Links in Embed Messages

This feature checks if the custom embed message contains links and blocks it if any are found.

Scam Mechanics.

Discord offers an option to make posted links look more attractive by adding what are called Embeds: a widget that appears below the user's message if it contains a link. To enable this feature, you need to turn on the Embed Links permission in the role or channel settings. However, the Embed functionality is also widely used by bots and admins to create vibrant and attractive custom embeds, which can include links.

The truth is that scammers can sometimes do it as well! As mentioned above, posting such embeds requires special permissions: you must either be a bot, or have Administrator permissions on the server and access to the server's API to create webhooks and use them to post such embeds via services like Discohook. So technically this case is hard to reproduce, but we have still faced cases on our server where regular users without the required permissions found a way to post custom embeds in public channels!

Explanation of the Feature.

And this is where the Links in Embed Messages feature comes into action! It detects if the custom embed message contains a link, and if it does, blocks the message.

The Problem of the Feature Usage.

This feature would serve as an ideal temporary protection if an admin or bot on your server were hacked and the attacker gained access to post custom embeds using that bot or account. However, Discord does not allow bots to block each other, so this feature cannot protect your server from compromised bots.

The compromised admin case is similar. Previously, the feature's default behavior was to block admins' custom embeds containing links, just as for any other role. This behavior could be changed by manually configuring the bot through the Dashboard for the period when admins post their embeds. This could be quite a good temporary protection, giving the server owner time to react until the attacker kicks Bocto.

However, for many server owners, this pipeline was complicated and unclear, so we had to exclude roles with Administrator permissions from the check, and now it is impossible to change it through feature configuration.

Summarizing everything above, we can describe this feature as a "just in case" one, which might never even be triggered.

We Don't Know If It Is a Bug or a Feature...

...but we noticed that while Discord automatically removes any links from the default embeds it creates (when you post a regular link to a page with a feature image and a first paragraph containing a link), it retains links in the embeds it generates for X posts. This is why the Links in Embed Messages feature blocks these posts by default.

This is how the X-autogenerated embed with a link looks when being posted by an authorized user:

This is a trusted link to the trusted X post that contains the trusted link to the space hosted by our friends.

But if someone else posts the same link, the message will be blocked if the Links in Embed Messages feature configuration is left at its default settings:

Depending on your Guard Settings, Bocto can also post a detailed alert to the #alerts channel it created during the setup on the server:

So far, we have noticed this behavior only for X links. So if you really want to prevent anyone but administrators from posting X links, no action is needed, but if you want to allow posting X links for certain roles in certain channels, you need to change this feature's configuration.
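One way to implement a check of this kind, as an added example and not Bocto's own code: it scans a message shaped like a Discord API message object for links inside its embeds, skips authors with the Administrator permission, and reproduces the X behavior described above. The function names, the rule that links already typed in the message text are ignored, and all sample messages and URLs are assumptions constructed for illustration.

```python
import re

ADMINISTRATOR = 1 << 3  # Discord permission bit for Administrator
URL_RE = re.compile(r"https?://[^\s<>()\[\]]+", re.IGNORECASE)

def embed_links(embed):
    """Collect every URL carried by one embed object (Discord API field names)."""
    found = set()
    # Link-bearing attributes: title link, author link, provider link.
    for value in (embed.get("url"), embed.get("author", {}).get("url"),
                  embed.get("provider", {}).get("url")):
        if value:
            found.add(value)
    # Free-text parts, where bare or masked [text](url) links can hide.
    texts = [embed.get("title"), embed.get("description"),
             embed.get("footer", {}).get("text"),
             embed.get("author", {}).get("name")]
    for field in embed.get("fields", []):
        texts += [field.get("name"), field.get("value")]
    for text in texts:
        if text:
            found.update(URL_RE.findall(text))
    return found

def should_block(message, author_permissions):
    """Return the sorted embed links that justify blocking, or [] to allow."""
    if author_permissions & ADMINISTRATOR:
        return []  # roles with Administrator are excluded from the check
    in_content = set(URL_RE.findall(message.get("content", "")))
    links = set()
    for embed in message.get("embeds", []):
        links |= embed_links(embed)
    # Assumption: a preview's own URL equals the link typed in the message,
    # so only links the author did not visibly post count against it.
    return sorted(links - in_content)

# Constructed sample messages (not captured from a real server).
CUSTOM = {"content": "", "embeds": [{"type": "rich", "title": "Free mint",
          "description": "Claim [here](https://scam.example/claim)"}]}
PREVIEW = {"content": "look https://blog.example/post", "embeds": [
           {"type": "article", "url": "https://blog.example/post",
            "title": "Post", "description": "First paragraph"}]}
X_POST = {"content": "https://x.com/someone/status/1", "embeds": [
          {"type": "rich", "url": "https://x.com/someone/status/1",
           "description": "Join our space https://x.com/i/spaces/abc"}]}

if __name__ == "__main__":
    for name, msg in (("custom", CUSTOM), ("preview", PREVIEW), ("x", X_POST)):
        print(name, should_block(msg, author_permissions=0))
```

The custom embed and the X post are flagged because each carries a link the author did not type, while the ordinary link preview passes.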
