STEAM GROUP
TF2 Outpost by Fanbyte
Membership by invitation only
Founded
7 August, 2011
Language
English
Showing 21-30 of 178 entries
47
Phishing Countermeasures
Originally posted by The Fires of Heck:
Originally posted by norby89:
please don't assume that we don't care about our users or that we're happy with the current situation because we're not.

I know this isn't an easy situation, and I know that you (personally) care because you're taking time to answer people's complaints on internet forums. The only thing I'm assuming is that the end product isn't currently something I'll spend money on. I would *like* to, but the phishers ruin the experience.

True, that's not constructive criticism, (I lack the technical expertise to provide a working solution) but I suppose you could say that at least it's honest, profanity-free feedback.

On the curious side, no other trading site I've used has caused phishing adds. I have active trades on multiple sites, but 100% of the phishers add me within 30 seconds of bumping my Outpost trades. So...what's unique to Outpost?

I should point something out to enforce the claim in my last post. I just checked out bazaar and on the homepage each trade has a link to the user's profile in the following form: /profiles/{steamid}. This makes it trivially easy to harvest steamids using a bot by loading the homepage over and over and extracting that string.

Outpost, however, prevents listing your steamid until an actual trade is loaded. This means that bots have to load the homepage, extract all trade links, load each trade individually and extract the steamid. This process is a factor of 20x slower.

The only reason you get more adds from Outpost is because the active userbase per day is so much bigger.
Originally posted by NiceTraderJoe:
Currently, my user experience has been greatly negatively impacted to the point where I am posting in the site forum, asking for information and making suggestions. I am not likely the only one who feels this way.

As for site functionality, I am not sure why anonymous site users need to see my Steam ID. Requiring Steam login (currently not implemented) seems like a reasonable minimum standard to view any Steam ID, be it my Steam ID or someone I wish to trade with. If an anonymous person wants to trade with me, using Steam Trade Offer link seems to be a reasonable method in my opinion.

Going beyond that measure, I cannot think of a reason why a logged in member would need to view my Steam ID until the user is ready to add me as a friend to trade. (Again, if they don't want to friend me to trade, they can use the Steam Trade Offer link.) Requiring a captcha at that point also seems reasonable to me, especially given the current rampant phishing activity. An explanation of the reasons for the captcha would help educate users: "We have implemented this captcha as a response to the wide usage of phishing bot scammers scraping Steam IDs from this site. This is a pilot program to gauge the captcha effectiveness as a phishing countermeasure. We don't like phishers and we hope you support us during this trial period. If you have any questions or would simply like to voice your opinion, please visit our forum linked here." You can then see how well that measure works for 2 weeks or so.

The current site attitude comes across to me as, "We won't try" and that truly makes me sad.

I'll try and explain this as best as I can. Outpost is currently the largest TF2 trading site around, with a large amount of users actively visiting the site every day. For this reason we're the primary target for phishing bots.

The reason that anonymous users are able to see some portions of the website (homepage, backpacks + profiles) is because our Search Engine Optimisation relies on it. If we blocked anybody that isn't logged in from accessing those pages then our SEO would tank and the site would receive less traffic and not even appear on search engines in good results. As you said somewhere else in this thread, Outpost is a business. We need good SEO, so that option is out (and no, before you suggest, we can't selectively block the pages for search engine bots because phishers could impersonate googlebot incredibly easily).

If we were to not display your steamid unless you agree to a trade then that would cause a couple of issues:

- User experience would be slower - people would have to offer on a trade, wait until the other user eventually comes back on the site, accepts the trade. The buyer then has to visit the site again after this and add the trade owner. The trade owner then accepts at some arbitrary time and the trade is performed. Having to wait for users on Steam is slow enough, adding another layer at Outpost would be too much.

- We'd still have to show your avatar and username (partially SEO, partially user experience) which would mean that any bot could perform a quick lookup of the name on steam community and match the avatar url with the one on Outpost. Hey presto, they have your profile.

Valve added a counter-measure a couple months ago that limited the # of requests that could be sent per day. We saw phishing bots decrease 90%+ after that was implemented, but they removed the limit because some users complained that 3 friend requests per 24 hours was too harsh of a limit. If they re-introduced it with a 20 friend limit then I believe the bot issue would become much less significant.

Of course, we're always looking for ways to limit the effects of phishing bots but we haven't yet found a solution which doesn't cause damage to our own website at the same time.
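
Added example, not part of the original post and not Outpost's code: the googlebot impersonation mentioned above relies on the client-supplied User-Agent header, whereas forward-confirmed reverse DNS, the check Google documents for verifying Googlebot, tests the source IP instead. The resolver tables, documentation-range IPs and function names below are constructed for illustration so the block runs offline.

```python
import ipaddress
import socket

# Reverse-DNS suffixes Google documents for Googlebot; the leading dot matters.
GOOGLE_SUFFIXES = (".googlebot.com", ".google.com")

def system_reverse(ip):
    return socket.gethostbyaddr(ip)[0]

def system_forward(host):
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def is_verified_googlebot(user_agent, ip, reverse=system_reverse, forward=system_forward):
    """True only if the UA claims Googlebot AND the source IP passes FCrDNS."""
    if "googlebot" not in user_agent.lower():
        return False
    try:
        addr = ipaddress.ip_address(ip)
        host = reverse(ip).rstrip(".").lower()
        if not host.endswith(GOOGLE_SUFFIXES):
            return False  # PTR is not under a Google-owned zone
        # The PTR record is set by whoever owns the IP, so confirm it forward.
        return addr in {ipaddress.ip_address(a) for a in forward(host)}
    except (ValueError, OSError):
        return False  # bad IP literal or failed lookup: treat as unverified

# Constructed resolver data (documentation IP ranges), standing in for real DNS.
PTR = {"192.0.2.10": "crawl-192-0-2-10.googlebot.com",
       "198.51.100.7": "host7.example.net",
       "203.0.113.5": "crawl-203-0-113-5.googlebot.com",  # forged PTR
       "203.0.113.9": "crawl.evilgooglebot.com"}
A = {"crawl-192-0-2-10.googlebot.com": ["192.0.2.10"],
     "crawl-203-0-113-5.googlebot.com": ["192.0.2.99"],  # real zone disagrees
     "crawl.evilgooglebot.com": ["203.0.113.9"]}

def fake_reverse(ip):
    if ip not in PTR:
        raise OSError("no PTR record")
    return PTR[ip]

def fake_forward(host):
    if host not in A:
        raise OSError("no A record")
    return A[host]

GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

def classify(ip, user_agent=GOOGLEBOT_UA):
    return is_verified_googlebot(user_agent, ip, fake_reverse, fake_forward)
```

Only the first constructed address is accepted; a site would cache the result per IP so the two DNS lookups are not repeated on every request.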
8
Trying to search for Steam games but it won't let me
3
I cant see all the class related items?
2
cant close trade
16
Latest ad provider is suspicious as foop.
4
Five max trades?