Banned users re-signing up through proxy IPs

We have been playing whack-a-mole with a few banned users recently. Once their IP blocks were banned they switched to using proxy IPs. Now what I am having to do is manually look at the registrations, and if it's a server farm like Digital Ocean etc. the user gets put on our internal watch list and usually ends up getting banned. I don’t see a better way of doing this. I guess I could start blocking the proxy IPs, but there are zillions of proxy servers out there, including many that don’t look like server farms. Has anyone else dealt with this issue?

Is there any behaviour by these users that we could look at instead? Are they posting anything? If so, there are some other settings that might help.

1 Like

The problem is they are intentionally trying to “fake” like they are real users to level up etc. So I don’t think behavior detection helps. Their main goal is to level up and then PM people to try to get them to do illegal things. Fortunately our regulars all know what's up, and if they do manage to level up they eventually get reported and banned (yet again). Well, one thing that could be detected is too many unsolicited PMs: the original Bad Guy PM'd around 100 people and there was no warning or anything in the admin panel.

1 Like

Ooo, that wouldn’t be a bad idea. So they are leveling up to be able to PM? Or do you have the ability to PM set really really low?

2 Likes

There’s a setting to limit how many PMs can be sent per day “max private messages per day”. Default is 20, so if all 100 were sent in one day then your limit is really high. If they’re using disposable email addresses like yopmail, you can add them all to the “email domains blacklist” setting.

3 Likes

Tricky situation. Messages are for the most part private and should pretty much be left alone.
The current approach relies on members reporting bad messages. So how to do damage control?

I don’t think it would be the best idea to send them off to Akismet, I assume they respect confidentiality, but maybe not.

I guess you could tweak up min trust to send messages, but that would be punishing the good members as well as the bad.
Likewise with tweaking down max private messages per day.

If you have changed any of your Groups' “Who can message and @mention this group?” to be more liberal, you should probably reconsider if the group has a lot of members, so that the group can’t be bulk messaged.

Maybe the existing “similar to” that exists for posts could be tied into? But instead of an education modal put in a hold queue and notify moderators.

I believe we have settings for rate limit on PMs, perhaps adjust that.

After the initial violation they have not been doing more than a couple PMs per day so rate limiting would not work. Upping the trust level also doesn’t work too well since they are “playing the game” and putting in likes, followups, etc to bump themselves up. I think we will just keep doing what we are doing for now, we do check new user accounts in particular and anything abnormal and we mark it on our internal mods wiki for close monitoring.

Looking into proxy blacklists it looks like squidblacklist.org for $10/month gives you 44K proxy servers. That would be a worthwhile investment for me. It doesn’t really require Discourse support since I could just stuff it in .htaccess on my Apache server.

5 Likes
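The .htaccess approach mentioned in the post above, sketched as an added example (not code from the thread or from Discourse). It assumes the proxy feed is a text file with one IP address or CIDR range per line and `#` comments, which is an assumption about the format; the sample feed is constructed from documentation ranges, and the output uses Apache 2.4 `Require not ip` rules.

```python
import ipaddress

# Constructed sample feed (documentation ranges only); assumed format:
# one IPv4/IPv6 address or CIDR per line, '#' starts a comment.
SAMPLE_FEED = """\
# proxy list (constructed sample)
192.0.2.10
192.0.2.11
198.51.100.0/25
198.51.100.128/25
203.0.113.7   # trailing comment
2001:db8::/32
not-an-ip
"""

def parse_feed(text):
    """Return (collapsed networks, rejected lines) from a blocklist feed."""
    v4, v6, rejected = [], [], []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            rejected.append(raw)  # keep malformed lines for review, never emit them
            continue
        (v4 if net.version == 4 else v6).append(net)
    # collapse_addresses merges duplicates and adjacent ranges, per IP version
    nets = list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))
    return nets, rejected

def to_htaccess(nets):
    """Render Apache 2.4 mod_authz_host rules that deny the listed networks."""
    lines = ["<RequireAll>", "    Require all granted"]
    lines += [f"    Require not ip {n}" for n in nets]
    lines.append("</RequireAll>")
    return "\n".join(lines) + "\n"

def is_listed(ip, nets):
    """True if a registration IP falls inside any listed network."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == n.version and addr in n for n in nets)

if __name__ == "__main__":
    nets, rejected = parse_feed(SAMPLE_FEED)
    print(to_htaccess(nets), end="")
    print(f"# skipped {len(rejected)} malformed line(s)")
```

`is_listed` can also be run over new registration IPs to populate a watch list without blocking anyone at the web server.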

Curious what ended up happening here?

2 Likes

I think we just wore them down, they stopped coming back. Having some diligent mods was a big help.

Right after the last appearance someone launched a denial of service attack on our site, probably a last gasp. It was all from one IP though so it was easy to shut down.

7 Likes