Added scam detector and first version of scam blocker

Zabuzard · Zabuzard · commit c05f23706478 · 2022-02-21T17:21:02.000+01:00
diff --git a/application/config.json.template b/application/config.json.template
@@ -21,5 +21,12 @@
        "channelPattern": "tj_suggestions",
        "upVoteEmoteName": "peepo_yes",
        "downVoteEmoteName": "peepo_no"
+   },
+   "scamBlocker": {
+       "mode": "AUTO_DELETE_BUT_APPROVE_QUARANTINE",
+       "hostWhitelist": ["discord.com", "discord.gg", "discord.media", "discordapp.com", "discordapp.net", "discordstatus.com"],
+       "hostBlacklist": ["bit.ly"],
+       "suspiciousHostKeywords": ["discord", "nitro", "premium"],
+       "isHostSimilarToKeywordDistanceThreshold": 2
    }
 }
diff --git a/application/src/main/java/org/togetherjava/tjbot/commands/Features.java b/application/src/main/java/org/togetherjava/tjbot/commands/Features.java
@@ -9,6 +9,7 @@
 import org.togetherjava.tjbot.commands.free.FreeCommand;
 import org.togetherjava.tjbot.commands.mathcommands.TeXCommand;
 import org.togetherjava.tjbot.commands.moderation.*;
+import org.togetherjava.tjbot.commands.moderation.scam.ScamBlocker;
 import org.togetherjava.tjbot.commands.moderation.temp.TemporaryModerationRoutine;
 import org.togetherjava.tjbot.commands.system.BotCore;
 import org.togetherjava.tjbot.commands.tags.TagCommand;
@@ -65,6 +66,7 @@ public enum Features {
         // Message receivers
         features.add(new TopHelpersMessageListener(database, config));
         features.add(new SuggestionsUpDownVoter(config));
+        features.add(new ScamBlocker(config));
 
         // Event receivers
         features.add(new RejoinMuteListener(actionsStore, config));
diff --git a/application/src/main/java/org/togetherjava/tjbot/commands/moderation/scam/ScamBlocker.java b/application/src/main/java/org/togetherjava/tjbot/commands/moderation/scam/ScamBlocker.java
@@ -0,0 +1,72 @@
+package org.togetherjava.tjbot.commands.moderation.scam;
+
+import net.dv8tion.jda.api.events.message.guild.GuildMessageReceivedEvent;
+import org.jetbrains.annotations.NotNull;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.togetherjava.tjbot.commands.MessageReceiverAdapter;
+import org.togetherjava.tjbot.config.Config;
+import org.togetherjava.tjbot.config.ScamBlockerConfig;
+
+import java.util.regex.Pattern;
+
+/**
+ * Listener that receives all sent messages from channels, checks them for scam and takes
+ * appropriate action.
+ * <p>
+ * If scam is detected, depending on the configuration, the blockers actions range from deleting the
+ * message and banning the author to just logging the message for auditing.
+ */
+public final class ScamBlocker extends MessageReceiverAdapter {
+    private static final Logger logger = LoggerFactory.getLogger(ScamBlocker.class);
+
+    private final ScamBlockerConfig.Mode mode;
+    private final ScamDetector scamDetector;
+
+    /**
+     * Creates a new listener to receive all message sent in any channel.
+     *
+     * @param config the config to use for this
+     */
+    public ScamBlocker(@NotNull Config config) {
+        super(Pattern.compile(".*"));
+
+        mode = config.getScamBlocker().getMode();
+        scamDetector = new ScamDetector(config);
+    }
+
+    @Override
+    public void onMessageReceived(@NotNull GuildMessageReceivedEvent event) {
+        if (event.getAuthor().isBot() || event.isWebhookMessage()) {
+            return;
+        }
+
+        if (mode == ScamBlockerConfig.Mode.OFF) {
+            return;
+        }
+
+        String content = event.getMessage().getContentDisplay();
+        if (!scamDetector.isScam(content)) {
+            return;
+        }
+
+        takeAction(event);
+    }
+
+    private void takeAction(@NotNull GuildMessageReceivedEvent event) {
+        switch (mode) {
+            case OFF -> throw new AssertionError(
+                    "The OFF-mode should be detected earlier already to prevent expensive computation");
+            case ONLY_LOG -> takeActionLogOnly(event);
+            case APPROVE_FIRST, AUTO_DELETE_BUT_APPROVE_QUARANTINE, AUTO_DELETE_AND_QUARANTINE -> throw new UnsupportedOperationException(
+                    "Mode not supported yet: " + mode);
+            default -> throw new IllegalArgumentException("Mode not supported: " + mode);
+        }
+    }
+
+    private static void takeActionLogOnly(@NotNull GuildMessageReceivedEvent event) {
+        logger.warn("Detected a scam message ('{}') from user '{}' in channel '{}' of guild '{}'.",
+                event.getMessageId(), event.getAuthor().getId(), event.getChannel().getId(),
+                event.getGuild().getId());
+    }
+}
diff --git a/application/src/main/java/org/togetherjava/tjbot/commands/moderation/scam/ScamDetector.java b/application/src/main/java/org/togetherjava/tjbot/commands/moderation/scam/ScamDetector.java
@@ -0,0 +1,105 @@
+package org.togetherjava.tjbot.commands.moderation.scam;
+
+import org.jetbrains.annotations.NotNull;
+import org.togetherjava.tjbot.commands.utils.StringDistances;
+import org.togetherjava.tjbot.config.Config;
+import org.togetherjava.tjbot.config.ScamBlockerConfig;
+
+import java.net.URI;
+import java.util.regex.Pattern;
+
+public class ScamDetector {
+    private static final Pattern TOKENIZER = Pattern.compile("[\\s,]");
+    private final ScamBlockerConfig config;
+
+    public ScamDetector(@NotNull Config config) {
+        this.config = config.getScamBlocker();
+    }
+
+    public boolean isScam(@NotNull CharSequence message) {
+        AnalyseResults results = new AnalyseResults();
+        TOKENIZER.splitAsStream(message).forEach(token -> analyzeToken(token, results));
+        return isScam(results);
+    }
+
+    private boolean isScam(@NotNull AnalyseResults results) {
+        if (results.pingsEveryone && results.containsNitroKeyword && results.hasUrl) {
+            return true;
+        }
+        return results.containsNitroKeyword && results.hasSuspiciousUrl;
+    }
+
+    private void analyzeToken(@NotNull String token, @NotNull AnalyseResults results) {
+        if ("@everyone".equalsIgnoreCase(token)) {
+            results.pingsEveryone = true;
+        }
+        if ("nitro".equalsIgnoreCase(token)) {
+            results.containsNitroKeyword = true;
+        }
+
+        if (token.startsWith("http")) {
+            analyzeUrl(token, results);
+        }
+    }
+
+    private void analyzeUrl(@NotNull String url, @NotNull AnalyseResults results) {
+        String host;
+        try {
+            host = URI.create(url).getHost();
+        } catch (IllegalArgumentException e) {
+            // Invalid urls are not scam
+            return;
+        }
+        if (host == null) {
+            return;
+        }
+
+        results.hasUrl = true;
+
+        if (config.getHostWhitelist().contains(host)) {
+            return;
+        }
+
+        if (config.getHostBlacklist().contains(host)) {
+            results.hasSuspiciousUrl = true;
+            return;
+        }
+
+        for (String keyword : config.getSuspiciousHostKeywords()) {
+            if (isHostSimilarToKeyword(host, keyword)) {
+                results.hasSuspiciousUrl = true;
+                break;
+            }
+        }
+    }
+
+    private boolean isHostSimilarToKeyword(String host, String keyword) {
+        // NOTE This algorithm is far from optimal.
+        // It is good enough for our purpose though and not that complex.
+
+        // Rolling window of keyword-size over host.
+        // If any window has a small distance, it is similar
+        int windowStart = 0;
+        int windowEnd = keyword.length();
+        while (windowEnd <= host.length()) {
+            String window = host.substring(windowStart, windowEnd);
+            int distance = StringDistances.editDistance(keyword, window);
+
+            if (distance <= config.getIsHostSimilarToKeywordDistanceThreshold()) {
+                return true;
+            }
+
+            windowStart++;
+            windowEnd++;
+        }
+
+        return false;
+    }
+
+    private static class AnalyseResults {
+        private boolean pingsEveryone;
+        private boolean containsNitroKeyword;
+        private boolean hasUrl;
+        private boolean hasSuspiciousUrl;
+    }
+}
diff --git a/application/src/main/java/org/togetherjava/tjbot/commands/moderation/scam/package-info.java b/application/src/main/java/org/togetherjava/tjbot/commands/moderation/scam/package-info.java
@@ -0,0 +1,5 @@
+/**
+ * This package offers classes dealing with detecting scam messages and taking appropriate action,
+ * see {@link org.togetherjava.tjbot.commands.moderation.scam.ScamBlocker} as main entry point.
+ */
+package org.togetherjava.tjbot.commands.moderation.scam;
diff --git a/application/src/main/java/org/togetherjava/tjbot/config/Config.java b/application/src/main/java/org/togetherjava/tjbot/config/Config.java
@@ -27,6 +27,7 @@ public final class Config {
     private final List<FreeCommandConfig> freeCommand;
     private final String helpChannelPattern;
     private final SuggestionsConfig suggestions;
+    private final ScamBlockerConfig scamBlocker;
 
     @SuppressWarnings("ConstructorWithTooManyParameters")
     @JsonCreator(mode = JsonCreator.Mode.PROPERTIES)
@@ -41,7 +42,8 @@ private Config(@JsonProperty("token") String token,
             @JsonProperty("tagManageRolePattern") String tagManageRolePattern,
             @JsonProperty("freeCommand") List<FreeCommandConfig> freeCommand,
             @JsonProperty("helpChannelPattern") String helpChannelPattern,
-            @JsonProperty("suggestions") SuggestionsConfig suggestions) {
+            @JsonProperty("suggestions") SuggestionsConfig suggestions,
+            @JsonProperty("scamBlocker") ScamBlockerConfig scamBlocker) {
         this.token = token;
         this.databasePath = databasePath;
         this.projectWebsite = projectWebsite;
@@ -54,6 +56,7 @@ private Config(@JsonProperty("token") String token,
         this.freeCommand = Collections.unmodifiableList(freeCommand);
         this.helpChannelPattern = helpChannelPattern;
         this.suggestions = suggestions;
+        this.scamBlocker = scamBlocker;
     }
 
     /**
@@ -169,7 +172,7 @@ public String getTagManageRolePattern() {
      *
      * @return the channel name pattern
      */
-    public String getHelpChannelPattern() {
+    public @NotNull String getHelpChannelPattern() {
         return helpChannelPattern;
     }
 
@@ -178,7 +181,16 @@ public String getHelpChannelPattern() {
      *
      * @return the suggestion system config
      */
-    public SuggestionsConfig getSuggestions() {
+    public @NotNull SuggestionsConfig getSuggestions() {
         return suggestions;
     }
+
+    /**
+     * Gets the config for the scam blocker system.
+     *
+     * @return the scam blocker system config
+     */
+    public @NotNull ScamBlockerConfig getScamBlocker() {
+        return scamBlocker;
+    }
 }
diff --git a/application/src/main/java/org/togetherjava/tjbot/config/ScamBlockerConfig.java b/application/src/main/java/org/togetherjava/tjbot/config/ScamBlockerConfig.java
@@ -0,0 +1,113 @@
+package org.togetherjava.tjbot.config;
+
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.annotation.JsonRootName;
+import org.jetbrains.annotations.NotNull;
+
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.Set;
+
+/**
+ * Configuration for the scam blocker system, see
+ * {@link org.togetherjava.tjbot.commands.moderation.scam.ScamBlocker}.
+ */
+@SuppressWarnings("ClassCanBeRecord")
+@JsonRootName("scamBlocker")
+public final class ScamBlockerConfig {
+    private final Mode mode;
+    private final Set<String> hostWhitelist;
+    private final Set<String> hostBlacklist;
+    private final Set<String> suspiciousHostKeywords;
+    private final int isHostSimilarToKeywordDistanceThreshold;
+
+    @JsonCreator(mode = JsonCreator.Mode.PROPERTIES)
+    private ScamBlockerConfig(@JsonProperty("mode") Mode mode,
+            @JsonProperty("hostWhitelist") Set<String> hostWhitelist,
+            @JsonProperty("hostBlacklist") Set<String> hostBlacklist,
+            @JsonProperty("suspiciousHostKeywords") Set<String> suspiciousHostKeywords,
+            @JsonProperty("isHostSimilarToKeywordDistanceThreshold") int isHostSimilarToKeywordDistanceThreshold) {
+        this.mode = mode;
+        this.hostWhitelist = new HashSet<>(hostWhitelist);
+        this.hostBlacklist = new HashSet<>(hostBlacklist);
+        this.suspiciousHostKeywords = new HashSet<>(suspiciousHostKeywords);
+        this.isHostSimilarToKeywordDistanceThreshold = isHostSimilarToKeywordDistanceThreshold;
+    }
+
+    /**
+     * Gets the mode of the scam blocker. Controls which actions it takes when detecting scam.
+     *
+     * @return the scam blockers mode
+     */
+    public @NotNull Mode getMode() {
+        return mode;
+    }
+
+    /**
+     * Gets the set of trusted hosts. Urls using those hosts are not considered scam.
+     *
+     * @return the whitelist of hosts
+     */
+    public @NotNull Set<String> getHostWhitelist() {
+        return Collections.unmodifiableSet(hostWhitelist);
+    }
+
+    /**
+     * Gets the set of known scam hosts. Urls using those hosts are considered scam.
+     *
+     * @return the blacklist of hosts
+     */
+    public @NotNull Set<String> getHostBlacklist() {
+        return Collections.unmodifiableSet(hostBlacklist);
+    }
+
+    /**
+     * Gets the set of keywords that are considered suspicious if they appear in host names. Urls
+     * using hosts that have those, or similar, keywords in their name, are considered suspicious.
+     *
+     * @return the set of suspicious host keywords
+     */
+    public @NotNull Set<String> getSuspiciousHostKeywords() {
+        return Collections.unmodifiableSet(suspiciousHostKeywords);
+    }
+
+    /**
+     * Gets the threshold used to determine whether a host is similar to a given keyword. If the
+     * host contains an infix with an edit distance that is below this threshold, they are
+     * considered similar.
+     *
+     * @return the threshold to determine similarity
+     */
+    public int getIsHostSimilarToKeywordDistanceThreshold() {
+        return isHostSimilarToKeywordDistanceThreshold;
+    }
+
+    /**
+     * Mode of a scam blocker. Controls which actions it takes when detecting scam.
+     */
+    public enum Mode {
+        /**
+         * The blocker is turned off and will not scan any messages for scam.
+         */
+        OFF,
+        /**
+         * The blocker will log any detected scam but will not take action on them.
+         */
+        ONLY_LOG,
+        /**
+         * Detected scam will be sent to moderators for review. Any action has to be approved
+         * explicitly first.
+         */
+        APPROVE_FIRST,
+        /**
+         * Detected scam will automatically be deleted. A moderator will be informed for review.
+         * They can then decide whether the user should be put into quarantine.
+         */
+        AUTO_DELETE_BUT_APPROVE_QUARANTINE,
+        /**
+         * The blocker will automatically delete any detected scam and put the user into quarantine.
+         */
+        AUTO_DELETE_AND_QUARANTINE
+    }
+}

Original file line number	Diff line number	Diff line change
`@@ -21,5 +21,12 @@`
`21`	`21`	`"channelPattern": "tj_suggestions",`
`22`	`22`	`"upVoteEmoteName": "peepo_yes",`
`23`	`23`	`"downVoteEmoteName": "peepo_no"`
	`24`	`+ },`
	`25`	`+ "scamBlocker": {`
	`26`	`+ "mode": "AUTO_DELETE_BUT_APPROVE_QUARANTINE",`
	`27`	`+ "hostWhitelist": ["discord.com", "discord.gg", "discord.media", "discordapp.com", "discordapp.net", "discordstatus.com"],`
	`28`	`+ "hostBlacklist": ["bit.ly"],`
	`29`	`+ "suspiciousHostKeywords": ["discord", "nitro", "premium"],`
	`30`	`+ "isHostSimilarToKeywordDistanceThreshold": 2`
`24`	`31`	`}`
`25`	`32`	`}`