hi guys so i am here begging ccp to remove the esi endpoint to send mail. while it does have some practical use (for example…sending mail to a client automatically when a contract is delivered) more often than not it is not used for that.
so. what is it used for?
well, the most obvious is spam. make a new toon and tell me u don’t get like 5 automated messages inviting you to crap corps.
now sure…that isn’t much more than an inconvenience but let’s dig a little deeper. when an average user auths into an endpoint allowing someone to send mail they often forget a very certain something.
by authing a program to send mail…you let them spend money on your behalf
that is done through CSPA charges. if I didn’t like someone in my alliance, for example, I could just empty their wallet.
so sure, we could just wait for that to happen and remedy the situation OR we could be proactive and do one of two things:
a) remove ability to send mail to CSPA protected characters AND require some sort of user interaction with the character before sending mail over esi (perhaps like accepting a contract); or
b) remove esi endpoint to send mail altogether because it’s useless
now yeah this is probably a controversial opinion but like let’s be honest. who here knew someone could empty your wallet just by granting the send mail esi thing on an auth?
p.s. my wallet was not emptied by means of this but I tested it out and it seems likely that someone could do it lol
anyway thanks for listening to my rant ima go take a dump
That does sound worrisome, but since IIRC CSPA is just sent to NPCs it should be relatively easy to revert and the joker who thought he was clever permabanned for violating the license agreement for third-party developers.
i’d rather not wait for ccp to figure that all out. they should be proactive about it and just remove the functionality to send cspa mail over esi. there is no legitimate need for it tbh.
at the very least they should put a warning at that scope saying that isk can be removed from your wallet with it.
if I was a noob and logged in to see my wallet drained to “cspa” i’d be so confused.
Idk, every time I make a market alt I get one even without chatting.
Try it lol.
Regardless, like I could just imagine CCP trying to revert everyone’s accounts after a spai in test or goons or som just empties everyone’s wallets with this.
So, uh, here is the thing…you came here just to be argumentative. How do I know that? Well, you totally skimmed over the larger picture just to nit-pick my thread for issues you have with it. In the future, if you aren’t being constructive…don’t post.
To answer your concerns though:
You can’t trust anyone in EVE. Directors have disbanded alliances, CEOs have robbed members, etc. Everything has happened. Who is to say that one of your alliance’s IT people doesn’t just get bored of the game and empty everyone’s wallets? At the least…the scope should come with some sort of warning.
They are varied amounts because CCP does admittedly do ban waves. Those waves do make the amount fluctuate but the 6 or so toons I’ve created have all gotten at least two of the same mail within an hour of their creation. Same character, etc. Hell, one of the characters is named like ESIMAILER or something LOL. It is an issue with that kinda spam. Sending mail in mass like that should not be possible. I urge you to find one use case when someone will need to send like 50 mails consecutively over the ESI.
I mean, the whole point of this is automation right. A bad actor can just automate emptying the wallets of everyone in a coalition. The ramifications of that could be horrible even if CCP does eventually intervene (which would take ages as it could be thousands of toons).
For example, let’s say a bad actor empties the wallets of everyone in a coalition…then begins to reinforce a keepstar. How is that coalition supposed to buy ships, etc. while the keepstar is being reffed? It creates a huge issue.
Similar to my response to Geo…try to name one reason why the scope shouldn’t have some sort of warning on it at the very least OR why being able to send CSPA charges over the ESI is even needed.
I hate spam myself, but I’m reluctant to get rid of it without knowing whether or not it is bad for the game. On one hand, joining a corp is correlated with much higher player retention. On the other hand, I suspect some of these guys of being scam corps (i.e. they skim tax revenue while offering little to no value in return).
Oh, and btw, there are players (who send out no spam) who check and send evemails outside of game. So, I’m sure they wouldn’t be happy if the ESI endpoint was straight up removed.
@Mkikaden_Tiragen
Hey, aren’t you a member of SiCo? Do you have any thoughts on the recruitment spam?
The new player invite messages for LinkNet (the current name for the coalition that includes the Silent Company alliance) have certainly been helpful in getting new players to be aware of player corporations as a thing and get them engaged in the wider EVE community. Of course, these mass mails are only issued by specific recruiters and then players are listed as mailed so they don’t get a second message. That’s the right way to do it.
With regard to the original issue raised by the thread: most ESI perms don’t give any warnings. If players don’t know what a perm can do, they shouldn’t grant it. If a corp is demanding mail send access for their line members, that should be a red flag anyway - what corp really needs to send mail on behalf of their members? If it’s about contract completion have a central character that handles ALL of those on behalf of the corp, no individual accesses required.
Granting any ESI access is at-your-own-risk. Players shouldn’t do things they do not understand. If folks get fleeced because they handed over account powers without knowing what they could be used for, they deserve the lesson.
This is a harsh game full of scams and backstabbing. That’s EVE.