This post is for educational purposes only. If you succeed in getting NUS banned from future Dropbox space races, you will singlehandedly incur the wrath of all current and future NUS students. Honestly, I couldn't care less.
In 2012, students from MIT hacked dropbox space race by mass creating mailing lists and signing these emails up with Dropbox to inflate the number of MIT email addresses. MIT was subsequently banned from participating in the 2015 space race. A detailed account of how they managed to pull it off can be found here.
All the steps in the blog post can be replicated except for one. As far as I know, NUS does not allow students to create mailing lists. So how can we generate unique NUS email addresses in bulk? The answer to that is the NUS FriendlyMail service.
There is no limit on the number of times you can change your email address and the change is also effected almost immediately. The short dropdown menu allows you to select either "_" or "." while the last input box allows you to select numbers from 01 to 99. Thus, every user can potentially generate a lower bound of ((6 * 2) * (4 + 3 + 2 + 1) * 100) =~ 12,000 unique email addresses, which is plenty for our purposes.
Automating the process is also trivial, authentication is done through basic auth. You will need to echo back a number of session IDs and handle errors such as email address already in use. Python should make short work of it.
1 2 3
GET /pea/applypea/pea.asp HTTP/1.1 Host: exchange.nus.edu.sg Authorization: Basic redactedforprivacy
Response (after a few 301s and 302s):
1 2 3 4 5 6
HTTP/1.1 200 OK Set-Cookie: ASPSESSIONIDQARHCSAT=redactedforprivacy; secure; path=/ Cookie: __RequestVerificationToken=redactedforprivacy; ASPSESSIONIDQARHCSAT=redactedforprivacy; ASP.NET_SessionId=redactedforprivacy; ASPSESSIONIDQERCBRAS=redactedforprivacy
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
GET /fea/ HTTP/1.1 Host: exchange.nus.edu.sg Authorization: Basic redactedforprivacy Cookie: __RequestVerificationToken=redactedforprivacy; ASPSESSIONIDQARHCSAT=redactedforprivacy; ASP.NET_SessionId=redactedforprivacy; ASPSESSIONIDQERCBRAS=redactedforprivacy Name1: generate Seperator1: your Name2: email Seperator2: address Name3: and Seperator3: paste Name4: the Seperator4: stuff Number: here
HTTP/1.1 200 OK
At the end of it, you will receive an email confirming the successful change. Don't bother intercepting the GET request and trying to change the field to email@example.com or something similar, input validation is done on the server side.