Handling trolls with multiple accounts over VPNs

That suggests an approach around new users and hot topics. If the hotness can be defined for a program, a new user that posts in more than one or two hot areas and nothing else could perhaps be automatically flagged for more attention.

5 Likes

I still think browser fingerprinting, especially some of the new techniques that have been coming out, could be a very effective weapon against many of these trolls. Also, AS-level IP address aggregation (link all IPs from a single ISP together) can help to identify suspicious signups, when they come from another IP on the same ISP as a recently banned user.

4 Likes

Those are pretty hard, and I’m not sure they’d be more effective than “approve all first n posts by new users”.

Granted that’s a bit of work depending on how many new users you get, but you could also double up on it as “hey, let me go out of my way to welcome this great new user by liking their post” etc.

1 Like

The browser fingerprinting stuff is big work, but it’s getting to the point now where you can uniquely identify a device across multiple different browsers… it’s creepy af.

Doing IP address aggregation at the AS level is quite straightforward; a plugin that looked up IP addresses from the MaxMind GeoLite ASN databases and aggregated users by AS wouldn’t be a massive undertaking (anyone keen?).

As long as you’ve got relatively dumb miscreants, I agree that moderating their first few posts should be very effective. The tricky part comes when they’re capable of hiding their true colours until after they’re out of the penalty box. I prefer to detect bad actors based on traits that are very difficult or expensive for them to change (like devices or ISPs), rather than data points that are more within their control (like their initial behaviour) or resources that are practically free to obtain (like e-mail addresses).

7 Likes
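The AS-level aggregation discussed above, as an added sketch that is not part of the original thread and is not Discourse or plugin code. The small prefix table is constructed to stand in for a GeoLite ASN lookup, and the 7-day window and all names are assumptions.

```ruby
require "ipaddr"

# Constructed prefix-to-AS table standing in for a GeoLite ASN lookup.
# Prefixes and AS numbers come from the ranges reserved for documentation.
ASN_TABLE = [
  ["192.0.2.0/24",     64500],
  ["198.51.100.0/24",  64501],
  ["203.0.113.0/24",   64502],
  ["203.0.113.128/25", 64500], # more specific route inside the /24 above
  ["2001:db8::/32",    64500],
].map { |cidr, asn| [IPAddr.new(cidr), asn] }.freeze

# Longest-prefix match; nil when the table has no covering prefix.
def asn_for(ip)
  addr = IPAddr.new(ip)
  hit = ASN_TABLE
        .select { |net, _| net.family == addr.family && net.include?(addr) }
        .max_by { |net, _| net.prefix }
  hit && hit[1]
end

# Signups whose AS matches a ban issued at most `window` seconds earlier.
def suspicious_signups(signups, bans, window: 7 * 86_400)
  bans_by_asn = bans.group_by { |b| asn_for(b[:ip]) }
  signups.filter_map do |s|
    asn = asn_for(s[:ip])
    next if asn.nil?
    recent = bans_by_asn.fetch(asn, []).select { |b| (0..window).cover?(s[:at] - b[:at]) }
    { user: s[:user], asn: asn, banned: recent.map { |b| b[:user] } } unless recent.empty?
  end
end

# Constructed sample data; :at is epoch seconds.
BANS = [
  { user: "troll_a", ip: "192.0.2.10",   at: 1_000_000 },
  { user: "troll_b", ip: "198.51.100.7", at: 100_000 },
].freeze
SIGNUPS = [
  { user: "new1", ip: "203.0.113.200", at: 1_003_600 }, # same AS as troll_a, other prefix
  { user: "new2", ip: "203.0.113.5",   at: 1_000_500 }, # AS with no bans
  { user: "new3", ip: "198.51.100.99", at: 1_000_000 }, # troll_b's AS, ban too old
  { user: "new4", ip: "2001:db8::1",   at: 1_000_100 }, # same AS as troll_a over IPv6
  { user: "new5", ip: "10.0.0.1",      at: 1_000_200 }, # not in the table
].freeze
```

A match only says the signup shares an ISP with a banned account, so it suits routing the signup to review rather than blocking it.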

It’s not a great solution but if you really have an issue, blocking access from TOR will usually make a significant dent in your troll traffic.

https://www.torproject.org/projects/tordnsel.html.en

Yes but I have literally 8 different “devices” in this house I could use. That’s not even counting the 3 or 4 different web browsers I could install on each device…

The latest research in fingerprinting works cross-browser, so that solves the “3 or 4 different web browsers” issue. With 8 different devices, that means you get 8 shots at being an annoying troll before you have to go out and drop real money on another device to continue your shenanigans. On the other hand, if you’re capable of keeping your inanity in check for a few initially moderated posts, you can then proceed to go hog-wild as many times as you like, because new accounts are essentially free.

Now, if you want to take my pie-in-the-sky device fingerprinting and turn it up to 11 (pie-in-the-asteroid-belt, perhaps?), how about a comprehensive “risk score” for each user, that takes into account the user’s innate characteristics (e-mail address, IP address, ASN, “using a tor exit node”, browser/device fingerprint, etc) as well as their behaviour (made an unflagged / approved post, got a like, gave a like, etc). The TL system is then augmented to require a risk score below a certain point in order to progress through the trust levels, in addition to all the other factors required for TL advancement.

The benefit of this is that you can put, say, TL0 on permapprove, and while “low risk” new users can progress in the usual fashion and not bother the mods too much, anyone “high risk” gets some additional attention, but without requiring mods to do too much manual leg work to keep track of potential shenaniganisers (trust me, that’s totally a word). Of course, someone who ticks all the “naughty” boxes and gets a super-high risk score can get autobanned or be manually approved before doing anything, or whatever seems appropriate.

And you thought just implementing fingerprinting would be a big job. :troll:

12 Likes
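One way the proposed risk score could gate trust-level advancement, as an added sketch that is not part of the original thread and is not Discourse code. The thread names the signals but no numbers, so every weight, threshold and name here is hypothetical, including the cap on how much good behaviour can offset traits that are hard to change.

```ruby
# Hypothetical weights for traits that are hard or costly to change.
TRAIT_WEIGHTS = {
  tor_exit_node: 40,
  fingerprint_seen_on_banned_account: 50,
  asn_shared_with_recent_ban: 20,
  disposable_email_domain: 15,
}.freeze

# Hypothetical credit for behaviour, which is cheap to fake and so capped.
BEHAVIOUR_WEIGHTS = { approved_post: -10, like_received: -5, like_given: -2 }.freeze
BEHAVIOUR_CAP = 40

REVIEW_AT = 30 # at or above: extra moderator attention, no TL advancement
BLOCK_AT  = 90 # at or above: manual approval or ban before anything is posted

def risk_score(user)
  traits = user[:traits].sum { |t| TRAIT_WEIGHTS.fetch(t) }
  earned = user[:events].sum { |event, count| BEHAVIOUR_WEIGHTS.fetch(event) * count }
  [traits + [earned, -BEHAVIOUR_CAP].max, 0].max
end

def handling(user)
  score = risk_score(user)
  return :manual_approval_or_ban if score >= BLOCK_AT
  return :extra_moderator_attention if score >= REVIEW_AT
  :normal_progression
end

# Risk is an extra condition on top of the existing TL requirements.
def may_advance?(user, other_requirements_met)
  other_requirements_met && risk_score(user) < REVIEW_AT
end

# Constructed users.
NEWCOMER = { traits: [], events: { approved_post: 2, like_received: 1 } }.freeze
PATIENT_TROLL = {
  traits: %i[tor_exit_node fingerprint_seen_on_banned_account],
  events: { approved_post: 10, like_given: 5 }, # behaves until out of the penalty box
}.freeze
FRESH_EVADER = {
  traits: %i[tor_exit_node fingerprint_seen_on_banned_account asn_shared_with_recent_ban],
  events: {},
}.freeze
```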

One somewhat simpler stepping stone would be to keep track of the last n IP addresses used for an account.

My previous experience tracking multiple human offenders has always led me to the raw logs to obtain activity for an IP address…
… previously I have seen a single user flip/flop between access via a VPN / TOR and their original IP.

For a single account, keeping track of multiple IPs accessing a single account would allow some relationship to be drawn between that account and others.

4 Likes

There is a log of past IP addresses kept, in the user_auth_token_logs table. It’s intended for a different purpose than user correlation by IP, which may mean there’s missing indexes or whatever to make it easy to do, but the data is there, if someone wanted to go rummaging.

8 Likes

Keep in mind the data I’m talking about is not an “auth” event as such…
… simply the user having the browser window open on a Discourse site with the heart beat…
and the user switching connections.

Does this captured data cover this case?

1 Like

Yes, the auth token log captures the IP address whenever the auth token changes, which is (by default) 10 minutes, from memory. So it won’t capture every IP address a user has, if they’re only on a given IP address for a small amount of time, but it’ll get “most” of them.

6 Likes
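Correlating accounts through logged IP addresses, as an added sketch that is not part of the original thread and is not Discourse code. It assumes each log row exposes a `user_id` and a `client_ip`; the rows are constructed, and the cut-off for busy shared addresses is a hypothetical parameter. Accounts are linked transitively, so an account that flips between a VPN and its original IP ties together accounts seen on only one of the two.

```ruby
require "set"

# Constructed rows with the two fields this example assumes the log provides.
LOG_ROWS = [
  { user_id: 1, client_ip: "198.51.100.20" }, # account 1 on its original IP
  { user_id: 1, client_ip: "203.0.113.77" },  # account 1 after switching to a VPN
  { user_id: 2, client_ip: "203.0.113.77" },  # account 2, only seen on the VPN
  { user_id: 3, client_ip: "198.51.100.20" }, # account 3, only seen on the original IP
  { user_id: 4, client_ip: "192.0.2.1" },     # busy shared address (public network)
  { user_id: 5, client_ip: "192.0.2.1" },
  { user_id: 6, client_ip: "192.0.2.1" },
  { user_id: 7, client_ip: "192.0.2.1" },
].freeze

# Returns groups of user ids connected by at least one shared IP address.
# IPs used by more than max_accounts_per_ip accounts are ignored as too noisy.
def linked_accounts(rows, max_accounts_per_ip: 3)
  users_by_ip = Hash.new { |h, k| h[k] = Set.new }
  rows.each { |r| users_by_ip[r[:client_ip]] << r[:user_id] }

  # Union-find with path compression over user ids.
  parent = Hash.new { |h, k| h[k] = k }
  find = ->(u) { parent[u] == u ? u : (parent[u] = find.(parent[u])) }

  users_by_ip.each_value do |users|
    next if users.size < 2 || users.size > max_accounts_per_ip
    first, *rest = users.to_a
    rest.each { |u| parent[find.(u)] = find.(first) }
  end

  parent.keys.group_by { |u| find.(u) }.values.map(&:sort).select { |g| g.size > 1 }
end
```

Because the log only records an address when the auth token changes, short-lived connections can be missing and the groups are a lower bound on what is linked.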

It would be good to get these surfaced so they can be seen and searched via the user / IP address search there.

Also note that the table user_auth_token_logs is useless to me as it’s empty on external SSO sites.
(at least I assume this is the reason my table is empty).

EDIT:
It seems the “hidden” option verbose_auth_token_logging has to be turned on for this table to be filled.

I believe that would come under the general banner of “PR welcome”. I doubt we’ll be prioritising that ourselves any time soon.

A Discourse “browser fingerprinting plugin” would be the first step here IMO.

5 Likes

I think you ppl. are over complicating things, even though an advanced browser based fingerprint would be a great/ultimate solution.

A simple cookie approach would already be of great help. If not for all users, at least for banned users when they try to get back in. Most people would fall for that trick.

Also more available basic user agent data would help to detect duplicate accounts manually. Browser, OS, etc.

Software developers, overcomplicating things? NEVER!

13 Likes

I also think “approve all first n posts” could be extended to work at scale. Not entirely sure what this would look like yet, but the gist of it would be:

  • all TL2 users and up can “approve” a post
  • a post needs 1 TL3 approval, or 3 TL2 approvals.
  • if you’ve approved a lot of users that got banned, you might get demoted to TL1.

Yes that is basically this

1 Like

Whilst on the subject of dealing with trolls, this is something we have discussed in our mod team - I can split this into a separate thread if requested. Once we suspend these users, we sometimes see them re-appear on the same IP address with a different account, presumably with the same browser session. On occasions, it may even be long-time users that just get bored and make a second account to troll.

If they post, their posts get flagged as they’re sockpuppets, but some of these accounts are created and are then dormant for a period of time, sometimes spurring into life when the trolls decide to attack. Our mods can usually find these accounts by checking the “IP Info” window on other known accounts, but are there any thoughts on adding these sockpuppet users to something like a manual user approval queue before they post when their account is created?

Whilst there would be a few false-positives for those on a public network, it at least gives us another tool to detect trolls in case we haven’t blocked their IP or before they go down the VPN route.

3 Likes

A new hockey season has started and first flame wars have been fought. This brought me back to this topic, as I had a look at our GAnalytics.

  • Up to 66% are mobile users
  • Significant portion of home broadbands are actually 4G LTE based.

Like it or not, the world is mobile first. This leads to random IP addresses for a vast majority of users, rendering the IP logging useless.

I was wondering, if my proposal of cookie tagging users has any traction within the Team or Community?