22 Comments
Comment deleted
Jul 26, 2023
Ignasz Semmelweisz

I don't have a phone.

Jon Smith

Ok, but do you have a bucket?

Ignasz Semmelweisz

Nope. I accidentally let go of it when I was emptying the piss out of the window and now the zombies have it.

Jon Smith

I have three buckets, I’m happy to send you one. HMU: accountpayables@prog-survey.jp

Please refer to: Bucket Replacement Program: Zombie Crime Wave Department

-ZA9823165OT9960 Ref#32108

Ignasz Semmelweisz

Great. If I just post my payment info here with a pic of my card etc. I can trust you to take care of the transaction for me, right?

Maybe you can send me a link to click where I can get a fancy PDF with executable code for my hi tech receipt.

If you've got any spare punches in the face that I can activate when standing in front of a mirror while singing "you've lost that loving feeling", I'd be happy to buy a dozen of those as well. And a mirror.

And I'm in the market for a bridge, if you know of any going spare.

Jon Smith

Dude, I got you! Gonna just drone it all to you since you’re not very good at email. Be on the lookout for a mirrored bucket of face punches from the highest point you can climb to on the closest bridge to you which is now yours.

Ignasz Semmelweisz

Bro, we need to talk. I been on this mo'f-er of a bridge all day. Ain't no sign of a drone with my shiny bucket. The ambulance and cops just ignoring me telling them to "get off my property". I wanna refund!

Ian Anderson

Good tip. Thank you. One can only wonder at substack's lack of interest?? Being a domain name owner with IP, I would act like you suggest. Maybe substack is part of the "Cabal DS"?

Ignasz Semmelweisz

Occam's razor. If you look at substack at the simplest level of its business model, its sole interest is in flooring costs and transferring all content risk to its userbase. In this way, it gets labour and content for free and only has to generate enough revenue to cover this minimised operational costbase. This is evident from the total lack of any quality control or support aspects on the platform. I explain this in this article:

https://veryslowthinking.substack.com/p/substacks-place-in-the-fourth-industrial

Therefore, substack has zero interest in providing anything but minimal "support". I have tested this twice now and the outcome has proven me correct both times. The first was a request to deal with plagiarism on this platform. substack didn't give a shit. "But he's acknowledged with a credit now" was the end of a matter around the wholesale plagiarism of a VST article, which VST had forced the thief to credit. The thief also was asking for money off the back of that plagiarism. substack did nothing at all. Now this total disinterest in phishing.

People write here because, but give it enough time and you'll see it revealed as nothing but the same old, same old. It's just a case of picking away at the paint to find a rotten core.

VJ

I've had the same issue with virtually non-existent support. There are long-standing bugs that don't get fixed.

THRitchie

Wow, this isn't a great way to run a platform or any business. They're cutting their own throats if they end up not caring about their clients. I guess we take our business elsewhere or create one.

Frank Ch. Eigler

What were you expecting them to be able to do? These messages never even touched substack's computers. Perchance they could add an SPF DNS record, to make it more likely for YOUR spam detector to reject the incoming message. But beyond that, there's basically nothing they can do.

Ignasz Semmelweisz

Wow. Another person who has utterly failed to read my request. I believe substack should have messaged its user base and warned them that hackers have begun a brand impersonation email phishing hack, so that as few as possible would fall for it.

That's got nothing to do with any internal or external technical actions.

So why you or anyone else thinks it appropriate to patronize on the grounds of things that VST never asked for and fully understood to be out of scope says a lot about your failure to understand VST's request of substack:

"To protect your users please publicise this attack as per the details below."

"The point of my email to you was to request that you tell all of your users and writers that such attacks are being made and that they should be aware of the format... There are plenty of people who will fall for this. You could reduce that number by communicating to your users."

Frank Ch. Eigler

Plenty of people are annoyed by or ignore such warning mail. They accomplish little, because there is no single template for spammers/scammers messages. Surely you don't expect them to broadcast news of each time some bozo impersonates them in email.

Ignasz Semmelweisz

So why do decent corporate security protocols and teams periodically remind user cases of general and specific phishing attempts? Because people are easily duped, lose vigilance and actually are ignorant and dumb in some cases. Alerting the platform to this phishing attack then asking them to warn other users is normal internal corporate behavior that does help reduce the success of phishing by pre-alerting and reminding people who are vulnerable.

Phishing works, which means plenty of people keep falling for it.

If you, like substack, think "fuck everyone else, you're all on your own," so be it. VST isn't like you.

Frank Ch. Eigler

> So why do decent corporate security protocols and teams periodically remind user cases of general and specific phishing attempts?

No downside to treating employees as idiots?

Unfortunately, impersonated emails are a fact of life on the internet, and have been for almost three decades.

There are some technical anti-impersonation means (SPF, DKIM, DMARC) which substack could/should be using, but those don't require broadcasting warning emails either.

Ignasz Semmelweisz

The sex offenders' register pretty much undermines your point, as a parallel example.

To wit:

"There's always been sex offenders around. Everyone should know by now and be fully on the alert and know who they are and how to spot them in a crowd of strangers. If they don't, tough shit."

"Would a sex offenders register help? So people could check their area or get alerts? That way their knowledge base would improve, and their behavior and concerns could be managed and moderated via access to that information."

"Nah. Don't create a sex offenders register. At all. It's useless and its existence will annoy a few people."

Frank Ch. Eigler

Remind me when entire cities get email from the police when someone gets added to that list.

Christine

Steve Kirsch who owns this substack and runs it with the help of his lieutenants Kevin (the thick one) and Wayne (the clever one) does not give a shit - he is all about making money off it - at the beginning he said he wanted 250,000 memberships - bearing in mind that this substack is like a multi layered cake and covers all industries - type in substack menu or something like that to see how big it is - previously Steve was charging $100 a year membership, do the math, now he has cut it back to $50 year, perhaps times are hard and memberships have to be trimmed accordingly - but it is a yearly expenditure, so Steve profits financially - Steve had 75k members on Facebook before Facebook canned him 75,000 @ $100 each - 7.5 million a year income - that hurt him and he told me so,

Steve is now pushing how he recovered from Diabetes Type 2 and offering to tell you how to do that, if you pay to join his substack - Steve is 66, I am 76 and I've had Diabetes Type 2 longer than he has and if you want to know how to control it, I'll tell you for free, just ask me.

Someone once ran a check to see if Steve owns this substack publicly - Get real, Steve is a multi millionaire from a rich Jewish family, if they don't know how to hide their assets from your Tax Man, then who does?

VJ

Just recently I got a reminder from Amazon to be aware of phishing emails and similarly from my banks. It's a stark contrast in business approach.

Also in dealing with these emails, I've had good luck ignoring all emails in the headers and looking at the originating or source sending IP, doing a whois lookup and reporting the raw email to the abuse address provided. Sometimes though the hosting provider of the sending IP isn't the mail provider and when it's separate, the mail provider will almost always include extra custom headers with their own contacts or info. E.g. Mailgun uses other hosters but will have X-Mailgun... etc headers.

For phishing urls I do nslookup on the domain name to get the IP, then whois on the IP for the hoster and report it to them.

For me at least, the effort in doing both of these for serious scam and phishing emails has been fruitful. I don't bother on the regular spammy marketing emails though.
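
The header triage described in the comment above, together with the SPF/DKIM/DMARC results mentioned earlier in the thread, as an added example that is not part of any commenter's post. It only parses a saved raw message offline; the whois and nslookup steps are left to the reader. All hostnames, addresses and header values in `SAMPLE` are constructed, and `ESP_PREFIXES` is an assumed, extendable list.

```python
import email, ipaddress, re
from email import policy, utils
from urllib.parse import urlsplit
# Internal ranges to skip. ipaddress.is_private is avoided because it also flags
# the RFC 5737 documentation addresses used in the constructed sample below.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
ESP_PREFIXES = ("x-mailgun",)  # assumption: extend with other providers' prefixes

def first_external_ip(received_headers):
    # Headers are prepended, so top-down the first external IP was logged by your own provider.
    for hop in received_headers:
        for text in re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", str(hop)):
            try:
                ip = ipaddress.ip_address(text)
            except ValueError:
                continue
            if not any(ip in net for net in INTERNAL):
                return str(ip)
    return None

def triage(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    hosts = {urlsplit(u).hostname for u in re.findall(r"https?://[^\s\"'<>]+", text)}
    domain = lambda h: utils.parseaddr(str(msg.get(h, "")))[1].rpartition("@")[2].lower()
    return {
        "source_ip": first_external_ip(msg.get_all("Received", [])),  # whois this
        "from_domain": domain("From"),             # display value, sender-chosen
        "envelope_domain": domain("Return-Path"),
        "auth": dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)",
                                str(msg.get("Authentication-Results", "")))),
        "esp_headers": [k for k in msg.keys() if k.lower().startswith(ESP_PREFIXES)],
        "url_hosts": sorted(h for h in hosts if h),  # nslookup, then whois the IP
    }

# Constructed sample message: every name, address and value here is made up.
SAMPLE = """\
Received: from mail.internal.example ([10.0.0.5]) by mx.recipient.example; Wed, 26 Jul 2023 10:00:02 +0000
Received: from sender.bulkhost.example ([203.0.113.45]) by mail.internal.example; Wed, 26 Jul 2023 10:00:01 +0000
Received: from forged.platform.example ([198.51.100.7]) by sender.bulkhost.example; Wed, 26 Jul 2023 10:00:00 +0000
Authentication-Results: mx.recipient.example; spf=fail smtp.mailfrom=bulkhost.example; dkim=none; dmarc=fail header.from=platform.example
Return-Path: <bounce@bulkhost.example>
From: Platform Billing <no-reply@platform.example>
X-Mailgun-Sid: CONSTRUCTED-SAMPLE-VALUE

Update your card at http://login.phish.example/verify today.
"""
```

`triage(SAMPLE)` reports the address your own provider saw connect, not the lower `Received` line the sender could have written, and shows the `From` domain differing from the envelope domain alongside the failed SPF and DMARC results.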

Ignasz Semmelweisz

Thanks for the engagement and sharing useful info on the matter raised. Shame you don't work for substack, and that they don't share your attitude towards sharing information that helps people avoid phishing attacks that can lead to serious fallout e.g. identity theft.
