[flagged] Ask HN: What is this user doing?
42 points by lai-yin on Dec 18, 2021 | hide | past | favorite | 33 comments
Between Nov 20 and Dec 14, someone with the IP address 34.66.115.47 has submitted 16 requests to join my email newsletter on my website form with nonsense email accounts like mphtnarrwqrs@gmail.com and qrzqoiakkubp@gmail.com. In one instance they used a real email address, so I have their name and know the company they work for (which is in my industry and we actually have mutual colleagues). What could this person possibly be doing with all these weird form submissions? I have a very basic, static website, do no A/B testing, and haven't made any updates to it in months. What do you think?



Welcome to public-facing application security :) Any number of reasons, potentially more than one at once:

1. Being a dick / bored / ...

2. Pen-testing you for some reason.

3. Trying to inflate your signup numbers for some reason.

4. Trying to see how many users you have (see other comment)

5. Testing their own fake email system for something

6. Trying to increase your costs

7. Demonstrating something for someone else not realizing it's production

8. Pure, unadulterated incompetence

9. Something else malicious


10. Just trying to get rid of your "Subscribe to the newsletter" pop-up.

Assuming there is one, of course, but my experience with current newsletters is that there is a popup. Sometimes a "delayed action" one.


9. might be: get on your mailing list then when you send emails to those accounts flag them as SPAM in an effort to harm your email deliverability.


Haha sounds like fun! I need to dive into that more. Maybe for the next iteration of our website.

I tried emailing a few of these accounts from a burner email and got bounce backs on all of them.

Also just realized that since 12-15 another IP address 35.238.7.76 has submitted 4 more gibberish email accounts like uxjzylbwryxb@gmail.com.

So if they are fake accounts that bounce back, I guess that could hurt my deliverability rates with Constant Contact - not sure though. In any case I haven't been uploading them to my email contacts list so if he is trying to hurt my account it's been totally ineffective. And he'll need to increase his number of submissions by a few orders of magnitude to make a difference in the costs.

I guess my next step would have to be figuring out how to block multiple submissions from the same IP address or just reaching out to this dude and asking what's up. I need to learn more about him first since he works for someone kinda influential in my industry.
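The "block multiple submissions from the same IP address" step the poster says is next, as an added example that is not part of the thread: a sliding-window limiter per client IP, replayed over a constructed signup log. The log lines, the 24-hour window and the limit of two accepted signups per IP are assumptions; the two source addresses and the three gibberish Gmail local parts are the ones quoted in the thread, every timestamp and the remaining addresses are made up.

```python
from __future__ import annotations

from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed signup log: "<ISO timestamp> <client IP> <submitted address>".
# 34.66.115.47, 35.238.7.76 and the three gmail.com local parts quoted in the
# thread are the poster's observations; the other addresses and all timestamps
# are made up. 203.0.113.10 is a documentation (TEST-NET-3) address.
SAMPLE_LOG = """\
2021-11-20T09:12:01 34.66.115.47 mphtnarrwqrs@gmail.com
2021-11-20T09:13:22 34.66.115.47 qrzqoiakkubp@gmail.com
2021-11-20T09:15:05 34.66.115.47 lkjhgfdsazxc@gmail.com
2021-11-21T14:00:00 203.0.113.10 subscriber@example.org
2021-11-23T10:30:00 34.66.115.47 wertyuiopasd@gmail.com
2021-12-15T08:00:00 35.238.7.76 uxjzylbwryxb@gmail.com
"""


class SignupRateLimiter:
    """Allow at most `max_accepted` signups per client IP inside a sliding window.

    Only accepted submissions are remembered, so a client that keeps retrying
    cannot push its own window forward; once `window` has elapsed since the
    oldest accepted signup, that slot frees up again.
    """

    def __init__(self, max_accepted: int, window: timedelta) -> None:
        self.max_accepted = max_accepted
        self.window = window
        self._accepted: dict[str, deque[datetime]] = defaultdict(deque)

    def allow(self, ip: str, now: datetime) -> bool:
        hits = self._accepted[ip]
        cutoff = now - self.window
        while hits and hits[0] < cutoff:  # forget accepted signups older than the window
            hits.popleft()
        if len(hits) >= self.max_accepted:
            return False
        hits.append(now)
        return True


def parse_log(log_text: str):
    """Yield (timestamp, ip, address) tuples from the three-column log format."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, address = line.split()
        yield datetime.fromisoformat(ts), ip, address


def replay(log_text: str, limiter: SignupRateLimiter) -> list[tuple[str, str, bool]]:
    """Run every logged submission through the limiter, in log order."""
    return [(ip, address, limiter.allow(ip, ts)) for ts, ip, address in parse_log(log_text)]


def denied_ips(decisions: list[tuple[str, str, bool]]) -> set[str]:
    return {ip for ip, _, allowed in decisions if not allowed}


def distinct_addresses_per_ip(log_text: str) -> dict[str, int]:
    """The poster's own signal: how many different addresses each IP submitted."""
    seen: dict[str, set[str]] = defaultdict(set)
    for _, ip, address in parse_log(log_text):
        seen[ip].add(address.lower())
    return {ip: len(addresses) for ip, addresses in seen.items()}


def run_sample() -> list[tuple[str, str, bool]]:
    """Replay the constructed log with an assumed limit of 2 signups per IP per 24 hours."""
    limiter = SignupRateLimiter(max_accepted=2, window=timedelta(hours=24))
    return replay(SAMPLE_LOG, limiter)


if __name__ == "__main__":
    for ip, address, allowed in run_sample():
        print(f"{'accept' if allowed else 'DENY  '} {ip:<14} {address}")
    print("distinct addresses per IP:", distinct_addresses_per_ip(SAMPLE_LOG))
```

With those assumed settings the third burst submission from 34.66.115.47 is refused while its signup two days later is accepted again, so a legitimate visitor on a shared address is never locked out for good. The distinct-address count per IP is the better indicator for a static site: one address submitting four different Gmail local parts is the pattern the poster noticed, and it is independent of how fast the requests arrive.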


"6. Trying to increase your costs" would have been my initial guess, failing Hanlon's Razor (8.)


They’re probably just scraping e-mail newsletters for competitive intel. It’s likely a SaaS.


just 1 actor?

probably 1)...


So in terms of 16 requests, that's nothing. Something actually malicious would be thousands.

Either this person is setting up to do something malicious and hasn't even started, or they're more likely studying your sign up process, struggling with it, and have a short memory so they did it many times over 15 days.

The fact is, having an open form on the internet is like having an open invite to come shit in your toilets.

Since this person is within your industry, I'd just poke them and ask. That will most likely make them stop. The fact that they use their own IP address and used a real email address means to me that this person is non-malicious.

Plus point for sending them a report of their own activity, real time as they submit it, to their email address.


Send an email to the proper looking address and ask them what's up with all the different sign-ups. Check in to see if they're experiencing technical problems or something that you can help with.

Also report back here because now we're curious too ;)


Does your newsletter have a "Welcome user number 1234"? or similar, like a number in the URL? Ages ago I used a similar approach to gain data on growth of a website. They would increase a number in the URL for every (shopping) checkout session, easy way to figure out if there was growth or not.


Thanks for the suggestion. There is no visible counter on the webpage for users to see, and I'm not seeing one when I look under the hood in DevTools. I could be missing something though. It still would be odd since given my industry and where this user works, I don't see much incentive for him to track my subscriber growth.


He/she is developing something similar to what you are exposing and is reverse engineering the behavior for quick solutions/shortcuts. Or is learning how form submissions work.

Not that I haven't done anything like that, ever :)


That's really strange. Only thing I can think of is the person is using multiple throwaway email accounts to join your newsletter. They are then marking all your messages as spam in an attempt to get your email blacklisted. Hopefully someone has a less malicious explanation.


You know what it might be: maybe the person is a niche marketer and is going to pretend to be multiple people to sell their product to the newsletter's audience. That happens all the time. Account 1 will ask for recommendations, then account 2-6, all held by the same person, talks up the spammer's product. Although, I don't know exactly how it would work with a newsletter, I know this is very common when comment spamming.


Given how many times my real email is used incorrectly to sign up for everything from nursing courses in Florida to Golf Sundays in Michigan, I would no longer trust that "real email" address to be tied to the real person without more information.


Benign explanation: for whatever reason, they're not getting the newsletters so they're trying to subscribe again using a throwaway.


I agree with another comment here that this is likely them signing up with throwaway emails and trying to get you blacklisted by putting all your messages to spam. In the off chance that they are somewhat more sophisticated, I would try to log these requests and look for SQL injection attacks. It's possible that these bogus signups are an artifact of them doing something more malicious.


The IP address 34.66.115.47 points to Google Cloud. I think there's a possibility the real address is legitimate and it's just a coincidence? Or maybe they're using a Tor-like service that "covers their tracks" by sending randomized data?

If you don't see any obvious reason for malice, I think you should email them and ask!


So yeah

  # curl ipinfo.io/34.66.115.47
  {
  "ip": "34.66.115.47",
  "hostname": "47.115.66.34.bc.googleusercontent.com",
  "city": "Council Bluffs",
  "region": "Iowa",
  "country": "US",
  "loc": "41.2619,-95.8608",
  "org": "AS396982 Google LLC",
  "postal": "51502",
  "timezone": "America/Chicago",
  "readme": "https://ipinfo.io/missingauth"}
What kind of URL is that? This can't be someone using a browser as normal on their own machine, can it? Could they be trying to build a Google form or document or something that embeds part of the sign up form?

Edit: unsubstantiated source [0] says that domain relates to Google App Engine, so could be the person is working on a project that includes some form submission capability and somehow is using your site for testing

https://superuser.com/questions/892437/what-do-you-do-if-you...


It looks like an IP geolocation API. However, it has missing authentication under the readme.


No, I wasn't clear. I used the API at ipinfo.io to get the information about the IP address the parent had posted. That info pertains to the "problem" IP he is encountering; it's not generated by some service at that address.


Once they get your newsletter you will receive an email asking about your privacy practices.


Probably competitor analysis of your newsletter signup flow


I was going to mention this too but they mentioned they had colleagues in common. I figured it probably wasn't a competitor, but if there is a chance that they are a competitor, this is more than likely what it is.


I did something like this to someone once. I wanted to see if their camera worked in our in-app browser (it didn't). It was part of a loan application process. I tried fixing the bug a few times and it didn't work each time.

I actually gave my real details the first time but didn't submit the form, so someone tried calling me about 20 times before I picked up and was confused when I said I wasn't interested.


See if your newsletter leaks emails? Many do.


Just to make this more explicit. Ensure BCC (blind carbon copy) is used for all newsletter emails.
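A concrete version of the leak check behind the two comments above, added here as an example that is not from the thread: the same newsletter built once with every subscriber in To: and once with subscribers carried only as SMTP envelope recipients, which is what Bcc amounts to on the wire. The sender and subscriber addresses are constructed; nothing is actually sent.

```python
from email.message import EmailMessage

SENDER = "newsletter@example.com"                       # constructed
SUBSCRIBERS = ["alice@example.org", "bob@example.net"]  # constructed


def build_leaky(subscribers):
    """Every subscriber in To: each recipient receives the whole list."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = ", ".join(subscribers)
    msg["Subject"] = "December newsletter"
    msg.set_content("Hello from the newsletter.")
    return msg


def build_blind(subscribers):
    """Subscribers carried only as SMTP envelope recipients (the effect of Bcc).

    The headers name just the sender, so the transmitted bytes contain no
    subscriber address. Returns the message plus the separate recipient list
    that would be handed to SMTP.sendmail(SENDER, recipients, msg.as_bytes()).
    """
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = SENDER
    msg["Subject"] = "December newsletter"
    msg.set_content("Hello from the newsletter.")
    return msg, list(subscribers)


def leaked_addresses(msg, subscribers):
    """Subscriber addresses that appear anywhere in the message as it would be sent."""
    wire = msg.as_string().lower()
    return [addr for addr in subscribers if addr.lower() in wire]


if __name__ == "__main__":
    print("To-list message leaks:", leaked_addresses(build_leaky(SUBSCRIBERS), SUBSCRIBERS))
    blind_msg, recipients = build_blind(SUBSCRIBERS)
    print("envelope-only message leaks:", leaked_addresses(blind_msg, SUBSCRIBERS))
    print("envelope recipients:", recipients)
```

If you prefer to keep a Bcc header in the message object, `smtplib.SMTP.send_message` strips Bcc and Resent-Bcc headers before transmission, which gives the same on-the-wire result; the `leaked_addresses` check is worth running against the actual bytes your sending path produces rather than the object you built.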


> In one instance they used a real email address, so I have their name and know the company they work for (which is in my industry and we actually have mutual colleagues).

So what will you do with this information?


As someone else mentioned, this is coming from Google Cloud IP address space. You might consider blocking that net block or silently discarding signup attempts from it.

35.238.4.0/22 (AS15169)
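The net-block discard suggested in the comment above, as an added example that is not from the thread: a membership check against a list of CIDR ranges using the standard `ipaddress` module, plus a coverage report over the two source addresses the poster reported. The only range listed is the 35.238.4.0/22 from the comment; it contains the second observed address (35.238.7.76) but not the first (34.66.115.47), which the report makes visible before anyone relies on the block.

```python
from __future__ import annotations

import ipaddress

# The one net block proposed in the thread, kept as data so further ranges can be
# appended. An IPv4 /22 is 1024 addresses, far more than one tenant's machine.
DISCARD_NETWORKS = [ipaddress.ip_network("35.238.4.0/22")]

# Source addresses the poster reported; used here only to check coverage.
OBSERVED_IPS = ["34.66.115.47", "35.238.7.76"]


def matching_network(client_ip: str):
    """Return the discard network containing client_ip, or None.

    A malformed value (for example a mangled X-Forwarded-For header) is treated
    as "no match" rather than raising, so the form handler keeps working; log
    such values separately. An IPv6 client address never matches an IPv4 range.
    """
    try:
        ip = ipaddress.ip_address(client_ip.strip())
    except ValueError:
        return None
    for net in DISCARD_NETWORKS:
        if ip in net:  # version mismatch simply evaluates to False
            return net
    return None


def should_discard(client_ip: str) -> bool:
    """True when the signup should be silently dropped (thank-you page shown, nothing stored)."""
    return matching_network(client_ip) is not None


def coverage(ips: list[str]) -> dict[str, str | None]:
    """Map each observed IP to the discard range that would catch it, or None."""
    result: dict[str, str | None] = {}
    for ip in ips:
        net = matching_network(ip)
        result[ip] = str(net) if net is not None else None
    return result


if __name__ == "__main__":
    for ip, net in coverage(OBSERVED_IPS).items():
        print(f"{ip:<14} -> {net or 'not covered'}")
    print("addresses in discard list:", sum(n.num_addresses for n in DISCARD_NETWORKS))
```

The report shows that this single /22 only catches the later address, so blocking it answers half of what the poster saw. Covering all of Google Cloud would mean loading Google's published machine-readable list of Cloud ranges into `DISCARD_NETWORKS`, at the cost of also dropping signups from anything hosted there, which is why silent discard plus the per-IP counting the poster already does is usually a better first step than a broad range block.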


Are you sure your newsletter is actually getting sent out?

It sounds like they're not receiving it, so signing up with junk emails to check.


That sounds like they’re writing a script of some kind and testing as they write it. Who knows what their motives are.


“If you build it, they will come.”


Fishing for new hires. ;]

