Ask HN: What is this user doing?

42 pointslai-yin4y ago33 comments

Between Nov 20 and Dec 14, someone with the IP address 34.66.115.47 has submitted 16 requests to join my email newsletter on my website form with nonsense email accounts like mphtnarrwqrs@gmail.com and qrzqoiakkubp@gmail.com. In one instance they used a real email address, so I have their name and know the company they work for (which is in my industry and we actually have mutual colleagues). What could this person possibly be doing with all these weird form submissions? I have a very basic, static website, do no A/B testing, and haven't made any updates to it in months. What do you think?

33 comments

junon4y ago

Welcome to public-facing application security :) Any number of reasons, potentially more than one at once:

1. Being a dick / bored / ...

2. Pen-testing you for some reason.

3. Trying to inflate your signup numbers for some reason.

4. Trying to see how many users you have (see other comment)

5. Testing their own fake email system for something

6. Trying to increase your costs

7. Demonstrating something for someone else not realizing it's production

8. Pure, unadulterated incompetence

9. Something else malicious

gaius_baltar4y ago

10. Just trying to get rid of your "Subscribe to the newsletter" pop-up.

Assuming there is one, of course, but my experience with current newsletters is that there is a popup. Sometimes a "delayed action" one.

jrs2354y ago

9. might be: get on your mailing list then when you send emails to those accounts flag them as SPAM in an effort to harm your email deliverability.

lai-yinOP4y ago

Haha sounds like fun! I need to dive into that more. Maybe for the next iteration of our website.

I tried emailing a few of these accounts from a burner email and got bounce backs on all of them.

Also just realized that since 12-15 another IP address 35.238.7.76 has submitted 4 more jibberish email accounts like uxjzylbwryxb@gmail.com.

So if they are fake accounts that bounce back, I guess that could hurt my deliverability rates with Constant Contact - not sure though. In any case I haven't been uploading them to my email contacts list so if he is trying to hurt my account it's been totally ineffective. And he'll need to increase his number of submissions by a few orders of magnitude to make a difference in the costs.

I guess my next step would have to be figuring out how to block multiple submissions from the same IP address or just reaching out to this dude and asking what's up. I need to learn more about him first since he works for someone kinda influential in my industry.

jszymborski4y ago

"6. Trying to increase your costs" would have been my initial guess, failing Hanlon's Razor (8.)

TechBro86154y ago

They’re probably just scraping e-mail newsletters for competitive intel. It’s likely a SaaS.

jareklupinski4y ago

just 1 actor?

probably 1)...

keyle4y ago

So in terms of 16 requests, that's nothing. Something actually malicious would be thousands.

Either this person is setting up to do something malicious and hasn't even started, or they're more likely studying your sign up process, struggling with it, and have a short memory so they did it many times over 15 days.

The fact is, having an open form on the internet is like having an open invite to come shit in your toilets.

Since this person is within your industry, I'd just poke them and ask. That will most likely make them stop. The fact that they use their own IP address and used a real email address means to me that this person is non-malicious.

Plus point for sending them a report of their own activity, real time as they submit it, to their email address.

krono4y ago

Send an email to the proper looking address and ask them what's up with all the different sign-ups. Check in to see if they're experiencing technical problems or something that you can help with.

Also report back here because now we're curious too ;)

mtmail4y ago

Does your newsletter have a "Welcome user number 1234"? or similar, like a number in the URL? Ages ago I used a similar approach to gain data on growth of a website. They would increase a number in the URL for every (shopping) checkout session, easy way to figure out if there was growth or not.

lai-yinOP4y ago

Thanks for the suggestion. There is no visible counter on the webpage for users to see, and I'm not seeing one when I look under the hood in DevTools. I could be missing something though. It still would be odd since given my industry and where this user works, I don't see much incentive for him to track my subscriber growth.

natoliniak4y ago

He/she is developing something similar to what you are exposing and is reverse engineering the behavior for quick solutions/shortcuts. Or is learning how form submissions work.

Not that i haven't done anything like that, ever :)

Flankk4y ago

That's really strange. Only thing I can think of is the person is using multiple throwaway email accounts to join your newsletter. They are then marking all your messages as spam in an attempt to get your email blacklisted. Hopefully someone has a less malicious explanation.

alchemyromcom4y ago

You know what it might be: maybe the person is a niche marketer and is going to pretend to be multiple people to sell their product to the newsletter's audience. That happens all the time. Account 1 will ask for recommendations, then account 2-6, all held by the same person, talks up the spammer's product. Although, I don't know exactly how it would work with a newsletter, I know this is very common when comment spamming.

271828182844y ago

Given how many times my real email is used incorrectly to sign up for everything from nursing courses in Florida to Golf Sundays in Michigan, I would no longer trust that "real email" address to be tied to the real person without more information.

Uhhrrr4y ago

Benign explanation: for whatever reason, they're not getting the newsletters so they're trying to subscribe again using a throwaway.

erdos4d4y ago

I agree with another comment here that this is likely them signing up with throwaway emails and trying to get you blacklisted by putting all your messages to spam. In the off chance that they are somewhat more sophisticated, I would try to log these requests and look for SQL injection attacks. It's possible that these bogus signups are an artifact of them doing something more malicious.

gkoberger4y ago

The IP address 34.66.115.47 points to Google Cloud. I think there's a possibility the real address is legitimate and it's just a coincidence? Or maybe they're using a Tor-like service that "covers their tracks" by sending randomized data?

If you don't see any obvious reason for malice, I think you should email them and ask!

justtologin4y ago

So yeah

  # curl ipinfo.io/34.66.115.47
  {
  "ip": "34.66.115.47",
  "hostname": "47.115.66.34.bc.googleusercontent.com",
  "city": "Council Bluffs",
  "region": "Iowa",
  "country": "US",
  "loc": "41.2619,-95.8608",
  "org": "AS396982 Google LLC",
  "postal": "51502",
  "timezone": "America/Chicago",
  "readme": "https://ipinfo.io/missingauth"}

What kind of url is that? This cant be someone using a browser as normal on their own machine can it? Could they be trying to build a google form or document or something that embeds part of the sign up form?

Edit: unsubstantiated source [0] says that domain relates to Google app engine, so could be the person is working on a project that includes some form submission capability and somehow is using your site for testing

https://superuser.com/questions/892437/what-do-you-do-if-you...

alam20004y ago

It looks like a IP geolocaion API. However, it has missing authentication under the readme.

1 more reply

jvilalta4y ago

One they get your newsletter you will receive an email asking about your privacy practices.

A_Duck4y ago

Probably competitor analysis of your newsletter signup flow

junon4y ago

I was going to mention this too but they mentioned they had colleagues in common. I figured it probably wasn't a competitor, but if there is a chance that they are a competitor, this is more than likely what it is.

muzani4y ago

I did something like this to someone once. I wanted to see if their camera worked in our in-app browser (it didn't). It was part of a loan application process. I tried fixing the bug a few times and didn't work each time.

I actually gave my real details the first time but didn't submit the form, so someone tried calling me about 20 times before I picked up and was confused when I said I wasn't interested.

MattGaiser4y ago

See if your newsletter leaks emails? Many do.

sojournerc4y ago

Just to make this more explicit. Ensure BCC (blind carbon copy) is used for all newsletter emails.

gaws4y ago

> In one instance they used a real email address, so I have their name and know the company they work for (which is in my industry and we actually have mutual colleagues).

So what will you do with this information?

toomuchtodo4y ago

As someone else mentioned, this is coming from Google Cloud IP address space. You might consider blocking that net block or silent discarding signup attempts from it.

35.238.4.0/22 (AS15169)

new_guy4y ago

Are you sure your newsletter is actually getting sent out?

It sounds like they're not receiving it, so signing up with junk emails to check.

huetius4y ago

That sounds like they’re writing a script of some kind and testing as they write it. Who knows what their motives are.

whalesalad4y ago

“If you build it, they will come.”

koziserek4y ago

Fishing for new hires. ;]

j / k navigate · click thread line to collapse

33 comments

junon4y ago

Welcome to public-facing application security :) Any number of reasons, potentially more than one at once:

1. Being a dick / bored / ...

2. Pen-testing you for some reason.

3. Trying to inflate your signup numbers for some reason.

4. Trying to see how many users you have (see other comment)

5. Testing their own fake email system for something

6. Trying to increase your costs

7. Demonstrating something for someone else not realizing it's production

8. Pure, unadulterated incompetence

9. Something else malicious

gaius_baltar4y ago

10. Just trying to get rid of your "Subscribe to the newsletter" pop-up.

Assuming there is one, of course, but my experience with current newsletters is that there is a popup. Sometimes a "delayed action" one.

jrs2354y ago

9. might be: get on your mailing list then when you send emails to those accounts flag them as SPAM in an effort to harm your email deliverability.

lai-yinOP4y ago

Haha sounds like fun! I need to dive into that more. Maybe for the next iteration of our website.

I tried emailing a few of these accounts from a burner email and got bounce backs on all of them.

Also just realized that since 12-15 another IP address 35.238.7.76 has submitted 4 more jibberish email accounts like uxjzylbwryxb@gmail.com.

jszymborski4y ago

"6. Trying to increase your costs" would have been my initial guess, failing Hanlon's Razor (8.)

TechBro86154y ago

They’re probably just scraping e-mail newsletters for competitive intel. It’s likely a SaaS.

jareklupinski4y ago

just 1 actor?

probably 1)...

keyle4y ago

So in terms of 16 requests, that's nothing. Something actually malicious would be thousands.

The fact is, having an open form on the internet is like having an open invite to come shit in your toilets.

Plus point for sending them a report of their own activity, real time as they submit it, to their email address.

krono4y ago

Send an email to the proper looking address and ask them what's up with all the different sign-ups. Check in to see if they're experiencing technical problems or something that you can help with.

Also report back here because now we're curious too ;)

mtmail4y ago

lai-yinOP4y ago

natoliniak4y ago

He/she is developing something similar to what you are exposing and is reverse engineering the behavior for quick solutions/shortcuts. Or is learning how form submissions work.

Not that i haven't done anything like that, ever :)

Flankk4y ago

alchemyromcom4y ago

271828182844y ago

Uhhrrr4y ago

Benign explanation: for whatever reason, they're not getting the newsletters so they're trying to subscribe again using a throwaway.

erdos4d4y ago

gkoberger4y ago

If you don't see any obvious reason for malice, I think you should email them and ask!

justtologin4y ago

So yeah

  # curl ipinfo.io/34.66.115.47
  {
  "ip": "34.66.115.47",
  "hostname": "47.115.66.34.bc.googleusercontent.com",
  "city": "Council Bluffs",
  "region": "Iowa",
  "country": "US",
  "loc": "41.2619,-95.8608",
  "org": "AS396982 Google LLC",
  "postal": "51502",
  "timezone": "America/Chicago",
  "readme": "https://ipinfo.io/missingauth"}

https://superuser.com/questions/892437/what-do-you-do-if-you...

alam20004y ago

It looks like a IP geolocaion API. However, it has missing authentication under the readme.

1 more reply

jvilalta4y ago

One they get your newsletter you will receive an email asking about your privacy practices.

A_Duck4y ago

Probably competitor analysis of your newsletter signup flow

junon4y ago

muzani4y ago

I actually gave my real details the first time but didn't submit the form, so someone tried calling me about 20 times before I picked up and was confused when I said I wasn't interested.

MattGaiser4y ago

See if your newsletter leaks emails? Many do.

sojournerc4y ago

Just to make this more explicit. Ensure BCC (blind carbon copy) is used for all newsletter emails.

gaws4y ago

> In one instance they used a real email address, so I have their name and know the company they work for (which is in my industry and we actually have mutual colleagues).

So what will you do with this information?

toomuchtodo4y ago

As someone else mentioned, this is coming from Google Cloud IP address space. You might consider blocking that net block or silent discarding signup attempts from it.

35.238.4.0/22 (AS15169)

new_guy4y ago

Are you sure your newsletter is actually getting sent out?

It sounds like they're not receiving it, so signing up with junk emails to check.

huetius4y ago

That sounds like they’re writing a script of some kind and testing as they write it. Who knows what their motives are.

whalesalad4y ago

“If you build it, they will come.”

koziserek4y ago

Fishing for new hires. ;]

j / k navigate · click thread line to collapse