I don’t think that the heavy load main problem caused by spammer.
Here is why:
Normal discourse usage (without API) can only work with modern browser because it heavily depend on javascript. Google Analytics use javascript too to collect various user informations (and doesn’t need modern javascript support to run the analytics code). If Google Analytics can’t detect user activity, then discourse should not be able to serve its content and features.
Here is bot capture when I use old headless browser library (phantomjs) to access discourse site :
And here is with more modern library (puppeteer)
- It’s just strange if someone able to post (without API) replies on discourse while google analytics can’t detect them.
- Usually, spammers use public proxy to do dirty things and I think your cloudflare is smart enough to stop “bad visitors” before really reach your app.
Did you see high queue jobs on sidekiq process?