I built a discourse today but get many new user registration spam.
Many are from the same IP and they don’t pass the email verification.
Due to the limited email I can send a day (a free plan), how to prevent this kind of spam?
For example, add a CAPTCHA when signing up? Thanks
I suggest adding qq.com to the setting email domains blacklist.
But the man change to @126.com and continue spam…
Yes, they may or may not. Until it happens it’s just a theoretical problem. Most of the time this is all automated spam, so it’s unlikely to happen unless another bot targets you.
You may also disable email signup and restrict to social logins (Twitter, Facebook, Google, Github, etc) which doesn’t send emails for new accounts.
Can we add CAPTCHA before sending email verification?
By the way, how to disable email signup and only allow new user from social login?
No better idea? I think it’s a basic issue of anti spam but no solution in discourse amazingly.
Can you provide more detail? Did you blacklist both of the problem email domains as requested?
@codinghorror Yes, after blocking this mail address, the spamer will change to another address like @126.com, @gmail.com, @icloud.com and continue signup new users with bot.
Seems these signups are coming from the same IP address ? Something would probably need to be done there. Block an IP address after x signups during a certain time frame ? Or forbid another signup from an identical IP address for some time ?
@Mevo But when I block and delete these IP, the spamer begin to use proxy to change his IP constantly and sign up new users.
Wow, seems they really want to create some accounts on your forum 
Are they using them ? Or keeping them to spam later ? What’s their goal here ? (just curious)
Then a CAPTCHA indeed seems what you need (I’m sorry, I cannot help you on that subject)
CAPTCHA or IP rate limited may solve them?
I have to abandon discourse finally.
Sorry, we don’t see this severe of a problem with signups / registrations across any of our hosting, or any self-installed sites I know of? Is there something wrong with your configuration?
Not configuration issue. It’s a kind of spam by someone I think.
Discourse needn’t CAPTCHA before sending the verification email in sign up process. So everyone can generate many fake email addresses to auto signup with program and disrupt the community.
Right but these accounts are never activated (no user clicks the link in the email sent to verify the email address), and Discourse deletes unactivated accounts after 7 days by default. So ultimately this does nothing for the “spammer”.
Right. But they will fill up the email server. For example, I have a limited email server plan and I can only send 200 mails per day. The spam made me exceed the limited yesterday, so I have to pay a lot money to the email server.
Maybe it’s your email service provider who is spamming you
