Fraudsters, bots and cybercriminals are doing their best to circumvent existing anti-fraud technology. Foretoken was designed with modern anti-fraud tooling that adapts to developing threats and to the latest techniques used by hackers, cybercriminals and abusive users.
Installation and Config
Installation is simple. You can either run it locally using:
git clone https://github.com/domgolonka/foretoken
cd ./foretoken
make build && ./bin/foretoken
or run it in Docker:
docker build -t foretoken .
docker run --rm -t foretoken
Configuration File
One of the benefits of Foretoken is that it is profoundly customizable. By default, the config.yml in the root directory is used. If you want to use a different config file, for example for Staging or Production, start Foretoken with the --config flag:
./bin/foretoken --config=./config.prod.yml
The configuration file can be customized to suit your needs. The main variables to change are the ones below:
publicport: ":8080"
grpcport: ":8082"
env: "dev"
autotls: false
debug: true
More available here: https://foretoken.domgolonka.com/docs/config
External API Keys
You can define all your external API keys in the .env file. Foretoken uses a few external services to help you improve the scoring of IPs and emails, including MaxMind, IP2Location and Have I Been Pwned.
PWNEDKEY=
MAXMIND=
Storage
Foretoken can use in-memory SQLite, file-backed SQLite or PostgreSQL. It is recommended that you leave the default in-memory SQLite for faster reads and writes. If you want to change the database, you must do it in the config.yml file:
database:
type: "postgresql"
name: "foretoken"
host: "localhost"
port: 5432
username: "postgres"
password: "postgres"
timezone: "America/Vancouver"
ssl: false
Preventing Fraud using Foretoken
Foretoken can be called asynchronously or synchronously from any other microservice to detect bad actors. The diagram above is a simple implementation in which we use Foretoken to check the IPs and emails of users logging in to and/or signing up for our services.
Preventing Bad Actors Using The Scoring System
The overall Fraud Score combines the reputation and recent behaviour of the email and the IP across the threat network. Fraud Scores >= 75 are suspicious, but not necessarily fraudulent. The fraud scoring is customizable in the config.yml file.
Fraud Sources
The source files are listed below and are located in the resource directory. My advice would be to add and modify the files: add your own sources to increase the chances of preventing fraud. Each file has a different function in the database. Any file starting with email_ belongs to the email component of the application, while any file starting with ip_ belongs to the IP component.
Each file takes in an array of sources:
{
  "name": "stopforumspam",
  "url": "https://www.stopforumspam.com/downloads/toxic_domains_whole.txt",
  "timeout": 10,
  "feed": [
    {
      "score": 3,
      "expression": "domain"
    }
  ]
}
- Name: the name of the source.
- URL: the URL of the source; this can be a text file, an ipset or something similar.
- Timeout: the time before the request to the URL times out.
- Feed: an array of feeds.
- Score: the score, between 0 and 5 (with 5 being the highest priority).
- Expression: the name of a regular expression defined in expressions.json (see below).
For each source, you can have multiple feeds with multiple expressions. For example, if a source contains both IPv4 and IPv6 addresses, you can reference a different regular expression for each.
Regex (expressions.json)
The regular expression file, resource/expressions.json, is used by the source files above to find an IP or a domain/email. It is an array of entries like the following:
[
  {
    "name": "domain",
    "expression": "^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\\.)+[a-z0-9][a-z0-9-]{0,61}[a-z0-9]$",
    "type": "domain"
  }
]
- Name: the name of the expression (which is referenced from the source files above).
- Expression: a Go-compatible (RE2 syntax) regular expression.
- Type: the type that will be saved in the database. The following are recommended: ipv4, ipv6, sock5, sock4, https, http, domain.
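To show how a source file and expressions.json fit together, here is an added example in Go; it is not Foretoken's own code. It loads a constructed source definition and expression list in the formats above, compiles each expression once, checks that every feed names a real expression, and scores the lines of a constructed feed body. The domain pattern is the one quoted above; the ipv4 pattern, the feed contents and the lowercase normalisation are this example's own assumptions.

```go
package main
import "encoding/json"
import "fmt"
import "regexp"
import "strings"
// Minimal views of a source file and an expressions.json entry from the post; encoding/json
// matches keys case-insensitively, and keys not modelled here (url, timeout) are ignored.
type Expression struct{ Name, Expression, Type string }
type Feed struct{ Score int; Expression string }
type Source struct{ Name string; Feed []Feed }
type Match struct{ Type, Value string; Score int } // one scored indicator from a feed
// Constructed sample data, not the project's files: the domain pattern is the post's; the ipv4 pattern and feed body are assumptions.
const exprJSON = `[{"name":"domain","type":"domain","expression":"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\\.)+[a-z0-9][a-z0-9-]{0,61}[a-z0-9]$"},{"name":"ipv4","type":"ipv4","expression":"^(?:\\d{1,3}\\.){3}\\d{1,3}$"}]`
const srcJSON = `{"name":"example-feed","url":"https://feed.example/list.txt","timeout":10,"feed":[{"score":3,"expression":"domain"},{"score":5,"expression":"ipv4"}]}`
const feedBody = "# constructed feed\nspam-example.test\n203.0.113.7\nnot a valid entry!\nMIXED.Case.Example\n"
// ClassifyFeed compiles every expression once, rejects a source that names a missing
// expression, then tags each matching line of body with the type and the feed's score.
func ClassifyFeed(exprJSON, srcJSON, body string) ([]Match, error) {
	var exprs []Expression
	var src Source
	if err := json.Unmarshal([]byte(exprJSON), &exprs); err != nil {
		return nil, err
	}
	if err := json.Unmarshal([]byte(srcJSON), &src); err != nil {
		return nil, err
	}
	compiled, types := map[string]*regexp.Regexp{}, map[string]string{}
	for _, e := range exprs {
		re, err := regexp.Compile(e.Expression) // a pattern Go's RE2 engine rejects fails the load
		if err != nil {
			return nil, fmt.Errorf("expression %q: %w", e.Name, err)
		}
		compiled[e.Name], types[e.Name] = re, e.Type
	}
	for _, f := range src.Feed {
		if compiled[f.Expression] == nil {
			return nil, fmt.Errorf("source %q references unknown expression %q", src.Name, f.Expression)
		}
	}
	var out []Match
	for _, raw := range strings.Split(body, "\n") {
		line := strings.ToLower(strings.TrimSpace(raw)) // the domain pattern is lowercase-only
		for _, f := range src.Feed { // blank, comment and malformed lines match nothing
			if compiled[f.Expression].MatchString(line) {
				out = append(out, Match{types[f.Expression], line, f.Score})
			}
		}
	}
	return out, nil
}
```

A line that matches more than one feed (for example a name that satisfies both a domain and an IPv4 pattern) is returned once per matching feed, which is why the 203.0.113.7 line is scored only as ipv4 here: the domain pattern requires a final label of at least two characters.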
I will write an article on how to use the REST and gRPC endpoints in part 2.