Handling trolls with multiple accounts over VPNs

(Matt Palmer) #28

The latest research in fingerprinting works cross-browser, so that solves the “3 or 4 different web browsers” issue. With 8 different devices, that means you get 8 shots at being an annoying troll before you have to go out and drop real money on another device to continue your shenanigans. On the other hand, if you’re capable of keeping your inanity in check for a few initially moderated posts, you can then proceed to go hog-wild as many times as you like, because new accounts are essentially free.

Now, if you want to take my pie-in-the-sky device fingerprinting and turn it up to 11 (pie-in-the-asteroid-belt, perhaps?), how about a comprehensive “risk score” for each user, that takes into account the user’s innate characteristics (e-mail address, IP address, ASN, “using a tor exit node”, browser/device fingerprint, etc) as well as their behaviour (made an unflagged / approved post, got a like, gave a like, etc). The TL system is then augmented to require a risk score below a certain point in order to progress through the trust levels, in addition to all the other factors required for TL advancement.

The benefit of this is that you can put, say, TL0 on permapprove, and while “low risk” new users can progress in the usual fashion and not bother the mods too much, anyone “high risk” gets some additional attention, but without requiring mods to do too much manual leg work to keep track of potential shenaniganisers (trust me, that’s totally a word). Of course, someone who ticks all the “naughty” boxes and gets a super-high risk score can get autobanned or be manually approved before doing anything, or whatever seems appropriate.

And you thought just implementing fingerprinting would be a big job. :troll:

(Dean Taylor) #29

One somewhat simpler stepping stone would be to keep track of the last n IP addresses used for an account.

My previous experience tracking multiple human offenders has always led me to the raw logs to obtain activity for an IP address…
… previously I have seen a single user flip/flop between access via a VPN / TOR and their original IP.

For a single account keeping track of multiple IP’s accessing a single account would allow some relationship to be drawn between that account and others.

(Matt Palmer) #30

There is a log of past IP addresses kept, in the user_auth_token_logs table. It’s intended for a different purpose than user correlation by IP, which may mean there’s missing indexes or whatever to make it easy to do, but the data is there, if someone wanted to go rummaging.

(Dean Taylor) #31

Keep in mind the data I’m talking about is not an “auth” event as such…
… simply the user having the browser window open on a Discourse site with the heart beat…
and the user switching connections.

Does this captured data cover this case?

(Matt Palmer) #32

Yes, the auth token log captures the IP address whenever the auth token changes, which is (by default) 10 minutes, from memory. So it won’t capture every IP address a user has, if they’re only on a given IP address for a small amount of time, but it’ll get “most” of them.

(Dean Taylor) #33

It would be good to get these surfaced so they can be seen and searched via the user / IP address search there.

Also note that the table user_auth_token_logs is useless to me as it’s empty on external SSO sites.
(at least I assume this is the reason my table is empty).

It seems the “hidden” option verbose_auth_token_logging has to turned on for this table to be filled.

(Matt Palmer) #34

I believe that would come under the general banner of “PR welcome”. I doubt we’ll be prioritising that ourselves any time soon.

(Jeff Atwood) #35

A Discourse “browser fingerprinting plugin” would be the first step here IMO.

(ljpp) #36

I think you ppl. are over complicating things, even though an advanced browser based fingerprint would be a great/ultimate solution.

A simple cookie approach would already be of great help. If not for all users, at least for banned users when try to get back in. Most people would fall for that trick.

Also more available basic user agent data would help to detect duplicate accounts manually. Browser, OS, etc.

(Matt Palmer) #37

Software developers, overcomplicating things? NEVER!

(Erlend Sogge Heggen) #38

I also thing “approve all first n posts” could be extended to work at scale. Not entirely sure what this would look like yet, but the gist of it would be:

  • all TL2 users and up can “approve” a post
  • a post needs 1 TL3 approval, or 3 TL2 approvals.
  • if you’ve approved a lot of users that got banned, you might get demoted to TL1.

(Jeff Atwood) #39

Yes that is basically this

(Cameron Carmichael Alonso) #40

Whilst on the subject of dealing with trolls, this is something we have discussed in our mod team -I can split this into a separate thread if requested. Once we suspend these users, we sometimes see them re-appear on the same IP address with a different account, presumably with the same browser session. On occasions, it may even be long-time users that just get bored and make a second account to troll.

If they post, their posts get flagged as they’re sockpuppets, but some of these accounts are created and are then dormant for a period of time, sometimes spurring into life when the trolls decide to attack. Our mods can usually find these accounts by checking the “IP Info” window on other known accounts, but are there any thoughts on adding these sockpuppet users to something like a manual user approval queue before they post when their account is created?

Whilst there would be a few false-positives for those on a public network, it at least gives us another tool to work detect trolls in case we haven’t blocked their IP or before they go down the VPN route.

(ljpp) #41

A new hockey season has started and first flame wars have been fought. This brought me back to this topic, as I had a look at our GAnalytics.

  • Up to 66% are mobile users
  • Significant portion of home broadbands are actually 4G LTE based.

Like it or not, the world is mobile first. This leads to random IP addresses for a vast majority of users, rendering the IP logging useless.

I was wondering, if my proposal of cookie tagging users has any traction withing the Team or Community?

(Jeff Atwood) #42

If you feel it’s so simple, feel free to propose it as a plugin in #marketplace with a budget.

(ljpp) #43

Could pull some estimate out of a hat, that how complex this kind of implementation would be? I am not even sure if cookie tagging is the right approach, there might something more clever, but it is a topic worth discussing as IP logs are nowadays white noise and disposable emails are available for free (for exp. Outlook.com offers email aliases).

Moderation is a very time consuming part of community management. Improving the available tools would actually be something of real value. Maybe we could crowd fund it as a community, if there is interest. As a non-profit our financial resources are very limited, but with allies we could pull something off.

(Jeff Atwood) #44

see Build a browser fingerprinting plugin

(Raymon Mens) #46

A neat feature would be to require SMS verification on registration. So one phone number per account. A new mobile phone number is way harder to get than another mailbox.

(Jay Pfaffman) #47

Not really. There once was a time that I created digital ocean and mailgun accounts for my clients and used some app to generate phone numbers to recieve a text. It was tedious, but neither difficult nor expensive.

(Matt Palmer) #48

Tedious would probably put some sort of a speedbump in front of your “bored asshole” types, at least. Can’t imagine phone number verification would ever go into core, though, too much variance in service provider, et al. Probably wouldn’t be hard to build a plugin for it, though, if anyone was feeling frisky.