We've unplugged all the scanners, the bug doesn't exist anymore.

It's basically a raw account ID, see: https://docs.google.com/drawings/d/1gcRHaISLbJoIswaRcNbaNx7dgD0xTvtUBmr7I1f0xCg/edit?usp=sharing

Yeah, I know how to convert 32 bit IDs to 64 bit.

Originally posted by HusKy:

I have posted this elsewhere but you should protect trade offer URLs as well.

Hm. That's a good idea.

Originally posted by HusKy:

Originally posted by wat:

Proxy detection is a totally different beast.

Yep. I have hinted this on bazaar and the admin told me they already bypassed the resolver by switching proxies.

This was discussed, but it was thought that it would be uneconomical to do this at any real scale.

Sneeza posted recently that we had implemented some measures to mitigate phishing attacks launched on our users via TF2 Outpost, and many of you have seen reduced phishing attempts since it was implemented.

The mode of operation for these phishing bots is pretty simple:

1. Load front page of tf2outpost.com et al
   
2. Scan for 64 bit steamIDs (just 17 digit numbers -- /\d{17}/g)
   
3. Add these people -- some bots do this by loading steam://addfriend[...] URLs, others (I hope) are more sophisticated than this.
   
4. Bot periodically, or someone manually copies and pastes (yes really) some kind of link that looks like steamhost.cn/steamcommunity_com but isn't.
   
5. The not-really-steamcommunity website records your login details when you type them in.
   
6. They do what they want with your account.

After some discussion we isolated that phishing on Steam is difficult to solve because we don't have data on the activities on users like Valve do.

Solving this problem, then means we need to measure how many people someone is attempting to add.

Our solution works like this:

• Where we would normally have SteamIDs, we have URLs that pass through to the steamID, for example my steamcommunity link now goes to: http://www.tf2outpost.com/user/4/resolve/community which uses my Outpost user ID and not my 64 bit SteamID. The actual redirect is done through a Location header, which shouldn't confuse any good HTTP client and shouldn't impact our SEO.
  
• We record hits on a per-IP basis on these pass-through links.
  
• If someone makes too many requests for SteamIDs, we lock them out.

If any other website want to pick up the baton and implement these measures, I'm sure we'd see a reduction in phishing activity.

Something close to that -- that generates searches and trades from item names is being considered, but this is also the wrong section.

[color=yellow]yellow[/color]

I think the cache is dying

As Currier Bell said, the number is determined by the severity of the offences, rather than any standard.

That guy made 85 phishing links exactly the same, and none are correct.