Dealing with unwanted (and probably spam) accounts via SSO?

wordpress
sso

(Molly) #1

I’m dealing with a lot of Russian spam and instead of having to go to each individual profile to delete and block emails and IP addresses (despite having the domains blacklisted already), it would be much less time consuming for me to be able to just ‘select all’ or multi-select the ones that match my ‘.ru’ search criteria and delete them that way.

Even outside of managing spam, a bulk actions option would be helpful I think.


(Jeff Atwood) #2

You can just click the avatar (rather than the user name) to pop up the user card. If the user is very new, there will be a delete button on the user card, so you do not have to go into the user profile to delete a new user.

How many spam posts are you seeing per day? Did you change any of the defaults? If the defaults are changed it can (depending on the setting) make you quite vulnerable to spam.


(Zack) #3

Also be nice to mass move users into a group. Not required but a bit of a creature comfort.


(cpradio) #4

I don’t know about that. If we didn’t have the number of moderators that we have, I could see a smaller team needing to perform a multi-select delete/ban on a set of members. Otherwise, they’ll have 5-10 of them every couple of hours. Let it go for a few hours, that adds up quickly.


(Jeff Atwood) #5

I doubt the site in question has a decade of Page rank…


(Molly) #6

That’s true and that’s what I’m doing now but it refreshes the page so if I have a search for email domains that I know are spam, once I delete the account, the page is refreshed. Which, isn’t that big of a deal, really, but I’d just prefer that it didn’t.

We’re not getting any spam posts, just spam members joining fairly rapidly. I think our settings (which are still at default) are probably stopping them from posting. However, on the admin panel it says that some of them have ‘private posts’?


(Mittineague) #7

Wouldn’t that be the Welcome PM?


(cpradio) #8

I don’t understand the relevance of that. Once you are on a spammers list, you are on the list. Doesn’t matter what your page rank is. They don’t care, they simply want to get their message out everywhere.

That’s probably correct.


(Jeff Atwood) #9

Incorrect, as previously noted, she’s referring to users who sign up and don’t post anything. Which we’ve covered before, this is profile spammers for the most part. And I quote:

So @cpradio I agree that large established sites have different challenges, this is not that. This is a small site. I’d appreciate it if you could stop adding noise to this topic.

Many of the small and midsized discourse sites I see on a daily basis get zero spam and zero “weird probably spammer who doesn’t post” signups. There’s just nothing of interest there for them. Discussing teams of moderators and sites with a decade of pagerank is completely irrelevant here.


(Tobias Eigen) #10

I’ve found on my small site that I get about 5 spam signups a day, and maybe a spam posting once every 2-3 days. Not from Russia - from India and (I think) Vietnam. Usually I am able to catch them pretty fast and as long as I keep up with it the task doesn’t get too onerous.

And because the spam users are barely visible to the outside world, their impact is negligible.

I love this! I was not aware of this but just tried it out and it really helps. Thanks!


(Molly) #11

That definitely makes sense.

I appreciate you trying to keep this on track. [EDIT: I realize now that you acknowledge them being spam so I deleted my original sentence here.]

Perhaps this should be in a different section now, but all of these domains are in my blacklist list. They’re also blacklisted on my wordpress site that is connected via SSO. Yet I’m still seeing emails with these domains. Because they’re not posting, it’s not a dire problem, but I just don’t like having lots of spam accounts on our forum. I’d rather have a better idea of how many users we have that are actually real people, you know?

But to go back to the desire of a multi-select option, I think it would be beneficial for other things like promotion or adding to groups or other things. But my dealings with spam accounts are the best example of its desire.


(Jeff Atwood) #12

OK @molly_cushing let’s change this to the “doesn’t post but is probably a spammer” user account topic instead.

By this we mean:

  • user never posts
  • user does not have spam information in their profile
  • user does not have a filled out profile (maybe just full name?)

But the user looks “unnatural” on the site, e.g. the site is all in English on some niche topic and 5 random Vietnamese users sign up. Is that correct?

Because I agree that’s a tough problem, though the volume is kind of low.


(Tobias Eigen) #13

Maybe the answer is to write to all of these borderline case people again with a follow-up welcome, and if they don’t reply to that after a reasonable time then you delete them.

Another tactic is to do an export of your userlist and see if you can get some insights that way. Spreadsheets can be a more flexible way to sort and categorize users for later handling in discourse, even if there are no bulk management tools available.


(Jeff Atwood) #14

But would you make it clear in the email that if they don’t reply, their account will be deleted?

I kind of lean toward having a setting to auto-delete any new accounts that have no measurable activity on the site, after a certain age. For example, every month (or 6 months, or whatever interval you like) check all accounts new in that interval, if they have zero total read time, no visits, no posts, etc just delete them outright. I mean total input, counting from the day the account joined as new.

You are dealing with “users” who give you…

  • no profile spam signal
  • no topic or reply spam post signal

They just… exist. And do nothing at all! Ironically that’s the only signal you have, that they do absolutely nothing. Like I said, it’s a tough problem.

Well, that’s not entirely true; you do have the glimmer of signal of the IP the user signed up from (and then, proceeded to do nothing at all for a year.) You could disallow all signups from certain countries by IP, assuming we can accurately geolocate IPs to that degree.

But philosophically, I don’t think you want users that sign up and do nothing forever. They are of zero value to anyone.

(The only edge case is users who sign up for a “mailing list” kind of interaction, but even then, wouldn’t they do something on the discussion website over a period of months?)
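
The inactivity check proposed in the post above (zero read time, no visits, no posts, after a certain age), run over an exported user list as suggested earlier in the thread. This is an added example, not code from the thread or from Discourse; the CSV column names, the sample rows and the blocked-suffix match are assumptions, and it only lists candidates for review rather than deleting anything.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample export. Column names are assumptions; map them to the
# headers of your own user-list export before use.
SAMPLE_CSV = """username,email,created_at,time_read,post_count,days_visited
alice,alice@example.org,2014-01-05T10:00:00Z,5400,12,40
ghost1,x1@mail.example.ru,2014-01-07T03:12:00Z,0,0,0
ghost2,quiet@example.com,2014-02-01T08:30:00Z,0,0,0
lurker,reader@example.net,2014-01-20T09:00:00Z,7200,0,15
newbie,fresh@example.com,2014-08-25T12:00:00Z,0,0,0
"""

ACTIVITY_FIELDS = ("time_read", "post_count", "days_visited")


def parse_ts(value):
    """Parse the UTC timestamp format used in the sample rows."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def domain_blocked(email, blocked_suffixes):
    """True if the email's domain equals or ends with a blocked suffix (e.g. 'ru')."""
    domain = email.rsplit("@", 1)[-1].lower()
    return any(domain == s or domain.endswith("." + s) for s in blocked_suffixes)


def inactive_candidates(csv_text, now, min_age_days=180, blocked_suffixes=()):
    """Return (username, reason) for accounts with zero measurable activity.

    An account is listed when it has no read time, posts or visits AND is
    either older than min_age_days or registered from a blocked domain.
    """
    cutoff = now - timedelta(days=min_age_days)
    out = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if any(int(row[f] or 0) > 0 for f in ACTIVITY_FIELDS):
            continue  # any activity keeps the account, so read-only lurkers survive
        blocked = domain_blocked(row["email"], blocked_suffixes)
        old_enough = parse_ts(row["created_at"]) <= cutoff
        if blocked or old_enough:
            out.append((row["username"], "blocked-domain" if blocked else "aged-out"))
    return out
```

The `lurker` row shows the "mailing list" edge case: read time alone counts as activity, so a member who reads without posting is never listed.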


(Tobias Eigen) #15

I like this - could you create a tab under the admin user list to display inactive users, next to suspect? That way we’d be able to see who’s doing nothing and decide ourselves which ones to delete. The length of time to wait for activity could be an admin setting. I think 6 months is great, but others might like a 3 month length of time.


(cpradio) #16

Sorry, but we have this happen too and eventually these accounts do become active and actually create a spam post/profile. I’ve seen some sit inactive for a year, others a few months, and some a few weeks.

Spammers simply create it for “future use”. I can’t say for certain why but I can nearly guarantee that if you let them sit long enough, they will eventually produce spam of some sort.

Maybe they sell these accounts, maybe they wait to use them based on business needs, however I have seen this plenty of times. We actually got really good at manually identifying these on vB and could knock them out well before they became active. The fun was then watching them show up in the Who’s Online and seeing them get the permission denied message.

This isn’t new or unique.


(Mittineague) #17

True, the accounts could be innocents, but I imagine many are likely to be what I call “seed” accounts.

At vB there were a great many instances of Flood Registrations. After some time many of these accounts would make problem posts - from different IPs and different SPAM.

I have no way to know for certain, but my impression is that these were accounts “put on the market” and bought by those interested in throw-away accounts to SPAM with.

I haven’t seen any Flood Registrations now at Discourse, and most problem accounts (other than self-promo or trolling) reveal themselves to be problems within minutes of registering. So it’s hard to say what potential problems the “do nothing” accounts pose.

In any case, if they are doing nothing they aren’t an asset to the community and as long as their Reg info isn’t getting added to the Block filters I see no great harm in removing the accounts after an arbitrary amount of time with no activity.


(cpradio) #18

Just to be clear we do have users who are created and seem to do nothing (for a while). I’ve found several in our New Users Admin page already from this week.


(Mittineague) #19

Yes, but they are nowhere near being Flood Registrations. The most I’ve seen are under a half dozen or less.

  • At least the ones that were obvious to me and easily spotted with the limited no-scroll result set

(cpradio) #20

Right but there are reasons why it is hard to flood register Discourse (by design). :smile: I don’t feel my knowledge on these types of accounts should be dismissed purely because we are a greater target. We get these accounts too and my past experience is what leads my statements on the subject.

I’m fairly certain I know these accounts will be used for spam. They just aren’t being used yet.