Hi, I have a problem dealing with spam accounts. They are created through local accounts. If I look into one spam account, it says primary email not verified.
I want to stop this kind of account from creating a new Topic until they verify their email. How can I achieve this?
I don't know if this setting will help with deleting unverified users:
purge_unactivated_users_grace_period_days
Setting this to 0 will allow unactivated users forever? It seems entirely opposite of what this field is for.
If their emails aren't verified then they shouldn't be allowed to post. Are they staged users? (That is, do you allow anonymous users to email in?)
That is, do you allow anonymous users to email in?
How do I check this? There is a setting, enable staged users, which says "Automatically create staged users when processing incoming emails." and it is checked. Is this what you are asking?
This is how that spam account permission looks right now.
It doesn't look like that's a staged user.
I'm not sure how people are logging into your site with an unactivated account. Do you have any special login methods?
Do you have any special login methods?
Only two methods, local login and Google OAuth. I'm pretty sure he is not using Google; his domain is not under Gmail.
I see there is another thread with a similar issue to mine.
I don't know if there has been any progress on that thread.
Ah yes, we discussed that further in PM. That was down to SSO not verifying the emails before passing them to Discourse.
How can I proceed further to find the root cause of this issue? Should I contact you (or someone) through DM?
No, you're best off having a public topic so other people can weigh in with ideas if they have some.
I'm afraid I don't have many more ideas for what has happened. Did someone deactivate their account after they posted? (You can check your staff action logs for "deactivate user")
Yes, I deactivated that account after I saw that account created one spam topic. nginx's access.log didn't show any new topic activity from this user either. I'm really confused how this guy is creating a new topic without using the web interface. There should be some other way to create a topic other than the web interface, that's why I'm asking for help here.
If you deactivated the account then that would explain why the email is unverified (them needing to reverify their email is part of the deactivation)
No, the account posted a spam topic first with an unverified email, that's why I deactivated that account.
I think we may be talking cross-purposes. I don't mean Silence or Suspend, but specifically "deactivate":
Did you check your staff action logs?
Sorry, I meant to say I silenced and suspended that account after that spam topic.
If you didn't deactivate the account, then I think you've got to work out how they managed to bypass the normal email verification step. From what you've described so far, I don't see how this is possible.
Signing up locally would send them an email to activate their account, which verifies their email, and signing up using google would also verify their email.
Do we have any logs which can give some clue, apart from nginx logs?
Not that I can think of. Are you the only mod/admin for the site?
I'm an admin of that website, I'm just trying to see what's going on. I don't even know where that box is running and don't have ssh access.
Meanwhile, I see something strange: somebody logged in as "system", created a "Test" account and deleted it immediately.
I asked the admin guys whether anyone logged in as the system account and created the Test account, and have yet to get a reply from them. If they say nobody logged in as system at that time, then it looks like that box is compromised.
In this case, can anyone create a user account through the db, bypassing email verification? Can we see their activity in the db logs?
If the user deletes their account from their profile, will the logs show system in the user field? It should be showing "Test" in the user field, right? There is something fishy here.