As for site functionality, I am not sure why anonymous site users need to see my Steam ID. Requiring Steam login (currently not implemented) seems like a reasonable minimum standard to view any Steam ID, be it my Steam ID or someone I wish to trade with. If an anonymous person wants to trade with me, using Steam Trade Offer link seems to be a reasonable method in my opinion.
Going beyond that measure, I cannot think of a reason why a logged in member would need to view my Steam ID until the user is ready to add me as a friend to trade. (Again, if they don't want to friend me to trade, they can use the Steam Trade Offer link.) Requiring a captcha at that point also seems reasonable to me, especially given the current rampant phishing activity. An explanation of the reasons for the captcha would help educate users: "We have implemented this captcha as a response to the wide usage of phishing bot scammers scraping Steam IDs from this site. This is a pilot program to gauge the captcha effectiveness as a phishing countermeasure. We don't like phishers and we hope you support us during this trial period. If you have any questions or would simply like to voice your opinion, please visit our forum linked here." You can then see how well that measure works for 2 weeks or so.
The current site attitude comes across to me as, "We won't try" and that truly makes me sad.
Again you have ignored what I've carefully explained to you. A scraper can disguise themselves as a completely legit user without us being able to determine their intention. There is simply no way of hiding info just from 1 specific kind of user when there's no distinction between them and a real user.
User IDs need to be public for several reasons. On one hand it would give people a free pass to trade with scammers ("oh I couldn't check their Steamrep account, the site doesn't allow me to view user profiles") on the other hand it would be impossible to make any trades without being able to add the other party. Trade offer URLs also contain the user ID so that doesn't solve anything.
This has been explained over and over again, Captchas are a useless counter-measure and will never be implemented. They do nothing but annoy legit users and if anything bots can solve captchas without user intervention. As long as there's profit to be made phishers won't be intimidated by simple captchas.
You are missing the whole point, it's not "we won't try", it's "we don't have a solution". You can try to turn lead into gold but if you don't know how you'll only waste your time doing so.
Being added by multiple phishing bots every time a trade is bumped, that's what.
Here's how I feel:
- I would like to buy a premium subscription, because the added functionality would be worth the money to me. However,
- I hate phishing bots. And,
- For some reason, TF2Outpost trades result in dozens of phishing adds per day.
- Other trading sites do not cause this, (at least for me). Therefore,
- TF2Outpost isn't getting any of my money, whereas at least one other trading site is.
Bottom line: TF2Outpost is a business. The product it provides is declining in quality, and soon will not even be on par with what the competition is providing. (It's already not the best, in my opinion, and in my money's opinion). Excuses, however true they may be, count for nothing. Improve your product.
TF2Outpost is the largest trading website out there, of course the phishers would target it first. That doesn't mean smaller websites don't suffer from the same issue.
Bottom line: it's easy to put the blame on someone else, "it's your site, your fault, you fix it" but so far nobody came here to say "here's what you could do which would work 100%". Constructive criticism is welcome however if you don't have a working solution either then please don't assume that we don't care about our users or that we're happy with the current situation because we're not.
I know this isn't an easy situation, and I know that you (personally) care because you're taking time to answer people's complaints on internet forums. The only thing I'm assuming is that the end product isn't currently something I'll spend money on. I would *like* to, but the phishers ruin the experience.
True, that's not constructive criticism, (I lack the technical expertise to provide a working solution) but I suppose you could say that at least it's honest, profanity-free feedback.
On the curious side, no other trading site I've used has caused phishing adds. I have active trades on multiple sites, but 100% of the phishers add me within 30 seconds of bumping my Outpost trades. So...what's unique to Outpost?
I'll try and explain this as best as I can. Outpost is currently the largest TF2 trading site around, with a large amount of users actively visiting the site every day. For this reason we're the primary target for phishing bots.
The reason that anonymous users are able to see some portions of the website (homepage, backpacks + profiles) is because our Search Engine Optimisation relies on it. If we blocked anybody that isn't logged in from accessing those pages then our SEO would tank and the site would receive less traffic and not even appear on search engines in good results. As you said somewhere else in this thread, Outpost is a business. We need good SEO, so that option is out (and no, before you suggest, we can't selectively block the pages for search engine bots because phishers could impersonate googlebot incredibly easily).
If we were to not display your steamid unless you agree to a trade then that would cause a couple of issues:
- User experience would be slower - people would have to offer on a trade, wait until the other user eventually comes back on the site, accepts the trade. The buyer then has to visit the site again after this and add the trade owner. The trade owner then accepts at some arbitrary time and the trade is performed. Having to wait for users on Steam is slow enough, adding another layer at Outpost would be too much.
- We'd still have to show your avatar and username (partially SEO, partially user experience) which would mean that any bot could perform a quick lookup of the name on steam community and match the avatar url with the one on Outpost. Hey presto, they have your profile.
Valve added a counter-measure a couple months ago that limited the # of requests that could be sent per day. We saw phishing bots decrease 90%+ after that was implemented, but they removed the limit because some users complained that 3 friend requests per 24 hours was too harsh of a limit. If they re-introduced it with a 20 friend limit then I believe the bot issue would become much less significant.
Of course, we're always looking for ways to limit the effects of phishing bots but we haven't yet found a solution which doesn't cause damage to our own website at the same time.
I should point something out to enforce the claim in my last post. I just checked out bazaar and on the homepage each trade has a link to the user's profile in the following form: /profiles/{steamid}. This makes it trivially easy to harvest steamids using a bot by loading the homepage over and over and extracting that string.
Outpost, however, prevents listing your steamid until an actual trade is loaded. This means that bots have to load the homepage, extract all trade links, load each trade individually and extract the steamid. This process is a factor of 20x slower.
The only reason you get more adds from Outpost is because the active userbase per day is so much bigger.
I'm glad to hear that, and I appreciate your work.
1. I am a "legit user" although no real definition has been made about what a "legit user" even is, so I may not be. Where's the line from a non-legit user, to "legit"? What defines that?
2. I would be painfully less annoyed with having to enter a captcha than having 2 phishers add me every time I bump a trade.
And before someone goes and states the opposite, that right there is a cold hard fact; the "legit users" can only express their want for something like a captcha to be implemented so many times before simply getting tired of the admins responding with "The legit users think it's annoying". Look at the FACTS, ladies and gentlemen, it's what we want!
3. The fact that all the big shots are looking for an option that would "work 100% of the time". Quite plainly, that's completely absurd! You cannot seriously say "this one solution won't solve it 100% so we won't even try to use it if it helped 60%" (for example).
It's taken you all this long to realize that "there's nothing we can do because there are no solutions" and it's taken you this long to start blaming people who have nothing to do with the problem, nor who are in any way shape or form responsible for it, for "not coming forward with a 100% foolproof solution", but what have you been doing to try and solve this? Take some responsibility for your actions (or lack thereof).
tl;dr - Something has to be done, regardless of if it will work "100% of the time", and you know it.
I think the people who are trying to find solutions to this issue (I should say, doing the exact opposite because "there are no 100% proof solutions") are at the point where they can no longer wait for a solution to magically present itself out of nowhere that will work 100% of the time, when clearly there is absolutely no obvious sign whatsoever of something like that happening any time soon.