Anti-Bypass Policy
This page explains how Luarmor detects bypassed completions and how it handles them.
Luarmor utilizes active & passive detections against bypassed redirections and puts the user on a cooldown, although most of the time, we are limited to the APIs provided by advertiser platforms (like Linkvertise hash, work.ink token callback etc...) and some browser headers.
However, on 20th of August, we began detecting the presence of certain "userscripts", known to be undetectable even by the advertiser platforms, which shouldn't be a challenge for them considering that the userscript is literally running on their page.
From now on, Luarmor detects some of these "premium" userscripts with high accuracy and blacklists the user. Between 23/08 - 31/08, more than 2500 sessions have been blacklisted and 1700+ discord IDs flagged for bypassing the ad steps.
You can see the effectiveness of these new mitigations below:
What does this mean for you?
If you are using the ad system, it is possible that some users might get prompted with "Connect Discord" prompt. It is there to detect blacklisted discord IDs, and force bypassers to find another aged discord account.
When does this "connect discord" prompt pop up?
If your visitor is visiting the site with an abusive IP address (e.g Mullvad, M247 EU, Datacamp, some datacenter ASNs), they will be prompted with Discord linking screen.,
If visitor is triggering certain soft detections, they will be prompted with a discord connection screen.
Statistics: - Bypassed completions are less than 2% of the overall Luarmor ad traffic in most cases, and it does not have a noticeable impact on your revenue. In fact, these bypass mitigations will result in more authentic conversions, a.k.a higher CPM.
- VPN users only have to link their discord accounts once, and they will never be prompted again. This process is frictionless, and only a very small % of total visitors are prompted to connect their discord. - Not every userscript is detected, some of them can't be detected due to their nature. However, we are currently working with the Lootlabs and Linkvertise team to give us access to certain APIs that will allow us to see more than just the callback headers. - In some cases, Luarmor might not blacklist the user right away, but let them complete a few more times. This might be needed to make sure that there's no room for false detections.
Are you aware of a bypass method? Share it with us in our discord server and we will reverse engineer it to see what can be done.
For script users / visitors:
This section gives details about Luarmor's ad system and the anti bypass measures it has.
Script owners on Luarmor can earn money through ad-link services like Linkvertise, Lootlabs. If somebody bypasses them, it does not count as a valid click and script owner misses out on that potential revenue.
To combat this issue, Luarmor performs extensive checks against bypass services, userscripts and bots. When a session is blacklisted, we don't want the user to get around this blacklist by switching browsers, therefore we ask them to connect their discord account to Luarmor so we can be sure that they are not the same person as the one who got blacklisted. (Because it is more time consuming to create an alt account and verify it, than to simply open an incognito tab)
For regular users who don't bypass, or have no idea about bypassing, they don't have to connect their discord at all. You are only required to do it when something looks off with your browser. Plugins, VPN, antibot scores etc... All of these parameters contribute to this "risk score" to decide if you should connect your discord or not.
Connecting discord? Is it safe? A: Yes, Luarmor OAuth2 integration does not require any privileged scope. It can only see your discord ID.
https://discord.com/developers/docs/topics/oauth2
You can see the scope requirements of Luarmor:
This means that it can only see the discord ID and any data that can be derived from it (like discord username, avatar). But Luarmor only cares about the discord ID. Can not see your guilds, can not see your messages.
It can not change anything on your profile, it's read-only. Discord API does not have any vulnerability in their OAuth2 implementation. Therefore it is safe to link.
This is the most minimal form of OAuth2. Other apps on discord usually require a lot more personal level access to your account, email, guilds you're in (e.g Vaultcord, restorecord etc).
If you prefer extra caution, feel free to link an alt account.
Activity in bypass communities?
Luarmor does not blacklist you for just being in a bypass-related community, that would be unfair and prone to a lot of false positives.
We have "self bots" in certain communities related to bypassing ad links, and we check messages sent by their developers to catch up with their methods. This is entirely automated, because manual review would be time consuming and impractical. Here is an example of a flagged message sent in a public channel with 40K members:
This bot only scans public discussions for technical methods being shared, where people don't usually expect reasonable privacy (because it is a public chat room). Thanks to this bot, we have detected their method before anyone had the chance to use it.
If you are a part of a community like this, you don't need to worry because we don't specifically care about your activity. Anyone can use the "search" box on discord to lookup any message sent by anyone. We just automate this process with certain keywords and users. This does not mean you are being "tracked" unless you are one of few people who develop malicious bypass methods against ad-link services. π We are only interested in activity directly related to developing or distributing bypass methods, not ordinary participation.
Browser cookies, IP address etc..?
Luarmor tells you exactly what it collects when you visit a Luarmor link for the first time:
After all, it is a website running on your browser and it can not access anything personal other than your IP address and whatever data is accessible by browser's JavaScript API. It can not track your activity on other sites, it can not track anything about you when you close the tab. That is simply how browsers work. Most browsers utilize anti-fingerprinting methods that makes it nearly impossible to track you on an incognito tab with a VPN. If you want privacy, use an incognito tab that completely vanishes when you close it. Or, don't bypass the links and you don't need to worry about any of this. After 7-10 days of inactivity, Luarmor does not retain any data about you or your session unless you are blacklisted for bypassing.
Conclusion:
These methods are proven to be efficient when it comes to detecting bypasses and we observed a ~70% decrease in bypass attempts because no one wants to be bothered with getting around a blacklist every time with a fresh discord account. This does not affect everyday regular visitors, only 10% of them are prompted with a "connect discord" requirement.
For questions, join discord.gg/luarmor and create a ticket.
Last updated