Programming Forums > Script Programming > Python

Sane · Nov 3rd, 2007, 4:26 PM

Hey guys, I'm having trouble making a script of mine automatically register for an account on Gmail.

Don't worry, my intentions aren't evil.

The URL is here: https://www.google.com/accounts/CreateAccount

I just need someone to help me confirm that my header and post data is correct... I've poured over it for hours upon hours, and am unable to find out why it's not working.

Relative Pretext:
- One may successfully register for an account on Gmail with javascript disabled
- One may successfully register for an account on Gmail with cookies disabled
- urllib2 automatically handles HTTPS

What Happens:
- I get the registration form thrown back at me asking me to re-enter the captcha, because I entered it incorrectly.

Problem:
- The captcha entered was the correct captcha's value from the registration form's captcha <img> tag.

Here is the debug information provided by urllib2. This shows the URL that was accessed, the exact raw data that was sent over the socket, and the response headers.

(Toggle Plain Text)

Header Portion of Request
POST /accounts/CreateAccount?service=mail&continue=http%3A%2F%2Fmail.google.com%2Fmail%2Fe-11-109261412b2ba1b86fe6f7540c0a0915-87808d66b2f17471a9e7c89689534c17152e4c60&type=2 HTTP/1.1\r\nHost: www.google.com\r\nAccept-language: en-us\r\nAccept-encoding: *\r\nContent-length: 1400\r\nContent-type: application/x-www-form-urlencoded\r\nConnection: close\r\nAccept: */*\r\nUser-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 1.0.3705; .NET CLR 2.0.50727)\r\n\r\n

Post Data Portion of Request
rmShown=1&IdentityAnswer=6731234&selection=What+was+your+first+phone+number&PersistentCookie=yes&FirstName=Tim&LastName=O%27veily&program_policy_url=http%3A%2F%2Fmail.google.com%2Fmail%2Fhelp%2Fprogram_policies.html&newaccounturl=https%3A%2F%2Fwww.google.com%2Faccounts%2FCaptcha%3Fctoken%3DgmaZxhjXZAoRl1UaJ3ofVf4e9JxsCYqvzfoOD6UCnRT0Yrby8vK0B0PbbN9VlTsV%3AYkbaUYhrKp5gvXrBOucOuw&privacy_policy_url=http%3A%2F%2Fwww.google.com%2Fintl%2Fen%2Fprivacy.html&SecondaryEmail=&checkavail=check+availability%21&Email=tim.oveily&served_tos_location=CA&service=mail&Passwd=blahblahblah&requested_tos_language=en&ownquestion=None&smhhk=1&dsh=6566250601099324917&edk=gmail.com&submitbutton=I+accept.+Create+my+account.&served_tos_language=en&type=2&PasswdAgain=blahblahblah&loc=CA&smhck=1&hl=en&newaccounttoken_audio=AftDX-SM_8UmkQi3lETC-aLodrazoX58d7uy8ReaQbgn6WfV8vQu5rOzt89gzpIk%3A6jqty9WxWkskjI1r57pPhA&change_location=Change&nshk=1&newaccountcaptcha=wudec&default_submit=&p=&newaccounturl_audio=https%3A%2F%2Fwww.google.com%2Faccounts%2FCaptcha%3Fctoken%3DAftDX-SM_8UmkQi3lETC-aLodrazoX58d7uy8ReaQbgn6WfV8vQu5rOzt89gzpIk%3A6jqty9WxWkskjI1r57pPhA&continue=http%3A%2F%2Fmail.google.com%2Fmail%2Fe-11-109261412b2ba1b86fe6f7540c0a0915-87808d66b2f17471a9e7c89689534c17152e4c60&t=null&newaccounttoken=gmaZxhjXZAoRl1UaJ3ofVf4e9JxsCYqvzfoOD6UCnRT0Yrby8vK0B0PbbN9VlTsV%3AYkbaUYhrKp5gvXrBOucOuw&UsernameSelector=None

Reply Header Showing Success
HTTP/1.1 200 OK\r\nheader: Set-Cookie: GoogleAccountsLocale_session=en\r\nheader: Content-Type: text/html; charset=UTF-8\r\nheader: Transfer-Encoding: chunked\r\nheader: Cache-control: private\r\nheader: Date: Sat, 03 Nov 2007 21:03:57 GMT\r\nheader: Server: GFE/1.3\r\nheader: Connection: Close\r\n\r\n

Header Portion of Request
POST /accounts/CreateAccount?service=mail&continue=http%3A%2F%2Fmail.google.com%2Fmail%2Fe-11-109261412b2ba1b86fe6f7540c0a0915-87808d66b2f17471a9e7c89689534c17152e4c60&type=2 HTTP/1.1\r\nHost: www.google.com\r\nAccept-language: en-us\r\nAccept-encoding: *\r\nContent-length: 1400\r\nContent-type: application/x-www-form-urlencoded\r\nConnection: close\r\nAccept: */*\r\nUser-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 1.0.3705; .NET CLR 2.0.50727)\r\n\r\n

Post Data Portion of Request
rmShown=1&IdentityAnswer=6731234&selection=What+was+your+first+phone+number&PersistentCookie=yes&FirstName=Tim&LastName=O%27veily&program_policy_url=http%3A%2F%2Fmail.google.com%2Fmail%2Fhelp%2Fprogram_policies.html&newaccounturl=https%3A%2F%2Fwww.google.com%2Faccounts%2FCaptcha%3Fctoken%3DgmaZxhjXZAoRl1UaJ3ofVf4e9JxsCYqvzfoOD6UCnRT0Yrby8vK0B0PbbN9VlTsV%3AYkbaUYhrKp5gvXrBOucOuw&privacy_policy_url=http%3A%2F%2Fwww.google.com%2Fintl%2Fen%2Fprivacy.html&SecondaryEmail=&checkavail=check+availability%21&Email=tim.oveily&served_tos_location=CA&service=mail&Passwd=blahblahblah&requested_tos_language=en&ownquestion=None&smhhk=1&dsh=6566250601099324917&edk=gmail.com&submitbutton=I+accept.+Create+my+account.&served_tos_language=en&type=2&PasswdAgain=blahblahblah&loc=CA&smhck=1&hl=en&newaccounttoken_audio=AftDX-SM_8UmkQi3lETC-aLodrazoX58d7uy8ReaQbgn6WfV8vQu5rOzt89gzpIk%3A6jqty9WxWkskjI1r57pPhA&change_location=Change&nshk=1&newaccountcaptcha=wudec&default_submit=&p=&newaccounturl_audio=https%3A%2F%2Fwww.google.com%2Faccounts%2FCaptcha%3Fctoken%3DAftDX-SM_8UmkQi3lETC-aLodrazoX58d7uy8ReaQbgn6WfV8vQu5rOzt89gzpIk%3A6jqty9WxWkskjI1r57pPhA&continue=http%3A%2F%2Fmail.google.com%2Fmail%2Fe-11-109261412b2ba1b86fe6f7540c0a0915-87808d66b2f17471a9e7c89689534c17152e4c60&t=null&newaccounttoken=gmaZxhjXZAoRl1UaJ3ofVf4e9JxsCYqvzfoOD6UCnRT0Yrby8vK0B0PbbN9VlTsV%3AYkbaUYhrKp5gvXrBOucOuw&UsernameSelector=None

Reply Header Showing Success
HTTP/1.1 200 OK\r\nheader: Set-Cookie: GoogleAccountsLocale_session=en\r\nheader: Content-Type: text/html; charset=UTF-8\r\nheader: Transfer-Encoding: chunked\r\nheader: Cache-control: private\r\nheader: Date: Sat, 03 Nov 2007 21:03:57 GMT\r\nheader: Server: GFE/1.3\r\nheader: Connection: Close\r\n\r\n

The HTML of the reply:
- It is the registration form again
- It has all of the correct data (IE 'tim.oreily@gmail.com') entered into the fields already
- It is missing the fields for the password and captcha
- It says the captcha was incorrectly entered, and the password should be re-entered.

The contradiction:
- The "newaccounttoken" variable in the POST data is "gmaZxhjXZAoRl1UaJ3ofVf4e9JxsCYqvzfoOD6UCnRT0Yrby8vK0B0PbbN9VlTsV%3AYkbaUYhrKp5gvXrBOucOuw"
- This token represents the URL: https://www.google.com/accounts/Capt...Kp5gvXrBOucOuw
- At the time of registering, this was the URL used by the captcha's <img> tag
- This captcha, after visiting the registration form, was visited and confirmed by me to say "wudec"
- The value "wudec" is consistent with the POST variable "newaccountcaptcha" in my request

Furthermore:
- I know the "newaccountcaptcha" variable was sent intact, because the reply I got contained new HTML that was not there before:

(Toggle Plain Text)

<input type="hidden" name="newaccountcaptcha" value="wudec">

Could someone confirm that I'm sending this data correctly? Double check my logic? Maybe I don't know the HTTP as well as I should for this.

Thanks in advance for your time reading this long post.

Jessehk · Nov 3rd, 2007, 6:03 PM

A kitten dies every time somebody tries to automate a site registration.

Sane · Nov 3rd, 2007, 6:13 PM

Well, gmail is making it very difficult to keep any-o'-those kittens alive then.

grumpy · Nov 3rd, 2007, 10:06 PM

The reason your script isn't working is probably that your script is assuming the server has fixed behaviour but the server is keeping track of state and has some elements of dynamic behaviour, so it recognises that the data you are sending is spoofed or hacked (i.e. it is not actually being typed in by a user) regardless of how you modify your headers.

That is actually the purpose of schemes, such as the one you're trying to bypass. Automated registration is the one of the first goals of spammers.

Sane · Nov 4th, 2007, 7:38 AM

Grumpy, I was thinking that too originally. But figured out that's not the case.

When my script downloads the first registration form, I saved that to a file. I opened that file locally, entered all of the information in manually, clicked submit, and the account was created.

Also, all of the post data I'm sending is parsed dynamically from the registration form. So that aspect of dynamic behaviour has its solution.

The reason I can't just capture that network packet and compare it to my urllib debug information is because that's sent https. Maybe I should look into how to decode an https packet.

titaniumdecoy · Nov 4th, 2007, 2:09 PM

The engineers at Google have done everything possible to prevent automated Gmail registrations. The engineers at Google are very, very smart. It is therefore highly unlikely that you will find a way to successfully automate Gmail registrations.

DaWei · Nov 4th, 2007, 4:30 PM

I don't like this thread. It's very marginal when it comes up against the rules regarding discussions of "hacking". While it isn't concerned with actual hacking, it is an attempt to bypass protections put in place by the target.

I'm not going to issue an infraction, but I'm going to close this thread to further discussion. Feel free to appeal my unilateral decision.

Nov 3rd, 2007, 4:26 PM	#1
Sane Programming Guru Join Date: Apr 2005 Location: Waterloo, Ontario Posts: 1,885 Rep Power: 5	Automatically Registering A Gmail Account Hey guys, I'm having trouble making a script of mine automatically register for an account on Gmail. Don't worry, my intentions aren't evil. The URL is here: https://www.google.com/accounts/CreateAccount I just need someone to help me confirm that my header and post data is correct... I've poured over it for hours upon hours, and am unable to find out why it's not working. Relative Pretext: - One may successfully register for an account on Gmail with javascript disabled - One may successfully register for an account on Gmail with cookies disabled - urllib2 automatically handles HTTPS What Happens: - I get the registration form thrown back at me asking me to re-enter the captcha, because I entered it incorrectly. Problem: - The captcha entered was the correct captcha's value from the registration form's captcha <img> tag. Here is the debug information provided by urllib2. This shows the URL that was accessed, the exact raw data that was sent over the socket, and the response headers. (Toggle Plain Text) Header Portion of Request POST /accounts/CreateAccount?service=mail&continue=http%3A%2F%2Fmail.google.com%2Fmail%2Fe-11-109261412b2ba1b86fe6f7540c0a0915-87808d66b2f17471a9e7c89689534c17152e4c60&type=2 HTTP/1.1\r\nHost: www.google.com\r\nAccept-language: en-us\r\nAccept-encoding: \r\nContent-length: 1400\r\nContent-type: application/x-www-form-urlencoded\r\nConnection: close\r\nAccept: /\r\nUser-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 1.0.3705; .NET CLR 2.0.50727)\r\n\r\n Post Data Portion of Request* rmShown=1&IdentityAnswer=6731234&selection=What+was+your+first+phone+number&PersistentCookie=yes&FirstName=Tim&LastName=O%27veily&program_policy_url=http%3A%2F%2Fmail.google.com%2Fmail%2Fhelp%2Fprogram_policies.html&newaccounturl=https%3A%2F%2Fwww.google.com%2Faccounts%2FCaptcha%3Fctoken%3DgmaZxhjXZAoRl1UaJ3ofVf4e9JxsCYqvzfoOD6UCnRT0Yrby8vK0B0PbbN9VlTsV%3AYkbaUYhrKp5gvXrBOucOuw&privacy_policy_url=http%3A%2F%2Fwww.google.com%2Fintl%2Fen%2Fprivacy.html&SecondaryEmail=&checkavail=check+availability%21&Email=tim.oveily&served_tos_location=CA&service=mail&Passwd=blahblahblah&requested_tos_language=en&ownquestion=None&smhhk=1&dsh=6566250601099324917&edk=gmail.com&submitbutton=I+accept.+Create+my+account.&served_tos_language=en&type=2&PasswdAgain=blahblahblah&loc=CA&smhck=1&hl=en&newaccounttoken_audio=AftDX-SM_8UmkQi3lETC-aLodrazoX58d7uy8ReaQbgn6WfV8vQu5rOzt89gzpIk%3A6jqty9WxWkskjI1r57pPhA&change_location=Change&nshk=1&newaccountcaptcha=wudec&default_submit=&p=&newaccounturl_audio=https%3A%2F%2Fwww.google.com%2Faccounts%2FCaptcha%3Fctoken%3DAftDX-SM_8UmkQi3lETC-aLodrazoX58d7uy8ReaQbgn6WfV8vQu5rOzt89gzpIk%3A6jqty9WxWkskjI1r57pPhA&continue=http%3A%2F%2Fmail.google.com%2Fmail%2Fe-11-109261412b2ba1b86fe6f7540c0a0915-87808d66b2f17471a9e7c89689534c17152e4c60&t=null&newaccounttoken=gmaZxhjXZAoRl1UaJ3ofVf4e9JxsCYqvzfoOD6UCnRT0Yrby8vK0B0PbbN9VlTsV%3AYkbaUYhrKp5gvXrBOucOuw&UsernameSelector=None Reply Header Showing Success HTTP/1.1 200 OK\r\nheader: Set-Cookie: GoogleAccountsLocale_session=en\r\nheader: Content-Type: text/html; charset=UTF-8\r\nheader: Transfer-Encoding: chunked\r\nheader: Cache-control: private\r\nheader: Date: Sat, 03 Nov 2007 21:03:57 GMT\r\nheader: Server: GFE/1.3\r\nheader: Connection: Close\r\n\r\n Header Portion of Request POST /accounts/CreateAccount?service=mail&continue=http%3A%2F%2Fmail.google.com%2Fmail%2Fe-11-109261412b2ba1b86fe6f7540c0a0915-87808d66b2f17471a9e7c89689534c17152e4c60&type=2 HTTP/1.1\r\nHost: www.google.com\r\nAccept-language: en-us\r\nAccept-encoding: \r\nContent-length: 1400\r\nContent-type: application/x-www-form-urlencoded\r\nConnection: close\r\nAccept: /\r\nUser-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 1.0.3705; .NET CLR 2.0.50727)\r\n\r\n Post Data Portion of Request rmShown=1&IdentityAnswer=6731234&selection=What+was+your+first+phone+number&PersistentCookie=yes&FirstName=Tim&LastName=O%27veily&program_policy_url=http%3A%2F%2Fmail.google.com%2Fmail%2Fhelp%2Fprogram_policies.html&newaccounturl=https%3A%2F%2Fwww.google.com%2Faccounts%2FCaptcha%3Fctoken%3DgmaZxhjXZAoRl1UaJ3ofVf4e9JxsCYqvzfoOD6UCnRT0Yrby8vK0B0PbbN9VlTsV%3AYkbaUYhrKp5gvXrBOucOuw&privacy_policy_url=http%3A%2F%2Fwww.google.com%2Fintl%2Fen%2Fprivacy.html&SecondaryEmail=&checkavail=check+availability%21&Email=tim.oveily&served_tos_location=CA&service=mail&Passwd=blahblahblah&requested_tos_language=en&ownquestion=None&smhhk=1&dsh=6566250601099324917&edk=gmail.com&submitbutton=I+accept.+Create+my+account.&served_tos_language=en&type=2&PasswdAgain=blahblahblah&loc=CA&smhck=1&hl=en&newaccounttoken_audio=AftDX-SM_8UmkQi3lETC-aLodrazoX58d7uy8ReaQbgn6WfV8vQu5rOzt89gzpIk%3A6jqty9WxWkskjI1r57pPhA&change_location=Change&nshk=1&newaccountcaptcha=wudec&default_submit=&p=&newaccounturl_audio=https%3A%2F%2Fwww.google.com%2Faccounts%2FCaptcha%3Fctoken%3DAftDX-SM_8UmkQi3lETC-aLodrazoX58d7uy8ReaQbgn6WfV8vQu5rOzt89gzpIk%3A6jqty9WxWkskjI1r57pPhA&continue=http%3A%2F%2Fmail.google.com%2Fmail%2Fe-11-109261412b2ba1b86fe6f7540c0a0915-87808d66b2f17471a9e7c89689534c17152e4c60&t=null&newaccounttoken=gmaZxhjXZAoRl1UaJ3ofVf4e9JxsCYqvzfoOD6UCnRT0Yrby8vK0B0PbbN9VlTsV%3AYkbaUYhrKp5gvXrBOucOuw&UsernameSelector=None Reply Header Showing Success HTTP/1.1 200 OK\r\nheader: Set-Cookie: GoogleAccountsLocale_session=en\r\nheader: Content-Type: text/html; charset=UTF-8\r\nheader: Transfer-Encoding: chunked\r\nheader: Cache-control: private\r\nheader: Date: Sat, 03 Nov 2007 21:03:57 GMT\r\nheader: Server: GFE/1.3\r\nheader: Connection: Close\r\n\r\n The HTML of the reply: - It is the registration form again - It has all of the correct data (IE 'tim.oreily@gmail.com') entered into the fields already - It is missing the fields for the password and captcha - It says the captcha was incorrectly entered, and the password should be re-entered. The contradiction: - The "newaccounttoken" variable in the POST data is "gmaZxhjXZAoRl1UaJ3ofVf4e9JxsCYqvzfoOD6UCnRT0Yrby8vK0B0PbbN9VlTsV%3AYkbaUYhrKp5gvXrBOucOuw" - This token represents the URL: https://www.google.com/accounts/Capt...Kp5gvXrBOucOuw - At the time of registering, this was the URL used by the captcha's <img> tag - This captcha, after visiting the registration form, was visited and confirmed by me to say "wudec" - The value "wudec" is consistent with the POST variable "newaccountcaptcha" in my request Furthermore: - I know the "newaccountcaptcha" variable was sent intact, because the reply I got contained new HTML that was not there before: (Toggle Plain Text) <input type="hidden" name="newaccountcaptcha" value="wudec"> <input type="hidden" name="newaccountcaptcha" value="wudec"> Could someone confirm that I'm sending this data correctly? Double check my logic? Maybe I don't know the HTTP as well as I should for this. Thanks in advance for your time reading this long post. Last edited by Sane; Nov 3rd, 2007 at 4:38 PM.*

Nov 3rd, 2007, 6:03 PM	#2
Jessehk The Oblivious One Join Date: May 2005 Location: Ontario, Canada Posts: 644 Rep Power: 4	Re: Automatically Registering A Gmail Account A kitten dies every time somebody tries to automate a site registration. __________________ Dr. Zoidberg: [ecstatic] I'm going to a movie... with FRIENDS!

Nov 3rd, 2007, 6:13 PM	#3
Sane Programming Guru Join Date: Apr 2005 Location: Waterloo, Ontario Posts: 1,885 Rep Power: 5	Re: Automatically Registering A Gmail Account Well, gmail is making it very difficult to keep any-o'-those kittens alive then.

Nov 3rd, 2007, 10:06 PM	#4
grumpy Programming Guru Join Date: Jun 2005 Location: Adelaide, South Australia Posts: 1,223 Rep Power: 5	Re: Automatically Registering A Gmail Account The reason your script isn't working is probably that your script is assuming the server has fixed behaviour but the server is keeping track of state and has some elements of dynamic behaviour, so it recognises that the data you are sending is spoofed or hacked (i.e. it is not actually being typed in by a user) regardless of how you modify your headers. That is actually the purpose of schemes, such as the one you're trying to bypass. Automated registration is the one of the first goals of spammers.

Nov 4th, 2007, 7:38 AM	#5
Sane Programming Guru Join Date: Apr 2005 Location: Waterloo, Ontario Posts: 1,885 Rep Power: 5	Re: Automatically Registering A Gmail Account Grumpy, I was thinking that too originally. But figured out that's not the case. When my script downloads the first registration form, I saved that to a file. I opened that file locally, entered all of the information in manually, clicked submit, and the account was created. Also, all of the post data I'm sending is parsed dynamically from the registration form. So that aspect of dynamic behaviour has its solution. The reason I can't just capture that network packet and compare it to my urllib debug information is because that's sent https. Maybe I should look into how to decode an https packet.

Nov 4th, 2007, 2:09 PM	#6
titaniumdecoy Expert Programmer Join Date: Nov 2005 Posts: 855 Rep Power: 3	Re: Automatically Registering A Gmail Account The engineers at Google have done everything possible to prevent automated Gmail registrations. The engineers at Google are very, very smart. It is therefore highly unlikely that you will find a way to successfully automate Gmail registrations.

Nov 4th, 2007, 4:30 PM	#7
DaWei Resident Grouch Join Date: Jun 2005 Posts: 6,453 Rep Power: 10	Re: Automatically Registering A Gmail Account I don't like this thread. It's very marginal when it comes up against the rules regarding discussions of "hacking". While it isn't concerned with actual hacking, it is an attempt to bypass protections put in place by the target. I'm not going to issue an infraction, but I'm going to close this thread to further discussion. Feel free to appeal my unilateral decision. __________________ Abstraction doesn't make it impossible to write bad code; it makes it possible to write superior code. Contributor's Corner: Grumpy on C++ Exceptions DaWei on Pointers

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
how i handle a system that automatically become crshed	amitpansuria	C++	9	Sep 5th, 2007 5:36 PM
Limiting guest account	Samuaijack	Coder's Corner Lounge	8	Jan 19th, 2007 5:08 PM
How to create a schedule task using the NT Authority\System account	jerryleo	Visual Basic	1	Jan 10th, 2006 12:39 PM
Is there a way to make a website automatically execute ...	Sane	Coder's Corner Lounge	18	Jul 23rd, 2005 7:07 AM
Gmail Invite Please!	Cipher	Coder's Corner Lounge	1	Mar 10th, 2005 7:36 PM

Programming Forums > Script Programming > Python

Automatically Registering A Gmail Account