Is anyone experiencing an odd spam user attack? Any way to block?

Maybe spam attacks are so pervasive that what’s happening to us is just par for the course.

I believe we use SSO, but it’s limited just to our site. We don’t use any external authentications.

The pattern is very clear:

  • They always fill our “Gender” field with a random string of upper and lower case letters.
  • The username is almost always a “real” sounding first and last name followed by a string of numbers.
  • The email used is always some custom domain, usually very unusual looking. Never a popular service.

We haven’t adjusted anything with our spam filters. We might get three or four of these per day. Maybe 10 per week or more. So far I have just been deleting them so they haven’t had time to post.

Any ideas?

I’ll share this from a staff member giving advice on how to detect spam accounts

‘Classic “FirstLast1234” email address format’

Just typical spam account tactics.

Maybe that one confuses the AI?

Maybe. In any case I’m glad it does. It’s hard to believe that an AI-based bot wouldn’t know the next logical answer to a question about gender, though.

Yes, I had this too, and it stopped after I switched to manually approving posts for TL0 users.

I have a custom field that lets registering users select their operating system(s) (my community is for an app), and these bot accounts had random data in that field.

I used a custom Data Explorer query to list all users with an invalid operating system value, that is, a value not included in the predefined list of options for the custom user field.

-- List users whose value for the custom user field with id 1
-- (stored as 'user_field_1') is not one of that field's predefined options.
SELECT
  u.id,
  u.username,
  ucf.value AS user_field_1
FROM
  users AS u
  LEFT JOIN user_custom_fields AS ucf ON u.id = ucf.user_id
  AND ucf.name = 'user_field_1'
WHERE
  ucf.value IS NOT NULL
  AND ucf.value NOT IN (
    SELECT
      ufo.value
    FROM
      user_field_options AS ufo
    WHERE
      ufo.user_field_id = 1
  )

Did the new signups stop? Because that’s my “problem”. We actually already manually approve TL0 posts.

Yes, it stopped, but reading about your experiences now, that might have just been a coincidence.

I’ve also blocked every email and IP of those accounts.

Yes, I’ve also been blocking the IP and email as well. Only once were two accounts using the same IP, but honestly I stopped checking.

I’m slightly worried that I’m blocking so many IPs that it might start preventing real users. Maybe I’m not grasping how many possible IPs there are and the likelihood of a legit user getting blocked.

Should I always be checking to see if it is a shared IP before I block it?

Yeah, a custom field on signup can often catch this sort of spam; that Data Explorer query is a good way to try and catch that now… but I think we should provide an automation of some kind that makes this easier.

We’ve been doing it on Meta for years and new account signup has been fairly steady throughout.

I also provide an email address on my website for users of my app to contact me directly, so whenever a real user cannot register, I’d probably hear about it (but haven’t yet).

Not sure if you should, but I don’t do it :see_no_evil_monkey:
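
An added example, not code from any poster in this thread or from Discourse itself: a small triage script that scores signups against the three traits listed in the opening post and flags only accounts that match at least two, since any one trait alone also fits real users. The record layout, the allowed field values, the provider list and the sample signups are all assumptions constructed for illustration.

```python
import re

# Assumed values for illustration: replace with your own field options and providers.
ALLOWED_FIELD_VALUES = {"Female", "Male", "Non-binary", "Prefer not to say"}
COMMON_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "icloud.com", "proton.me"}

# Letters (optionally two words joined by . _ -) followed by two or more digits.
NAME_DIGITS = re.compile(r"^[A-Za-z]+(?:[._-][A-Za-z]+)?\d{2,}$")

def looks_random_mixed_case(value):
    """True for a single all-letter token with several capitals in mid-word."""
    if not value.isalpha() or len(value) < 6:
        return False
    inner_upper = sum(c.isupper() for c in value[1:])
    lower = sum(c.islower() for c in value)
    return inner_upper >= 2 and lower >= 2

def signup_signals(username, email, field_value):
    """Return the names of the spam traits this signup matches."""
    signals = []
    if field_value not in ALLOWED_FIELD_VALUES and looks_random_mixed_case(field_value):
        signals.append("random_field_value")
    if NAME_DIGITS.match(username):
        signals.append("name_plus_digits_username")
    domain = email.rsplit("@", 1)[-1].lower()
    if domain not in COMMON_MAIL_DOMAINS:
        signals.append("uncommon_email_domain")
    return signals

def triage(signups, threshold=2):
    """Return (username, signals) for signups matching at least `threshold` traits."""
    flagged = []
    for s in signups:
        signals = signup_signals(s["username"], s["email"], s["gender"])
        if len(signals) >= threshold:
            flagged.append((s["username"], signals))
    return flagged

# Constructed sample signups (not real accounts).
SAMPLE_SIGNUPS = [
    {"username": "MarkJensen48213", "email": "mj@qzvlt-mail.example", "gender": "kQwTzLpaXe"},
    {"username": "alice99", "email": "alice@gmail.com", "gender": "Female"},
    {"username": "devops_dan", "email": "dan@smallco.example", "gender": "Male"},
    {"username": "SaraLind7731", "email": "sara@outlook.com", "gender": "hYtRbNmQw"},
]

if __name__ == "__main__":
    for username, signals in triage(SAMPLE_SIGNUPS):
        print(username, signals)
```

Requiring two traits keeps a real user such as the constructed "alice99" or a member with a small company domain out of the review list.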