Dealing with unwanted (and probably spam) accounts via SSO?

I agree. Left as is I also believe they will eventually prove to be problem accounts.

From personal experience, years ago, I registered on the moz forum to get help with an XUL extension I was working on. Time passed and when I went back with another problem I got “Invalid”. After contacting them I learned that it was because “time passed” my account had been pruned.
I understood the reasoning and wasn’t upset so hopefully any innocents that likewise got their Discourse account pruned would be as understanding.

IMHO the benefits of pruning far outweigh any possible negative effect.

That’s correct. I’ve also had a lot of users like this:

No IP address or associated accounts? The associated accounts part is odd to me. I think that’s a sign that they haven’t been confirmed?

@molly_cushing That looks a lot like those automated accounts bots make on Drupal when you don’t have a Captcha up… darned things will find your site no matter where you try to hide it…

I don’t understand how they still sign up with blacklisted email domains though :frowning:

Can you post your email blacklist string? Maybe there is a bug there.

(Also, do they all come from the same IP range? Blocking the entire class A subnet is what I would do.)

Here you go:

Also, just for further possibilities, I know that the way our SSO is set up, new users have to register through our WordPress site. So I have this WordPress plugin with every domain from the list above blacklisted as well.

I’ve tried to cover all my bases but it seems something is falling through the cracks.

Oh! This is important!

Discourse is assuming that your WordPress site is performing full vetting of all the accounts before allowing them to sign on to the forum.

So all of the Discourse spam protections - blacklisted email domains, IPs, per-IP rate limits, JavaScript-required two-click account activation, “per-IP user limit until one of them comes back on 15 different days” - are effectively turned off.


Since you are SSOing (is that a word?) through WP, you might want to add a Captcha to your login. It is really effective against that kind of automated bot (if it is an automated spam bot) I’d try the new one by Google (https://www.google.com/recaptcha/intro/index.html) first as it only requires a code if it thinks you may be a bot.


Yes…

Going off of that…

Sounds like your WordPress domain blacklist is a little bit broken.

These accounts are clearly doing mass signups on your WP site then doing lots of SSO signups to Discourse (which is all performed with redirects and cookies).
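Since Discourse skips its own blocked-domain check for SSO logins, the SSO provider (the WordPress side in this thread) has to get that check right itself. The following is an added example, not code from the thread, from Discourse or from any WordPress plugin: a blocklist check that avoids the usual ways such a list ends up "a little bit broken". The list format (pipe-separated entries, an optional leading "*." to cover subdomains), the function names and the sample list are assumptions made for this example.

```ruby
# Added example: a domain blocklist check of the kind the SSO provider has to
# enforce itself, because Discourse trusts SSO logins and skips its own check.
# Illustrative code, not Discourse's or any WordPress plugin's implementation.
#
# Assumptions: the list is a pipe-separated string (an entry may carry a leading
# "*." to cover subdomains); the sample list below is constructed. Note the
# mixed case and trailing space in the third entry: a copy-paste artefact of the
# kind that silently disables an entry under naive matching.

BLOCKLIST = "mailinator.com|*.spamfactory.example|Guerrillamail.com "

# The kind of check that produces "a little bit broken" results: raw substring
# matching on the un-normalised address against un-trimmed list entries.
def naive_blocked?(email, list_string)
  list_string.split("|").any? { |entry| email.include?(entry) }
end

# Normalise once: trim whitespace, lower-case, drop empty entries.
def parse_blocklist(list_string)
  list_string.split("|").map { |e| e.strip.downcase }.reject(&:empty?)
end

# Domain part of an address: text after the LAST "@" (quoted local parts may
# contain "@"), lower-cased, trailing dot removed. Returns nil for malformed input.
def email_domain(email)
  return nil unless email.is_a?(String)
  addr = email.strip.downcase
  at = addr.rindex("@")
  return nil if at.nil? || at.zero? || at == addr.length - 1
  domain = addr[(at + 1)..-1].chomp(".")
  domain.empty? || domain.include?(" ") ? nil : domain
end

# Exact-domain match, or suffix match only for "*." entries; never substring.
def blocked?(email, blocklist)
  domain = email_domain(email)
  return true if domain.nil? # fail closed: a malformed address is not let through
  blocklist.any? do |entry|
    if entry.start_with?("*.")
      apex = entry[2..-1]
      domain == apex || domain.end_with?("." + apex)
    else
      domain == entry
    end
  end
end
```

The naive version fails in both directions: `x@notmailinator.com` is blocked because the entry is a substring of it, while `x@guerrillamail.com` and `Bot@MAILINATOR.COM` get through because of the trailing space and the case difference. Whichever plugin does the check on the WordPress side, those are the inputs worth testing it with.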

Thanks for this suggestion! I just implemented it on our WordPress site with this plugin (just in case anyone else is interested).

Here’s our login page (for which we use Custom Login to make it look a little cleaner) that people who register on the forum are directed to, if you’d like to see how it’s implemented or see if there’s anything else that may be causing a problem… or god forbid if you just want to talk about indie games haha.

I’ll try to find a better domain blacklist plugin as well. If anyone has any suggestions let me know. Hopefully, that recaptcha thing helps.

Thank you for all the help with this :slight_smile:


There’s a good WordPress plugin that spots spam bot behaviour.
It would make a helpful feature for Discourse.

This plugin adds a stylesheet or image to your blog’s html source code. When a browser loads that stylesheet or image a cookie is dropped. If that user then leaves a comment the cookie is checked. If it doesn’t exist the comment is marked as spam. The plugin can also check how long it took a user to enter a comment. If it’s too fast it’s probably a spam bot. How fast can a legitimate user enter their name, email, web address and enter a well thought out comment?

For the adventurous, add these lines to your .htaccess and it will block spam attempts before they ever get to WordPress. Replace the Xs with the cookie that was set in your browser after viewing your blog. You can also find the cookie value by examining the page source code and looking for “css.php?k=XXXXXXXXXXXXXXXXXXX”. Make sure the lines go above the standard WordPress rules.

Because I guess all spam bots paste the whole email address and password into the text fields instantly, which would be faster than normal user behaviour.

If a login could detect the speed at which a user signs up, or how many characters a user enters in the text field at once, this feature might reduce spam.

I hope that’s a helpful idea! :blush:


@molly_cushing - How have the levels been since the Captcha was installed?

So far so good, I’m getting fewer user registration emails with suspect email domains so it seems to be all good thus far. Fingers crossed it stays that way!


I use a Gravity Form for registration and have gotten nearly no spam. It has honeypot protection which I think helps, and also I have a yes/no question that has to be answered before the form will submit, which might be contributing too.

My form is here if anyone wants to take a look: https://sixprizes.com/register/

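The two posts above describe three cheap bot checks that a signup form on the SSO side can apply: a cookie dropped only when the page's stylesheet is actually fetched, a minimum time between rendering the form and submitting it, and a honeypot field plus a yes/no question. The following is an added example that combines them into one stateless check; it is not code from the thread, from WordPress, from Gravity Forms or from the plugin quoted above. The secret, the field names, the thresholds and the sample requests are constructed for this example.

```ruby
# Added example, not code from the thread or from any plugin mentioned in it:
# the cookie-on-asset-load, minimum-fill-time and honeypot/challenge checks
# combined into one stateless signup check. Names, secret, thresholds and the
# sample requests in the usage are constructed for this example.
require "openssl"

SECRET = "constructed-secret-rotate-in-real-deployments"
MIN_FILL_SECONDS = 5       # humans rarely finish a signup form faster than this
MAX_TOKEN_AGE = 6 * 3600   # stale tokens are refused so they cannot be farmed

def hmac(label, data)
  OpenSSL::HMAC.hexdigest("SHA256", SECRET, "#{label}:#{data}")
end

# Constant-time string comparison (no early exit on the first differing byte).
def secure_eq(a, b)
  a = a.to_s
  b = b.to_s
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Value of the cookie set when the browser fetches css.php?k=<nonce>. A bot that
# POSTs the form without loading the page's assets never receives it.
def asset_cookie(nonce)
  hmac("asset", nonce)
end

# Hidden field rendered into the form: nonce, issue time and a signature over
# both, so the client can neither back-date the timer nor mint its own nonce.
def form_token(nonce, issued_at)
  payload = "#{nonce}:#{issued_at}"
  "#{payload}:#{hmac("form", payload)}"
end

# Returns [:accept, []] or [:reject, [reason, ...]]; `now` is Unix seconds.
def check_signup(params, cookies, now)
  token = params["_t"].to_s
  nonce, issued_at, _sig = token.split(":", 3)
  unless nonce && issued_at && secure_eq(form_token(nonce, issued_at), token)
    return [:reject, ["bad or missing form token"]]
  end

  reasons = []
  # Honeypot: hidden from humans by CSS, so any value means a form filler.
  reasons << "honeypot field filled" unless params["website_url"].to_s.empty?
  # Cookie must be the one issued for THIS form's nonce, not any old cookie.
  reasons << "asset cookie missing" unless secure_eq(cookies["k"], asset_cookie(nonce))
  elapsed = now - issued_at.to_i
  reasons << "submitted too fast (#{elapsed}s)" if elapsed < MIN_FILL_SECONDS
  reasons << "token expired" if elapsed > MAX_TOKEN_AGE
  # The yes/no question from the Gravity Form post, as a plain field.
  reasons << "challenge not answered" unless params["human"].to_s.strip.casecmp?("yes")
  reasons.empty? ? [:accept, []] : [:reject, reasons]
end
```

Usage: render `form_token(nonce, Time.now.to_i)` into the form as `_t`, have the stylesheet handler set cookie `k` to `asset_cookie(nonce)`, and call `check_signup(params, cookies, Time.now.to_i)` on POST. Because the timestamp is signed, the timing check needs no server-side session; a client that rewrites the timestamp fails the signature check before anything else is evaluated.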

As a coda to this, for various reasons, we ended up changing Discourse so that we do enforce some of our core spam rules (primarily around blocked IPs and blocked emails, visible in Admin, Logs) even for SSO.

The domain signup blacklist is not currently enforced for SSO, though.


Feature request: user query parameters + easy deletion

I would like to run queries in the admin interface. For example:

  • Last emailed: > 1 year ago
  • Last seen: > 1 year ago
  • Topics viewed: 0
  • Posts read: 0
  • Read time: < 1 minute
  • Created: > 1 year ago
  • Email bounced:
  • Email domain: gmail.com

(Some of these are optional. Other people will surely want different query parameters.)

Then, once the query has run, I would like a simple button: Select all, followed by Delete all: Are you sure you want to delete 5000 users? Yes | No

Why?
My forum has a lot (thousands) of failed spam-bot accounts. Why did the spam fail? Because profile spam is impossible: the relevant required fields have been removed. Posting spam is also difficult because of other protections. The result is a lot of zombie accounts.

I do not want to delete any user automatically, ever.

Checking in advance what will be deleted and confirming it by hand seems much better. Such queries would also be far more flexible.

Similar user requests: