I can't easily delete spammers due to my site configuration

I’d appreciate not putting words in my mouth by completely re-writing the title of my thread to be objectively inaccurate.

  1. Yes, the spammers don’t just spam on day 1. It’s the oldest trick in the forum spam book to post introductions or other short, innocent-appearing posts on day 1 to warm the account up for spamming later (usually to get around manual approvals). Or they simply have not been detected within the first 24 hrs.

  2. TL0 new users (24hrs after first post) are limited to 2880 posts and 720 topics per day by default, please enlighten me if I’m mistaken.

  3. They use spinners to make each post unique to get around the ‘unique posts mins’ setting e.g. add random emojis, characters, numbers etc.

  4. Watched words are easily bypassed by using different Unicode character sets (see: Watched Words Improvement -- similar looking unicode characters).

  5. Auto silence fast typers on first post - easily bypassed and only applies to first posts.

  6. It’s too easy for spammers to make bulk accounts using minimal resources using a large pool of proxies. Using the old gmail dot trick makes it completely impossible to block with a Standard Discourse instance (including if Akismet is used). You’re basically at the mercy of if someone is motivated enough to spam your forum. See: Gmail dot trick and Suggestion: Wildcard Block Email Address

Anyway, I’m sharing these insights from the spam trenches with the goal of helping Discourse become more bullet proof. The anti-spam features have really been getting stress tested here.

Spammers have two main options: create multiple accounts and spam a little on each one, or make fewer accounts and spam a lot on each one. Become more strict with rate limits and they simply respond by making more accounts, seeing that it is so easy and unblockable to make them using the gmail dot trick.

They can also use a custom domain with catchall email to have unlimited email addresses for registration, but that is only until I blacklist their email domain which is an effective defense. Though it would be really useful to be able to delete all accounts that use a specific email domain to retroactively ban them afterwards quickly and easily. Even better if this would be possible with gmail (and all variations of the address).

What I’ve been talking about is being able to clean the mess more quickly and efficiently in the background: deleting the spammers that get through the defenses. Also, for the tools to work as intended, like the delete spammer option working for spammers with decent amounts of posts.
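As an added illustration of the gmail dot trick problem raised above (example code, not from the poster and not part of Discourse): canonicalising registration addresses so that dot and plus-tag variants of one Gmail mailbox collapse to a single key lets an admin spot clusters of accounts that share a mailbox. It assumes Gmail ignores dots and "+tag" in the local part and treats googlemail.com as gmail.com; the sample registrations are constructed.

```ruby
# Added example (not Discourse code): canonicalise e-mail addresses so that
# Gmail "dot trick" / plus-tag variants of one mailbox share a key, then
# group accounts by that key to find mailboxes behind several accounts.
# Assumption: Gmail ignores dots and "+tag" in the local part and treats
# googlemail.com as gmail.com; other providers are only lower-cased.

GMAIL_DOMAINS = %w[gmail.com googlemail.com].freeze

def canonical_email(address)
  local, domain = address.strip.downcase.split('@', 2)
  return nil if local.nil? || domain.nil? || local.empty? || domain.empty?

  if GMAIL_DOMAINS.include?(domain)
    local = local.split('+', 2).first # drop "+tag" suffix
    local = local.delete('.')         # dots are ignored by Gmail
    domain = 'gmail.com'              # googlemail.com is the same mailbox
  end
  "#{local}@#{domain}"
end

# Group [user_id, email] pairs by canonical mailbox and keep only the
# mailboxes that registered more than one account.
def duplicate_mailboxes(accounts)
  groups = Hash.new { |h, k| h[k] = [] }
  accounts.each do |user_id, email|
    key = canonical_email(email)
    groups[key] << user_id if key
  end
  groups.select { |_, ids| ids.size > 1 }
end

# Constructed sample registrations (hypothetical users).
SAMPLE_ACCOUNTS = [
  [1, 'john.doe@gmail.com'],
  [2, 'johndoe@gmail.com'],
  [3, 'j.o.h.n.d.o.e+promo@googlemail.com'],
  [4, 'alice@example.org'],
  [5, 'Alice@example.org'],
  [6, 'bob.smith@example.org'] # dots stay significant outside Gmail
].freeze

if __FILE__ == $PROGRAM_NAME
  duplicate_mailboxes(SAMPLE_ACCOUNTS).each do |mailbox, ids|
    puts "#{mailbox}: users #{ids.join(', ')}"
  end
end
```

The same canonical key is what a wildcard-style block of one mailbox would compare against at signup, rather than the raw address the spammer typed.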