That suggests an approach around new users and hot topics. If the hotness can be defined for a program, a new user that posts in more than one or two hot areas and nothing else could perhaps be automatically flagged for more attention.
I still think browser fingerprinting, especially some of the new techniques that have been coming out, could be a very effective weapon against many of these trolls. Also, AS-level IP address aggregation (link all IPs from a single ISP together) can help to identify suspicious signups, when they come from another IP on the same ISP as a recently banned user.
Those are pretty hard, and I'm not sure they'd be more effective than "approve all first n posts by new users".
Granted that's a bit of work depending on how many new users you get, but you could also double up on it as "hey, let me go out of my way to welcome this great new user by liking their post" etc.
The browser fingerprinting stuff is big work, but it's getting to the point now where you can uniquely identify a device across multiple different browsers… it's creepy af.
Doing IP address aggregation at the AS level is quite straightforward; a plugin that looked up IP addresses from the MaxMind GeoLite ASN databases and aggregated users by AS wouldn't be a massive undertaking (anyone keen?).
As long as you've got relatively dumb miscreants, I agree that moderating their first few posts should be very effective. The tricky part comes when they're capable of hiding their true colours until after they're out of the penalty box. I prefer to detect bad actors based on traits that are very difficult or expensive for them to change (like devices or ISPs), rather than data points that are more within their control (like their initial behaviour) or resources that are practically free to obtain (like e-mail addresses).
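A sketch of the AS-level aggregation discussed above, added here as an example and not part of any post or of Discourse itself. The prefix table is a constructed stand-in for a GeoLite ASN lookup, and the method names, the 14-day window and the ban list are assumptions.

```ruby
require "ipaddr"

# Constructed prefix-to-AS table standing in for a GeoLite ASN lookup.
# Prefixes are documentation ranges; AS numbers are reserved for documentation.
ASN_TABLE = [
  ["192.0.2.0/24",    64500],
  ["198.51.100.0/24", 64501],
  ["203.0.113.0/25",  64502], # more specific than the /24 below
  ["203.0.113.0/24",  64503],
  ["2001:db8::/32",   64504],
].map { |cidr, asn| [IPAddr.new(cidr), asn] }.freeze

BAN_WINDOW = 14 * 24 * 3600 # seconds; constructed policy value

# Longest-prefix match: the most specific covering prefix decides the AS.
def asn_for(ip)
  addr = IPAddr.new(ip)
  match = ASN_TABLE
          .select { |net, _| net.family == addr.family && net.include?(addr) }
          .max_by { |net, _| net.prefix }
  match && match[1]
end

# Banned users whose IP is in the same AS as the signup and whose ban falls
# inside the window. An unknown AS returns [] rather than matching nil == nil.
def same_as_recent_bans(signup_ip, signup_time, bans)
  asn = asn_for(signup_ip)
  return [] if asn.nil?
  bans.select { |b|
    asn_for(b[:ip]) == asn && (signup_time - b[:banned_at]).between?(0, BAN_WINDOW)
  }.map { |b| b[:user] }
end

# Constructed ban list.
NOW = Time.utc(2024, 1, 20)
BANS = [
  { user: "troll_a", ip: "192.0.2.17",  banned_at: Time.utc(2024, 1, 15) },
  { user: "troll_b", ip: "203.0.113.9", banned_at: Time.utc(2024, 1, 18) },
  { user: "old_ban", ip: "192.0.2.200", banned_at: Time.utc(2023, 6, 1) },
].freeze

puts same_as_recent_bans("192.0.2.99", NOW, BANS).inspect
```

A match here is a reason to queue the signup for a closer look, not proof of identity: everyone on a large ISP shares the same AS.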
It's not a great solution but if you really have an issue, blocking access from TOR will usually make a significant dent in your troll traffic.
Yes but I have literally 8 different "devices" in this house I could use. That's not even counting the 3 or 4 different web browsers I could install on each device…
The latest research in fingerprinting works cross-browser, so that solves the "3 or 4 different web browsers" issue. With 8 different devices, that means you get 8 shots at being an annoying troll before you have to go out and drop real money on another device to continue your shenanigans. On the other hand, if you're capable of keeping your inanity in check for a few initially moderated posts, you can then proceed to go hog-wild as many times as you like, because new accounts are essentially free.
Now, if you want to take my pie-in-the-sky device fingerprinting and turn it up to 11 (pie-in-the-asteroid-belt, perhaps?), how about a comprehensive "risk score" for each user, that takes into account the user's innate characteristics (e-mail address, IP address, ASN, "using a tor exit node", browser/device fingerprint, etc) as well as their behaviour (made an unflagged / approved post, got a like, gave a like, etc). The TL system is then augmented to require a risk score below a certain point in order to progress through the trust levels, in addition to all the other factors required for TL advancement.
The benefit of this is that you can put, say, TL0 on permapprove, and while "low risk" new users can progress in the usual fashion and not bother the mods too much, anyone "high risk" gets some additional attention, but without requiring mods to do too much manual leg work to keep track of potential shenaniganisers (trust me, that's totally a word). Of course, someone who ticks all the "naughty" boxes and gets a super-high risk score can get autobanned or be manually approved before doing anything, or whatever seems appropriate.
And you thought just implementing fingerprinting would be a big job.
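One way the risk score proposed above could gate trust-level advancement, added here as an example and not part of the post or of Discourse. All trait names, weights and thresholds are constructed, and the rule that good behaviour can offset at most half of the innate risk is an assumption of this sketch.

```ruby
# Constructed weights; positive raises risk, negative lowers it.
INNATE_WEIGHTS = {
  tor_exit_node:           40,
  asn_matches_ban:         25,
  fingerprint_matches_ban: 60,
  throwaway_email_domain:  15,
}.freeze
BEHAVIOUR_WEIGHTS = {
  approved_post: -10,
  received_like:  -5,
  gave_like:      -2,
  flagged_post:   20,
}.freeze
MAX_RISK_FOR_TL = { 1 => 50, 2 => 30, 3 => 15 }.freeze # constructed thresholds
MANUAL_AT = 60   # hold everything for manual approval
BLOCK_AT  = 100  # refuse outright

# user: { traits: [symbols], events: { symbol => count } }
def risk_score(user)
  innate    = user[:traits].sum { |t| INNATE_WEIGHTS.fetch(t) }
  behaviour = user[:events].sum { |e, n| BEHAVIOUR_WEIGHTS.fetch(e) * n }
  # Assumption: good behaviour offsets at most half of the innate risk, so
  # cheap-to-fake signals cannot fully cancel expensive-to-change ones.
  [innate + behaviour, innate / 2].max.clamp(0, 200)
end

# Risk gates trust-level advancement on top of the normal TL requirements.
def disposition(user, target_tl:, tl_requirements_met:)
  score = risk_score(user)
  return :block if score >= BLOCK_AT
  return :manual_approval if score >= MANUAL_AT
  return :advance if tl_requirements_met && score < MAX_RISK_FOR_TL.fetch(target_tl)
  :hold_at_current_tl
end

# Constructed users.
QUIET_NEWBIE = { traits: [], events: { approved_post: 2, received_like: 1 } }.freeze
TOR_REGULAR  = { traits: [:tor_exit_node], events: { approved_post: 3 } }.freeze
KNOWN_DEVICE = { traits: [:fingerprint_matches_ban], events: {} }.freeze
PATIENT_SOCK = { traits: [:fingerprint_matches_ban], events: { approved_post: 9 } }.freeze

puts [QUIET_NEWBIE, TOR_REGULAR, KNOWN_DEVICE, PATIENT_SOCK].map { |u| risk_score(u) }.inspect
```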
One somewhat simpler stepping stone would be to keep track of the last n IP addresses used for an account.
My previous experience tracking multiple human offenders has always led me to the raw logs to obtain activity for an IP address…
… previously I have seen a single user flip/flop between access via a VPN / TOR and their original IP.
For a single account keeping track of multiple IPs accessing a single account would allow some relationship to be drawn between that account and others.
There is a log of past IP addresses kept, in the user_auth_token_logs table. It's intended for a different purpose than user correlation by IP, which may mean there's missing indexes or whatever to make it easy to do, but the data is there, if someone wanted to go rummaging.
Keep in mind the data I'm talking about is not an "auth" event as such…
… simply the user having the browser window open on a Discourse site with the heart beat…
and the user switching connections.
Does this captured data cover this case?
Yes, the auth token log captures the IP address whenever the auth token changes, which is (by default) 10 minutes, from memory. So it won't capture every IP address a user has, if they're only on a given IP address for a small amount of time, but it'll get "most" of them.
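The "last n IP addresses" correlation discussed in the posts above, added here as an example and not part of the thread or of Discourse. It runs over constructed rows; the field names (user_id, client_ip, created_at), the value of n and the fan-out cut-off are assumptions.

```ruby
require "set"

LAST_N = 5 # constructed: how many recent distinct IPs to keep per account

# Constructed rows in the spirit of an auth-token log; field names are assumptions.
T0 = Time.utc(2024, 1, 1)
ROWS = [
  { user_id: 1, client_ip: "198.51.100.7", created_at: T0 },          # home line
  { user_id: 1, client_ip: "192.0.2.44",   created_at: T0 + 600 },    # VPN exit
  { user_id: 1, client_ip: "203.0.113.80", created_at: T0 + 1200 },   # shared NAT
  { user_id: 2, client_ip: "192.0.2.44",   created_at: T0 + 86_400 }, # same VPN exit
  { user_id: 3, client_ip: "203.0.113.5",  created_at: T0 + 100 },
  { user_id: 4, client_ip: "203.0.113.80", created_at: T0 + 200 },
  { user_id: 5, client_ip: "203.0.113.80", created_at: T0 + 300 },
  { user_id: 6, client_ip: "203.0.113.80", created_at: T0 + 400 },
].freeze

# Most recent distinct IPs per account, newest first.
def recent_ips(rows, n = LAST_N)
  rows.sort_by { |r| r[:created_at] }.reverse
      .group_by { |r| r[:user_id] }
      .transform_values { |rs| rs.map { |r| r[:client_ip] }.uniq.first(n) }
end

# Accounts sharing a recent IP with user_id, as { other_id => [shared IPs] }.
# IPs seen on more than max_fanout accounts are skipped as shared infrastructure.
def linked_accounts(rows, user_id, max_fanout: 3)
  ips = recent_ips(rows)
  by_ip = Hash.new { |h, k| h[k] = Set.new }
  ips.each { |uid, list| list.each { |ip| by_ip[ip] << uid } }
  links = Hash.new { |h, k| h[k] = [] }
  ips.fetch(user_id, []).each do |ip|
    next if by_ip[ip].size > max_fanout
    (by_ip[ip] - [user_id]).each { |other| links[other] << ip }
  end
  links.transform_values(&:sort)
end

puts linked_accounts(ROWS, 1).inspect
```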
It would be good to get these surfaced so they can be seen and searched via the user / IP address search there.
Also note that the table user_auth_token_logs is useless to me as it's empty on external SSO sites.
(at least I assume this is the reason my table is empty).
EDIT:
It seems the "hidden" option verbose_auth_token_logging has to be turned on for this table to be filled.
I believe that would come under the general banner of "PR welcome". I doubt we'll be prioritising that ourselves any time soon.
A Discourse "browser fingerprinting plugin" would be the first step here IMO.
I think you ppl. are over complicating things, even though an advanced browser based fingerprint would be a great/ultimate solution.
A simple cookie approach would already be of great help. If not for all users, at least for banned users when they try to get back in. Most people would fall for that trick.
Also more available basic user agent data would help to detect duplicate accounts manually. Browser, OS, etc.
Software developers, overcomplicating things? NEVER!
I also think "approve all first n posts" could be extended to work at scale. Not entirely sure what this would look like yet, but the gist of it would be:
- all TL2 users and up can "approve" a post
- a post needs 1 TL3 approval, or 3 TL2 approvals.
- if you've approved a lot of users that got banned, you might get demoted to TL1.
Yes that is basically this
Whilst on the subject of dealing with trolls, this is something we have discussed in our mod team - I can split this into a separate thread if requested. Once we suspend these users, we sometimes see them re-appear on the same IP address with a different account, presumably with the same browser session. On occasions, it may even be long-time users that just get bored and make a second account to troll.
If they post, their posts get flagged as they're sockpuppets, but some of these accounts are created and are then dormant for a period of time, sometimes spurring into life when the trolls decide to attack. Our mods can usually find these accounts by checking the "IP Info" window on other known accounts, but are there any thoughts on adding these sockpuppet users to something like a manual user approval queue before they post when their account is created?
Whilst there would be a few false-positives for those on a public network, it at least gives us another tool to detect trolls in case we haven't blocked their IP or before they go down the VPN route.
A new hockey season has started and first flame wars have been fought. This brought me back to this topic, as I had a look at our GAnalytics.
- Up to 66% are mobile users
- Significant portion of home broadbands are actually 4G LTE based.
Like it or not, the world is mobile first. This leads to random IP addresses for a vast majority of users, rendering the IP logging useless.
I was wondering, if my proposal of cookie tagging users has any traction within the Team or Community?