have come to realize that the title for this thread was a poor choice. Replies and reset requests look the same in my email.
Any other clues in the email? Like Meh tells you what IP address the request came from?
Perhaps Meh could go to using a 2-factor login. That might help people actually buy fukos and such without endless captchas.
@mike808
Good idea on the surface; but I think TPTB at Meh enjoy inflicting the captchas on us.
You would deprive them of this joy?
You may have failed CAPTCHA but on the upside, you’re less of a human.
@f00l They already have mediocrebot for that.
See above!
@mike808 - They had me forward one of the messages - they weren’t able to trace it back.
I rec’d 12 more today.
So far.
@mediocrebot
I’ll say it again, mediocrebot is a human masquerading as a bot.
Or a full AI, and the end times are upon us. One or the other.
Beep beep boop boop. (I assume if you failed CAPTCHA you now understand Robot.)
If I were specifying a throttle, I would put a 15 minute delay (+a random skew +/- 10 minutes) between accepting requests, allow 4 in a row and then kick in a 24hr cooling off period. Anything more urgent than that, ask the customer to email support to troubleshoot why they aren’t receiving the reset emails. If it’s a bot or anyone not the actual account holder, that slows the attacker down to move on to an easier target elsewhere, and doesn’t let them pester your customers (i.e. us mehtizenry) filling up their mailboxes, while handling folks with a jacked up email situation.
@kdemo Someone really doesn’t like you or they’re just hammering your account to try all the other breached password they have for your email address, and using meh as an oracle.
This is why everyone should be using a password manager and different really strong, long, and random passwords for each site you have an account with.
@mike808 - Thanks, that’s what I was afraid of, but I’m not technical enough to understand. This is a relatively new email account - not pwned and receives no spam. Well, except from meh, I guess.
Damn.
Blargh!
@kdemo if anything, meh/mediocre infosec should be able to see if this is a point source attack or a distributed one. It is a bit odd that the attack is persistent, which implies you are a target worth the resources to do that. Not asking you to disclose, but you may be a person of interest (among 100s of thousands) to foreign interests.
Then again, the Russians and the Chinese have nothing better to do than hack the entire country in the run up to make sure 2020 is our last election ever.
@mike808 Just remember to vote November 4th, 2020
@therealjrn - Keep cheating. It’s the only way you will win.
@kdemo I was about ready to call the Kremlin on your behalf too. :sad_face:
@mike808 - Hey, if I’m still logged in, it means they didn’t succeed in changing the password, right? Wonder if I should remove my cc info?
@kdemo You might lose your V shield if you forget to put it back in time. Did you change your password anyway? You’re probably ok
@mike808
This, a thousand times this!
It wouldn’t hurt to check your address against https://haveibeenpwned.com/
@blaineg - Still good. Thanks.
@mike808 @therealjrn LOL we have signs and billboards up around here to vote on Nov 14th. They pull them down and someone puts them back up.
I get endless clueless people that think “Yea, that’s probably my email address”, but nothing as persistent as your attacker. And my clueless idiots hit two different email accounts as well.
I’ve had everything from house closings, to pizza delivery in distant states, to doctor appointments (ever hear of HIPAA?) to you name it. Where I can, I notify the idiots, but it seems the medical stuff always comes from no-reply addresses.
I did start cancelling one guy’s pizza orders when he and Dominos wouldn’t respond.
Reverse Identity Theft
Nice, mediocrebot parses xkcd urls, and shows the image.
@blaineg my djslack email has a few winners. Shoutouts to Dennis, Donna and Dave. I could pwn Donna’s Dropbox and I’ve sent a few emails back to Dave in Oz about his home improvements, liquor selection, and inquiring about the goat at the ragout festival. He never responds but he keeps doing it, although last time when i politely declined catching up with his family for dinner at a swanky restaurant i did notice a sharp decline.
What i don’t get is the guy in OKC who has somehow got his Google voice number forwarding to my Google voice number with tons of calls about medical appointments. I get voicemails of the Google voice call screener (and if i answer the call i have to hit 1 twice). I started telling the automated VA system to reschedule appointments so they would call me back but i never got a follow up call. I spoke with their administrators but i guess my number was not in their system. I finally got a first name and the number that they are calling and still haven’t gotten anywhere with it. I haven’t had a call in about a week, though, so maybe he fixed it.
@blaineg @djslack A couple of weeks ago I got a reservation confirmation from a Best Western in TX, through an alt gmail that I never use.
I was worried about I.D. theft and called the hotel - turns out it was just another Dennis G. who also made a gmail address using “first name ‘dot’ just the consonants of last name”, and apparently, whoever he dictated his address to heard “N” when he said, “M”.
¯\_(ツ)_/¯
@blaineg @djslack - That’s tricky. You want to help, but it isn’t easy. You just have to hope that they figure it out. It may be the epitome of first world problems?
Well, that and grammar.
@blaineg I keep getting stuff for a guy with the same name in Canada. Like business stuff and even tax info. I assume his company Outlook is close to my personal Outlook email…
I try to let people know, but some emails include a disclaimer at the bottom telling me I must delete and not respond or forward if I am not the intended recipient.
@djslack @kdemo Ok, was it one of you guys?
“Edward” just signed up for ADT security with my email address. How do you accidentally get Blaine out of Edward?
@DennisG2014 @djslack My favorite one was when I got added to the mailing list for a low (no) budget horror movie production. Repeated requests, then pleas, to be removed were ignored.
So I tried insulting their movie, and got booted immediately!
@blaineg - Dang, I should have waited until you forgot about this.
Makes you wonder how secure their security is?
Pssst. Anyone can click on the login, click on the “forgot your password?” link and then enter any damn username they’ve seen in the forums. It doesn’t lock your password and it won’t reset unless you click on the link in the email. Ignore the email if you want to keep your password, or at least ask for a password reset yourself, not because some random internet troll wants to annoy you.
No special skill required. If Meh already “knew” it was you, you would already be logged in.
This is an unavoidable “denial of service” attack on meh first, but the targeted user second. Only because it takes up meh resources to send you the email and your time to process it (trash it).
Any website with a “reset my password” trigger can be triggered by anyone - because that anonymous anyone could be you actually trying to reset your password.
Now, smart websites would know that people don’t ask for their passwords to be changed repeatedly, so there is rate throttling that can mitigate that crap and not annoy your customers. But that means the website would need to monitor (telemetry) those requests and look for inappropriate/unauthorized abuse of the self-service password reset function/process.
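The throttle specified earlier in the thread (15 minute delay with a random skew of up to 10 minutes, four accepted requests in a row, then a 24 hour cooling-off period) combined with the request telemetry this post says a site needs, as an added example that is not code from the thread or from meh; the account name, IP addresses and timestamps used with it are constructed.

```python
"""Per-account throttle for a self-service password-reset endpoint (added example).

Policy from the thread: accept a request only once 15 minutes (+/- a random skew of
up to 10 minutes) have passed since the last accepted one; after 4 accepted in a row,
start a 24 hour cooling-off period during which every request is rejected and the
user is pointed at support. Every decision is recorded for abuse monitoring.
"""
from collections import defaultdict
from datetime import timedelta
import random

class ResetThrottle:
    def __init__(self, base_delay=timedelta(minutes=15), skew=timedelta(minutes=10),
                 burst=4, cooldown=timedelta(hours=24), rng=None):
        self.base_delay, self.skew, self.burst, self.cooldown = base_delay, skew, burst, cooldown
        self.rng = rng or random.SystemRandom()
        self.next_ok = {}                  # account -> earliest time of the next acceptable request
        self.accepted = defaultdict(int)   # account -> accepted requests in the current burst
        self.events = []                   # telemetry: (time, account, source_ip, decision, reason)

    def _delay(self):
        # Random skew keeps a requester from timing requests to the exact window edge.
        return self.base_delay + self.skew * self.rng.uniform(-1.0, 1.0)

    def request(self, account, source_ip, now):
        """Return (accepted, reason); only an accepted request sends a reset email."""
        earliest = self.next_ok.get(account)
        if earliest is not None and now < earliest:
            reason = "cooldown" if self.accepted[account] >= self.burst else "too_soon"
            self.events.append((now, account, source_ip, "rejected", reason))
            return False, reason
        self.accepted[account] = self.accepted[account] % self.burst + 1  # restarts after cooldown
        if self.accepted[account] == self.burst:
            self.next_ok[account] = now + self.cooldown     # 4th in a row: 24 h cooling off
        else:
            self.next_ok[account] = now + self._delay()
        self.events.append((now, account, source_ip, "accepted", "ok"))
        return True, "ok"

    def suspicious_accounts(self, now, window, min_rejected=5):
        """Accounts with at least min_rejected rejected requests inside the window."""
        counts = defaultdict(int)
        for t, account, _ip, decision, _reason in self.events:
            if decision == "rejected" and now - t <= window:
                counts[account] += 1
        return {a: n for a, n in counts.items() if n >= min_rejected}

    def sources(self, account):
        """Distinct source IPs seen for an account: one suggests a point source, many a distributed one."""
        return {ip for _t, a, ip, _d, _r in self.events if a == account}
```

Rejected requests never send mail, so the targeted mailbox sees at most four messages per day, while the event log still shows how hard the account is being hit and from where.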
@mike808 - Oh, of course! Now I feel super dumb.
So it wasn’t necessarily a scary hacker, maybe just a forum maggot?
Hmmm - I have a couple of guesses. The reason I’ve been scarce in the forums lately.
@mediocrebot - Tell me about it.
@mike808 Yeah, that sort of makes sense. I was thinking of something more nefarious than what seems to be a pointless DoS annoyance.
@kdemo @mehcuda67
@Barney -
@kdemo
/image it wasn’t me
@kdemo
Is this better?
@Barney - Well, now you doth protest too little.
@kdemo
@kdemo I had the same thing happen and also notified meh, who said they didn’t have any breaches. After the 4th email, I did an offline virus scan (nada). When I got back online, I cleared my browser sandbox, jumped to another IP address (VPN) and changed my meh password. I didn’t get any further emails.
There is a section in the email header about forwarding abuse reports to abuse@mandrill.com, which may be my next step.
@mehcuda67 - Was this just recent? I had 4 episodes over 2 days - I think 12 tries each time. Last one was last night after 10 pm.
Haven’t changed my password, it seemed like that might have played into their hands. I will do that if it starts up again.
Thanks for letting me know - this makes it seem a little more like a problem from meh than a random hack, do you agree?
@kdemo 1:17 - 1:18 AM EST on 10/23. Nothing after that. (holding my breath)