V4NSH4J / discord-mass-DM-GO

The most powerful Discord selfbot written in GO allowing users to automate their campaigns & send low-cost mass messages to Discord users!
https://t.me/tosviolators
GNU Affero General Public License v3.0

Observer Token #618

Open laurin-kraemer opened 2 years ago

laurin-kraemer commented 2 years ago

We just got attacked and the hackers are still sending DMs when users react to certain emojis. Is there a way to prevent scammers from sending malicious links to our community? We need to find out the observer token in our server. Is there a way to do this?

V4NSH4J commented 2 years ago

Hey Laurin! Thank you for the issue. This is a genuine issue; I'd like to take the time and explain in detail what can be done about this. There's no way to spot an observer token; it'll just look like any other account, as it's dormant and just looking at the reactions. It has no distinctive traits.

To understand what can be done, I need to explain what is being exploited here. This "React to gain access" adds no security to a server, as reactions can be botted and DMs can be sent without reacting. So an elementary solution would be completely removing it; it serves no purpose really. But if it's kept, how it works is that a user reacts to the message, he gets a role to view the rest of the server, and the channel where the reaction is added is hidden. This is fundamentally how most "React to gain access" servers work, so your observer token is one of the tokens which doesn't have the role to view the rest of the server. So a secondary solution can be to kick every user who hasn't got the role to view the server (what are they even doing in the server when they don't have access to it? They're probably bots or people who won't engage in your server and, well, observer tokens). You can set up a real Discord bot to occasionally kick every account which doesn't have access to the server. But this is easily bypassable, as they can join a new observer token when it's kicked (at least it would temporarily bypass this repository, as it doesn't have any such functionality and it'll have to be added). Scams on Discord are a big problem; it's important to secure your servers from this to ensure your audience has a good experience.

In a nutshell, I would say to completely remove the "React for Access" or, if you want something like that, replace it with a "Click for access", which is done using Discord's button interactions implemented in API v9. Those don't do a websocket event like the reaction does (to increment the count on the message), so that will completely stop react-on-DMs on your server. Of course, this button can be clicked by bots too, but there's no event and hence no "React on click". But there are several ways to target new users on your server, not just react on DM. People can send DMs from the logs channel if it's visible, so I'd recommend hiding it. One other thing people do is scrape your member list and check for new users (this is slower and a bit more inefficient); to avoid this, you can hide the member list in your verification channels. Only members who have access to a channel appear in the member list; usually fewer people are in the verification channels, so they can be scraped very fast and targeted. So hiding the member list, or giving every user access to the verification channel after reacting, can slow them down and make that sort of messages very hard to do on larger servers (as of course they can still scrape your general or announcement channel, but it'll be much, much, much slower).

TL;DR -> Replace your "React for Access" with buttons and hide the memberlist and logs channel

If you have any questions, I'll be happy to answer them to help you through this!
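As an added illustration of the "Click for access" replacement described in the comment above (example code, not part of this repository or the commenter's setup): it builds the verification message with a button component and handles the resulting component interaction, granting the access role only when the expected `custom_id` comes back from a user who does not already hold it. The `custom_id` value, the role ID and the reply texts are assumptions; the component and interaction type numbers are Discord's documented ones.

```go
package main

import "encoding/json"

// VerifyMessage builds the "Click for access" message: an action row (type 1)
// holding one button (type 2) whose custom_id comes back when it is clicked.
func VerifyMessage(customID string) map[string]any {
	return map[string]any{
		"content": "Click the button to gain access.",
		"components": []any{
			map[string]any{"type": 1, "components": []any{
				map[string]any{"type": 2, "style": 1, "label": "Verify", "custom_id": customID},
			}},
		},
	}
}

// interaction holds the payload fields the handler needs (assumed subset).
type interaction struct {
	Type   int `json:"type"`
	Member struct {
		User  struct{ ID string `json:"id"` } `json:"user"`
		Roles []string `json:"roles"`
	} `json:"member"`
	Data struct{ CustomID string `json:"custom_id"` } `json:"data"`
}

// ephemeral is an interaction response (type 4) shown only to the clicker (flag 64).
func ephemeral(text string) map[string]any {
	return map[string]any{"type": 4, "data": map[string]any{"content": text, "flags": 64}}
}

// HandleClick returns the user ID to give accessRole ("" when no change is due)
// and the response to send back. Interaction type 3 is a message component click.
func HandleClick(raw []byte, customID, accessRole string) (string, map[string]any, error) {
	var in interaction
	if err := json.Unmarshal(raw, &in); err != nil {
		return "", nil, err
	}
	if in.Type != 3 || in.Data.CustomID != customID {
		return "", nil, nil // not our button: caller should reject the request
	}
	for _, r := range in.Member.Roles {
		if r == accessRole {
			return "", ephemeral("You already have access."), nil
		}
	}
	return in.Member.User.ID, ephemeral("Access granted."), nil
}
```

Because a click arrives as an interaction sent to your bot rather than as a reaction, nothing is broadcast over the gateway for a dormant account in the channel to observe.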

V4NSH4J commented 2 years ago

I used to run a Discord server for this bot in its prime, and my main problem was people would spam on my own server with my own bot. To counter this, I used to use https://wickbot.com/. I would highly recommend getting its premium version (pretty affordable, and they accept crypto too) and setting it up correctly. It's very powerful and will eliminate most of the unsolicited direct messaging going on.