If spammers can abuse something, they gonna abuse it
If it doesn’t exclude a URL it likely doesn’t block SQL either.
Time for the ol XKCD Little Bobby Tables attack
I mean, allowing arbitrary characters in the name is one thing. I think I would do that as well, as there are many weird names out there.
But then actually parsing it out (or not escaping it properly), that’s the real sin.
Might be the mail client being helpful and going “hey! Thats a URL. Let me make it a link”
URLs as a person name
What do you mean?
Somebody created an account at MyEpson with OP’s email address and the name “GET BITCOIN NOW link”, which sends a confirmation email to OP with that name. Basically it’s spam using Epson as a trojan horse to get past filters.
Something I just thought about for the first time: the sheer amount of spam content everywhere (website comments, mails, bots) seems to indicate that there must be ungodly amounts of money being made but I rarely see politicians actually talk about the topic and doing something against it.
Can anyone confirm/explain?
It’s cheap easy to do, requires very little actual work , and it returns some profit.
It doesn’t make a lot of money but it’s more than no money at all so it is worth doing.
I’m not 100% sure what you’re asking, but spam is generally a very low margin, very high volume kind of business. So I wouldn’t assume these people are making ungodly amounts of money. I did a bit of searching and found estimates on the order of $200 million per year for spammers and spam-advertised businesses combined. Sure, it’s not nothing. But on a global scale that’s not necessarily ungodly amounts.
Compare for example revenues in the illegal drug trade, which globally accounts for hundreds of billions of dollars yearly.
One of the major issues with creating legislation to block spam emails (and spam phone calls) is that it would also impact the fundraising capabilities of political parties.
Politicians don’t talk about spam, because politicians use spam to raise money money for their campaigns.
Right. The rules are different in the US. Where I live, they dont/cant do that.
I mean, give folk a few years and it’ll be something to add to the “you can’t assume X about a name field” list.
but even in the early 2000s nobody called their kid zombo.com
What would be a solution? How do you know Albert/III.jr is not a valid name?
never trust user input. the web site should be looking for and filtering this shit out.
the other one (the submission page at the university, was right above this one in my ‘all’ feed) shows it better–with a full valid link in a text box. should be filtered and rejected by the form submission handler and never inserted into the database. in the case of no ‘http’ as part of it, links still follow a format, and those should be rejected too.
mod_security filters that shit out on my sites, the rules on what’s allowed in a form field hardly ever get ‘tested’ anymore since i turned that on.
Never trusting user input, sure. That, I know. And probably the university’s devs do as well.
However, it’s not the university’s website’s fault that the email client is converting the name to a link.
So what you’re saying is, email clients should not convert link-like text to actual clickable links. Correct?
it’s a valid name but it shouldn’t add the hyperlink… wait a moment…
*** went to check the source of the emails that i received ***
the senders (i’m targeted by an asshole that did this on hundreds on sites) DIDN’T add any hyperlink, this is a huge security issue by gmail: they’re automatically adding hyperlinks! This is very stupid, especially with the new google domains .zip and .mov. Someone sends an email like “attached there’s bank-statement.zip” and then gets phished
Email clients and web browsers making anything that vaguely looks like a link clickable is nothing new.
You’ve landed on this page because you followed a link for a .zip file. This domain was registered to prevent its misuse for potentially harmful or malicious activities.
Well, what do ya know. There’s still some good guys out there.
I was just going to point out that it’s the responsibility of the email service to filter that as well.
It was a big bug ticket at my company, that our email service kept automatically turning plaintext to links like www.example.com for convenience. We couldn’t fix it on our side at all.
Edit: lol either Lemmy or my Lemmy app also turns plaintext links into real links! www.Rofl.lol
