For our dating site, which of course has to deal with many princes, Nigerian or otherwise, when we have manually verified an account to be a scammer, we reject logins with a message stating that the IP address has been blocked. Scammers will usually go through all of their VPNs/bots in order to try to log in, allowing our system to flag them all.
We'll manually review all accounts that use (more than one of) those ip addresses. Works like a charm! :-)
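The review logic described in this comment, as an added example that is not code from the commenter's site or any real project: login events are constructed, and the shared-exit cutoff (`max_accounts_per_ip`) is an assumption added to blunt the false-positive concern raised elsewhere in the thread.

```python
from collections import defaultdict

# Constructed sample login attempts as (account, source_ip); not real data.
LOGIN_EVENTS = [
    ("scammer1", "203.0.113.10"),
    ("scammer1", "203.0.113.11"),  # retries through other VPN exits after the block message
    ("scammer1", "198.51.100.7"),
    ("scammer1", "192.0.2.200"),   # a busy shared exit, see below
    ("alice",    "192.0.2.5"),
    ("mule42",   "203.0.113.11"),  # overlaps with two of the scammer's exits
    ("mule42",   "198.51.100.7"),
    ("bob",      "203.0.113.10"),  # overlaps with only one: not queued by default
    ("carol",    "192.0.2.200"),   # three unrelated accounts behind the shared exit
    ("dave",     "192.0.2.200"),
    ("erin",     "192.0.2.200"),
]
CONFIRMED_SCAMMERS = {"scammer1"}

def index_by_account(events):
    """Map each account to the set of IPs it has logged in from."""
    seen = defaultdict(set)
    for account, ip in events:
        seen[account].add(ip)
    return seen

def flagged_ips(events, scammers, max_accounts_per_ip=3):
    """IPs used by confirmed scammers, minus exits shared by too many accounts.

    The shared-exit cutoff is an assumed safeguard (not from the comment) against
    carrier-NAT / popular-VPN false positives; tune max_accounts_per_ip to taste.
    """
    accounts_per_ip = defaultdict(set)
    for account, ip in events:
        accounts_per_ip[ip].add(account)
    return {ip for account, ip in events
            if account in scammers and len(accounts_per_ip[ip]) <= max_accounts_per_ip}

def review_queue(events, scammers, min_overlap=2, max_accounts_per_ip=3):
    """Accounts not yet confirmed that share at least min_overlap flagged IPs."""
    bad = flagged_ips(events, scammers, max_accounts_per_ip)
    return sorted(account for account, ips in index_by_account(events).items()
                  if account not in scammers and len(ips & bad) >= min_overlap)

if __name__ == "__main__":
    print("flagged IPs:", sorted(flagged_ips(LOGIN_EVENTS, CONFIRMED_SCAMMERS)))
    print("manual review:", review_queue(LOGIN_EVENTS, CONFIRMED_SCAMMERS))
```

Nothing here blocks anyone automatically; the output is only a queue for the human review the comment describes.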
Yes, although I would add an attention threshold too, as it's not entirely unknown for hired manual review to just spam the "guilty" button so they can get to lunch. In any case: your false positive rate needs to be massively low if you want to be a massive asshole to the people it flags -- or else you are just an asshole.
If you can afford to get the FPR down, sure, have fun, but if not, please have the decency to not pretend.
Admittedly, there is the occasional false positive. For such cases, we display an email address right underneath the error message. Scammers rarely dare to complain, and when they do, they are usually not very convincing.
So, the problem I see here is when spammers abuse someone else's machine to conduct activity like this, and all those random people get their IP addresses blocked by your system.
And how would the legitimate owner of that IP address ever know how to contact you to get removed from your blacklist?
Ok, I have no issue with tactics like these when they're wasting spammers' time. But sometimes it seems like real users get caught up in these honeypots for scammers and hackers.
A lot of the crap real sites make people go through e.g. when they lose access to their account or login to a VPN or the site just "can't verify their identity" for some reason. Where you go through a bunch of hoops and captchas, only to have some step fail or reach a dead end. They really seem like they're just set up to intentionally waste people's time.
For example, Steam has a system where if you enter too many invalid passwords, it will present you with a captcha which you can never actually solve. It's a lot more annoying than just saying "you have been locked out of trying to log in for X hours".
But this, this is fine. It's pretty clear that the person you're targeting is a spammer, and it's pretty clear to the user after about 60 seconds that your password system is a joke.
> For example, Steam has a system where if you enter too many invalid passwords, it will present you with a captcha which you can never actually solve.
I call this "login gaslighting" and it's evil. Pioneered by the "do no evil" company.
ReCaptcha does a similar tactic but rather than unsolvable it's a stream of the most annoying captcha -- "select all of image until none are left". Fail one and you're back at the start. You do have the option to cycle captcha, but 9/10 times it'll be this one. Eventually you'll get locked out of captcha entirely. Anyone who has used Tor on Google has probably experienced this.
So that's what that was... Was trying to do something legit, MS gave me a puzzle to solve, it was unsolvable in the time given, it wasted maybe 20 mins. Can't remember what it was, I think create an account for visual studio (you had to sign in to an MS account to keep using free VS, the wankers).
Blocking people leads to them searching for ways around your block really quickly. Making them waste time not realizing they have been blocked, such as endless retries or shadow bans, is much more effective at making them stop bothering you for a while longer. Time spent doing this is time they can't spend being malicious on your platform.
It's unfortunate when a non-malicious user gets caught in one of these traps...
I tried to sign up for Steam and my long complex password seemed to trigger a never-ending stream of captchas. Also, just today Ticketmaster decided my Firefox browser was a bot and blocked me. Fun times.
You are lucky. I haven't been able to use Ticketmaster for 2 years because all IPs from my ISP are blocked as bots. Contacted their support on Twitter and they told me the only way to use their site is to change my ISP, as even the VPNs I tried are blocked. Looks like they have enough money to have the luxury to block one of the biggest ISPs where I live.
I understand the initial idea to block this known neo-Nazi short handle (8 for the letter H and 88 as HH standing for the 'Heil Hitler' salute in these circles).
But how many people do I know born in 88. Or on the 8th of August?
I understand that given the login is your public visible name on steam they just don't want clear neo-Nazi signifiers.
Troy, watch out you don't open yourself up for an attack from the bad guys: They'll start sending you solicitations with ReplyTo addresses of industry honeypots, and before you know it, you'll become a known spammer and your regular outgoing emails will be routed to recipient's spam folders or maybe even dropped entirely.
But how does the palindrome rule work with “password must start with ‘cat’” and “password must end with ‘dog’”? It seems impossible to satisfy these three.
Having the conditions contradict each other serves as a proof that it’s impossible to create a password; I thought this information shouldn’t be revealed to the user.
The emoji rule is particularly annoying on ios; there the password keyboard (i.e. virtual keyboard used on “password” form input fields) is different and doesn’t support entering emoji.
This reads a bit much like an ad. I sure have to scroll through a lot about Microsoft, Cloudflare, etc. before the funny password requirements I came for, at the verrrry end.
This is a Microsoft sponsored tech talk. Advertising for MS is one of Troy's businesses, as he discloses in his bio on the page. And the banner at the top says this particular post is sponsored by Cloudflare.
I once attended a MS workshop at my school on Azure. The speaker kept saying “open x page in Edge”, until there was a page that didn’t render properly with Edge. He was very hesitant to say Chrome.
This is a cool project, but I would be more concerned that replying to spammers confirms you are real and that could result in much more spam. So is the net increase in pain your own?
This makes all the difference with other services that block out users only to let them guess why they were blocked.
If an automated system did that, I would have said it's evil. Yet, I hope you have a communication channel in case there was a human error.
Legitimate users would be able to contact us using the email address that is shown right underneath the error message.
Sounds like something a film villain would say when asked about collateral damage.
It is better a thousand criminals/spammers go free than a single innocent non-spammer be treated as if they are one.
Essentially the companies are shifting their own pain (with spammers) onto innocent users ("it's your problem now, suck it users, lol!!!").
Lasted a few hours. I figure someone else on that vpn was doing something wrong and they just blocked anyone from there for a while.
Super frustrating that you're left to just … to get frustrated.
Figure it was a mistake from some automated security framework type of deal.
Edit: Typo
'Password must contain at least 1 primary Simpsons family character'
'Password must contain at least 1 Nordic character'
'Password must contain at least 1 Greek character'
'Password must contain at least 1 primary Griffin family character'
'Password must contain at least one emoticon'
'Password when stripped of non-numeric characters must be a number divisible by 3'
[1] https://github.com/troyhunt/password-purgatory-api/blob/mast...
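An added example, not code from the password-purgatory-api, showing the quoted rules as predicates together with the palindrome / starts-with-"cat" / ends-with-"dog" trio discussed elsewhere in the thread. The character and name lists are my own assumed readings of the rule names, not the project's lists.

```python
import re
import unicodedata

# Assumed interpretations of the rule names quoted above (not the project's own data).
SIMPSONS = ("homer", "marge", "bart", "lisa", "maggie")
GRIFFINS = ("peter", "lois", "meg", "chris", "stewie", "brian")
NORDIC = set("æøåðþ")
EMOTICONS = (":)", ":-)", ":(", ";)", ":D", ":P")

def digits_divisible_by_3(pw):
    """'Stripped of non-numeric characters must be a number divisible by 3'."""
    digits = re.sub(r"\D", "", pw)
    return digits != "" and int(digits) % 3 == 0

def is_palindrome(pw):
    return pw == pw[::-1]

RULES = [
    ("primary Simpsons family character", lambda p: any(n in p.lower() for n in SIMPSONS)),
    ("Nordic character", lambda p: any(c in NORDIC for c in p.lower())),
    ("Greek character", lambda p: any("GREEK" in unicodedata.name(c, "") for c in p)),
    ("primary Griffin family character", lambda p: any(n in p.lower() for n in GRIFFINS)),
    ("emoticon", lambda p: any(e in p for e in EMOTICONS)),
    ("digits divisible by 3", digits_divisible_by_3),
    ("palindrome", is_palindrome),
    ("starts with 'cat'", lambda p: p.startswith("cat")),
    ("ends with 'dog'", lambda p: p.endswith("dog")),
]

def failed_rules(pw):
    """Names of the rules the candidate password does not satisfy."""
    return [name for name, ok in RULES if not ok(pw)]

def cat_dog_palindrome_possible():
    # A palindrome equals its own reverse, so one that starts with "cat" must
    # end with "tac". Since "tac" != "dog", no string satisfies all three rules.
    return "cat"[::-1] == "dog"

if __name__ == "__main__":
    candidate = "catHomerLoisα:)ø12dog"   # constructed: passes everything but the palindrome rule
    print(failed_rules(candidate))
    print(cat_dog_palindrome_possible())
```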
Having the conditions contradict each other serves as a proof that it’s impossible to create a password; I thought this information shouldn’t be revealed to the user.
Looks like there is already an issue about it: https://github.com/troyhunt/password-purgatory-api/issues/45
Edit: I just noticed the list has one requirement for an emoticon, and another for an emoji. Carry on.
I did the same thing 10 years ago and it was one of the best morale builders for our team after all the time we spent dealing with these folks.
https://www.brightball.com/articles/waste-spammers-time-to-r...