
Comments (21)

jet86 commented on August 20, 2024 (3)

It may also be worth jumping into this thread if you're not already:
aragon/governance#7

from mycrypto.

5chdn commented on August 20, 2024 (3)

@jet86 👍 It's not worth building fixes around Slack. It's probably easier to totally abandon Slack.


409H commented on August 20, 2024 (1)

Proposed Solution

Create a Slack App for easy distribution to various teams to perform the following:

  • Monitor signups and detect if a user has joined with a temporary/disposable e-mail address, using the team_join event.
  • Monitor messages triggered with /remind and delete them immediately if they were created by a non-admin/non-whitelisted user.
  • Auto-delete/change any channel topic change that wasn't issued by a team admin. Relevant APIs/events:
    channels.setTopic and channels.info
  • Detect messages with spam/fake links impersonating established websites. Relevant event: message.

The Slack app itself will pass its logic to a 3rd party open-source project (https://github.com/409H/Slack-AdminOnlyReminders) that will publish (on its homepage) banned messages and users in real-time and store them in the database so we can start building metrics on the data and reporting.


Currently, on my test slack team and application, I have the system monitoring and deleting /remind commands that were not set by admins. I am to tidy the code up a little, and setup the repo to have a "deploy to heroku" button and slack app to easy distribute. I think testing on this feature can commence late Friday (June 7, 2017) night (GMT timezone).

(I've renamed the repo since the app will do more than SAOR. https://github.com/409H/Slack-ICO_Safe)


dternyak commented on August 20, 2024 (1)

Closing due to staleness. Happy to re-open should we need more discussion around this issue.


409H commented on August 20, 2024

Although it won't be bulletproof, we could set up a directory of known e-mail addresses that are on the scammers' addresses and autoblock them.

Then we could use reminders.list to fetch all the reminders on a channel (for specific users, using users.list), look to see if reminders.creator is in a whitelist (of admins or something), and then issue a reminders.delete request for any reminder that wasn't created by an admin. This could be run every minute as a Slack App and be manageable via a 3rd-party site.

Would be happy to collab with someone. I'll start on that solution tonight within this repo: https://github.com/409H/Slack-AdminOnlyReminders

(I've renamed the repo since the app will do more than SAOR. https://github.com/409H/Slack-ICO_Safe)

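The admin-whitelist reminder check and the disposable-address join check sketched in this comment and in the "Proposed Solution" comment above, as an added example (not code from the thread or from the Slack-ICO_Safe repo). The payloads are constructed and shaped after the public Slack Web API fields of users.list, reminders.list and the team_join event; the user IDs, reminder IDs and disposable domains are made-up sample data.

```python
# Added example: admin-only reminders and disposable e-mail joins, evaluated
# offline against constructed Slack API payloads (no network calls).
DISPOSABLE_DOMAINS = {"mailinator.com", "guerrillamail.com"}  # constructed sample list

# Constructed users.list response: U1 is a workspace admin, U2 and U3 are not.
USERS_LIST = {"ok": True, "members": [
    {"id": "U1", "name": "alice",   "is_admin": True,  "profile": {"email": "alice@example.org"}},
    {"id": "U2", "name": "bob",     "is_admin": False, "profile": {"email": "bob@example.org"}},
    {"id": "U3", "name": "mallory", "is_admin": False, "profile": {"email": "x@mailinator.com"}},
]}

# Constructed reminders.list response: one admin reminder, two set by non-admins.
REMINDERS_LIST = {"ok": True, "reminders": [
    {"id": "Rm1", "creator": "U1", "user": "U2", "text": "standup in 5",    "recurring": False},
    {"id": "Rm2", "creator": "U3", "user": "U2", "text": "token sale open", "recurring": True},
    {"id": "Rm3", "creator": "U2", "user": "U1", "text": "lunch",           "recurring": False},
]}


def admin_ids(users_list):
    """Whitelist of workspace admins/owners derived from a users.list response."""
    return {m["id"] for m in users_list["members"]
            if m.get("is_admin") or m.get("is_owner")}


def reminders_to_delete(reminders_list, whitelist):
    """IDs of reminders whose creator is not whitelisted; each would be passed
    as the `reminder` argument of reminders.delete."""
    return [r["id"] for r in reminders_list["reminders"]
            if r.get("creator") not in whitelist]


def is_disposable_join(event, disposable=DISPOSABLE_DOMAINS):
    """True if a team_join event carries an e-mail at a known disposable domain.
    Reading profile.email needs the users:read.email scope on the app token."""
    email = event.get("user", {}).get("profile", {}).get("email", "")
    domain = email.rsplit("@", 1)[-1].lower() if "@" in email else ""
    return domain in disposable


if __name__ == "__main__":
    wl = admin_ids(USERS_LIST)
    print("admins:", sorted(wl))                              # ['U1']
    print("delete:", reminders_to_delete(REMINDERS_LIST, wl))  # ['Rm2', 'Rm3']
    join = {"type": "team_join", "user": USERS_LIST["members"][2]}
    print("disposable join:", is_disposable_join(join))       # True
```

As a later comment in this thread reports, reminders.list only returns reminders visible to the calling user, so the deletion check covers only what the app's token can see.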

tayvano commented on August 20, 2024

So [email protected] was one that was in our slack channel.....


409H commented on August 20, 2024

@tayvano perhaps we should auto-ban users with temporary e-mail addresses also.


tayvano commented on August 20, 2024

I think this is a good plan. We have started a master list of known malicious addresses (fake ICO links) and URLs... Keeping that up to date and figuring out an easy way to push those updates live fast to Slack bots or a Chrome extension or whatever it may be (API?), I think we're in a better place.

From there it's just a matter of making sure Slacks use it, people use it, and there are easy ways for people to submit bad links/addresses to it.

The latter is probably the easiest part of this.


409H commented on August 20, 2024

With solo testing, I've got the app to remove reminders with the reminders.delete method. When you did your testing, did you use webhooks or a Slack app with the appropriate auth to each collection?


commented on August 20, 2024

The issue we ran into is that an admin cannot delete any @slackbot IM channel reminders other than their own. We tested it on the API by checking reminders.list for any slackbot IMs other than our own – and had this confirmed by Slack.

A band-aid we thought we could do is to take a look at writing an incoming webhook that triggers a slackbot response in a user's @slackbot IM channel when any reminders are posted there.

We did it with 4 user accounts and sent various slackbot reminders to other users directly. We tested using reminders.delete to query the IDs of user slackbot IM channels, not public channels. We could not see, and therefore could not delete, slackbot IMs that were not related to us, even as main admin. Slack confirmed it is not possible to delete other users' slackbot IMs, including reminders. They can only be deleted by the recipient or sender if sent as IM.


commented on August 20, 2024

But I have heard we can do this: you can add a bot that listens to slackbot DMs and deletes every message from it.


409H commented on August 20, 2024

@altcoinio have you got a program in the works, or would you like me to push mine to the repo with Slack app instructions/config for you to work off?


commented on August 20, 2024

Hi @409H - yes please, if we can have a look that would be great - are you using the node bot kit?


409H commented on August 20, 2024

@altcoinio Sorry, I was out last night; I'll commit and push later. No, a Slack bot pointing to a PHP application.


mikeyb commented on August 20, 2024

You all might want to check out Mattermost or Rocket.Chat instead of Slack. Slack leaves you with very little power to control and stop things like this. I am urging everyone to move away from Slack to these free tools that enable us to run bigger communities without the insane hassle of dealing with these types of users. If scammers know your self-hosted chat server logs everything they need to protect against said scammer, scammers will bother other chats that remain on Slack. Just my 2 cents.


commented on August 20, 2024

Hey @mikeyb that was what we found too. I wrote our findings up here: https://medium.com/@altcoinio/slack-api-for-icos-de61df6448c3


mikeyb commented on August 20, 2024

@altcoinio yes thanks! I had just finished reading that a few minutes ago. Thank you for the write-up. Seems like a silly attack vector Slack leaves available. Still not sure why Slack is used so much; it is the most unfriendly chat app I have ever seen for unpaid use (and not that great when paid for either).


commented on August 20, 2024

@mikeyb I'll add your suggestions for other chat tools at the bottom of the post - thank you. We use Slack at work and hack it quite a bit for our own purposes, but only as a trusted team.


noameppel commented on August 20, 2024

Disabling the Slack API can help to prevent phishing attacks.
https://medium.com/@Paul__Walsh/how-to-disable-the-slack-api-to-prevent-phishing-attacks-inside-cryptocurrency-communities-4953d35db10c


jet86 commented on August 20, 2024

Disabling the Slack API only limits one small attack vector. It's definitely worth doing, but there's still plenty of phishing attacks happening in communities with the API already disabled.


jet86 commented on August 20, 2024

That's exactly my point.
