Confession. This vaguely reminded me of something (now admittedly, terrible) I did way back in highschool to give myself a bit more time on an assignment: submit a corrupted docx by putting in some random bytes in the file.
This would give you time until the teacher would get to grading (and opening) the file at which point you’d hopefully have finished.
Learning not to procrastinate as much turned out to be the better life skill.
LOL this was a common thing in high school for me but one teacher was more technically literate than we gave him credit for and in class (with overhead projectors LOL) called the student out in front of the whole class and had printouts of the hex where he had fucked with it and gave him a 0. I don't think you could drag a kid publicly that way today, some parent would get the administration up your ass.
Back in high school in ye olden days of 2003, the trick was to put a powerful magnet on your floppy disk prior to turning in the assignment. Floppy disk failures weren’t too uncommon, so it was hard to prove intent.
Frankly I’m amazed computers were trusted by anybody back then. Imagine if iCloud randomly corrupted 1 in 100 photos.
Not exactly the same story, but there was this one time when I was working on a long document, several days work, on an Amstrad PPC 640 (this was the early 90s). Saving the file on a floppy took around 1 minute I think (maybe more) so I didn't do it often and had no copy or backup of any kind.
It was around midnight, I was done and hit save. I had an external monitor, and for no particular reason, decided to move it around during the save. It was big and heavy, and while moving it I accidentally hit the power switch of the PC.
Powering off the machine during disk write destroyed everything. I couldn't believe it, I stared at the machine for a while.
Then I spent the rest of the night recreating the document from memory, while making frequent copies on different disks.
It was a horrible moment that I remember vividly, but it taught me a valuable lesson. I never again lost any file for lack of appropriate backup.
There are some people that knows the bible by heart, and I suppose if you work with it a lot, you have a general idea of the order of all things, and what's going on in each part without having to know the exact words. Like an essay you've been working on for months.
So seems about right.
Maybe it's time for a new metric: 1 floppy is what you can hold. More is too much.
The hex was clearly corrupted manually, something had been typed there. I don't think it was just the word "fuck" but I think the word "fuck" was in it. Was decades ago.
Ah, it was only "hjfsagufsaiugasfigsaigsg78wafg7fas fuck you teacher! fhadiuofashofhsaibsaiu" Notepad corruption? Huh, that's a fun one! /s But seriously, I'm impressed by that teacher.
Not the parent and not sure what s/he meant, but one could imagine software that borks when there are invalid (but nonobvious) characters in the filename, for example. Or file permissions or other extended filesystem attributes / resource forks if somehow you can get them delivered to the teacher that way.
The files are also often delivered via USB Stick which are usually formatted with a filesystem without bitrot detection. That would be indistinguishable from someone manually screwing with the file too.
You can never be certain wherever the damage was caused by bitrot or a person screwing with the file, but certain patterns are very unlikely to occur naturally so a reasonable guess is at least somewhat possible
My whole form of copy protection on AIR apps through about 2013 was basically to have the login system side-load another SWF once the user logged in - but the SWF's bytecode would be tweaked and corrupted in a way that required a valid response to the login to de-corrupt on the client side before it could be executed. Probably just the fact that you would've had to decompile the side-loader was enough to prevent it from being stolen.
Hah. It's pretty awesome to hear that from a Firefox dev.
I look back at it and wonder... what was the point? I think I was just having fun. I even went as far as having two "patches", where the first one made the software work but without the second one, it would send your VM and browser into a death loop after about 30 seconds. It was just the right amount of time to cause an SWF decompiler on Windows to crash the whole system. Anyone who wanted it badly enough would have gotten it, and I doubt anyone ever put in the effort to hit that spiral, so I must have just been entertaining myself ;)
Based on OP comment about showing the hex to the clas, my bet is the perp opened the file in notepad, jammed on the keyboard (ascii characters) or worse yet, typed a message proceeding or following the content (depending on the format), making it very obvious that it was an intentionally introduced error.
You could just do what I did instead. To make it less evident that it was tempered with, I'd copy a random chunk of the original file and insert it a few times with random offsets.
Another way: corrupt the formatting such that the file doesn’t show anything. Think the equivalent of adding a CSS property like body {margin-left: -10000px}. File would be perfectly valid but display as blank.
That's not too useful when plenty of students just send in a plain blank document. Corrupting it in one way that looks like a -different- way of slacking isn't so useful.
Because a blank file will have a tiny file size and will look like... a blank file. You want it to look like something went wrong such that the file couldn't be opened, but that it would have content if you could.
I'd bet that for the average tech illiterate teacher that's used to lazy students, it would be more work to explain how it could possibly NOT be the student's fault if they got an empty(looking) docx.
"The Windows NT NTFS can support forks (and so can be a file server for Mac files), the native feature providing that support is called an alternate data stream."
One of my college compsci professor didn't know anything about manipulating SMTP headers or manually crafting email messages. Couldn't abuse it too much, but could certainly turn in an assignment 8-12 hours late... because the timestamps would be before the cutoff. Any questions were allayed with "oh, you know email. Strange things happens, delays and all that".
We weren't even sending email on a public server, we were just using email on the local compsci server. Checking our messages with pine/alpine. The excuses didn't make any sense... but....
> Any questions were allayed with "oh, you know email. Strange things happens, delays and all that".
The funny thing is, on the real internet with SMTP (so, not in your case but commonly), that's actually true; I once worked at a company that sent a massive amount of email to customers with our own postfix clusters, and it turns out things like "MX was down for a few hours" or "customer's email system rate limited us" - or rarely even "our servers are overloaded and trickling mail out" - are real things and sometimes emails do get held up for hours or days.
dunno the back-story, but I've had some "valid for 5 minutes" password reset emails that would arrive expired (after 6 minutes+). And it didn't seem like the kind of company to do shenanigans, just technical voodoo.
Nitpickingly, while some SMTP (reicpients list) duplicated that in the email message, SMTP doesn't care about timestamps. It's the MIME stamp that can be messed with.
Most servers add a "Received" line to the MIME contents with some SMTP info, and you can't fool the timestamp inside that.
Wow, I totally forgot about doing this. It was a great trick in a pinch. Dropbox offered me a much better solution to do the same thing in college, which was to submit my assignment on time, via a Dropbox link in email, but to a blank word file. It always gave me several hours to finish my papers.
Now, I'm on the other side of it. My spouse is a teacher and I get to see the base tactics that some students try to pull off and the hair-pulling toll that hundreds of these paper cuts inflict on teachers when they have to chase down students.
My memory of what happens when they are caught is that that “<something something>, stress, grandma, sick, boyfriend/girlfriend, dog, car, flatmate <something something>, I’ve learned a lesson, please let my attempt at cheating slide.”
Faculty gives compassionate consideration and everyone moves on. Used to infuriate me.
When I worked retail at a big box store in college, the operations manager kept a spreadsheet tally of the death, disease and mishap that afflicted store employees.
After Christmas at the annual party he announced the total death toll (it was like 80 people and 50 pets for a staff of 120), and presented the person with the most fake death a funeral basket of flowers and summer sausage.
The payoff here (looking like a giant asshole) doesn't seem worth the risk (publically humiliating someone who had the worst year of their life and lost a ton of family and friends)
How would you abuse that? Choose to drop 3 results, that's your choice. Then get an emergency and have to forgo a forth. Well, that truly is your own fault since you chose to drop the first 3.
But when dad calls up the administration and reminds them of how much he's paying for the course, little Karen gets allowed to have that '3' number increased to 6...
There’s a machine called a postage machine which will print stamps on envelopes so you don’t need to run to buy stamps all the time. My dad had one at his law office that you could change the date to and the date printed on the stamp, and in doing so you could essentially post-date mail like it was mailed at an earlier date. If we ever missed deadlines or needed an extra day to work on a project it could have been an indispensable tool, but I bet that would count as some sort of mail fraud so of course we never did that…
This reminds me of an unrelated but interesting story an old Art teacher told.
She spoke of someone else submitting three pieces of artwork for a job or college app, but the person only included two pieces of art in the envelope. A letter was also included, which suggested the third piece was on the outside of the envelope. On the outside was a stamp, which was hand-made but good enough to get the package delivered.
As I think about it today, I doubt that would get you a job or access to college, but it’s an interesting story. And, it was impressionable enough that I’m recalling it 30 years later.
I recall a counterfeit artist with a "similar" story - he meticulously forged currency and claimed the fact that it was passable as the real thing proved its value as being at /least/ as much as the value of the bill it represented, and therefore was not, in fact, counterfeit money but was an art trade.
I don't think the feds agreed.
Edit - i believe I'm thinking of J. S. G. Boggs - https://en.wikipedia.org/wiki/J._S._G._Boggs
He didn't actually try to pass his bills as money, they had clear indicators that they weren't real (like being one-sided), and he'd trade them for the equivalent amount in goods and services as a performance art.
Do envelopes that were printed with a postage meter not get postmarked? My impression is that the stamp the postage meter puts on is just proof of payment (ie. instead of a stamp), but at the sorting facility they still apply a postmark which has the real date it arrived at the facility.
In college most profs were aware of this and explicitly stated that malformed files would be graded either as a 0 or under whatever late policy they had.
There isn’t a great excuse for it anymore, as Canvas (or your favorite other LMS) has a big button pre and post submit that will show your document as it appears for the teacher.
I'd be curious to know what the natural rate of docx corruption is, and what the sources are. What are the odds of cosmic rays flipping a meaningful bit right as the docx is written to disk but not before, and in a way that doesn't cause a crash? What are the actual error modes with both spinning and solid state disks, across a variety of filesystem types and usage patterns? Is the damage normally like one bit, or a would it normally flip a few in some (physically) localized region?
(It's just not something I think about very often, and only now do I realize how useless my knowledge is! I could speculate based on the flux of high-energy particles and the layout and energies involved in various storage media. I would expect the energies on non-volatile storage to be much higher than volatile storage, and so for bit flips to be rare. I would expect flips to be singular, and not come in groups - but if they did it would be temporal, not spatial - something like a solar flare. The interesting flips would be the least likely ones, where the serialization code is running. The threat-model here is the relatively large memory region consisting of the union of something like [cpu, kernel, jvm, thread, bytecode]. That's quite a surface area, and while it's fun to speculate about what a bit flip could do at various interesting points, but I assume for simplicity they all just crash your code. (I wonder how often random bit flips are why restarting software is unreasonably effective at fixing problems - or is it just an epidemic of thoughtless race conditions as I've always assumed?)
Conferences are aware of it too! At least one major conference requires you to either upload your documents at the deadline, or a cryptographic hash of your documents, which can be submitted up to a week later. That way, they mitigate the load from the thundering herd of last minute submissions, and thereby avoid the inevitable excuse that the submission server died or that the internet was too clogged to upload their gargantuan video figure by the deadline.
You weren’t the only one! My email client in high school also had a terrible tendency to “corrupt” words docs. It was a good way to buy a few days extension.
I did a similar thing and handed in a bogus file to buy me some more time to actually finish the assignment … but then I got an A from the teacher, turns out she didn’t look at it at all!
Oh yeah, I used to do that quite a lot. At first, just a docx file of random jumbled characters was enough, as everyone was used to compatibility issues around the Office 2003 -> 2007 migration. After everyone moved on to 2007, corrupting the file and saying "I did it on a Mac" was a common excuse, since everyone knew the Mac version of Office was kind of trash. I figured out a way to get Office to give you the "corrupted file, attempting repair" dialog and have it actually succeed, but then the contents was just random unicode with a couple sentences from Wikipedia in between, so it looked like there was something there, but the auto repair couldn't quite recover it.
Teaching others to do this, even classmates teachers knew I wasn't friends with, meant that there wasn't a pattern for them to see and so they never suspected we were faking it. They just assumed "it's just a thing that happens sometimes".
On the other side of avoiding it, I started college using OpenOffice, which worked fine until one day I got queried from a professor about why I had opted to go with a 5 column layout for the assignment submission when he opened it in MS Office for Mac. The content was all there, so it clearly wasn't a case of "Oops, corrupted, let's resubmit after the date".
The doc in OpenOffice that I had made had the most basic formatting, just headings, a table of contents, paragraphs and the required double line spacing. Certainly no columns of any kind.
After that I switched to PDF submissions for every module where they would be accepted.
Not too much, especially after the first few times. And I had the bad habit (still sort of do) of spending far more time avoiding things that I found boring than it would take to actually do them.
And yes, I did have to do it eventually, but this helped stretch the deadline by a week or so, which is quite nice when you get like 4 assignments dumped on you in the same month (because god forbid the teachers work together and make us an evenly-loaded schedule).
One of my bosses did this to a VP of a telecom company early in my career. Answered several questions in an email and then said “and I’ve attached the graphic.”
Did not actually attach the graphic, knowing that the message wouldn’t be checked until EOD.
Sent the completed version the next morning with a “whoops”.
A few students tried that on me but I just used the strings command to see if there is actually any text inside or just looked at the file size. Game on
Our trick was zipping the file and renaming it to have the original file extension again. You get some plausible deniability this way (which we ended up never needing to invoke)
As someone who has worked long hours to finish difficult homework assignments during my student years, it really annoys me when I get blank submissions corrupted by sites like corruptmyfile.com. Recently, a few colleagues have started grading such files with a zero and will report it to student affairs if the corruption process is extremely obvious.
In the future this will be more difficult: Is this not signed with your private key at exactly 23:59 Feb 5 parhamn? Are you claiming inconsistency of the system? You’re of the hook when you can prove that.
No doubt the kids will find a way, they have practically infinite time.
I know that you're making a joke about rejecting legitimate email from small senders, but if you wanted something to hit spam, sending from a VPS where the SPF wouldn't pass would be a decent way (though it might just get rejected entirely).
For those who don't know, SPF allows one to specify which IP addresses can send mail for a domain. Your VPS likely wouldn't match the range for whatever domain you're trying to send from.
Careful with this, multiple failed SPFs might lead to an abuse report. As others have said I've found even with SPF/DMARC and everything set up correctly it still goes into spam so you don't even do need anything special!
I've read so much conflicting information only whether it's even feasible to run your own mailserver that I had to try it.
Turns out I'm one of the lucky few (or silent majority) that had no problems whatsoever after getting my newly acquired ip off from a few lists. Google recieved my mail first try without even looking into spamlists.
...Maybe it helps that my domain is a relatively expensive one?
I think the challenge is keeping it up for years. And issues like you thinking that the mail is sent, only to learn later that a spam filter ate it somewhere. Now you have to think: what else is being eaten? For how long? What if you do need to send the email right now because of a deadline or similar?
So currently it's not infeasible, just an uphill battle.
I had no issues with Google's mail servers, however, Microsoft's let a few of my mails just vanish. They were accepted with a 200 OK but didn't even go into the spam folder. Granted, I'm using an .xyz domain, but still, I think this is hostile behavior.
Another fun story, I once tried to contact a public authority and my mail was rejected. I then tried to contact the postmaster inbox, same thing. I had to use my gmail account and was initially met with a dismissive reply. Only after asking what the job of the postmaster incorporates if not helping users with delivery issues and whom else to contact I got helped reluctantly.
#1 $$$ 100% Act now Action Additional income Affordable All natural/new Amazed Apply now Avoid Be amazed/your own boss Beneficiary Billing Billion Bonus Boss Buy Call!!!!!! free/now Cancel Cash Casino Certified Cheap Click here Clearance Collect Compare rates Congratulations Credit card/check/offers Cures Deal Dear friend/somebody Debt Discount!!!!!! Direct email Don't delete/hesitate Double your income/cash Earn Extra Expire Fantastic Free!!!!! access/money/gift Freedom Friend Get it now/started/paid Great Guarantee Hello Income Increase sales/traffic Instant Investment Junk Limited Lose Lowest price Luxury Make $/money???? Medicine Money Name!!!!!!! No credit check/experience Now Obligation Offer Only Open Order now Please Presently Problem Promise Purchase Quote Rates Refinance Refund Remove Request Risk-free Sales Satisfaction!!!!!! Save Score Serious Spam Success Supplies Take action Terms Traffic Trial Unlimited Urgent!!!!! Weight While supplies last Win Winner XJSC4JDBQADN1.NSBN32IDNENGTUBE-STANDARD-ANTI-UBE-TEST-EMAILC.34X
I'm disappointed that Bitcoin, crypto, currency or NFT isn't in there. Those are parts of my custom spam filter in addition to whatever Office 365 has by default as they don't always catch all spam and I have no legitimate reason to receive such content.
I think by "invisible message" they mean it's invisible to the receiver because it's in their spam folder. I also thought this was a way to send a normal email to the spam folder, but looks like it is assuming the spam filter removes the email based on content. I wonder if there is a way to use this method with a tracker pixel, so that it gets filtered out because of the content, but the reader can't see it.
Send a multipart email. Include the spam keywords in the text/plain part, and your ordinary message in the text/html part. Almost all email clients these days will ignore the text/plain part, so they'll only see the text/html and there won't be any suspicious 1pt white text. As long as they don't view the raw message, you should be in the clear.
Or even better, use base64 transfer encoding for the spam keywords. Spam filters HATE base64.
Yes, you could do that, but it might be harder. Do you know of domains that are block-listed? If your email has links to malicious websites, they'll aggressively filter them. However, it might just be blocked entirely rather than ending up in SPAM. That's always a risk if you'er trying to hit the SPAM folder - if you make it too bad, they might simply reject it.
Doesn't work, instead of ending in the spam folder it is instantly dropped, by my own mailserver at least:
The response from the remote server was:
550 High scoring spam message has been dropped
Yeah, these are the worst. I couldn't email some company because they contracted google, set the filters to max, and it would filter on SMTP level. There was no way to reach them short of going out to a post office and buying stamps.
also, this is going to make your address reputation plummet, if you enjoy convincing (often in exchange for a 30$+ commission) 100+ different blacklist operators that you're not a spammer please use this tool
I irregularly clean out my spam folder, and it's rare, but I do catch the odd legitimate email in there. But last month I was nearly caught out by a dumb phishing attempt.
There was an ex of mine who would quite regularly send nonsense cutesy videos to a bcc list including my own email. However, one email I spotted in spam had a personal message and a bitly shortcode.
I forgot to check the sender domain, it was something like my-ex@i-phone-asia.pk... I was very very nearly about to click on that link, doubting the spam filter could effectively tell a phishing attempt from a tidal wave of internet forwarded garbage.
I wonder if this random string of words (now present on sites with higher reputation, like HN) will feed into spam training systems, and now it won't be spam.
No, the gtube string (GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL) is a special string made for testing anti spam systems (there is another for antivirus systems). That's the only part of the block of text that is going to work 100%. The rest looks like filler.
Anyway, you cannot (shouldn't) train a system to accept the gtube string).
I hate how there is only 1 type of message. I often want to send something that isn't urgent enough to make their device bleep. Sending to spam could also be a useful marketing tool.
The email filtering topic had me think it would be useful to offer some options if you received mail from multiple potentially bad actors since the last time you logged in. Beyond 4-8 I wouldn't want it in my inbox.
Perhaps some cryptographic contact of contact is also possible.
If something is urgent they should call me. Messages depend on the person. But emails are well within the category of reading whenever I have time, every other day or so. If people's devices beep every time anyone sends them an email, that's their choice.
Which is not to say that a priority indication can't be helpful. Telegram has "send without sound" as an option if you long press the message button, which I use at night with my mom because I know she usually leaves sound on 24/7 (apparently other, "normal" people don't message after midnight!).
Email has this system too but the other way around (priority flag) and I've received about a dozen high-priority emails, mostly while interning at a bigcorp. They could literally all have been deleted unseen. People set the flag when they think you'll otherwise not read it, it's that level of useless.
There's also a low-priority flag that I've seen used maybe once ever. You could start using that if you're worried someone has standard emails set to audio notifications.
Wouldn't having a list of un-whitelisted smtp servers also help... or is the concern that the email would be blackholed and simply never be delivered, exposing your scam?
Don't you also want a fake UTF16 version of their email address that bounces... so that everybody else who looks thinks they were in the CC list?
Corrupted email in the CC list could be the best strategy.
Other people can vouch that everyone was invited, and there is no weird spam text mail left that could get displayed in unexpected ways (if they try to forward it to some other mail for instance)
I pasted this in my Gmail compose message box without entering the Subject. And then when I clicked on the Subject box, it gave me suggestions such as "Credit alert!", "Last chance!" etc.
I received a data breach notice from a local business as required under GDPR and it had failing SPF and DKIM as if it was intended to go straight to spam.
Hard to say if it was intentional or incompetence, but it seemed like a good way to fulfill the requirements of the law without the reputation hit!
I just don’t reply to emails unless I absolutely have no other option. Works the same way, my whole inbox is a spam filter. I very seldom receive email that warrants response anyway.
I have a similar approach. If someone asks me for something twice, I know they meant it. If they ask once, it wasn't that important or they were just being lazy.
This would give you time until the teacher would get to grading (and opening) the file at which point you’d hopefully have finished.
Learning not to procrastinate as much turned out to be the better life skill.