LightZirconite/Microsoft-Rewards-Bot
1
1
Fork 0
mirror of https://github.com/LightZirconite/Microsoft-Rewards-Bot.git synced 2026-01-10 17:26:17 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
43ed6cd7f87c8bac20a1ace7d758cd40597e97f2
Microsoft-Rewards-Bot/docs/security.md
LightZirconite 43ed6cd7f8 refactor: remove legacy scheduling and analytics code 
- Deleted the scheduler module and its associated functions, transitioning to OS-level scheduling.
- Removed the Analytics module and its related interfaces, retaining only a placeholder for backward compatibility.
- Updated ConfigValidator to warn about legacy schedule and analytics configurations.
- Cleaned up StartupValidator to remove diagnostics and schedule validation logic.
- Adjusted Load.ts to handle legacy flags for diagnostics and analytics.
- Removed unused diagnostics capturing functionality.
2025-11-03 19:18:09 +01:00

194 lines
4.3 KiB
Markdown
Raw Blame History

# 🔒 Security Guide
**Protect your accounts and handle security incidents**
---
## ⚠️ Important Disclaimer
**Using automation violates Microsoft's Terms of Service.**
Your accounts **may be banned**. Use at your own risk.
---
## 🛡️ Best Practices
### ✅ DO
- **Enable humanization** — Natural behavior reduces detection
- **Use 2FA/TOTP** — More secure authentication
- **Run 1-2x daily max** — Don't be greedy
- **Test on secondary accounts** — Never risk your main account
- **Enable vacation mode** — Random off days look natural
- **Monitor regularly** — Check logs and webhook alerts
### ❌ DON'T
- **Run on main account** — Too risky
- **Schedule hourly** — Obvious bot pattern
- **Ignore warnings** — Security alerts matter
- **Use shared proxies** — Higher detection risk
- **Skip humanization** — Robotic behavior gets caught
---
## 🚨 Security Incidents
### Recovery Email Mismatch
**What:** Login shows unfamiliar recovery email (e.g., `ko*****@hacker.net`)
**Action:**
1. **Stop immediately** — Script halts automatically
2. **Check Microsoft Account** → Security settings
3. **Update config** if you changed email yourself:
```json
{
"recoveryEmail": "ko*****@hacker.net"
}
```
4. **Change password** if compromise suspected
---
### "We Can't Sign You In" (Blocked)
**What:** Microsoft blocks login attempt
**Action:**
1. **Wait 24-48 hours** — Temporary locks usually lift
2. **Complete any challenges** — SMS, authenticator, etc.
3. **Reduce frequency** — Run less often
4. **Enable humanization** — If not already enabled
5. **Check proxy** — Ensure consistent IP/location
---
## 🔐 Account Security
### Strong Credentials
```json
{
"accounts": [
{
"email": "your@email.com",
"password": "strong-unique-password",
"totp": "JBSWY3DPEHPK3PXP"
}
]
}
```
- ✅ **Unique passwords** per account
- ✅ **TOTP enabled** for all accounts (see below)
- ✅ **Strong passwords** (16+ characters)
- 🔄 **Rotate every 90 days**
**How to enable TOTP:**
- Go to https://account.live.com/proofs/Manage/additional and turn on two-step verification.
- Choose **"Set up a different authenticator app"**, then click **"I can't scan the bar code"** to reveal the Base32 secret.
- Scan the QR with an authenticator you control (Google Authenticator recommended) and copy the secret into `totp`.
- Enter the app-generated code once to finish pairing. The same secret powers both your app and the bot.
### File Permissions
```bash
# Linux/macOS - Restrict access
chmod 600 src/accounts.json
# Windows - Right-click → Properties → Security
# Remove all users except yourself
```
---
## 🌐 Network Security
### Use Proxies (Optional)
```json
{
"proxy": {
"proxyAxios": true,
"url": "proxy.example.com",
"port": 8080,
"username": "user",
"password": "pass"
}
}
```
**Benefits:**
- IP masking
- Geographic flexibility
- Reduces pattern detection
→ **[Full Proxy Guide](./proxy.md)**
---
## 📊 Monitoring
### Enable Notifications
```jsonc
{
"conclusionWebhook": {
"enabled": true,
"url": "https://discord.com/api/webhooks/..."
}
}
```
**[Webhook Setup](./conclusionwebhook.md)**
---
## 🛠️ Incident Response
### Account Compromised
1. **Stop all automation**
2. **Change password immediately**
3. **Check sign-in activity** in Microsoft Account
4. **Enable 2FA** if not already
5. **Review security info** (recovery email, phone)
6. **Contact Microsoft** if unauthorized access
### Temporary Ban
1. **Pause automation** for 48-72 hours
2. **Reduce frequency** when resuming
3. **Increase delays** in humanization
4. **Use proxy** from your region
5. **Monitor closely** after resuming
---
## 🔗 Privacy Tips
- 🔐 **Local-only** — All data stays on your machine
- 🚫 **No telemetry** — Script doesn't phone home
- 📁 **File security** — Restrict permissions
- 🔄 **Regular backups** — Keep config backups
- 🗑️ **Clean logs** — Rotate or delete old log files
---
## 📚 Next Steps
**Setup humanization?**
**[Humanization Guide](./humanization.md)**
**Need proxies?**
**[Proxy Guide](./proxy.md)**
**Want monitoring?**
**[Notifications Guide](./conclusionwebhook.md)**
---
**[← Back to Hub](./index.md)** | **[Config Guide](./config.md)**
Reference in New Issue View Git Blame Copy Permalink