From a37c0157a3d9d695d67aec61c5234994bdd2d45f Mon Sep 17 00:00:00 2001
From: Zabuzard
Date: Mon, 17 Nov 2025 11:03:29 +0100
Subject: [PATCH 1/4] fixed steam false positives
---
 application/config.json.template | 4 ++-
 .../moderation/scam/ScamDetectorTest.java | 36 +++++++++++++++----
 2 files changed, 33 insertions(+), 7 deletions(-)
diff --git a/application/config.json.template b/application/config.json.template
index 7225704286..11428330fe 100644
--- a/application/config.json.template
+++ b/application/config.json.template
@@ -62,7 +62,9 @@
 "youtube.com",
 "www.youtube.com",
 "cdn.discordapp.com",
- "media.discordapp.net"
+ "media.discordapp.net",
+ "store.steampowered.com",
+ "help.steampowered.com"
 ],
 "hostBlacklist": [
 "bit.ly",
diff --git a/application/src/test/java/org/togetherjava/tjbot/features/moderation/scam/ScamDetectorTest.java b/application/src/test/java/org/togetherjava/tjbot/features/moderation/scam/ScamDetectorTest.java
index 52c9b3dffe..8e45d7c58c 100644
--- a/application/src/test/java/org/togetherjava/tjbot/features/moderation/scam/ScamDetectorTest.java
+++ b/application/src/test/java/org/togetherjava/tjbot/features/moderation/scam/ScamDetectorTest.java
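Review bot: Nothing in this patch shows how far a `hostWhitelist` hit reaches, and the two `steampowered.com` hosts are added while `steam` stays a suspicious keyword and `steamcommunity.com` stays blacklisted. Please confirm in the detector that a whitelisted host exempts only the URL token it appears in, so that an allowed Steam link cannot lower the score of another link or keyword in the same message; the same question applies to `learn.microsoft.com` added in patch 3/4. It is also worth confirming that matching is on the exact host, since that is what keeps subdomain-level entries like these narrow. JSON has no comment syntax, so both rules belong in the configuration documentation, where the next person adding an entry can check them.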
@@ -38,10 +38,11 @@ void setUp() { "esex", "steam", "gift", "onlyfans", "bitcoin", "btc", "promo", "trader", "trading", "whatsapp", "crypto", "^claim", "teen", "adobe", "hack", "steamcommunity", "freenitro", "^earn$", "^earning", ".exe$", "mrbeast")); - when(scamConfig.getHostWhitelist()).thenReturn(Set.of("discord.com", "discord.media", - "discordapp.com", "discordapp.net", "discordstatus.com", "thehackernews.com", - "gradle.org", "help.gradle.org", "youtube.com", "www.youtube.com", - "cdn.discordapp.com", "media.discordapp.net")); + when(scamConfig.getHostWhitelist()) + .thenReturn(Set.of("discord.com", "discord.media", "discordapp.com", "discordapp.net", + "discordstatus.com", "thehackernews.com", "gradle.org", "help.gradle.org", + "youtube.com", "www.youtube.com", "cdn.discordapp.com", "media.discordapp.net", + "store.steampowered.com", "help.steampowered.com")); when(scamConfig.getHostBlacklist()).thenReturn(Set.of("bit.ly", "discord.gg", "teletype.in", "t.me", "corematrix.us", "u.to", "steamcommunity.com", "goo.su", "telegra.ph", "shorturl.at", "cheatings.xyz", "transfer.sh", "tobimoller.space")); 
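Review bot: The whitelist stubbed in `setUp()` is a hand-copied mirror of `hostWhitelist` in `config.json.template`, so this hunk repeats the template change entry by entry, and the later patches in this series do the same for the keyword and whitelist stubs. If the two copies drift, the tests keep passing against values that are not the shipped defaults. Consider reading the lists from the template in the test, or at least add a comment above the stubs such as `// Keep in sync with application/config.json.template`. `setUp()` starts and ends outside the hunk.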
@@ -428,7 +429,25 @@ B2CWorkflow Builder (React Flow) https://cdn.discordapp.com/attachments/1234/5678/1.png?ex=688cd552&is=688b83d2&hm=5787b53f08a488a22df6e3d2d43b4445ed0ced5f790e4f6e6e82810e38dba2aa& https://cdn.discordapp.com/attachments/1234/5678/2.png?ex=688cd552&is=688b83d2&hm=5787b53f08a488a22df6e3d2d43b4445ed0ced5f790e4f6e6e82810e38dba2aa& https://cdn.discordapp.com/attachments/1234/5678/3.png?ex=688cd552&is=688b83d2&hm=5787b53f08a488a22df6e3d2d43b4445ed0ced5f790e4f6e6e82810e38dba2aa& - https://cdn.discordapp.com/attachments/1234/5678/4.png?ex=688cd552&is=688b83d2&hm=5787b53f08a488a22df6e3d2d43b4445ed0ced5f790e4f6e6e82810e38dba2aa&"""); + https://cdn.discordapp.com/attachments/1234/5678/4.png?ex=688cd552&is=688b83d2&hm=5787b53f08a488a22df6e3d2d43b4445ed0ced5f790e4f6e6e82810e38dba2aa&""", + """ + I’ll help the first 10 interested people learn how to start earning over $100,000 within a week. + You only send me 10% of your profits after you receive them. + No pressure. No gimmicks. Just results. + Send a friend request or DM me (HOW) on Telegram: + @Joinna_Dwayno + (Or use the link in my bio.) + If you’re not serious, don’t message.""", + """ + I'll help the first 10 people interested on how to start earning $100k or more within a week, but you will reimburse me 15% of your profits when you receive it. + Note: only interested people should send a friend request or send me a dm! ask me (HOW) via Telegram + @laula_david2 + Or Click /use the the telegram link on my bio""", + """ + I’m looking for a couple of reliable people (🇺🇸) to help with simple recurring tasks. It’s only 1–2 hours of work per week, fully flexible on your schedule, + and pays $150+ per month, with the potential to increase to $300+ later. If you’re interested in easy side income with minimal time commitment, + send me a message💬 and I’ll share more details. + WhatsApp: +12534267893"""); } private static List provideRealFalsePositiveMessages() { 
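Review bot: The three added scam samples keep what look like the original Telegram handles (`@Joinna_Dwayno`, `@laula_david2`) and a full WhatsApp phone number, whereas the CDN links just above them were reduced to `attachments/1234/5678`. Accounts used for this kind of spam may be compromised accounts of uninvolved people, so committing the identifiers verbatim is best avoided. If the detector keys on the wording and on `Telegram`/`WhatsApp` rather than on the identifiers themselves (not visible here), placeholders such as `@example_handle` and a constructed number would keep the regression value. The enclosing provider method starts outside the hunk.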
@@ -516,6 +535,11 @@ public static void main(String[] args){ It was pretty pricey, and the costs likely differ a lot from country to country (keeping in mind that a portion is importing of equipment to NZ and some is labour in a very different market). We have 13.5KW of storage, a 10KW inverter, 11.5KW of generation and an EV charger. - All up, on a 1% 'green loan', it was $40k NZD (~$23k USD)"""); + All up, on a 1% 'green loan', it was $40k NZD (~$23k USD)""", + "https://store.steampowered.com/app/3176060/Emissary_Zero/", + "https://store.steampowered.com/app/3028330/Battlefield_REDSEC/", + "https://help.steampowered.com/en/faqs/view/49A1-B944-48B8-FF00", + "https://store.steampowered.com/api/appdetails?appids=8930 this endpoint is so cool", + "id play it if it was free maybe https://store.steampowered.com/app/1349230/5DChessWithMultiverseTime_Travel/"); } } From cd9ed91e35c815f63c6c4ea5f7d93474c8dfe587 Mon Sep 17 00:00:00 2001 From: Zabuzard Date: Mon, 17 Nov 2025 11:16:24 +0100 Subject: [PATCH 2/4] fixed a hacking false positive --- application/config.json.template | 3 ++- .../tjbot/features/moderation/scam/ScamDetectorTest.java | 7 ++++--- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/application/config.json.template b/application/config.json.template index 11428330fe..19d90beb9c 100644 --- a/application/config.json.template +++ b/application/config.json.template @@ -42,7 +42,8 @@ "^claim", "teen", "adobe", - "hack", + "^hack$", + "hacks", "steamcommunity", "freenitro", "^earn$", diff --git a/application/src/test/java/org/togetherjava/tjbot/features/moderation/scam/ScamDetectorTest.java b/application/src/test/java/org/togetherjava/tjbot/features/moderation/scam/ScamDetectorTest.java index 8e45d7c58c..619110b9fa 100644 --- a/application/src/test/java/org/togetherjava/tjbot/features/moderation/scam/ScamDetectorTest.java +++ b/application/src/test/java/org/togetherjava/tjbot/features/moderation/scam/ScamDetectorTest.java 
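Review bot: Replacing `hack` with `^hack$` plus `hacks` drops every other form the unanchored entry apparently covered, such as `hacked`, `hacker` and `hackers`, not only the `hacking` that caused the false positive. Nothing in the series adds a scam sample that pins which forms must still be flagged, so the loss of coverage is silent; if those forms matter, list them explicitly next to `hacks` and add one positive test message per form. Patch 4/4 does the same with `teen` → `^teen$`, which also stops matching `teens`. Whether the anchors are applied to the raw token or after punctuation is stripped is not visible here, so a token such as `hack!` is worth a test either way.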
@@ -36,8 +36,8 @@ void setUp() { when(scamConfig.getSuspiciousKeywords()).thenReturn(Set.of("nitro", "boob", "sexy", "sexi", "esex", "steam", "gift", "onlyfans", "bitcoin", "btc", "promo", "trader", "trading", - "whatsapp", "crypto", "^claim", "teen", "adobe", "hack", "steamcommunity", - "freenitro", "^earn$", "^earning", ".exe$", "mrbeast")); + "whatsapp", "crypto", "^claim", "teen", "adobe", "^hack$", "hacks", + "steamcommunity", "freenitro", "^earn$", "^earning", ".exe$", "mrbeast")); when(scamConfig.getHostWhitelist()) .thenReturn(Set.of("discord.com", "discord.media", "discordapp.com", "discordapp.net", "discordstatus.com", "thehackernews.com", "gradle.org", "help.gradle.org", @@ -540,6 +540,7 @@ public static void main(String[] args){ "https://store.steampowered.com/app/3028330/Battlefield_REDSEC/", "https://help.steampowered.com/en/faqs/view/49A1-B944-48B8-FF00", "https://store.steampowered.com/api/appdetails?appids=8930 this endpoint is so cool", - "id play it if it was free maybe https://store.steampowered.com/app/1349230/5DChessWithMultiverseTime_Travel/"); + "id play it if it was free maybe https://store.steampowered.com/app/1349230/5DChessWithMultiverseTime_Travel/", + "Why wouldn't they just take the $150 and not bother hacking an account to get the petfood sent?"); } } From 5bf69bb672f039056fec6bd59817ce6b0a3e2238 Mon Sep 17 00:00:00 2001 From: Zabuzard Date: Mon, 17 Nov 2025 11:23:25 +0100 Subject: [PATCH 3/4] fixed microsoft false positive --- application/config.json.template | 3 ++- .../tjbot/features/moderation/scam/ScamDetectorTest.java | 9 +++++++-- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/application/config.json.template b/application/config.json.template index 19d90beb9c..8544ff3de5 100644 --- a/application/config.json.template +++ b/application/config.json.template 
@@ -65,7 +65,8 @@ "cdn.discordapp.com", "media.discordapp.net", "store.steampowered.com", - "help.steampowered.com" + "help.steampowered.com", + "learn.microsoft.com" ], "hostBlacklist": [ "bit.ly", diff --git a/application/src/test/java/org/togetherjava/tjbot/features/moderation/scam/ScamDetectorTest.java b/application/src/test/java/org/togetherjava/tjbot/features/moderation/scam/ScamDetectorTest.java index 619110b9fa..c901cff9e1 100644 --- a/application/src/test/java/org/togetherjava/tjbot/features/moderation/scam/ScamDetectorTest.java +++ b/application/src/test/java/org/togetherjava/tjbot/features/moderation/scam/ScamDetectorTest.java @@ -42,7 +42,7 @@ void setUp() { .thenReturn(Set.of("discord.com", "discord.media", "discordapp.com", "discordapp.net", "discordstatus.com", "thehackernews.com", "gradle.org", "help.gradle.org", "youtube.com", "www.youtube.com", "cdn.discordapp.com", "media.discordapp.net", - "store.steampowered.com", "help.steampowered.com")); + "store.steampowered.com", "help.steampowered.com", "learn.microsoft.com")); when(scamConfig.getHostBlacklist()).thenReturn(Set.of("bit.ly", "discord.gg", "teletype.in", "t.me", "corematrix.us", "u.to", "steamcommunity.com", "goo.su", "telegra.ph", "shorturl.at", "cheatings.xyz", "transfer.sh", "tobimoller.space")); 
@@ -541,6 +541,11 @@ public static void main(String[] args){ "https://help.steampowered.com/en/faqs/view/49A1-B944-48B8-FF00", "https://store.steampowered.com/api/appdetails?appids=8930 this endpoint is so cool", "id play it if it was free maybe https://store.steampowered.com/app/1349230/5DChessWithMultiverseTime_Travel/", - "Why wouldn't they just take the $150 and not bother hacking an account to get the petfood sent?"); + "Why wouldn't they just take the $150 and not bother hacking an account to get the petfood sent?", + """ + https://learn.microsoft.com/en-us/powershell/scripting/discover-powershell?view=powershell-7.5 + What makes PowerShell unique is that it accepts and returns .NET objects, rather than text. + because of that, but well it says that it returns .NET objects not that the commands are from .NET, + but well as i said i use cmd.exe because i do not know .NET nor powershell"""); } } From 2a47b144c5c74a98f9fc40346c420f3a7ee71d98 Mon Sep 17 00:00:00 2001 From: Zabuzard Date: Mon, 17 Nov 2025 11:46:32 +0100 Subject: [PATCH 4/4] fixed stacktrace false positives --- application/config.json.template | 2 +- .../features/moderation/scam/TokenAnalyse.java | 8 +++++++- .../moderation/scam/ScamDetectorTest.java | 15 ++++++++++++++- 3 files changed, 22 insertions(+), 3 deletions(-) diff --git a/application/config.json.template b/application/config.json.template index 8544ff3de5..5cfe9ac38e 100644 --- a/application/config.json.template +++ b/application/config.json.template @@ -40,7 +40,7 @@ "whatsapp", "crypto", "^claim", - "teen", + "^teen$", "adobe", "^hack$", "hacks", diff --git a/application/src/main/java/org/togetherjava/tjbot/features/moderation/scam/TokenAnalyse.java b/application/src/main/java/org/togetherjava/tjbot/features/moderation/scam/TokenAnalyse.java index 01ea2fff2f..926e74f356 100644 --- a/application/src/main/java/org/togetherjava/tjbot/features/moderation/scam/TokenAnalyse.java 
+++ b/application/src/main/java/org/togetherjava/tjbot/features/moderation/scam/TokenAnalyse.java @@ -5,6 +5,8 @@ import java.net.URI; import java.util.Locale; +import java.util.function.Predicate; +import java.util.regex.Pattern; /** * Analyzes a given text token. Populates various metrics regarding the token possibly being @@ -14,6 +16,10 @@ * {@link #analyze(String, AnalyseResults)}. */ final class TokenAnalyse { + // Tokens like: "org.schema.game.common.data.world.Sector.access$200(Sector.java:120)" + private static final Predicate IS_STACKTRACE_TOKEN = + Pattern.compile("(org|com|de|dev)(\\.[^.()]+){4,15}\\([^.()]+\\.java:\\d+\\)") + .asMatchPredicate(); private final ScamBlockerConfig config; TokenAnalyse(ScamBlockerConfig config) { @@ -27,7 +33,7 @@ final class TokenAnalyse { * @param results metrics representing how suspicious the token is */ void analyze(String token, AnalyseResults results) { - if (token.isBlank()) { + if (token.isBlank() || IS_STACKTRACE_TOKEN.test(token)) { return; } diff --git a/application/src/test/java/org/togetherjava/tjbot/features/moderation/scam/ScamDetectorTest.java b/application/src/test/java/org/togetherjava/tjbot/features/moderation/scam/ScamDetectorTest.java index c901cff9e1..e4fda78ec2 100644 --- a/application/src/test/java/org/togetherjava/tjbot/features/moderation/scam/ScamDetectorTest.java +++ b/application/src/test/java/org/togetherjava/tjbot/features/moderation/scam/ScamDetectorTest.java 
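Review bot: `IS_STACKTRACE_TOKEN` makes `analyze` return before any keyword or URL check, yet its segments are `[^.()]+`, which accepts any character except a dot or parenthesis, so a token only needs to start with `org`, `com`, `de` or `dev`, carry at least four dot-separated segments and end in something like `(x.java:1)` to be exempt from scam analysis. Restricting the segments to identifier characters keeps the exemption to text that really looks like a frame, for example `"(org|com|de|dev)(\\.[\\w$<>]+){4,15}\\([\\w$]+\\.java:\\d+\\)"`. The fixed prefix list also means frames from `java.`, `net.` or `io.` packages are still analysed as before, which deserves a sentence in the comment above the constant, and the Javadoc of `analyze` should say that stack-trace tokens are skipped. A unit test with a frame-shaped token that carries a suspicious keyword would pin the intended behaviour.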
@@ -546,6 +546,19 @@ public static void main(String[] args){ https://learn.microsoft.com/en-us/powershell/scripting/discover-powershell?view=powershell-7.5 What makes PowerShell unique is that it accepts and returns .NET objects, rather than text. because of that, but well it says that it returns .NET objects not that the commands are from .NET, - but well as i said i use cmd.exe because i do not know .NET nor powershell"""); + but well as i said i use cmd.exe because i do not know .NET nor powershell""", + """ + Exception in thread "ServerEntityWriterThread" + java.lang.NoSuchMethodError: org.schema.game.common.controller.rails.RailRelation.isLocked()Z + at org.schema.game.common.controller.rails.RailController.getDockedTag(RailController.java:2686) + at org.schema.game.common.controller.rails.RailController.getTag(RailController.java:2652) + at org.schema.game.common.controller.SegmentController.toTagStructure(SegmentController.java:2813) + at org.schema.game.common.data.EntityFileTools.write(EntityFileTools.java:57) + at org.schema.game.server.controller.GameServerController.writeEntity(GameServerController.java:2938) + at org.schema.game.common.data.world.Sector.writeSingle(Sector.java:2570) + at org.schema.game.common.data.world.Sector.writeEntity(Sector.java:2546) + at org.schema.game.common.data.world.Sector.access$200(Sector.java:120) + at org.schema.game.common.data.world.Sector$3.run(Sector.java:2665) + at org.schema.schine.network.server.ServerEntityWriterThread.run(ServerEntityWriterThread.java:74)"""); } }