Diagnosing spam attack of 100 topics


(AstonJ) #1

Discourse has been brilliant, much less spam than what we’ve got on other forums I admin. However last night we got hit by a big spam attack (over 100 threads).

What anti-spam measures are you using or have switched on? Which do you recommend?

I’ve just set it so TL0 users threads go into a moderation queue, not ideal, but better than letting our Twitter feed get flooded with spam…


(Sam Saffron) #2

Are there any patterns to this spam? Can you paste a few example screenshots ?


(Jeff Atwood) #3

Yeah we need a lot more info on this. Was it multiple users? There are so many rate limits in Discourse, I’m hard pressed to think how 100 topics could be created.

Unless you have changed the defaults, there are a lot of defaults you can change that can cause serious exposure to spam.


(AstonJ) #4

Here are a few of them Sam:

Full text:

They even uploaded an image and used tags:

Some of them are just plain daft:


So quite varied.

I can give you guys access if you want to take a look?


(Jeff Atwood) #5

Did you modify default trust levels at all? That is, do new users properly start at trust level 0? Can you take a look at the settings and check your “show only modified” and examine any modified settings you have that could have impacted this?

Also, make sure you run the Akismet plugin; it’s standard on all our hosting to deal with the huge numbers of 100% human spammers out there today.


(AstonJ) #6

I believe the only thing I modified was the number of links TL0 can post, but let me check…

Trust Levels > only overridden:


(Jeff Atwood) #7

I’d need to see all overridden settings to verify. Rate limiting in particular. The main thing to look at is, how many users posted these topics?


(AstonJ) #8

Is this a standard plugin? I thought I read (either you or Sam) say that there were too many false positives with it so I didn’t look any further into it. Is there a thread or info page about it here anywhere?

How can I tell? (Is it logged anywhere?) We tried to get rid of them as quick as we could (they were relentless!) however I did notice that the same user posted more than one as when I was dealing with flags (and banned one member and all their posts) on a few subsequent flags it would report as an error/not found (so I assume belonged to same user).

Haven’t changed any rate limits…

Here are overrides for applicable sections:

(note user spam threshold was higher - have just reverted it (tho no difference to this spam as they didn’t post links))


(AstonJ) #9

Thinking about it now, I am not 100% sure all of our mods were doing ‘Delete and ban IP and email address’ which may explain why they were able to post more than once. Also some were dealt with by TL4 members who I believe can’t ban accounts?

I’m going to check with the mods and see how they were dealing with it… and will report back.

Edit: Looks like I had disabled auto block fast typers on first post I have re-enabled for now (does anyone experience false positives with this?)


(Rafael dos Santos Silva) #10

Judging by the number of posts, this looks like human spammer that went around first to get TL1.

You should revert TL1 to default (you made it 1/3 of the default) and pay/configure/use Akismet.


(Sam Saffron) #11

Turning off the fast typer blocking is kind no of crazy

It blocks huge amounts of spam


What should I do for spam protection?
(AstonJ) #12

I think I made some of these changes because when we first started lots of genuine members posts were going into moderate/needs approval and I wanted to try and get people into it smoothly.

Ok @Falco I have reverted TL1 settings :slight_smile:

@sam I have reverted fast typer check too :slight_smile:

Huge thanks to you guys for taking this seriously - on most other platforms they would have just put it down to spam being a part of forum life! It’s good to see you are on top of the game :+1:

I will also look into Akismet - does it send all of our posts to them for checking? I am not sure I’d be comfortable doing that (especially with regards to our private sections).


(Jeff Atwood) #13

It sends all new user posts, yes. Akismet is quite valuable in a world of ever-increasing 100% human, manually entered spam…

We take spam VERY VERY seriously and want everyone to be safe by default. The lesson here is

  1. Use the Akismet plugin if you can, it helps immensely with human spammers. There can be some minor charges involved with Akismet, but it’s worth it.

  2. :warning: Do NOT change our trust / rate limit defaults unless you truly understand the risk you are incurring with each setting. Our defaults are finely honed to prevent 99.9% of spam, so when you loosen them, you are explicitly opening the door to more spam.


(cpradio) #14

I just wanted to address this, on our site, sure we get a false positive or two a week, where the user asked their question on one forum and then copied/pasted it on ours, thus was identified as a fast typer. Just realize those that do that will end up in the moderation queue and blocked form posting until it is cleared. For our site we have staff all over the globe, so that usually means worst case, an hour goes by before they are unblocked.


(AstonJ) #15

Is it just TL0 posts? If so that’d probably be ok :slight_smile:

We get quite a few copy and pastes so I’m not sure how this is going to pan out - happy to see how it goes though.


For us I am not as concerned about spam on the forum (as mods will see it sooner or later) it’s just when it automatically gets tweeted to our Twitter account. What would be cool is an integrated Twitter plug-in that only Tweets topics posted by TL1 + users without requiring approval, as well as detecting when a topic is deleted and then the tweet gets deleted too.


Heard back from two of our mods and they did the ‘delete and ban user’ option as well. I know that one TL4 members was unlisting and closing/archiving tho (as seen in the first couple of screen grabs above).


(Jeff Atwood) #16

Yes, TL0 posts is how it works.


(Joshua Rosenfeld) #17

You should still be able to delete the user as a spammer. Flag them yourself if you need to. Also, you can manually add IP and/or email addresses to the block list if you can’t delete the user as a spammer for some reason.


(Matt Palmer) #18

That sounds like it should be A Simple Matter Of Programming…


(AstonJ) #19

Just a quick question(/suggestion), is it possible to display the reason or what triggered the system to put a topic into the ‘needs approval’ queue at all?

This could help determine which settings are working (and maybe which ones are not really needed to be switched on).


(cpradio) #20

There is only one reason why it appears in Needs Approval. They typed it too fast. (or potentially, 1st post to moderation queue is enabled? all topics/posts for TLs below what is selected for approve new topics unless trust level and approve unless trust level)