Maybe spam attacks are so pervasive that what’s happening to us is just par for the course.
I believe we use SSO, but it’s limited just to our site. We don’t use any external authentications.
The pattern is very clear:
they always fill our “Gender” field with a random string of upper and lower case letters.
The username is almost always a “real” sounding first and last name followed by a string of numbers.
The email used is always some custom domain, usually very unusual looking. Never a popular service.
We haven’t adjusted anything with our spam filters. We might get three or four of these per day. Maybe 10 per week or more. So far I have just been deleting them so they haven’t had time to post.
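The three signals described in the post above (random-case “Gender” value, name-plus-digits username, unusual email domain) can be turned into a simple triage score that a moderator runs over recent signups before deleting anything. This is an added example, not code from the thread or from Discourse; the sample signups, the list of popular mail providers and the set of “known” gender answers are all constructed for the demonstration and would need to be adapted to a real site’s fields.

```python
import re

# Constructed sample signups (not real accounts). The fields mirror the ones
# the post describes: username, email and a free-text "Gender" custom field.
SAMPLE_SIGNUPS = [
    {"username": "alice_k",         "email": "alice@gmail.com",     "gender": "female"},
    {"username": "JohnSmith48213",  "email": "js@qzv-mailhost.xyz", "gender": "kPqLxWnRtY"},
    {"username": "maria",           "email": "maria@outlook.com",   "gender": ""},
    {"username": "RobertJones7731", "email": "rj@weird-domain.top", "gender": "xYzAbQ"},
]

# Constructed allow-lists; a real deployment would maintain its own.
POPULAR_PROVIDERS = {
    "gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "icloud.com", "protonmail.com",
}
KNOWN_GENDER_VALUES = {"male", "female", "non-binary", "prefer not to say", ""}


def gender_looks_random(value: str) -> bool:
    """Letters only, 5+ chars, mixed case inside the word, and not a known answer."""
    v = value.strip()
    if v.lower() in KNOWN_GENDER_VALUES:
        return False
    if not re.fullmatch(r"[A-Za-z]{5,}", v):
        return False
    # "Woman" or "Agender" capitalise only the first letter; "kPqLxWnRtY" does not.
    return any(c.isupper() for c in v[1:]) and any(c.islower() for c in v)


def username_is_name_plus_digits(username: str) -> bool:
    """Matches e.g. JohnSmith48213: a run of letters followed by 3+ digits, nothing else."""
    return re.fullmatch(r"[A-Za-z]+\d{3,}", username) is not None


def email_domain_is_unusual(email: str) -> bool:
    """True when the domain is not one of the well-known mail providers."""
    _, _, domain = email.rpartition("@")
    return domain.lower() not in POPULAR_PROVIDERS


def score_signup(record: dict) -> tuple[int, list[str]]:
    """Return (score, reasons). Each matching heuristic adds one point."""
    checks = [
        ("random-looking gender value", gender_looks_random(record.get("gender", ""))),
        ("name-plus-digits username", username_is_name_plus_digits(record.get("username", ""))),
        ("unusual email domain", email_domain_is_unusual(record.get("email", ""))),
    ]
    reasons = [label for label, hit in checks if hit]
    return len(reasons), reasons


def flag_signups(records: list[dict], threshold: int = 2) -> list[str]:
    """Usernames whose score reaches the threshold, in input order."""
    return [r["username"] for r in records if score_signup(r)[0] >= threshold]


if __name__ == "__main__":
    for rec in SAMPLE_SIGNUPS:
        score, reasons = score_signup(rec)
        print(f"{rec['username']:<16} score={score} {reasons}")
    print("flagged for review:", flag_signups(SAMPLE_SIGNUPS))
```

The threshold of two is deliberate: a single hit (an unusual domain alone, say) is common among legitimate users with their own domains, so the script only surfaces accounts for review rather than acting on them.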
Maybe. In any case I’m glad it does. It’s hard to believe that an AI based bot wouldn’t know the next logical answer to a question about gender, though.
Yes, I had this too, and it stopped after I switched to manually approving posts for TL0 users.
I have a custom field that lets registering users select their operating system(s) (my community is for an app), and these bot accounts had random data in that field.
I used a custom Data Explorer query to list all users with an invalid operating system value, that is, a value not included in the predefined list of options for the custom user field.
-- List users whose custom field value is not one of the predefined options.
-- 'user_field_1' and user_field_id = 1 refer to the custom user field's ID.
SELECT
    u.id,
    u.username,
    ucf.value AS user_field_1
FROM users AS u
LEFT JOIN user_custom_fields AS ucf
       ON u.id = ucf.user_id
      AND ucf.name = 'user_field_1'
WHERE ucf.value IS NOT NULL
  AND ucf.value NOT IN (
      SELECT ufo.value
      FROM user_field_options AS ufo
      WHERE ufo.user_field_id = 1
  )
Yes, I’ve also been blocking the IP and email as well. Only once were two accounts using the same IP, but honestly I stopped checking.
I’m slightly worried that I’m blocking so many IPs that it might start preventing real users. Maybe I’m not grasping how many possible IPs there are and the likelihood of a legit user getting blocked.
Should I always be checking to see if it is a shared IP before I block it?
Yeah, a custom field on signup can often catch this sort of spam, and that Data Explorer query is a good way to try and catch that now… but I think we should provide an automation of some kind that makes this easier.
We’ve been doing it on Meta for years and new account signup has been fairly steady throughout
I also provide an email address on my website for users of my app to contact me directly, so whenever a real user cannot register, I’d probably hear about it (but haven’t yet).
Oh no! I believe it’s a legitimate concern - many parts of the world don’t have loads of IP addresses, and it’s much more common to see them pooled than it used to be.
Hmm, I don’t think that is any assurance of not disenfranchising lots of people.
I think the idea of blocking the IP address of a spammer is a tactic which comes from the USA and the times of individual bad actors and home access from cable-provided internet. I believe it’s quite inappropriate now.
It can be helpful to check an IP address against a well-maintained stoplist, or to check the address’ ASN against a stoplist of unlikely sources (cloud providers, for example). It’s still not great to block on that basis, if you want to allow people to sign up using VPNs.
Sure, it can be trouble for VPNs, but VPNs are also an outsized source of abuse… so there’s a burden to not taking action on them at all. I guess ideally we’d have some sort of IP reputation system so it’s not all or nothing.
Discourse’s official hCaptcha plugin can be a huge help here. It’s specifically intended to help mitigate bot signups.
(I would personally also love to see Discourse support for Cloudflare Turnstile, given that Turnstile’s free tier includes a frictionless non-interactive mode, whereas similar functionality with hCaptcha requires transitioning to their “pro” pricing tier at $99/month—which is absolutely pants-on-head ludicrous for self-hosters.)
If I ran into that as a potential new user, I’d probably just give up instead.
I typically don’t even delete spam users. I suspend them forever. That way I can more easily harvest information from them to see patterns, which makes it easier for me to react quickly as tactics shift.
If I block an IP, they just get a new IP. If I don’t, some of them come back with the same IP and I can react quickly.
At the same time, I have plenty of new spammers whose registration and last used IP are different.
I get a lot of legit usage via VPNs, so it would actually cause random failures to just keep blocking random IPs that don’t actually map to spammers.
I think we should have an option to block email but not block IP when deleting a spam account. Blocking IP ends up being a hidden cost that you can’t directly measure. I think it’s very
Hmm, perhaps I should try doing that. Since a recent onslaught, I’m running in approve-new-users mode, which at my scale is quite manageable, and allows me (or other mods) to check at StopForumSpam.