Silk Road forums

Support => Feature requests => Topic started by: StExo on May 21, 2013, 11:04 pm

Title: Addressing the issue of vendor & user phishing
Post by: StExo on May 21, 2013, 11:04 pm
Right now on SilkRoad we are experiencing a major assault of phishing attempts on vendors and I am not entirely sure just what measures are being taken to prevent this. Fair enough each individual vendor has his/her own responsibility of security not only for themselves but to their customers, but SilkRoad also has a role to play if it is to continue as a high quality marketplace which is trusted.

1. Aggressive phishing removal

At the moment whenever a vendor receives a phishing message, or even one containing a link to malicious material as in the case of Whiteshark and many others, all that happens is a notice is posted in the forums to warn vendors. I know that most vendors fulfill their orders first, response to messages secondly and lastly check the forum. I feel that a button dedicated to phishing attempts should be brought in, but it needs to be more aggressive. So what can we do?

When a vendor reports a phishing scam, it is automatically forwarded to SR staff. The staff can evaluate this and also should be able to see how many times the message has been sent out by searching for copies both of the body text and user to ensure even if the phisher is using multiple accounts, the same mail being sent out can be detected. Then, if the SR staff determine the message is phishing, then ALL copies of that message to vendors, even to those vendors who haven't opened it, should be deleted meaning if the response is prompt enough then most vendors will not even know they received the message to start with. This does not protect against those who use variable text or who encrypt the message to the vendor using their PGP key, but it at least makes life much more difficult for phishers to attack SilkRoad and hopefully make it not worth their while.


2. Flagging

As the above suggestion contains a proposal for a phishing button, a community method could be implemented at least as an early warning system for others. For example, if 2-3 vendors have reported the message as phishing it will then put some kind of alert or warning to the vendor to warn them others have reported the message as phishing and it has not yet been reviewed by SR staff. Of course this flag can be removed if SR Support deem the message is not phishing and the user should still be able to access it, but still it is another small feature as every vendor is the doorway to potentially revealing customers awaiting orders and their personal details.


3. Content filter

We already know certain domains are scams and so SR should introduce a content filter. For example, bitkoin.com is something I have on my forum account message box whereby I've set a rule any subject header or where the complete domain is mentioned in the message body, then the message is automatically deleted from my account. For known phishing sites confirmed by SR Support, this can be applied across both the forum and within SR. Of course it may be the case the website is being mentioned innocently such as telling another member as a heads up to be careful, so possibly adding a bypass to this past a certain post count (ie 100) or filtering it with asterisks would at least prevent spam accounts giving out the address in an easy copy and paste manner.


---------------------------------------------------------------------

I am not a programmer, I do not know how difficult this would be to implement but I do have a feeling it would not be too difficult. Small steps in the direction of combating the plague of phishers recently however could vastly increase the security of many of us if we can make life more difficult for them to the point where they deem it too much effort to be worthwhile.

I also understand DPR's philosophy of free will and free speech, but this is not censorship, this is merely a precaution and method to tackle the undesirables here on the forum and marketplace.

Thoughts everyone?