It's time to shut down the mailing system.

Started by Zone, Feb 04, 2009, 12:27 PM


Descent

Quote from: Lai on Feb 09, 2009, 07:55 AM
lol @ all who will take down the mailing system because of this topic.

So, since you're all-knowing, you must have a fix you'd like to share?

The bug is easily exploitable. Tested.

Xeighter

You don't even know how the bug can be done, or if it can be done.

Only one server/ person has so far encountered this, not very persuading.

Aurora™

Actually, there've been a lot of reports I've glanced at on the eA forums, and I've also been told about it by a couple of friends from various servers. It's not like this is some bug that just popped up out of nowhere, it's been around for awhile, and has always been a buggy system, as JJJ has already mentioned, hence the reasoning behind a lot of private servers disabling the mailing system.

If it's possible through trading and dropping, it's possible via mailing.

Also, it's only been one server in this post that's mentioned it. x:



Xeighter

Quote from: Aurora™ on Feb 09, 2009, 12:20 PM
Actually, there've been a lot of reports I've glanced at on the eA forums, and I've also been told about it by a couple of friends from various servers. It's not like this is some bug that just popped up out of nowhere, it's been around for awhile, and has always been a buggy system, as JJJ has already mentioned, hence the reasoning behind a lot of private servers disabling the mailing system.

If it's possible through trading and dropping, it's possible via mailing.

Also, it's only been one server in this post that's mentioned it. x:

I just gandered at the past 4-5 pages and I think I only saw one within the bug reports. I may have missed one.
Since no one has found a way for it to be reproduced, it's hardly conclusive.

Aurora™

#19
So, you're saying because they can't figure out how it's happening, it's not really happening, when there've been logs posted about it? Also, I never said one thing about them being in the bug reports. O_o; And, most of what I, personally, have heard about it has come from friends that have done it on various servers, as I've already stated.

If it's happening, it's happening, I don't quite know how people could mistake something like that, especially when they can see it happening in system logs. Also, there have been possible methods posted about it. Again, if it's possible through trade, it's possible through the mailing system, seeing as they're extremely similar systems.



Xeighter

#20
It may or may not be happening, but no one has yet to figure out how they do it, thus I, personally assume nothing is yet conclusive.
Give me some steps of reproduction and the percentage of your reproduction failure rate and then I'll take this a bit more seriously. But that's just me acting how I would at my job.

I'm not discriminating the possibility, by the way, though I can understand how you've misconstrued my words. If it's not in the bug reports, even less action will be taken, obviously (however, you said "reports", please clarify on your words to avoid any misinterpretations). I don't know why anyone would not put it in the bug reports with the minimal of information they have. You can go ahead and claim x and y of things you did not say, I don't really care, I'm speaking on the matter, not solely based on what you said or didn't say.

There may be more than one fashion of reproducing this bug, but has anyone bothered testing them out or actually trying them on their own? Or is this thread lacking details.

Why is a topic made now if this has been a problem for awhile now?

Aurora™

Quote from: Serenity on Feb 04, 2009, 12:35 PM
Duly noted, just disabled the mailing system on my server. This is the fifth or sixth time something like this has been possible in the SVN that I've noticed in the past year or so since its implementation. Blegh.

First off, just quoting this for a first reference. ^

Second, no offense, but "please clarify on your words to avoid any misinterpretations," I just wanted to say, I'm not like some of the people you've attempted to debate with on these forums, and I really don't care much to clarify something I was already blunt about to begin with

Anyways, there's a lot of reasons some people may not have posted about this in the bugs section. There are, as I've already said, a few servers who don't realize it's going on, and some servers who may not care either way to point it out, but, whether or not you really care to base it off of what I say or don't say, you're responding and speaking of what I am saying, which is all I have about the situation at hand at the moment, is what I say, and what I'm told.

Also, yes, if you haven't already seen it in the topic you more than likely saw in the bug reports, there are people who have mentioned ways, and people who have said that they are testing the bugs as it is.

Either way, this isn't about whether or not you believe it's happening just because someone can't present results to your face, not everyone believes in seeing things the way you do, or presenting things the way you do, as you can see from some of the people who have reported the bug on the eA forums. I'm, personally, not going to doubt it when I've had multiple sources tell me otherwise, and a test on my own server sooner or later will probably confirm whether or not it's a real thing for me.

I'm not posting here for a debate, I'm posting here to confirm that it has happened, whether people believe it or not. That's all I really have to say.



Xeighter

#22
Quote from: Aurora™ on Feb 09, 2009, 06:32 PM
Quote from: Serenity on Feb 04, 2009, 12:35 PM
Duly noted, just disabled the mailing system on my server. This is the fifth or sixth time something like this has been possible in the SVN that I've noticed in the past year or so since its implementation. Blegh.

First off, just quoting this for a first reference. ^

Second, no offense, but "please clarify on your words to avoid any misinterpretations," I just wanted to say, I'm not like some of the people you've attempted to debate with on these forums, and I really don't care much to clarify something I was already blunt about to begin with

Anyways, there's a lot of reasons some people may not have posted about this in the bugs section. There are, as I've already said, a few servers who don't realize it's going on, and some servers who may not care either way to point it out, but, whether or not you really care to base it off of what I say or don't say, you're responding and speaking of what I am saying, which is all I have about the situation at hand at the moment, is what I say, and what I'm told.

Also, yes, if you haven't already seen it in the topic you more than likely saw in the bug reports, there are people who have mentioned ways, and people who have said that they are testing the bugs as it is.

Either way, this isn't about whether or not you believe it's happening just because someone can't present results to your face, not everyone believes in seeing things the way you do, or presenting things the way you do, as you can see from some of the people who have reported the bug on the eA forums. I'm, personally, not going to doubt it when I've had multiple sources tell me otherwise, and a test on my own server sooner or later will probably confirm whether or not it's a real thing for me.

I'm not posting here for a debate, I'm posting here to confirm that it has happened, whether people believe it or not. That's all I really have to say.

Now you're making it personal, I apologized if I somehow offended you because I lack the clairvoyance to fully understand the sense you use in each term ("report" is pretty much correlated with the section of "bug reports", so I naturally misassumed). You're hardly blunt, but rather just straight-to-the-point leaving, at many instances, people to misunderstand your choice of words, if I'm going to get some sort of defense mechanism on your part due to innocent misunderstanding, then this is pretty much over (after this post, I will cease to involve myself in this topic, especially if you don't want to converse seriously without adhering any possibility of misunderstanding your bad choice of words).

6 or 7 times out of how many servers? My skepticism remains intact, plus, this is only one witness excluding those who were personally affected. Is this meant to be a persuasive tactic?

Possibilities are possibilities, that's it. Nothing conclusive as clearly stated on numerous occasions, what more can I say without having to sound redundant and repetitive? I've made my point and now you feel personally involved when someone feels the need to push past your first-steps of disagreements.

This is all personal and from my own, my only, personal viewpoint. Was that not clear also or must you state what I just said in the reverse order (i.e "this isn't about whether or not you believe it's happening just because someone can't present results to your face [...]" -> See word: "Personally")

I suppose I am done too, though I won't be surprised if you feel the need to reply (or someone else to take up your invite to continue this discussion with me) as most are compelled to post after I do. Whether you notice or not, you're already within this so-called "debate" you try to so nobly ignore.

Cheers.

Pandora

I'm glad I never enabled @mail in the first place, seemed buggy and I preferred to wait until it was foolproof. I think there is a reasonable doubt leading to believe that this zeny abuse is true, and when you have a reasonable doubt, it's good to look at your options and outcome.

For the sake of arguing, let's look at it from the 4 possibilities (right/wrong removed it/kept it) and their outcome. (stole this "template" here: http://www.youtube.com/watch?v=zORv8wwiadQ)

If it's true that there is a zeny exploit with the @mail system and that it was removed then the right thing was done and the server is happy, positive outcome.

If it's false that there is a zeny exploit and nothing was done to remove it, then it's also a positive outcome, nothing bad happened.

If it's false that there is a zeny exploit and it was removed, people lost access to their @mail for a time, the outcome is negative but it's not too bad because people lived fine before the coming of @mail.

If it's true that there is a zeny exploit and nothing was done to remove it, now that's the really negative outcome because you're left with a WHOLE mess on your hand, zeny to trace, logs to look at, possible zeny wipe for some servers, players are pissed off! If you've ever run a server and checked through weeks of logs you know how tedious it is!

So all in all, taking @mail off seems better, because the outcome is far worse if you just let it be and then end up with massive zeny crisis on your server, compared to just the inconvenience of players not having it for a time.

Cheers all ^_^

Rudolph Zyaber

This is what killed Essence last summer. The mailing system we used was bugged to heck and it's really funny to see people asking for it to be put back in when it's so obviously exploitable.
Bleh

Descent

Quote from: Rudolph Zyaber on Feb 10, 2009, 12:03 PM
This is what killed Essence last summer. The mailing system we used was bugged to heck and it's really funny to see people asking for it to be put back in when it's so obviously exploitable.

And lo and behold, Essence wiped, people.

Is that proof enough that this system is risky...?

Hanyuu

I believe it's still messing up. At a server I recently quit, there's 6 gtb cards even though the droprate is at .10%, and 5 of them are owned by the same guild which had only started 11 days ago, a guild who petitioned for @mail and mailboxes then got it. x_x

I'm sure that there's a way to reproduce the effect, but the ones who are able to do it with a higher success rate aren't going to tell anyone how it's done.

Pandora

This is only speculation however, you should be reporting that to that server's staff so that they can look into it.

Aurora™

I actually wasn't aware it happened to Essence, too, until reading about it on their forums today, and it being confirmed by Rudolph, now.

@Hanyuu: There being multiple of a card that has a low drop rate doesn't necessarily mean there's a duping bug being exploited on the server you play on, though what you're saying about that guild is a little ironic. However, there could be a lot of explanations on how a card like that can be gotten.

I know I certainly won't be enabling the mail system on my server, even if no one is able to find a real way to how it's done (even though Descent has already said he successfully tested it?) I'd rather take necessary precautions than have the possibility of bug exploits happening on my server, as Pandora's already stated.



Tira

#29
I'm assuming this is the same (or extremely similar) issue to the one we had last summer. If so, it's presumably being done in the same way.

mysql> select * from mail where nameid=22205 and amount=2715;
+-------+-----------------+---------+-----------------+---------+-----------------------------------------+------------+------------+--------+------+--------+--------+--------+-----------+----------+-------+-------+-------+-------+
| id | send_name | send_id | dest_name | dest_id | title | message | time | status | zeny | nameid | amount | refine | attribute | identify | card0 | card1 | card2 | card3 |
+-------+-----------------+---------+-----------------+---------+-----------------------------------------+------------+------------+--------+------+--------+--------+--------+-----------+----------+-------+-------+-------+-------+
| 14774 | R h o d s k i e | 1040711 | HELP ME | 1040716 | RE:RE:RE:RE:RE:RE:RE:RE:RE:RE:RE:RE:RE: | dwadwadwad | 1210422769 | 4 | 0 | 22205 | 2715 | 0 | 0 | 1 | 0 | 0 | 0 | 0 |
| 14773 | R h o d s k i e | 1040711 | HELP ME | 1040716 | RE:RE:RE:RE:RE:RE:RE:RE:RE:RE:RE:RE:RE: | dwadwadwad | 1210422769 | 4 | 0 | 22205 | 2715 | 0 | 0 | 1 | 0 | 0 | 0 | 0 |
| 14772 | R h o d s k i e | 1040711 | HELP ME | 1040716 | RE:RE:RE:RE:RE:RE:RE:RE:RE:RE:RE:RE:RE: | dwadwadwad | 1210422769 | 4 | 0 | 22205 | 2715 | 0 | 0 | 1 | 0 | 0 | 0 | 0 |
| 14771 | R h o d s k i e | 1040711 | HELP ME | 1040716 | RE:RE:RE:RE:RE:RE:RE:RE:RE:RE:RE:RE:RE: | dwadwadwad | 1210422766 | 4 | 0 | 22205 | 2715 | 0 | 0 | 1 | 0 | 0 | 0 | 0 |
| 14770 | R h o d s k i e | 1040711 | HELP ME | 1040716 | RE:RE:RE:RE:RE:RE:RE:RE:RE:RE:RE:RE:RE: | dwadwadwad | 1210422764 | 4 | 0 | 22205 | 2715 | 0 | 0 | 1 | 0 | 0 | 0 | 0 |
| 14769 | R h o d s k i e | 1040711 | HELP ME | 1040716 | RE:RE:RE:RE:RE:RE:RE:RE:RE:RE:RE:RE:RE: | dwadwadwad | 1210422761 | 4 | 0 | 22205 | 2715 | 0 | 0 | 1 | 0 | 0 | 0 | 0 |
| 14768 | R h o d s k i e | 1040711 | HELP ME | 1040716 | RE:RE:RE:RE:RE:RE:RE:RE:RE:RE:RE:RE:RE: | dwadwadwad | 1210422761 | 4 | 0 | 22205 | 2715 | 0 | 0 | 1 | 0 | 0 | 0 | 0 |
| 14767 | R h o d s k i e | 1040711 | HELP ME | 1040716 | RE:RE:RE:RE:RE:RE:RE:RE:RE:RE:RE:RE:RE: | dwadwadwad | 1210422761 | 4 | 0 | 22205 | 2715 | 0 | 0 | 1 | 0 | 0 | 0 | 0 |
| 14766 | HELP ME | 1040716 | R h o d s k i e | 1040711 | RE:RE:RE:RE:RE:RE:RE:RE:RE:RE:RE:RE:RE: | dwadwadwad | 1210422757 | 4 | 0 | 22205 | 2715 | 0 | 0 | 1 | 0 | 0 | 0 | 0 |
| 14765 | HELP ME | 1040716 | R h o d s k i e | 1040711 | RE:RE:RE:RE:RE:RE:RE:RE:RE:RE:RE:RE:RE: | dwadwadwad | 1210422754 | 4 | 0 | 22205 | 2715 | 0 | 0 | 1 | 0 | 0 | 0 | 0 |
| 14764 | HELP ME | 1040716 | R h o d s k i e | 1040711 | RE:RE:RE:RE:RE:RE:RE:RE:RE:RE:RE:RE:RE: | dwadwadwad | 1210422754 | 4 | 0 | 22205 | 2715 | 0 | 0 | 1 | 0 | 0 | 0 | 0 |
| 14763 | HELP ME | 1040716 | R h o d s k i e | 1040711 | RE:RE:RE:RE:RE:RE:RE:RE:RE:RE:RE:RE:RE: | dwadwadwad | 1210422754 | 4 | 0 | 22205 | 2715 | 0 | 0 | 1 | 0 | 0 | 0 | 0 |
| 14762 | R h o d s k i e | 1040711 | HELP ME | 1040716 | RE:RE:RE:RE:RE:RE:RE:RE:RE:RE:RE:RE:dwa | dwadwadwad | 1210422749 | 4 | 0 | 22205 | 2715 | 0 | 0 | 1 | 0 | 0 | 0 | 0 |
| 14761 | R h o d s k i e | 1040711 | HELP ME | 1040716 | RE:RE:RE:RE:RE:RE:RE:RE:RE:RE:RE:RE:dwa | dwadwadwad | 1210422746 | 4 | 0 | 22205 | 2715 | 0 | 0 | 1 | 0 | 0 | 0 | 0 |
| 14760 | HELP ME | 1040716 | R h o d s k i e | 1040711 | RE:RE:RE:RE:RE:RE:RE:RE:RE:RE:RE:dwadwa | dwadwadwad | 1210422740 | 4 | 0 | 22205 | 2715 | 0 | 0 | 1 | 0 | 0 | 0 | 0 |
| 14759 | HELP ME | 1040716 | R h o d s k i e | 1040711 | RE:RE:RE:RE:RE:RE:RE:RE:RE:RE:RE:dwadwa | dwadwadwad | 1210422737 | 4 | 0 | 22205 | 2715 | 0 | 0 | 1 | 0 | 0 | 0 | 0 |
| 14758 | R h o d s k i e | 1040711 | HELP ME | 1040716 | RE:RE:RE:RE:RE:RE:RE:RE:RE:RE:dwadwad | dwadwadwad | 1210422733 | 4 | 0 | 22205 | 2715 | 0 | 0 | 1 | 0 | 0 | 0 | 0 |
| 14757 | R h o d s k i e | 1040711 | HELP ME | 1040716 | RE:RE:RE:RE:RE:RE:RE:RE:RE:RE:dwadwad | dwadwadwad | 1210422730 | 4 | 0 | 22205 | 2715 | 0 | 0 | 1 | 0 | 0 | 0 | 0 |
| 14756 | HELP ME | 1040716 | R h o d s k i e | 1040711 | RE:RE:RE:RE:RE:RE:RE:RE:RE:dwadwad | dwadwadwad | 1210422725 | 4 | 0 | 22205 | 2715 | 0 | 0 | 1 | 0 | 0 | 0 | 0 |
| 14755 | HELP ME | 1040716 | R h o d s k i e | 1040711 | RE:RE:RE:RE:RE:RE:RE:RE:RE:dwadwad | dwadwadwad | 1210422722 | 4 | 0 | 22205 | 2715 | 0 | 0 | 1 | 0 | 0 | 0 | 0 |
| 14754 | R h o d s k i e | 1040711 | HELP ME | 1040716 | RE:RE:RE:RE:RE:RE:RE:RE:dwadwad | dwadwadwad | 1210422715 | 4 | 0 | 22205 | 2715 | 0 | 0 | 1 | 0 | 0 | 0 | 0 |
| 14753 | R h o d s k i e | 1040711 | HELP ME | 1040716 | RE:RE:RE:RE:RE:RE:RE:RE:dwadwad | dwadwadwad | 1210422715 | 4 | 0 | 22205 | 2715 | 0 | 0 | 1 | 0 | 0 | 0 | 0 |
| 14752 | HELP ME | 1040716 | R h o d s k i e | 1040711 | RE:RE:RE:RE:RE:RE:RE:dwadwad | dwadwadwad | 1210422708 | 4 | 0 | 22205 | 2715 | 0 | 0 | 1 | 0 | 0 | 0 | 0 |
| 14751 | R h o d s k i e | 1040711 | HELP ME | 1040716 | RE:RE:RE:RE:RE:RE:dwadwad | dwadwadwad | 1210422702 | 4 | 0 | 22205 | 2715 | 0 | 0 | 1 | 0 | 0 | 0 | 0 |
| 14750 | HELP ME | 1040716 | R h o d s k i e | 1040711 | RE:RE:RE:RE:RE:dwadwad | dwadwadwad | 1210422698 | 4 | 0 | 22205 | 2715 | 0 | 0 | 1 | 0 | 0 | 0 | 0 |
| 14749 | R h o d s k i e | 1040711 | HELP ME | 1040716 | RE:RE:RE:RE:dwadwad | dwadwadwad | 1210422690 | 4 | 0 | 22205 | 2715 | 0 | 0 | 1 | 0 | 0 | 0 | 0 |
| 14748 | HELP ME | 1040716 | R h o d s k i e | 1040711 | RE:RE:RE:dwadwad | dwadwadwad | 1210422661 | 4 | 0 | 22205 | 2715 | 0 | 0 | 1 | 0 | 0 | 0 | 0 |
| 14747 | R h o d s k i e | 1040711 | HELP ME | 1040716 | RE:RE:dwadwad | dwadwadwad | 1210422646 | 4 | 0 | 22205 | 2715 | 0 | 0 | 1 | 0 | 0 | 0 | 0 |
| 14746 | HELP ME | 1040716 | R h o d s k i e | 1040711 | RE:dwadwad | dwadwadwad | 1210422637 | 4 | 0 | 22205 | 2715 | 0 | 0 | 1 | 0 | 0 | 0 | 0 |
| 14745 | R h o d s k i e | 1040711 | HELP ME | 1040716 | dwadwad | dwadwadwad | 1210422631 | 4 | 0 | 22205 | 2715 | 0 | 0 | 1 | 0 | 0 | 0 | 0 |
+-------+-----------------+---------+-----------------+---------+-----------------------------------------+------------+------------+--------+------+--------+--------+--------+-----------+----------+-------+-------+-------+-------+
30 rows in set (0.01 sec)


The above is an excerpt from our logs, and how we eventually pinned down the problem. Basically, this could not be done accidentally. It required WPE (or similar) to sniff the packet for the "return item" email, with a trigger created when the packet went out again to send it twice. eA wasn't appropriately set up to catch this (apparently still isn't, unless this is a new bug), and inevitably created a duplicate of the original sent item.

EDIT: Incidentally, this didn't require the @mail command (I never had this implemented at any point). The ability to pick up mail at all, regardless of whether by command or via script, was all that was required.
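
An added example for server staff, not part of Tira's post and not eAthena code: a query that surfaces the pattern visible in the excerpt above, where the same sender attaches the same item stack to several mails without that stack having been mailed back to them in between. It uses the `mail` column names from the excerpt; the 60-second window, the treatment of `nameid = 0` as "no attachment", and rows 20001-20002 are assumptions made for the example, and the check is a heuristic for triage rather than proof of duplication.

```python
import sqlite3

# Subset of the `mail` columns shown in the excerpt above.
SCHEMA = """CREATE TABLE mail (
    id INTEGER PRIMARY KEY, send_id INT, dest_id INT,
    time INT, nameid INT, amount INT)"""

# Rows 14762-14769 are copied from the excerpt (id, send_id, dest_id, time,
# nameid, amount). Rows 20001-20002 are constructed: one benign round trip.
ROWS = [
    (14762, 1040711, 1040716, 1210422749, 22205, 2715),
    (14763, 1040716, 1040711, 1210422754, 22205, 2715),
    (14764, 1040716, 1040711, 1210422754, 22205, 2715),
    (14765, 1040716, 1040711, 1210422754, 22205, 2715),
    (14766, 1040716, 1040711, 1210422757, 22205, 2715),
    (14767, 1040711, 1040716, 1210422761, 22205, 2715),
    (14768, 1040711, 1040716, 1210422761, 22205, 2715),
    (14769, 1040711, 1040716, 1210422761, 22205, 2715),
    (20001, 5000001, 5000002, 1210500000, 501, 10),
    (20002, 5000002, 5000001, 1210500600, 501, 10),
]

# Flag mail m when an earlier mail p from the same sender carried the same
# (nameid, amount) stack within the window, and no mail in between delivered
# that stack back to the sender. A stack that left the inventory once should
# not be attachable a second time unless it came back first.
QUERY = """
SELECT DISTINCT m.id, m.send_id, m.nameid, m.amount
FROM mail m
JOIN mail p
  ON p.send_id = m.send_id AND p.nameid = m.nameid AND p.amount = m.amount
 AND p.id < m.id AND m.time - p.time <= :window
WHERE m.nameid <> 0  -- assumption: 0 means the mail has no item attached
  AND NOT EXISTS (
        SELECT 1 FROM mail r
        WHERE r.dest_id = m.send_id
          AND r.nameid = m.nameid AND r.amount = m.amount
          AND r.id > p.id AND r.id < m.id)
ORDER BY m.id
"""

def build_db(rows=ROWS):
    """Load the sample rows into an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO mail VALUES (?,?,?,?,?,?)", rows)
    return conn

def resent_stacks(conn, window=60):
    """Return (id, send_id, nameid, amount) for mails that re-send a stack."""
    return list(conn.execute(QUERY, {"window": window}))

if __name__ == "__main__":
    for row in resent_stacks(build_db()):
        print(row)
```

Mails 14763 and 14767 are not flagged because each follows a mail that handed the stack to its sender; the flagged ids are the extra sends that follow them. A player who legitimately holds and mails two identical stacks inside the window would also be flagged, so hits need a manual look at the surrounding rows.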