1rd

Thanks.

I have posted this elsewhere but you should protect trade offer URLs as well.

AWESOME!! I really like the automated "monitor and react" method of dealing with scanning bots.

To help harden the countermeasure effectiveness, could these be implemented:

• Have seller option "require user Steam login before showing 'resolve' link" (further prevent fresh bots from ever viewing my Steam ID while maintaining SEO for my post contents)
  
• Expand 'resolve' link monitoring to "logged in by Steam" users and block specific users, not just IP addresses

These two measures should help harden the phishing bot countermeasures by:

• Not exposing 'resolves' to fresh collector bots
  
• Prevent proxy server hopping by collector bots even if they are logged in by Steam to beat IP bans
  
• Further increases the complexity of successful collector bot code (disincentive to create smarter bots)
  
• Give sellers more active options to combat phishing

Thanks again for the excellently effective efforts!! ^_^

Joe.

Originally posted by NiceTraderJoe:

AWESOME!! I really like the automated "monitor and react" method of dealing with scanning bots.

To help harden the countermeasure effectiveness, could these be implemented:

• Have seller option "require user Steam login before showing 'resolve' link" (further prevent fresh bots from ever viewing my Steam ID while maintaining SEO for my post contents)
  
• Expand 'resolve' link monitoring to "logged in by Steam" users and block specific users, not just IP addresses

These two measures should help harden the phishing bot countermeasures by:

• Not exposing 'resolves' to fresh collector bots
  
• Prevent proxy server hopping by collector bots even if they are logged in by Steam to beat IP bans
  
• Further increases the complexity of successful collector bot code (disincentive to create smarter bots)
  
• Give sellers more active options to combat phishing

Thanks again for the excellently effective efforts!! ^_^

Joe.

Unlike the others you suggested, these actually may work! But this is up to the admins.

Originally posted by HusKy:

I have posted this elsewhere but you should protect trade offer URLs as well.

People use offer URLs for Backpack.tf price suggestions as proof. I would think that the admins won't do that.

Originally posted by NiceTraderJoe:

AWESOME!! I really like the automated "monitor and react" method of dealing with scanning bots.

To help harden the countermeasure effectiveness, could these be implemented:

• Have seller option "require user Steam login before showing 'resolve' link" (further prevent fresh bots from ever viewing my Steam ID while maintaining SEO for my post contents)
  
• Expand 'resolve' link monitoring to "logged in by Steam" users and block specific users, not just IP addresses

These two measures should help harden the phishing bot countermeasures by:

• Not exposing 'resolves' to fresh collector bots
  
• Prevent proxy server hopping by collector bots even if they are logged in by Steam to beat IP bans
  
• Further increases the complexity of successful collector bot code (disincentive to create smarter bots)
  
• Give sellers more active options to combat phishing

Thanks again for the excellently effective efforts!! ^_^

Joe.

IDs are hidden from all users, it doesn't matter whether they are logged in or not (and it should not matter, phishers do it both ways). Restricting it to logged in users will diminish its effectiveness...

Proxy detection is a totally different beast.

Originally posted by •L•R• MrOmNomNom3:

Originally posted by HusKy:

I have posted this elsewhere but you should protect trade offer URLs as well.

People use offer URLs for Backpack.tf price suggestions as proof. I would think that the admins won't do that.

Trade Offer links have nothing to do with bp.tf

Originally posted by wat:

Proxy detection is a totally different beast.

Yep. I have hinted this on bazaar and the admin told me they already bypassed the resolver by switching proxies.

Originally posted by HusKy:

I have posted this elsewhere but you should protect trade offer URLs as well.

Hm. That's a good idea.

Originally posted by HusKy:

Originally posted by wat:

Proxy detection is a totally different beast.

Yep. I have hinted this on bazaar and the admin told me they already bypassed the resolver by switching proxies.

This was discussed, but it was thought that it would be uneconomical to do this at any real scale.

Originally posted by Zemnmez:

Originally posted by HusKy:

I have posted this elsewhere but you should protect trade offer URLs as well.

Hm. That's a good idea.

Related: https://steamhost.cn/steamcommunity_com/groups/tf2outpost/discussions/0/38596747823331166/#c38596747828890194

Yeah, I know how to convert 32 bit IDs to 64 bit.

Originally posted by wat:

Originally posted by NiceTraderJoe:

AWESOME!! I really like the automated "monitor and react" method of dealing with scanning bots.

To help harden the countermeasure effectiveness, could these be implemented:

• Have seller option "require user Steam login before showing 'resolve' link" (further prevent fresh bots from ever viewing my Steam ID while maintaining SEO for my post contents)
  
• Expand 'resolve' link monitoring to "logged in by Steam" users and block specific users, not just IP addresses

These two measures should help harden the phishing bot countermeasures by:

• Not exposing 'resolves' to fresh collector bots
  
• Prevent proxy server hopping by collector bots even if they are logged in by Steam to beat IP bans
  
• Further increases the complexity of successful collector bot code (disincentive to create smarter bots)
  
• Give sellers more active options to combat phishing

Thanks again for the excellently effective efforts!! ^_^

Joe.

IDs are hidden from all users, it doesn't matter whether they are logged in or not (and it should not matter, phishers do it both ways). Restricting it to logged in users will diminish its effectiveness...

Proxy detection is a totally different beast.

Originally posted by •L•R• MrOmNomNom3:

People use offer URLs for Backpack.tf price suggestions as proof. I would think that the admins won't do that.

Trade Offer links have nothing to do with bp.tf

Ah, sorry. I didn't get much sleep last night. Also, the bots can still view the Profile ID using the User Outpost ID. So I would presume if we lifted the Private Profile rule or have our Outpost ID URL different to our Steam ID URL, the asshole who made these can program the bots to search for us on SteamRep.

So that could work in my opinion. But for a temp solution.
I don't give a shit anyway. They give me a way to let out my frustrations. I pretty much do this:
Bot: hey mate
Bot: blah blah blah
Bot: blah blah blah spam.fakesteampage.banana
Me: (Imagine the most insulting remark you can think of here.)
Me: (Insert sarcastic remark.)
Me: (Allan Please Add Sarcastic Remark.)
Me: I used to be a adventurer like you, but then I took a arrow to the knee. Allan Please Add Funnier Overused.
Me: Allan Please Add Insult.


I could just fuck about with the bots for days. The best part? They don't respond back!
How should I end this? I know! With a list of my current Steam emoticons! Yes, I know that is a pathetic list.

Originally posted by Zemnmez:

Yeah, I know how to convert 32 bit IDs to 64 bit.

These are "partner IDs". I haven't really found and explanation for them anywhere or why is Valve using them. (Probably because Javascript can't handle the "7656..." type properly.)

It's basically a raw account ID, see: https://docs.google.com/drawings/d/1gcRHaISLbJoIswaRcNbaNx7dgD0xTvtUBmr7I1f0xCg/edit?usp=sharing

thank you for this. i was really getting upset wit hthe amount of phshing attempts i was getting on a daily basis ... i would say that i get almost no phishing bot adds anymore (at least not from outpost) .... so thank you.