got an email from "amazon.com" today with a hyperlink that looked like this:
<a href="http://secure.amazon.com.amazonsaccess.com/signin.php?exec/obidos/flex-sign-in/ref=gw_hp_si/103-3177084-7567864?opt=a&page=recs/sign-in-secure.html&response=tg/recs/recs-post-login-dispatch/-/recs/pd_rw_gw_ur/ref=xxx_x/x-x&ref=xxx&emaddr=xxx@xxx.xxx.edu">https://www.amazon.com/exec/obidos/flex-sign-in/ref=pd_irl_gw_r/103-3177084-7567864?opt=oa&page=recs/sign-in-secure.html</a>
9/10/2005 2:49:52 PM
and then you scroll down to the bottom and you see that they....fucked up. but i could see how an average schmoe would get sucked in to that trap. [Edited on September 10, 2005 at 3:26 PM. Reason : better yet, you click on any other link and see that they....fucked up.]
9/10/2005 3:21:22 PM
the best thing to do is set up a script to bomb the CGI with fake username/password combos to pollute their DB
9/10/2005 4:22:46 PM
meh, I entered a real email address (one of my spam accounts) and a fake password and it returned an error. it's possible it only accepts passwords for accounts with email addresses matching the list of spam recipients. either that or it just spits out an error as a default response.
9/10/2005 4:47:37 PM
there are a lot of very subtle mistakes like 31 not 32 and the beginning (c) date is off by a year and the fonts are slightly smaller etc...
9/12/2005 5:01:13 PM
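Added example, not part of the original thread: a mail-filter style check for the trick in the first post's link, where the visible text shows one host and the href points at another. The function names, reason labels and the two-label `registrable` rule are assumptions of this sketch; the first sample link is shortened from the post and the second is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# First link shortened from the first post; second link is constructed.
SAMPLE = (
    '<a href="http://secure.amazon.com.amazonsaccess.com/signin.php">'
    'https://www.amazon.com/exec/obidos/flex-sign-in/</a>'
    '<a href="https://www.example.org/help">www.example.org/help</a>'
)

def registrable(host):
    # Assumption: naive "last two labels"; real code needs the Public Suffix List.
    return ".".join(host.rstrip(".").split(".")[-2:])

class AnchorCollector(HTMLParser):
    # Collects (href, visible text) for every <a> element.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def audit(html):
    """Return findings for links whose visible text is a URL that disagrees with href."""
    collector = AnchorCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for href, text in collector.links:
        shown = urlsplit(text if "://" in text else "//" + text)
        target = urlsplit(href)
        if any(c.isspace() for c in text) or not (
                shown.hostname and target.hostname and "." in shown.hostname):
            continue  # visible text is a phrase, not a URL, so nothing to compare
        reasons = []
        if registrable(shown.hostname) != registrable(target.hostname):
            reasons.append("domain-mismatch")
            # The shown domain reused as leading labels of an unrelated domain.
            if "." + registrable(shown.hostname) + "." in "." + target.hostname:
                reasons.append("brand-as-subdomain")
        if shown.scheme == "https" and target.scheme == "http":
            reasons.append("scheme-downgrade")
        if reasons:
            findings.append({"href": href, "shown": text, "reasons": reasons})
    return findings
```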