Does IPFS have an abuse team?

I have sent several emails about phishing / scamming on IPFS (abuse@protocol.ai, abuse@ipfs.io, security@ipfs.io).

It’s unbelievable there is no abuse team to take down urls like this:

https://fleek.ipfs.io/ipfs/QmQ7fRju6sqwuDtt86KmqiY5GGKtxRDqwJLwoYdEJWqvBA/?andy@firman.us

and this:

https://ipfs.io/ipfs/QmcpM8VS3x46iYYvQrvNBE8y2MWmurWBqqRfnqkCVshnwY/#andy@firman.us


I have emailed several times to abuse@protocol.ai, abuse@ipfs.io, security@ipfs.io

No answer. Phishing urls are still active.

Where are the security or abuse teams?


Thanks for reporting this. I’ve relayed the message to the team handling these.

They have already replied last week and issued takedowns for some of the submitted CIDs. We’re investigating why they’re still available via the ipfs.io gateway.


Thanks @danieln and @firmdog

We corrected an issue in the gateways that was preventing the actual blocking of the URLs you provided, even though the requests had been processed as they arrived. Normally the abuse team doesn’t reply and directly triggers blocks, but they were unaware of the issue, so they didn’t raise it with the infra team. Sorry for the distress it caused and thanks again for raising it.

The two urls should now appear as 410 (mind your browser might still display cached results).


Every time I get a phishing link hosted by IPFS, it takes me days / weeks for a response by your abuse team. If you are going to launch a product, you need to scale appropriately with a properly staffed abuse team. This has happened about 10 times now for just one of my email addresses. IPFS needs to take this seriously and provide proper monitoring and decent cyber security. It’s irresponsible what I am seeing with IPFS abuse.


I’d like to second this. I work at a CERT and currently, the majority of account phishing emails that come to us use either ifps.dweb.link or ifps.io links. A quick and easy-to-find shutdown mechanism for these cases is sorely needed! Please also see documentation issue 1458.

Here’s a few I reported yesterday to abuse@ifps.io but which still seem to be online (some seem to occasionally give 503 Service Temporarily Unavailable):

Oh wonderful, an automated spam filter hid my post giving examples of ifps links with phishing content.

I work for a CERT, and the majority of spammed phishing messages these days have ifps.io or ipfs.dweb.link links. Here is a bunch of links I sent to abuse@ifps.io yesterday and which still seem to be up (replace xx with tt, of course):


Today is your day in the barrel, and you better get your act together quickly or people will start blocking outgoing links to these systems.

I removed the flag, sorry for the inconvenience.

This one instance has been removed (openresty returns 410 Gone) but all the rest of these scams still work.

We’ve worked on blocking a number of reported CIDs so this should be sorted now.

If there are still any CIDs that should be blocked and have been reported, please let us know either via the abuse email or in a private message.

I’ve now submitted a batch of a dozen to abuse@ifps.io; I hope they get taken down before the weekend.


They keep on phishing at ipfs, here is another one:

https://ipfs.io/ipfs/QmPo9XAHybNtDnSnu95BDDeMFCPwHdsAtBACqo8MkRKe8X?clientID=andy@firman.us

Here are again a bunch of active phishing sites I’ve just sent to abuse@ifps.io:


I don’t think IPFS has a well-staffed abuse or infosec team, if it has any staff at all.

I think it’s irresponsible to put a live service on the Internet without any phishing or abuse protection.


And I think you are missing the point entirely.

Do you expect your ISP to block you from anything malicious on the internet? No, they are just a gateway to the internet, where you go is your responsibility.

Well, ipfs.io is just a gateway to the ipfs network, where you go on ipfs is your responsibility.

It’s nice that they actually try to filter some things, but it’s really not their focus, they have better things to do.


Then IPFS will eventually get blacklisted by SURBL or other tools. The reputation of IPFS will suffer greatly if this continues. Good luck to all of you at IPFS.

FWIW (and maybe you already understand this), the ipfs gateway at ipfs.io is just one of many, and an HTTP gateway is more of just a portal into IPFS. Just like HTTP anyone can make any content they want available though, so it’s an endless task to block every single malicious CID.

With this understanding, the reason ipfs.io isn’t blocked (because it has been in the past), is because some spam lists (like Google’s) can be configured to see the gateway as a gateway, and only block certain CIDs / IPNS addresses.

In this case, the malicious links are of the form //ifps.io/... or //...ifps.deweb.link/ and since it is not immediately obvious they are hosted somewhere else, they have become your problem. Your service is being used by scammers for link obfuscation, since there is no obvious way to “dereference” the links to find the actual hosting site.

PS. I’m glad to see that at least a part of the links I posted above are now “410 Gone”.
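Added example, not part of the thread or of any IPFS project code: since the gateways block by CID, an abuse report or local blocklist is most useful when each reported link is reduced to its CID. This sketch handles the two URL forms seen in the thread (path style and subdomain style) and drops the query and fragment, which carry the recipient's address. The CID pattern is a loose shape check rather than a full decoder, and the sample CIDs are constructed.

```python
import re
from urllib.parse import urlsplit

# Loose shape check (assumption): CIDv0 is "Qm" + 44 base58 characters,
# CIDv1 in base32 starts with "baf" followed by lowercase base32 characters.
CID_RE = re.compile(r"^(Qm[1-9A-HJ-NP-Za-km-z]{44}|baf[a-z2-7]{50,})$")

def extract_cid(url):
    """Return (cid, gateway_host, style) for an IPFS gateway URL, else None."""
    url = re.sub(r"^hxxp", "http", url.strip(), flags=re.I)  # undo defanging
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # Path style: https://<gateway>/ipfs/<cid>/...
    segs = [s for s in parts.path.split("/") if s]
    if len(segs) >= 2 and segs[0] == "ipfs" and CID_RE.match(segs[1]):
        return segs[1], host, "path"
    # Subdomain style: https://<cid>.ipfs.<gateway>/...
    labels = host.split(".")
    if len(labels) >= 3 and labels[1] == "ipfs" and CID_RE.match(labels[0]):
        return labels[0], ".".join(labels[2:]), "subdomain"
    return None

def build_report(urls):
    """Group reported links by CID and list the gateways each was seen on.
    Query strings and fragments are discarded, so recipient addresses
    never end up in the report."""
    report = {}
    for u in urls:
        hit = extract_cid(u)
        if hit is None:
            continue  # not a recognisable gateway link
        cid, gateway, _style = hit
        report.setdefault(cid, set()).add(gateway)
    return {cid: sorted(gws) for cid, gws in report.items()}

# Constructed sample input (placeholder CIDs, not real content).
V0 = "Qm" + "A" * 44
V1 = "bafybei" + "a" * 52
SAMPLE = [
    f"hxxps://ipfs.io/ipfs/{V0}?filename=index.html#user@example.com",
    f"https://{V1}.ipfs.dweb.link/login.html#user@example.com",
    f"https://ipfs.io/ipfs/{V1}#other@example.com",
    "https://example.com/ipfs/not-a-cid",
]

if __name__ == "__main__":
    for cid, gateways in build_report(SAMPLE).items():
        print(cid, ",".join(gateways))
```

The same content can be addressed by both a CIDv0 and a CIDv1 string; this sketch does not convert between them, so each form is reported as seen.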