pcparadise / discordbot

GNU General Public License v3.0

Discord Raids #5

Closed awsomearvinder closed 2 years ago

awsomearvinder commented 3 years ago

Issue: A lot of raids happen where several members join all at once in a short interval. Having a feature to counteract that seems to be a well agreed upon consensus.

Things to know

Several members join all at once. They share a profile picture generally.

Drawbacks:

Could falsely kick / ban someone

Proposal: Keep track in memory of how many members have joined within a time interval: say 10 seconds. If it exceeds a certain interval then the server should enter a "lockdown state" and it should prompt, in #staff-chat whether to kick or ban all said members.

Other ideas regarding this: If all members have a similar username - you could use fuzzy matching to verify that the names are similar enough. Ban all users with similar enough names. This should not be relied upon, and should only occur if an admin realizes they all share similar names.

The performance of comparing images is something that is as of yet unknown, same with comparing images for likeness. However, Discord profile pictures are relatively low resolution, and a similar algorithm to the above could likely be done for images.

Of course, if neither work, we could always resort to banning all who joined within that time interval.
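A minimal implementation of the proposal above, added here as an illustration (it is not code from pcparadise/discordbot). It keeps joins in a sliding window, flips into a lockdown state when the count in the window crosses a threshold, and collects the whole burst for a kick/ban/ignore decision from staff instead of acting on its own. The 10-second window is the one proposed; the threshold of 5 joins, the JoinEvent fields, the decision strings and the sample timestamps are assumptions made for the example.

```python
"""Sliding-window join-rate detector for the proposed raid 'lockdown' state.

Added example, not code from pcparadise/discordbot. Pure Python with no
discord.py dependency so it can be unit-tested; the bot would feed it one
JoinEvent per on_member_join and post staff_prompt() in #staff-chat.
"""
from collections import Counter, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional


@dataclass
class JoinEvent:
    member_id: int
    name: str
    avatar_hash: Optional[str]   # raiders often share one avatar, so keep it for the prompt
    joined_at: float             # seconds; monotonic clock or Unix time, used consistently


@dataclass
class RaidDetector:
    window_seconds: float = 10.0        # interval suggested in the proposal
    threshold: int = 5                  # joins inside the window that trip lockdown (assumed)
    lockdown: bool = False
    _recent: Deque[JoinEvent] = field(default_factory=deque)     # joins still inside the window
    suspects: Dict[int, JoinEvent] = field(default_factory=dict)  # member_id -> event

    def _expire(self, now: float) -> None:
        """Drop joins that have slid out of the window."""
        while self._recent and now - self._recent[0].joined_at > self.window_seconds:
            self._recent.popleft()

    def record_join(self, event: JoinEvent) -> bool:
        """Record one join; returns True while the server is (now) in lockdown."""
        self._expire(event.joined_at)
        self._recent.append(event)
        if self.lockdown:
            # anyone arriving during lockdown joins the batch awaiting a decision
            self.suspects[event.member_id] = event
        elif len(self._recent) >= self.threshold:
            self.lockdown = True
            for e in self._recent:   # the whole burst that tripped the alarm, not just this join
                self.suspects[e.member_id] = e
        return self.lockdown

    def staff_prompt(self) -> str:
        """Text for #staff-chat asking whether to kick or ban the collected suspects."""
        avatars = Counter(e.avatar_hash for e in self.suspects.values() if e.avatar_hash)
        shared = avatars.most_common(1)[0][1] if avatars else 0
        names = ", ".join(e.name for e in sorted(self.suspects.values(), key=lambda e: e.joined_at))
        return (f"Lockdown: {len(self.suspects)} joins within {self.window_seconds:g}s "
                f"({shared} share the same avatar). Kick, ban or ignore? Members: {names}")

    def resolve(self, decision: str) -> List[int]:
        """Apply a mod's decision ('kick', 'ban' or 'ignore'); returns member ids to act on
        in join order and clears the lockdown state."""
        if decision not in ("kick", "ban", "ignore"):
            raise ValueError(f"unknown decision {decision!r}")
        targets = [] if decision == "ignore" else [
            e.member_id for e in sorted(self.suspects.values(), key=lambda e: e.joined_at)]
        self.suspects.clear()
        self._recent.clear()
        self.lockdown = False
        return targets


if __name__ == "__main__":
    # Constructed data: three ordinary joins minutes apart, then six accounts in two seconds.
    det = RaidDetector()
    for i, t in enumerate([0.0, 300.0, 900.0], start=1):
        det.record_join(JoinEvent(i, f"user{i}", None, t))
    burst = [1000.0, 1000.3, 1000.9, 1001.2, 1001.8, 1002.0]
    for i, t in enumerate(burst):
        if det.record_join(JoinEvent(100 + i, f"xxbot{i}", "a1b2" if i < 5 else None, t)):
            print(det.staff_prompt())
    print("ban ->", det.resolve("ban"))
```

resolve() only hands back the ids; actually issuing the kicks or bans is the caller's job, and with the API rate limits discussed further down the thread that loop has to be paced rather than fired all at once.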

thefakequake commented 3 years ago

IMO: just use fuzzywuzzy every time a bunch of members join with a short interval. If all the members' usernames match each other with a match of at least 70%, then ban them instantly.
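An illustration of the 70% rule (added example, not the project's code). The standard library's difflib.SequenceMatcher stands in for fuzzywuzzy's fuzz.ratio so it runs with no extra dependency; the scores are comparable in spirit but not guaranteed identical. all_similar() is the rule exactly as stated (every pair at 70% or better); similar_clusters() is a looser grouping that still surfaces the look-alike accounts when a few unrelated joins land in the same burst, the objection raised in the reply that follows. The normaliser, the sample usernames and the all-digit fallback are assumptions made for the example.

```python
"""Fuzzy username grouping for a burst of joins.

Added example, not code from pcparadise/discordbot. difflib.SequenceMatcher
replaces fuzzywuzzy so the snippet runs offline; 70 is the threshold from the thread.
"""
import re
from difflib import SequenceMatcher
from typing import List


def normalise(name: str) -> str:
    """Lower-case and drop digits, underscores and punctuation so 'Raid_Bot#0042' and
    'raidbot' share a stem (raid accounts are often one name plus a counter).
    Edge case: an all-digit name would normalise to '' and two empty strings score 100,
    so fall back to the raw lower-cased name in that case."""
    stem = re.sub(r"[\W\d_]+", "", name.lower())
    return stem or name.lower()


def similarity(a: str, b: str) -> int:
    """0-100 score on the normalised names (2 * matched chars / total length)."""
    return round(100 * SequenceMatcher(None, normalise(a), normalise(b)).ratio())


def all_similar(names: List[str], threshold: int = 70) -> bool:
    """The rule as proposed: every pair of names in the burst scores >= threshold."""
    return all(similarity(a, b) >= threshold
               for i, a in enumerate(names) for b in names[i + 1:])


def similar_clusters(names: List[str], threshold: int = 70) -> List[List[str]]:
    """Single-linkage grouping: a name joins the first cluster containing any member it
    matches, otherwise it starts its own. Unrelated accounts end up as singletons."""
    clusters: List[List[str]] = []
    for name in names:
        for cluster in clusters:
            if any(similarity(name, member) >= threshold for member in cluster):
                cluster.append(name)
                break
        else:
            clusters.append([name])
    return clusters


if __name__ == "__main__":
    # Constructed burst: three look-alike accounts and two unrelated joiners.
    burst = ["bannerbot01", "alice", "bannerbot02", "WanderingOak", "BannerBot_03"]
    print("all similar:", all_similar(burst))
    for cluster in similar_clusters(burst):
        print(len(cluster), cluster)
```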

awsomearvinder commented 3 years ago

Issue with this is that they don't have to share their names - we've had raids where the usernames were just 2 random words smashed together.

thefakequake commented 3 years ago

The problem is though, most raid bots' intention is to DM all the members of the server. The moderation bot has to be able to ban the selfbots before they can DM.

thefakequake commented 3 years ago

Fair enough. We can also just toggle lockdown when enough users join in a given timeframe.

Ganoodles commented 3 years ago

Why don't we just make the user fill out a simple text captcha on each join, instead of "rock"... extremely insecure. We could also keep "rock", but then measure the time in between each join, keep track of the average, if that spikes by a large amount, like 500%, then we enforce the captcha. It also would be pretty easy to create a form of anti-spam, mass-mention.
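One way to implement the "average join interval spikes by 500%" trigger (added example, not the project's code). It keeps a slowly moving baseline of inter-join intervals and compares it with the average of the last few; a baseline five times the recent average means joins are arriving five times faster than normal, which is when the captcha gate would be switched on. The window sizes, smoothing factor, minimum history and the timestamps in the demo are assumptions, and the class does nothing Discord-specific so it can be tested on its own.

```python
"""Join-interval spike monitor: enforce the captcha gate when joins suddenly come
much faster than usual.

Added example, not code from pcparadise/discordbot. All parameters are assumed.
"""
from collections import deque
from typing import Deque, List, Optional


class JoinSpikeMonitor:
    def __init__(self, spike_factor: float = 5.0, short_window: int = 3,
                 alpha: float = 0.1, min_history: int = 5) -> None:
        self.spike_factor = spike_factor        # 5.0 == the "500%" spike from the thread
        self.alpha = alpha                      # EMA weight for the long-run baseline
        self.min_history = min_history          # intervals needed before alarms are allowed
        self.short: Deque[float] = deque(maxlen=short_window)  # most recent intervals
        self.baseline: Optional[float] = None   # EMA of "normal" inter-join intervals
        self.last_join: Optional[float] = None
        self.samples = 0

    def observe(self, joined_at: float) -> bool:
        """Feed one join timestamp (seconds); returns True when the captcha should be enforced."""
        if self.last_join is None:              # first join ever: nothing to compare with
            self.last_join = joined_at
            return False
        # identical timestamps would give a zero interval and a division by zero below
        interval = max(joined_at - self.last_join, 1e-3)
        self.last_join = joined_at
        self.short.append(interval)
        self.samples += 1
        if self.baseline is None:
            self.baseline = interval
        spiking = False
        if self.samples >= self.min_history and len(self.short) == self.short.maxlen:
            recent_avg = sum(self.short) / len(self.short)
            spiking = self.baseline / recent_avg >= self.spike_factor
        # Do not fold raid intervals into the baseline: otherwise a long raid drags the
        # baseline down and the alarm silences itself while joins are still pouring in.
        if not spiking:
            self.baseline = (1 - self.alpha) * self.baseline + self.alpha * interval
        return spiking


def replay(timestamps: List[float], **kwargs) -> List[bool]:
    """Run a list of join timestamps through a fresh monitor; handy for tests and tuning."""
    monitor = JoinSpikeMonitor(**kwargs)
    return [monitor.observe(t) for t in timestamps]


if __name__ == "__main__":
    # Constructed data: one join every two minutes, then five accounts a second apart.
    quiet = [float(t) for t in range(0, 1200, 120)]
    burst = [1081.0, 1082.0, 1083.0, 1084.0, 1085.0]
    for t, flag in zip(quiet + burst, replay(quiet + burst)):
        print(f"t={t:7.1f}s  enforce_captcha={flag}")
```

With a short window of three, the alarm fires on the third fast join; a smaller window reacts faster at the cost of tripping on two friends joining together, which is the same false-positive trade-off the first comment lists under drawbacks.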

thefakequake commented 3 years ago

Good idea, we could take this to the next level by generating a captcha using PIL or something. One of the bots in the server already does that. server-monitoring I believe

Ganoodles commented 3 years ago

Or even better, we could use something like this: https://pypi.org/project/captcha/ Extremely straightforward, we could generate a random number/letter combination, DM the user the image, if they get it correct, then we give them the role in the server.

Or, actually, if we wanna avoid using non-built-in modules, we could create a captcha with PIL like you said, it wouldn't be too hard I don't think.

thefakequake commented 3 years ago

Perfect. I don't see the issue with using third party libraries if it decreases development time and yields more efficient code in the first place.

awsomearvinder commented 3 years ago

Alright, talking with the moderation team it sounds like even self-bots stuck in #welcome can DM users despite them not being a part of the member list. As a result the consensus seems to be the captcha idea won't work as they'll still be able to mass DM. It does sound like automated kicks / bans are going to be needed, and in a very short time frame.

Sounds like this is probably the same mechanism used by BetterDiscord and the like to view channels users can't access.

awsomearvinder commented 3 years ago

Another thing to note is discord rate limits: 5 anything per 5 seconds. The gross workaround would be having a cluster of bots - fighting fire with fire I suppose. Rather it not come down to that though.

Ganoodles commented 3 years ago

Hmm, I'm not really all that sure about how we would go about that then. A possible solution would be to measure the join rate like said before, if it spikes automatically ban every user joining until it lowers again.

A way to prevent this from affecting normal users who aren't bots, would be to create another server, and when banning a member, have the bot send them the invite beforehand, and allow them to appeal the ban in case it was false.

But the problem... is in the case of those giveaway bots, they were already in the server beforehand, and set up a planned raid.

Maybe it would be best if we implemented both of those ideas. Captcha, autobans, and an appeal server in case it was a user banned in the heat of action.

One more thing to think about, is user accounts that were compromised, how would we stop those?

awsomearvinder commented 3 years ago

Thing to note with the invite is that it's more actions the bot would have to do while fighting the rate limit.

I don't see how captchas help if bots can do stuff regardless. They can only access #welcome, they never even pass the rock check.

As far as the RFC goes - I'll create an implementation later as an MVP for getting the bot on the server. It as of yet won't bypass rate limits, but that'll be a WIP.

If anyone has any alternative paths I'm more than willing to hear them, or if they have any ideas that don't involve bypassing the rate limit using a cluster of bots...

awsomearvinder commented 3 years ago

Let me know if anyone has any issues with the ideas above or any suggestions - otherwise I think this is probably the path I'm going to move forward with if everyone is okay with it.

Ganoodles commented 3 years ago

Was the rate limit always 5 actions every 5 seconds? Because a year or so ago, I measured it myself and it was standing at 3 per second.

awsomearvinder commented 3 years ago

Looks like that was outdated information - it used to be 5/5 per server, 5/5 in DMs, and then 50/10 for across discord.

Right now the rate limit is dynamic and can change. Either way that's not fast enough.

awsomearvinder commented 3 years ago

I have a rough thing thrown together for RAID detection now - don't know if it works or how well it works

It does ask for permission from mods before banning though - which imo is fine. It does not however work past the rate limits.

awsomearvinder commented 3 years ago

Made it into a draft PR, #11

awsomearvinder commented 2 years ago

See reasoning on the PR, closing this