LittleBITS: Issue #1600, Card Testing Attack, Preventing Inadvertent Unsubscribes

Is it really TidBITS#1600 already? The weeks just keep slipping by as we write and edit TidBITS and keep up with all that’s necessary for a modern-day Internet presence.

Celebrating TidBITS#1600

The longer you do something, the more milestones you hit. This issue marks our 1600th publishing of a collection of articles about the Apple world, so I took the opportunity to travel back through some of the twisty little passages we’ve taken in getting here.

1. First came TidBITS#100, where we unveiled our new setext format in “TidBITS in new format” (6 January 1992). Setext later provided some inspiration for John Gruber’s Markdown.
2. Then there was “Two Hundred Issues?” (1 November 1993), where I thanked some of the people who played key roles in the early years of TidBITS.
3. Next, we invited some friends to help brainstorm entries for “300 Reasons the Mac is Great” (23 October 1995). I wonder how many of those reasons are still true?
4. Another two years brought a new site, as explained in “Four Hundred Issues and a Dynamic Web Site” (6 October 1997).
5. For the next milestone, we announced a new home page design in “Five Hundred Issues and a New Home Page” (4 October 1999).
6. In “Six Hundred Issues and New TidBITS Services” (8 October 2001), we rolled out an RSS feed along with an HTML email version of the TidBITS issue.
7. For TidBITS#700, we could only announce our choice of a new content management system in “Seven Hundred Issues, a CMS, and Creative Commons” (6 October 2003) because we weren’t ready to make the switch—publishing on the Internet was getting harder.
8. With no infrastructural changes to announce, “Trends to Watch from 800 Issues of TidBITS” (10 October 2005) reverted to punditry. Happily, it’s not embarrassing to read now.
9. Our 2007 site redesign couldn’t wait for our 900th issue, so Glenn Fleishman and I gave away an ebook version of The Wireless Networking Starter Kit, announced in “900 Issues and a Free Ebook on Wi-Fi” (15 October 2007).
10. For TidBITS#1000, I mused about what sets TidBITS apart from other publications in “1,000 Issues of TidBITS: It’s All about Our Readers” (18 October 2009)

After 1000 issues, we ran out of steam when it came to writing something to commemorate the next notch on the odometer. Just as with birthdays, once you’ve hit a high enough number, the specifics no longer have the power to thrill like they once did. And as with birthdays, it’s probably best not to promise too far into the future—2000 issues of TidBITS would require more than 8 more years of regular publication. That’s not inconceivable, but just as Jim Dalrymple announced today (congratulations, Jim!), retirement is likely at some point in our future.

Dealing with a Card Testing Attack

It was a Sunday, and I was sitting in a comfortable chair with Polly the MacBook Air in my lap and the cat at my side (she’s a right-hand cat, so I sometimes have to resist the temptation to use her head as a pointing device). A notification appeared, telling me that someone had created a TidBITS account in WordPress and signed up for a membership. Such notifications aren’t unusual, but what was strange was when another one appeared, and then another, and another. Curious, I loaded the Users page on our site and realized that a bot was creating accounts with random Gmail addresses, all of which were TidBITS members with $2 monthly subscriptions.

It was clearly not a good thing to have bogus TidBITS memberships created at the rate of about one every 10 seconds. By the time I figured out what was happening and stopped the attack by turning off the Custom Monthly Amount option on our membership page, 70 accounts had been created. I then texted our developer, who enabled Cloudflare’s Bot Fight Mode as well. I had some errands to run, and when I returned a few hours later and enabled Custom Monthly Amount as a test, the attacking bot created a new account within 15 seconds. I shut it off again.

The next day, I contacted Stripe support to see what to do about all the $2 subscriptions. They were all on legitimate credit cards, though many of the accounts used the same card number. Stripe told me that this was likely what’s called “card testing,” a process designed to identify which stolen credit card numbers are still active. I refunded all 71 of the fraudulent charges, and Stripe asked for a report of the refunds; although they aren’t promising anything, I think they may refund me the $25.84 in transaction fees that I would otherwise pay.

After my developer added a reCAPTCHA (which theoretically prevents bots from submitting forms) to the TidBITS membership signup page, I again turned on the Custom Monthly Amount option. No further accounts were created, so I’m hoping the reCAPTCHA does the job.

There’s no great moral to the story here, apart from noting that the Internet has become a place where constant vigilance is necessary for those who try to roll their own services.

Preventing Future Inadvertent Unsubscribes

Finally, I want to close the loop on another recent event that I shared in “LittleBITS: Unsubscribe Bug Reversed and Virtualizing Monterey on an Old Mac” (14 February 2022). We discovered that 201 people had inexplicably been unsubscribed from TidBITS on 6 December 2021, right after that day’s issue went out in email. In TidBITS Talk, Eng Aun Cheng gave me the clue I needed, and correspondence with the developer of the Sendy app that we use for email distribution both confirmed it and provided the solution.

As part of best practices for bulk email, Sendy includes a List-Unsubscribe header in every email it sends. That header contains a unique unsubscribe link for each recipient, and many email clients use it to display a user-friendly Unsubscribe link or button in the message. So far, so good.

The problem comes when an email provider examines all the links in incoming email messages to identify and block phishing attempts. Although there’s no telling what was special about that particular issue, it seems likely that some widely used filter triggered the List-Unsubscribe link for those people. Instant unsubscribe, without alerting anyone.

The solution was a Sendy setting I wasn’t previously familiar with: Double Opt-Out for unsubscribes. With that option set, clicking the List-Unsubscribe link loads a page with a confirmation link that the user must click as well. That’s now in place, which should prevent these inadvertent unsubscribes in the future.

Although the List-Unsubscribe link works, we recommend that you use your profile management page on our site if you want to manage your TidBITS subscriptions. The List-Unsubscribe approach doesn’t communicate back to WordPress, so you’d need to ask us for help to resubscribe in the future.