Disable non-upload/traffic spam TL0 autoflags for PMs to automated accounts

Drew_Warwick · December 17, 2018, 12:42am

Limits placed on TL0 accounts can broadly be categorized as either:

Prevent malicious/noob actors from impacting the day-to-day reading of other useres
Prevent malicious actors from overloading the forum by spamming it with traffic, mass uploading content, etc

On our forum, we’ve had a number of (noob) users autoflagged / silenced for PMs to discobot or other automated accounts like system for category #1. This not only negatively impacts users by preventing them from posting (silenced) or makes them feel unwelcome (post hidden), but forum moderators have to go through and manually unslience these users / continually clear the flag queue. We especially want to keep category #2 active since it’s easier for bad actors to misbehave where no one can see, but it would be nice to disable category #1 when PMing automated accounts.

A related issue with a separate solution is the iconic discobot ending up in the flag queue frequently.

codinghorror · December 17, 2018, 12:47am

Sorry this is quite unclear. What is the specific problem? New users are often copy pasting content into their first posts?

Drew_Warwick · December 17, 2018, 1:12am

Case 1:

User posted a link to a forum thread in one reply to automated account
User posted a link to another forum thread in another reply to automated account
Flagged as spam to same domain

Potential improvement in general is to whitelist forum domain, but even then discobot and similar are playgrounds. It would suck if I posted a random google link in one reply, and then posted it again just to mess around, and my post was hidden.

Case 2 (most common):

User goes to respond to new user tutorial
User replies with a short message like “Hi discobot!”
User is silenced because they didn’t spend long enough typing their post

There may be more, but those are the only ones we’ve had happen recently.

codinghorror · December 17, 2018, 3:43am

That doesn’t really make sense, as the forum itself is a whitelisted domain, obviously, since it is … the forum? You could post infinite links to meta here on meta as a new user and it will never be considered spam. The entire parent domain is always whitelisted, in fact, in that example *.discourse.org

Hmm @tgxworld I wonder how that could happen, we never saw it in our testing. One thing we could do is make that check not care about PMs (or even PMs to system accounts, to be specific) since trust level 0 users can’t PM anyway.

tgxworld · December 26, 2018, 6:33am

Are you able to reproduce this on your site? I tried reproducing it locally but I discovered that we’ll actually never hit the fast typer check since we don’t do it for private messages as per the code path below.

github.com

discourse/discourse/blob/2ab02d6642739c925035f4e9105a349b9e389286/lib/new_post_manager.rb#L166-L168


if args[:topic_id] && Topic.where(id: args[:topic_id], archetype: Archetype.private_message).exists?
  return perform_create_post
end

Drew_Warwick · February 24, 2019, 9:19pm

devforum.roblox.com is our forum.

roblox.com is the parent domain, but was hit as well.

Contexts:

Post 1 is a flag the user submitted on discobot’s post that it told the user to flag. The link to the post flagged that is automatically submitted when the user selects “Something Else” was picked up as spam.
Post 2 is when discobot asked the user to share a link with them from a predefined list, but the user provided a link to something on the parent site instead

System has a 100% disagree rating because everything it flags is in discobot PMs when the user is playing around with the site. Even if the above two are patched, we don’t want users being flagged for posting an imgur link or something multiple times when they’re playing around with discobot – that’s a bad first time user experience. It’d be great if autoflagging could be disabled on PMs to system accounts and flags.