STEAM GROUP
TF2 Outpost by Fanbyte
Membership by invitation only
Founded
7 August, 2011
Language
English
This topic has been locked
Phishing links
OK, so I think we have all had our fair share of phishing links starting to pop up on Outpost. Upon investigation of the 7 or so I have reported in the past 2 weeks, they look like active user accounts and not dormant accounts, so that leads me to believe one of the following.

A: The phishing links are spreading like a virus, and people are clicking on them and getting hacked, which are then turned into bots that repost the phishing links on the website through some automatic scripting.

B: Someone found a backdoor into Sneeza's website and is doing SQL injection attacks on the database under different users, bypassing the need to hack the accounts that post the links, and just adds a message to trades in the database for that user so it looks like they posted it when in fact they didn't.

C: The users are idiots and just post it to get banned on Outpost or something like that.

D: They were dormant accounts that were sitting around for a while and they got reactivated for botting purposes by a hacker who maybe did hack Steam or bought the accounts or brute-forced the accounts etc.

or

E: All of the above

The easy solution for Sneeza is to add a server-side script that checks posts before they get posted against a blacklist of words/URLs etc., and Sneeza sets a ban trigger on these URLs for anyone who posts them in a comment or trade notes, so the links never actually get seen by users, it's self-managed, and no one gets phished out of the pond of Outpost users. He can even make the list available to mods of the site so they can add links to the blacklist themselves.

PS. On a side note too, maybe swears can trigger temp bans for users so a user will think before he posts something crude to another user.

Thoughts, suggestions, comments?
Showing 1-15 of 64 comments
His Wardship 27 Jan, 2013 @ 1:53pm 
It's A, I believe

A large amount of phishing bots will have similar IPs to other phishing bots. People get their accounts hijacked and then are used to spread the links. (After all tradable items are stolen of course.)

[EMP]Shocktrooper 27 Jan, 2013 @ 2:03pm 
Easy fix then: just have Sneeza program a trigger for the chats with a little regex, then voila, problem solved.
His Wardship 27 Jan, 2013 @ 2:07pm 
Well this is where you hit a brick wall. It isn't a phishing site, it's multiple, with new ones always being created. If a blacklist/censor was implemented, by the time Sneeza updated it with new sites, people would already be victims of it.
A whitelist I would think would be out of the question, simply for its confining nature. (Also, people would use the same methods as on YT to bypass censors.)

Either way, Sneeza's got the final say, as always.
[EMP]Shocktrooper 27 Jan, 2013 @ 2:45pm 
Hmmm, well, that's where regex comes in though: he can search for specific parts of URLs and then automatically blacklist them if, say, they all start with www and end with .tk. So it would be as simple as if regex.match("Some text") to (www.*{free}.tk) then flag for analysis for moderators. You can have a partial whitelist for websites that are legit but match the criteria and will not be flagged. So it's not exact matching like this: if website freegifts.com == freegifts.com then ban
Then if it changes, something like this will slip past: if freegifts2.com == freegifts.com then ban
That would slip past, but not with regex, 'cause the new site will meet the screening criteria and trigger a flag on that post because of the wildcard " * ".

Am I making sense to you or is this over your head?
Last edited by [EMP]Shocktrooper; 27 Jan, 2013 @ 2:45pm
His Wardship 27 Jan, 2013 @ 2:50pm 
Makes perfect sense, I'm not an idiot.

Phishers will go to large lengths to get links through, but people sometimes click on them because they actually believe them. So they will go to the lengths of removing spaces, changing characters etc.

But I agree, a censor/blacklist of some form would be advantageous, but I really have no real say in the matter.
[EMP]Shocktrooper 27 Jan, 2013 @ 2:56pm 
Well, I didn't know if I was going over your head with regex, but that's the beauty of regex: you can tailor it to whatever you need. Like how all the phishing sites got a .tk extension, you can just flag that. It could be fr33St3amgifts.tk for all that matters, but the .tk is flagged so it sets off a trigger. Now the best thing to do is probably set a trigger on all the free website extensions like .co.cc and .tk, which are free domains, and if he starts going to .com and paid domains then he is spending money, which I don't think he would want to do 'cause it will become quite costly.
Last edited by [EMP]Shocktrooper; 27 Jan, 2013 @ 3:07pm
Uranium235 27 Jan, 2013 @ 3:36pm 
It's not the regexp that is the problem in your suggestion. Your system would need a lot of changes to the existing report system to function properly and without more work for admins and mods than they already have.

However clever you are designing your regexp, there will always be false positives and misses. Phishers will very quickly find a way around them. You'd also have to trigger on every URL shortener service there is.

Only feasible way I see would be to use a white list for URLs. But that would restrict linking too much. Who's then to say (and take the time to evaluate) what sites are allowed to link.

Edit: Also, you need to steal less than a bill's hat to cover the costs of setting up a .com domain.
Last edited by Uranium235; 27 Jan, 2013 @ 3:39pm
norby89 27 Jan, 2013 @ 3:58pm 
Originally posted by Uranium235:
It's not the regexp that is the problem in your suggestion. Your system would need a lot of changes to the existing report system to function properly and without more work for admins and mods than they already have.
It only needs a filter that is run before someone posts a message. No changes need to be done to the report system. If new phishers and/or new ways of phishing are reported, all moderators have to do is pass the info onto Sneeza so he can update the blacklist with a new regexp formula. It wouldn't take more than a couple of mins.
Originally posted by Uranium235:
However clever you are designing your regexp, there will always be false positives and misses. Phishers will very quickly find a way around them. You'd also have to trigger on every URL shortener service there is.
False positives no. New ways of phishing yes. I don't think there are any legit users who should be allowed to post "Get free games *insert URL here*".
Originally posted by Uranium235:
Only feasible way I see would be to use a white list for URLs. But that would restrict linking too much. Who's then to say (and take the time to evaluate) what sites are allowed to link.
A blacklist should be enough. The purpose of this wouldn't be to blacklist each and every single phishing attempt, but to prevent mass phishing that has been happening recently. An IP range ban can only do that much.
Last edited by norby89; 27 Jan, 2013 @ 4:03pm
Uranium235 27 Jan, 2013 @ 4:07pm 
I'm sorry, but all those efforts are futile in my opinion.

A blacklist would only help a little more than reporting and blocking the user. Maybe not even that.

Unless your regexp in effect is a blacklist, you will have false positives. And to avoid that you will have to do at the expense of misses.

The changes to the report system would be needed to update a potential blacklist and distinguish false positives from hits from the regexp filter.
Otherwise it wouldn't be any more efficient than the system of reporting and banning today.
Last edited by Uranium235; 27 Jan, 2013 @ 4:11pm
[EMP]Shocktrooper 27 Jan, 2013 @ 4:11pm 
Geez, does no one here understand programming at all? And typo: it's regex. Look it up, and what it can do will solve the problems. Also maybe not allow a URL shortening service to be posted on the forums; there's really no need for it anyways, and the coding would take practically nothing to implement onto the server. Sneeza can do the server-side part in under 5 minutes and the moderator side in under 1 hr. Also, if there are misses they can be added to the blacklist by mods, and if false positives, they can be whitelisted or exempted. And also, have you ever set up a website at all? I have, and it's a pain, plus you need to update DNS every once in a while.
Last edited by [EMP]Shocktrooper; 27 Jan, 2013 @ 4:11pm
Uranium235 27 Jan, 2013 @ 4:14pm 
If you knew anything about programming at all, you would recognize why I spell it "regexp" and not care at all.
Last edited by Uranium235; 27 Jan, 2013 @ 4:24pm
norby89 27 Jan, 2013 @ 4:17pm 
I'm not sure if we have the same concept in mind. In my opinion this is how such a filter would work:

  • User attempts to send a message
  • Filter kicks in and compares the user's message against a list of forbidden phrases
  • If no match is found the message goes through
  • If there's a match, post gets hidden and automatically reported

That's it. After that an admin can decide if further action needs to be taken, depending on whether the user is a phisher or the account has been compromised etc.

Can you provide me a false positive for "Get free games *insert URL here*"?
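
Added example, not part of any post in this thread and not Outpost's code: a minimal pre-post filter combining the steps listed above with the free-domain suffix rule and partial whitelist proposed earlier, plus one paid-domain message that slips through, which is the kind of miss raised in the replies. The function names, the allowlisted host and the sample messages are constructed assumptions.

```python
import re

# Assumed policy data, constructed for this example (not Outpost's real lists).
FREE_SUFFIXES = ("tk", "co.cc")     # free-domain suffixes named in the thread
ALLOWLIST = {"legit-example.tk"}    # hypothetical known-good host that matches the rule
BAIT = re.compile(r"\b(?:get\s+)?free\s+(?:games?|gifts?|items?)\b", re.I)
# Host-like token: optional scheme and "www.", then dotted labels and a TLD.
HOST = re.compile(r"(?:https?://)?(?:www\.)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def normalize(text):
    """Undo simple evasions: '[dot]' / '(.)' spellings and spaces before a dot."""
    text = re.sub(r"\s*[\[(]\s*(?:\.|dot)\s*[\])]\s*", ".", text, flags=re.I)
    return re.sub(r"\s+\.\s*(?=[a-z0-9])", ".", text, flags=re.I)


def check_post(message):
    """Return (decision, reasons); 'hold' means hide the post and auto-report it."""
    text = normalize(message)
    reasons = []
    for match in HOST.finditer(text):
        host = match.group(1).lower()
        if host in ALLOWLIST:            # partial whitelist: exempt from the suffix rule
            continue
        if any(host.endswith("." + s) for s in FREE_SUFFIXES):
            reasons.append("free-domain:" + host)
    if BAIT.search(text) and HOST.search(text):
        reasons.append("bait-phrase-with-link")
    return ("hold" if reasons else "allow", reasons)


if __name__ == "__main__":
    samples = [  # constructed messages
        "Get free games at www.fr33St3amgifts.tk",
        "check freegifts [dot] co [dot] cc",
        "my backpack: legit-example.tk/bp",
        "new hats here: trade-offer-example.com/offer",  # paid domain, no bait: a miss
        "Selling Bill's Hat for 2 keys. Add me.",
    ]
    for s in samples:
        print(check_post(s), "<-", s)
```
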
Uranium235 27 Jan, 2013 @ 4:19pm 
And what would be more efficient about that than the current system? I am sure phishing links get reported fairly quickly, and more important more reliably than any automatic filter you have.

Automatically hiding is not really worth it, because then you would have all those complaints about why was my post hidden.

It's not about the URL, I can change that at any time to avoid "free" "gift" and such. It's a cat and mouse game. Not worth it.
Last edited by Uranium235; 27 Jan, 2013 @ 4:21pm
[EMP]Shocktrooper 27 Jan, 2013 @ 4:21pm 
That's not the usual way of saying it though; maybe that's old-timer stuff then.
[EMP]Shocktrooper 27 Jan, 2013 @ 4:22pm 
Also, that's why there's a wildcard in regex, so you can take care of stuff like that. And maybe not auto-hide; maybe warn a mod before the users have a chance to report it, like a priority report.

Date Posted: 27 Jan, 2013 @ 1:35pm
Posts: 64