I can't easily delete spammers due to my site configuration

So right now I have a bottleneck deleting spam users and their posts.

I need to manually delete all the posts of a user before deleting them, wait for that to process while the browser is open, then delete the user.

I can only process 2-3 at a time, even if the server has 16 modern Xeon CPUs, otherwise I’ll get an error. Each one takes several minutes. It’s a very tedious and slow process currently.

In my opinion, it’d be best if there was a ‘delete spammer/destroy user’ option that does not require you to delete all posts first. It would then queue and process the jobs in the background (delete all posts and delete the user). That way, moderation can be done quickly and the processing can be done in the background without overloading.

Another option would be that we can simply delete the user before deleting their posts. Then have a cron that runs periodically searching for and deleting orphaned posts. I think this option could be more preferable as it solves any issues of orphan posts overall.

It’d also be a really useful time saver if some of these options were available on the user card from inside threads, so we don’t need to go through the user profile and admin page to get these options (suspend, silence, delete/destroy).

3 Likes

Do these spammers use some particular word/phrase?
You can add that to watched words list and stop spam from getting published.

You can tweak the following settings temporarily to allow you to just delete the spammer accounts without much hassle: delete_user_max_post_age and delete_all_posts_max. Just be sure to reset them to defaults once you’re done so that users can’t just spam & self-delete themselves.

4 Likes

Thanks for the suggestions @itsbhanusharma

Yes they do use particular phrases but they can easily get around this using unicode character sets (see: Watched Words Improvement -- similar looking unicode characters).

I’ve tweaked both of those settings already, the bottleneck is that it is taking a really long time to delete the user + posts.

1 Like

I wonder, limiting signup options or enforcing 2FA for users may be helpful in your case?

1 Like

There is something deeply and profoundly broken with your configuration, because new, trust level 0 users

  • can’t post that much as they are heavily rate limited for safety

  • aren’t protected from content deletion when flagged

Deleting a spammer is a one click operation with default Discourse settings. Always has been.

2 Likes

Respectfully, I don’t think there is anything wrong with my configuration in terms of rate limiting new users, it’s mostly default settings with some settings modified to be stricter than default.

The only rate limiting for new users (posting topics and replies only) that I’ve seen are:

  • max topics in first day - Default is 3 topics - Spammers just need to wait 24hrs after first post
  • max replies in first day - Default is 10 replies - Spammers just need to wait 24hrs after first post
  • rate limit new user create topic - Default is 120 seconds between posts / 720 topics per day / 30 per hour
  • rate limit new user create post - Default is 30 seconds between posts / 2880 posts per day / 120 per hour

Please let me know if I’m missing something, I hope I am. Specifics would be appreciated.

> aren’t protected from content deletion when flagged

Didn’t have an issue with this due to modifying delete_user_max_post_age and delete_all_posts_max.

> Deleting a spammer is a one click operation with default Discourse settings. Always has been.

Which delete option are you referring to? I’ve primarily been using the one on the user’s admin page, in which deleting all posts is required before deleting the user.

I refrained from using the Akismet delete user option from the review queue, seeing it was confirmed by the team to not delete the user’s posts (Discourse Akismet Anti-Spam)

The delete button on the user profile page gives me this error after a long delay (if they have posts/content). ‘There was an error deleting that user. Make sure all posts are deleted before trying to delete the user.’

The flag > it’s spam > delete spammer gives me the same error: ‘There was an error deleting that user. Make sure all posts are deleted before trying to delete the user.’ It’s a bit irregular, it failed on a spammer with ~500 posts but worked on a spammer with ~150 posts (despite still giving me the error message). Works fine on accounts with only a few posts.

How in the world can a spammer get to 500 posts?! This implies you have heavily modified the Discourse defaults, because a new user is post rate limited as TL0, and has a first day post limit on top of that.

I’m going to need to hear a lot more specifics, with dates and times. It sounds to me like these are users who signed up and participated more or less normally and you decided they were spammers weeks after the fact? Can you provide 10 sample posts by these users to look at?

3 Likes

@codinghorror

I’d appreciate not putting words in my mouth by completely re-writing the title of my thread to be objectively inaccurate.

  1. Yes, the spammers don’t just spam on day 1. It’s the oldest trick in the forum spam book to post introductions or other short, innocent appearing posts on day 1 to warm the account up for spamming later (usually to get around manual approvals). Or they simply have not been detected within the first 24hrs.

  2. TL0 new users (24hrs after first post) are limited to 2880 posts and 720 topics per day by default, please enlighten me if I’m mistaken.

  3. They use spinners to make each post unique to get around the ‘unique posts mins’ setting e.g. add random emojis, characters, numbers etc.

  4. Watched words is easily bypassed by using different unicode character sets Watched Words Improvement -- similar looking unicode characters

  5. auto silence fast typers on first post - easily bypassed and only for first posts.

  6. It’s too easy for spammers to make bulk accounts using minimal resources using a large pool of proxies. Using the old Gmail dot trick makes it completely impossible to block with a standard Discourse instance (including if Akismet is used). You’re basically at the mercy of if someone is motivated enough to spam your forum. See: Gmail dot trick and Suggestion: Wildcard Block Email Address

Anyway, I’m sharing these insights from the spam trenches with the goal of helping Discourse become more bullet proof. The anti-spam features have really been getting stress tested here.

Spammers have two main options: create multiple accounts and spam a little on each one, or make fewer accounts and spam a lot on each one. Become more strict with rate limits and they simply respond by making more accounts, seeing it is so easy and not blockable to make them using the Gmail dot trick.

They can also use a custom domain with catchall email to have unlimited email addresses for registration, but that is only until I blacklist their email domain, which is an effective defense. Though it would be really useful to be able to delete all accounts that use a specific email domain to retroactively ban them afterwards quickly and easily. Even better if this would be possible with Gmail (and all variations of the address).

What I’ve been talking about is being able to clean the mess more quickly and efficiently in the background. Deleting the spammers that get through the defenses. Also to work as intended, like the delete spammer option working for spammers with decent amounts of posts.
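Added example (not part of the post above, and not Discourse's own code): one way to find accounts registered through the Gmail dot trick or a catch-all domain is to reduce every signup address to a canonical key and group on it. The `SIGNUPS` records, the function names and the choice to treat only gmail.com and googlemail.com as dot-insensitive are assumptions made for this sketch.

```ruby
# Added example: collapse Gmail dot and plus variants to one canonical key.
# Assumption: only these domains ignore dots and "+tag" in the local part.
DOT_INSENSITIVE = %w[gmail.com googlemail.com].freeze

# Constructed sample signups (not real accounts).
SIGNUPS = [
  { username: "user_a", email: "j.doe.shop@gmail.com" },
  { username: "user_b", email: "jd.oeshop@gmail.com" },
  { username: "user_c", email: "J.D.O.E.S.H.O.P@googlemail.com" },
  { username: "user_d", email: "jdoeshop+x1@gmail.com" },
  { username: "user_e", email: "alice@example.org" },
  { username: "user_f", email: "k1@catchall.example" },
  { username: "user_g", email: "k2@catchall.example" },
  { username: "user_h", email: "k3@catchall.example" }
].freeze

# Returns the canonical address, or nil when the input is not usable.
def canonical_email(addr)
  local, _, domain = addr.strip.downcase.rpartition("@")
  return nil if local.empty? || domain.empty?
  if DOT_INSENSITIVE.include?(domain)
    local = local.split("+", 2).first.to_s.delete(".")
    domain = "gmail.com"
  end
  local.empty? ? nil : "#{local}@#{domain}"
end

# Canonical address => usernames, for addresses used by two or more accounts.
def duplicate_clusters(signups)
  signups.group_by { |s| canonical_email(s[:email]) }
         .reject { |canon, group| canon.nil? || group.size < 2 }
         .transform_values { |group| group.map { |s| s[:username] } }
end

# Non-freemail domains with at least `min` signups (possible catch-all domains).
def domain_counts(signups, min: 3)
  signups.map { |s| s[:email].downcase.rpartition("@").last }
         .reject { |d| DOT_INSENSITIVE.include?(d) }
         .group_by(&:itself).transform_values(&:size)
         .select { |_, n| n >= min }
end

if __FILE__ == $PROGRAM_NAME
  puts "dot-trick clusters: #{duplicate_clusters(SIGNUPS)}"
  puts "busy domains:       #{domain_counts(SIGNUPS)}"
end
```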
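Added example (not part of the posts above, and not how Discourse's watched words feature is implemented): the look-alike character bypass mentioned earlier in the thread and in item 4 can be countered by folding text to a plain-ASCII skeleton before matching. `CONFUSABLES` is a small constructed subset of look-alike letters, and the watched list and sample strings are constructed for the sketch.

```ruby
# Added example: fold look-alike characters before watched-word matching.
# CONFUSABLES is a small constructed subset, not the full Unicode
# confusables table; extend it for the scripts seen in your own spam.
CONFUSABLES = {
  "\u0430" => "a", "\u0435" => "e", "\u043E" => "o", "\u0440" => "p",
  "\u0441" => "c", "\u0456" => "i", "\u0445" => "x", "\u0443" => "y",
  "\u03BF" => "o", "\u03B1" => "a"
}.freeze

# Zero-width characters and the soft hyphen, used to split a word invisibly.
INVISIBLE = /[\u200B-\u200D\u2060\uFEFF\u00AD]/

WATCHED = %w[casino].freeze # constructed watched-word list

# Constructed samples: the same word written four different ways.
SAMPLES = {
  fullwidth:  "Best \uFF43\uFF41\uFF53\uFF49\uFF4E\uFF4F bonus",
  cyrillic:   "Best \u0441\u0430sin\u043E bonus",
  zero_width: "Best ca\u200Bsi\u200Bno bonus",
  math_bold:  "Best \u{1D41C}\u{1D41A}\u{1D42C}\u{1D422}\u{1D427}\u{1D428} bonus",
  clean:      "Occasional reading list"
}.freeze

# Reduce text to a lower-case skeleton with look-alikes mapped to ASCII.
def fold(text)
  s = text.unicode_normalize(:nfkc) # fullwidth and math-alphabet forms -> ASCII
  s = s.gsub(INVISIBLE, "").downcase
  s.gsub(/[^[:ascii:]]/) { |ch| CONFUSABLES.fetch(ch, ch) }
end

# Plain substring check, shown for comparison with the folded match.
def naive_hits(text, watched)
  watched.select { |w| text.downcase.include?(w) }
end

# Watched words present in the folded text, matched on word boundaries.
def watched_hits(text, watched)
  folded = fold(text)
  watched.select { |w| folded.match?(/\b#{Regexp.escape(w)}\b/) }
end

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |name, text|
    puts format("%-10s naive=%-10p folded=%p", name,
                naive_hits(text, WATCHED), watched_hits(text, WATCHED))
  end
end
```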

Honestly your site sounds pathological. There’s just no way I’ve ever seen an actual spammer get to 500 posts on Discourse, much less 150… across thousands of hosted sites in the last 5 years, including several I run and manage myself. The only thing that comes to mind is the bamwar spam which you can search for, if you’re curious.

Can you please share specifics as mentioned earlier? Otherwise I’m not sure anyone here can help you:

I mean, do you run a blackhat site for spammers? :thinking:

3 Likes

I saw this topic a while ago. It sounds like a pretty severe problem that’s still ongoing, and stressful. I don’t know if this would help (might help with posts but not registrations), but have you tried these?

admin/site_settings/category/posting?filter=Approve

  • approve post count (The amount of posts from a new or basic user that must be approved)

  • approve unless trust level (Posts for users below this trust level must be approved)

  • approve new topics unless trust level (New topics for users below this trust level must be approved)

4 Likes