You know you're on a programming video when the comments are full of "a better way to do this would be to..."

The great thing about this white hat kind of project is there’s always more work to be done. Great for intermediate beginners that like trolling as a force for good

To make it harder for him to sort through the list, you should just random select from the list of top 10k commonly used passwords instead of auto generating them.

Yes, there are better ways to do it. Yes, you should share them here. No, you shouldn't berate Engineer Man for not doing them. He did 90% of the work that cost 10% of the time here. He isn't going to turn his 5 minute video into half an hour just to squeeze out that last 10%. It's a proof of concept, people.

That was a delight to watch. I’m learning Python and I find this so inspiring.

Imagine if you had one of those emails and were wondering how scammers gets your email 😂

Breaking news man in Nigeria with no family or friends dies with millions of dollars of cash he had been trying to give away

Unless you have that thing running all the time (looping), then your requests will all basically be in one giant block with 8 character passwords. It would be easy for him to crop them out. It would be better to kick them out slower with a bigger name base that's more randomized with passwords that are better randomized (including length). And run it constantly.

You should randomize the length of the password, and randomize the domain of the email. As it is, all he has to do is filter out all yahoo domains with a password length of 8, and he would have minimal loss of acquired real passwords.

Great video. :-) Reading through the comments, I'm reminded of the classic joke: Q: How many programmers does it take to change a light bulb? A: 35. One to actually change the bulb and 34 to say after the fact, "I could have done that better."

I have no idea what just happened but I'm glad it did

Maybe a better idea is to try to make passwords seem legit, also adding random names or literally the whole dictionary, cuz not everyone makes their passwords in symbols, but instead words or phrases, so if he just scrolls through the yahoo and passwords lists and find a combination that seems unique, he will know which one is the real one and which one is not.

504 Nigerian Princes disliked the video...

A way to make this more convincing would be to have a 1000 most common passwords json file and a 10 most common email providers json file (or just a list), load those and it will be very convincing. Also, you could make it randomly sleep or get it done in batches as well if he stores a created_at time.

You need to run this as a service across multiple IPs over several days/weeks so he can’t easily delete your responses.

You know this mans legit because he uses incognito mode

I think this is my new favorite channel... My apartment complex made us register times to use facilities during Covid. They released the availability to register for gym/spa/exercise room EXACTLY 7 days in advance, and they all got booked immediately through the UI- it was very competitive. So, I back-engineered the site and wrote a python script to sign up for whatever future gym times I wanted. It never failed. I love to see other quality abuses of python!

I've been learning C for the last two months and I'm so damn happy that I can understand what you're doing. I doubt I could implement it right now, but just understanding it is so cool to me.

he is just going to delete everything from yahoo during that time span

A couple extra ideas: 1) I did similar, but I grabbed tom sawyer off Project Gutenberg and used it for usernames. 2) The user agent can be long, like 2k long. The user agent gets logged. The log is often on tmpfs, Which is smaller than the user space. (It just crashed, Idon't know why. ) 3) randomly generate the domain from the same words so he can't just delete all yahoo addresses. 4) the domain is hosted on godaddy, you should report it to godaddy abuse.

Excellent. Excellent. If I had your skills, I'd do the same to these scammers and con artists. Keep up the good work.

I don't know anything about coding and I don't know anything about python. But I also hate scammers. And I found the speed and clarity of this presentation very satisfying. Especially the part where all the fake emails start popping up to waste this guys time lol 10/10 l33tHax0r ^^

This is the first video I’ve seen of yours and it definitely won’t be the last. Keep up the great work!

As someone new to python and still relatively inexperienced with programming this was a fun video to see work in action and the context made it entertaining to think about. I want to find more videos of contextual coding that are more demonstrative like this and less about "the technicality of the programming process'. It gives me ideas to try!

I love this because it literally only took 5 minutes of your time, and yet it is such a nasty little trick. Bravo sir

Nice regex trick, I'm going to steal that! I would have used a vim macro, but I like the search and replace better.

I work in computer repair and I get numerous people coming in and calling due to scammers. This just brings me all types of joy. Keep up the good work.

cool but he'll just filter the @yahoo.com since they will be sequential. a better way to pwn this cockgoblin would be to randomize the concatenation of the email service, and set a random timer to drip post into his form. so he might get one in 5 minutes, or 2 hours. let it run in the torrent computer since that thing just sits all day, and maybe run a dynamic VPN as well. that would cripple any data collection effort due to the inability to validate submissions

Nice! To make it even better, the e-mail domains could be randomized, passwords could be less random (there are too many special characters in them), maybe some longer then others, and you could space out the rate in which the info is sent.

Next time, run with different emails other than Yahoo as well in order to prevent them from filtering. Ideal solution would be Proxies, run it for at least 24 hours, and the email ending change in order to prevent ANY form of filtering out the results you placed . Because right now if I was that scammer, I’d just remove all emails ending in Yahoo that were sent in within a time frame, or just remove by IP.

You just became my number one creator.

Nice job! Similar story: I was being texted non-stop from some outfit in Miami that said "we buy junk cars!" in English and in Spanish, along with their phone number, which was a disposable Metro PCS mobile number. After repeatedly asking them to take me off of their spam list, they ignored me every time; they hung up on me, never took my name off their list, and kept texting me. So I thought, if they want phone calls, they're gonna get some phone calls. I opened a Twilio account and put $20 on it, then wrote a script that told them what my number was and that I wanted it removed from their spam list. I wrote a simple PHP script to call the Twilio APIs and then put it to work, calling every two minutes for hours on end. I never heard from them again.

Should have thrown in a couple Bobby Tables into the list, just in case he isn't sanitizing his data.

This is amazing content and I’m about to binge all your coding videos. I reallllly appreciate you telling us the logic behind each step. I’m also appalled at the idiots in the comments, please keep making these! I learned more in 5 minutes than an entire semester of CS freshman year 😂

You know, even almost 5 years later I still use this video and what it taught me. Thanks Engineer Man!

I know im gonna need requests I know im gonna need os I know im gonna need random I know im gonna need string I know im gonna need json

This is awesome. Thank you for doing this. I also love seeing inside python as I don't know how to do that but it makes it seem like something that would be cool to learn more about.

The scammer seeing a bunch of emails getting logged in just 2 minutes: interesting

what I thought a python was gonna eat him I didn't understand a single word

This is amazing!!! I dont know how I found this but you have my sub sir. Thank you.

Me: Stumbles on to this video Me: Heads on over to my spam folder Me: Opens the first email that looks like a phishing attempt Me: Let's the fun begin... Thanks for this awesome tutorial. I haven't laughed this hard in a long time.

From the console right click on "copy as curl". After that simply go and convert curl to python request. So you can skip the basic request code part.

Improvement: 1. hide your IP address using tor network to prevent the scammer blacklist out your IP. 2. randomize 'yahoo.com' email with more email providers. 3. deploy to cloud server, randomize the intervals and bomb that service for a couple of days. HAHA.

That's awesome thank you for this. Mechanical engineer here, always wanted to work more on the little coding knowledge I have this has been inspiring and entertaining. Subscribed

Love what you do, thanks from all us non tech savvy people 👍

Scammer see's what's going on and just deletes all the data from Yahoo emails. But yea, the videos are great, keep 'em coming. If you spent a heck of a lot more time making the plan more devastating to the spammer, it would make the videos too long (perhaps unwatchable) and you'd just get fewer comments (bad for the all mighty algorithm). Good job.

"Wow. All these people with random passwords of the same length logged in at the same time from the same place" :P

Would have been cool to add variable lengths in the passwords / emails so that the submissions aren’t so uniform. It would be fairly trivial for him to purge the database of all email/password combinations of a certain length.

Not sure if anyone mentioned, but you could have tried SQL injection, as he might not be escaping it. Could blow up the whole database if you wanted to.

Great Video. Just found it 4 years later. Clearly, it's a timeless one. Thanks.

You learn something every day... Didn't know you could regex replace in a code editor. Awesome!

I missed the part after you said "hello everyone". ha ha ha

Should probably have tested also ';DROP TABLE USERNAMES;

Lol That must pissed him off, and you did that in a matter of minutes! You're good!

That form name and url seems a random code. Are you sure the request is always the same? That may be used as a unique ID. If that's the case your code isn't doing anything, but simply overwriting with a new username and password all the time. I would have verified that those fields and url were always the same. Or, if they changed, also looped that with random shit inside my code. Field names could just be part of a "any" type data structure accepting all sort of shit. This means you can maybe even do more damage.

Some kind of fun. I have only a basic understanding of what you did but I love it when people scam back.

Dude this is savage, way to restore justice in the world 😁🙌🏽

I'm gonna be totally honest here... These videos are the most satisfying thing I've seen in the past 3 years. :)

Thanks for fighting a battle that many of us do not know how to. Scamming takes good money and confidence out of consumers and does significant damage over time as we lose faith in good commerce.

Great video idea. I think a more efficient approach would be to send it over time. Because what he's going to do as a scammer is see everything that came in at a start time and end time notice that he got 10000 or so while phishing. Most likely he will just delete all the data that came in during a certain time frame.

I mean sadly it's gonna be easy for him to just exclude all emails from yahoo with 8 chars of password, but it's a decent idea.

Nice! Maybe randomizing a set of emails (yahoo, gmail, aol) etc would really add to his confusion. I like it!

A great example of data poisoning. Obviously, you could randomize the send interval, the email domain, and proxy-hop to obfuscate the origin of each request. Another technique I've had fun with... submit the Anti Virus test string, lol. This rarely works, but when it does, it's hysterical. They store the collected data as plain text and upload it to cloud storage like Dropbox, google drive etc, where it's flagged as a virus and promptly deleted. It confuses the fuck out of the novice scammer. Looking at the unconvincing password phish, I'd assume either your target had no discernible skill, or they were specifically targeting idiots (which may be the case... you can run a scam for longer if tech-savvy people just ignore you). In a more advanced attack, if you knew anything about their collection methods and how the data was processed after collection, you could do a lot more damage. SQL injection for example. Even seemingly trivial things like using UTF32 characters (especially hybrid glyphs like the Ninja Cat emoji) can really fuck up the collection, and a lot of scammers don't regex those things out, or they do it in the java script on the form page which you can easily bypass. One thing to be aware of.... they may validate email addresses before committing them. They have a mailing list, they bait those specific people and only collect passwords from people who they sent messages to. In many real-world scenarios, this wouldn't work all that well in practice. For that reason a simple DDOS would be of greater utility. This is probably a phish specifically for craigslist accounts for use in spamming. If it were a general cred-sweep targeting email accounts, you could have some fun with that by honey-potting an account and handing it over. A RAT in your Dropbox, maybe some bullshit "classified emails" between US intelligence officers, something that will let you screw with them once they take the bait. I know the point here was to fuck with them quickly, but sometimes it's fun to draw out the engagement.

Cute, but you didn't perform some basic checks. Given that the username and password elements appeared to be named randomly, it is possible they are generated dynamically per each request of the main page (as well as the submission URL). The web server could simply be accepting your requests but not recording them as a result. Also, the email addresses are formulaic enough that they could be easily stripped out. I would have gone for a dictionary and a large pool of domain names.

So glad I stumbled on this video. Awesome video dude.

I've only just come across your channel and I'm amazed at how swiftly you deal with scammers. Have you ever considered teaming up with Jim Browning or, Scambaiter et al? If any of you guys combined you'd destroy scammers globally in a matter of minutes! Great channel. Subscribed!

The whole world uses vs code and it’s auto completion. This legend still uses Atom and rocks. Great video man.

I have 0 experience with this but the way it is presented makes it so understandable.

I just wasted time looking at this video thinking you were going to troll a scammer with Monty Python quotes.

You're amazing. You are doing noble work. Just glad you're on the side of goodness and light.

Initially, I read it as “Showing a Craiglist scammer, and this scanner is a boss using Python”. Nice garden path sentence!

Where is the python ? I thought you were going to release a python to some scammer on the street !?

Wish I was that cleaver to write those programs would love to keep flooding the scammer’s with junk.

This one video is enough to get a glimpse of your skills. You earned a subscriber.

I wish I was as smart as you with computers. Awesome work 👍🏻

I love this. Someone needs to create a meetup where coders get together once a week and hit scammers like this over coffee. Great job!

I don't know why you would thumb down this. Thank you for doing this for those that are powerless against these scammers

Bro the comments dissapeared lol

How apropos that the json file probably included "Jason" somewhere.

I dream of a World where everyone has an app being fed with codes like that, running in background for just a few seconds a day.

I just want you to know that thanks to you and your videos, I finally know what to study. Thank you. I was so lost but just watching you work cleared everything for me.

Some random Luke: "nice! I hate scams too!" Also, some random Luke seeing his email being randomly generated: "well, that explains a lot 🧐👀" Great vid though :)

I have absolutely no clue what he is talking about, but a good deed never goes unnoticed

Well if your IP is logged when you post your form, it will be easy for him to figure out which credential are legit or not 🙄

should use a list of top 1000 passwords instead

I'm a beginner, I know nothing about programmer until several months ago when I started doing CS courses for fun. And man, I'm so happy that I could actually understand about 70% what he was doing in this video. After more courses and finishing more fun programming projects, hopefully, my understanding would've reach 100%. Awesome video and fuck those scammers!

the scammer can add in the php file these: $subj = "Login from".$ip." "; in now he can delete all the fake logins, that came from the same ip address. ;) and he can also prevent you from entering his fake website by blocking your IP using IP deny Manager in cPanel :D The Best way to make a scammer crazy is by reporting his Phishing Page to Google Safe Browsing and spambots. and the phishing page will be down in 24 hour.

not all heroes wear capes lol

I love that your giving it back to those scumbags.

Hey Cool work, You could have also made an array of email domains and randomly assign it to name strings to confuse the scammer more. Coz he may simply filter the @yahoo domain guys now but with randomizing the domain the scammer will be more confused

I love the casual way he uses the scammer's setup against the scammer!

Keep it up. I feel better now you got a scammer. Thank you, John.

I like your vids. They're short and to the point. I don't know any better so I'll trust that you're actually being a headache to scammers. Maybe you'll encourage other with similar skills to do the same and life will become difficult for scammers.

This is f'n awesome.

This might be my favourite video on YT

nice work man... you could have create an array for the email domain and randomly take from there , cause now he has loads of yahoo, easy pattern !! nice video!

What's he doing logged in as root in terminal?

you are a genius... thank you from all of us non tech people who've been scammed in the past!

Why not just use a faker library?

Is no one else going to talk about this guy running his python interpreter as root or not including a shebang at all? No? Just me? Alrighty then...