Lots of Spam New User Registrations?

Yes - it just screws up our understanding of how many users we have, what percent are active, etc…

https://www.evernote.com/l/AGpxoz0XNShIjphfH7q72aRIUhI8dFDG128B/image.png

I think a reasonable setting for your site (that we should add) is

• Don’t allow users to enter any profile info until they have at least 1 public post

This would force spammers to out themselves.

@codinghorror I actually think that is a sane default, it erases the issue of ghost accounts messing stuff up, also … why muck with your profile prior to posting something on the site seems pointless.

No, you want them to fill out their profile so you can definitively know they are spammers vs. new sign ups that just never come back for “unknown reasons”, this will haunt the minds of every metric obsessed manager and they will never let you delete these “users”.

Strongly opposed, also, this was covered at extreme length in existing topics…

I support Akismet profile checks and auto delete of users who never come back and never read anything.

I also would love to see this implemented at some point. I know we have a few staff members who watch the Suspect list and remove profile spam now, this would alleviate some of that work for them.

Some stats from Sitepoint.

In the past 7 days we’ve had 32 users with spam profiles. There were an additional 8 members who shared an IP address that were also dealt with, a few of those had spammy profiles too.

So you can say between 32 and 40 of our user registrations in the last 7 days were to create spammy profiles.

(or at least these are the ones we caught through manual processes)

Agreed.

I’ve seen quite a number of users return after a week, a month, six weeks, whatever and fill out their profile (usually Spammy) and still they haven’t read a post, far less made one. We even have members imported from vBulletin, with 0 posts there, who have popped up on Discourse at some stage, filled out their profile, and not read a single post.

Really? Do they not have even the slightest curiosity about how the new forum looks compared to the old? Apparently, they have no interest in the forum at all, beyond using it to promote their fiverr account.

I actually feel these accounts are worse than those who sign up, complete their profiles - and never return. Some of those, at least, may have had good intentions, but returning simply to Spam your profile whilst ignoring the actual forum is just cynical, IMHO.

This sounds reasonable.

Also - an FYI to the Discourse team - the “suspect users” list seems to be getting only about 30% to 50% of the spam user accounts that I’m getting every day. Whatever you’re doing right now is a start, but needs more work.

Thanks for all your efforts.

It seems like the dimensions of the avatar image might also be a clue that an account is spam. In the 30 per day that I’m getting right now - all the avatar imgs seem to be the same shape/size:

https://www.evernote.com/l/AGoxBlMG_jFDuIxXxLGjq-wBXy07DJTxUtUB/image.png

If you go to the Autobiographer Badge page do the avatars stand out?
(We don’t have that Badge enabled so I can’t see on our site)

Reminder, as you delete these users as spammers, the IP block ban widens. So the more you delete, the more you are blacklisting IPs and IP ranges.

Unless the attackers have a crazily large number of IPs at their disposal, this will slowly start to prevent them from signing up as the blacklists are merged and expanded.

This is all automatic based on deletion.

We had so many Spam/fake sign-ups from the same provider that we eventually took the step of manually blocking all their IP addresses that we could find. This slowed things down considerably, but occasionally one pops up that wasn’t on our list, and the same profile patterns now turn up on two other providers, although not many and not often.

This is helpful - but it would be even more helpful if it was easier to delete groups of new registrants at once - similar to how you can delete a large number of message in Gmail. Its very time consuming to sit and delete one registrant after another. Try doing it for 30 accounts - and it takes probably 15 minutes or more - every day. Its a pain and I’ve stopped doing it because its too time-consuming.

This topic is not closed and I am not trying to hijack it. It seems very relevant as I look at what is in place to prevent spammers from automatic or manual registration abuses.

I do like the thought that forum users who have not read any content should be suspected – just wondering how “auto delete of users who never come back and never read anything” could affect users who register with the main intention to interact via mailing list mode with e-mail-in and reply by mail features. I suspect you are mostly thinking forum, yet the mailing list features are a huge asset and I would like to keep this user from getting auto deleted, and perhaps consider ways to assure they are able to gain reputation, reference other users with @ user etc. Mailing list users may only come to the forum to create the account and access public content without logging in (unless we force private content so they must login to read it, or educate them on the value of logging in for personal messages, profile updates, etc.

Rather than try to punish the spammer after they log in, why not just prevent them from registering in the first place?

I have experienced automated registration and profile spamming on previous forums. There are characteristics that do stand out and most of them include adding URLs in the profile – perhaps that should be or already is denied for a TL0 user.

I found some solutions that worked with add-ins/plug-ins/mods to eliminate most spammers. Before that I was banning users, blocking IPs, and spending too much time policing and cleaning up after the mess.

Why not tap into the already existing databases of known spammers? I am definitely not a plug-in developer. I hope perhaps this might inspire someone to consider the possibilities of using something like these solutions:

1. www.projecthoneypot.org – seems to work very well to stop folks from accessing the forums if they are a known spammer.

2. StopForumSpam.com – ties in with the admin list of members and adds options to select users and check them against the database by e-mail address, IP address and username with a status returned (green=good, yellow=caution, red=blocked). The check can be automated at registration or run manually. If there are matches on at least two pieces of information, the user is allowed to register but is held in limbo until someone reviews the registration issue and decides their fate. There are some false positives occasionally. If a spammer slips through the cracks on registration, the solution also includes the ability to report them and update the database so they are blocked from all other subscriber sites.

Discourse might benefit from either or both of these resources as part of pre-registration.

As previously discussed, I think new user profile text should be sent to Akismet for vetting. You can search for prior testing we did with the services you mention, they are real spotty.

Is this happening now?

I just set up a personal forum and am allowing signup with approval required. Every day I get 5-10 spam accounts in the pending users list, which surprises me because I just set up this site and the user list is disabled. This did not seem to change when I enabled akismet.

Another question - if I delete pending users individually, I can choose to just delete or delete and add to IP blacklist. If I delete pending users in bulk via the pending user list, I don’t get that option. Does it blacklist them or not?

This does not currently happen, no.

このトピックについていくつかのスレッドを読みましたが、これほど古参のユーザーが復活していないスレッドは見つからなかったので、ここに投稿することにしました。

数年前から小さな Discourse フォーラムを運営しており、スパムプロフィールの登録活動はほとんどありませんでした。しかし、1 週間ほど前にアップデートしてから、これが大きな問題となっています。現在、1 日に 100 件以上の登録が寄せられています。

他のスパム対策機能は実際のスパム投稿を最小限に抑えていますが、これらの登録は（当然ながら）疑わしいものとしてフラグが立てられ、通知が溢れてしまっています。そのため、必要な投稿を見つけるために、すべての通知を精査し、一つずつ禁止・ブロックせざるを得ません。

そこで質問です。フォーラムソフトウェアに最近、デフォルト設定の変更など何か変更があり、以前の動作を取り戻すために設定をいじる必要があるのでしょうか？具体的には、スパム登録自体を防ぐか、あるいは通知に表示されないようにして、自動削除されるまで無視できるようにする設定です。

追記：「スタッフはすべての疑わしいアカウントを承認する必要がある」というチェックボックスがあるようですが、これを外し、「非アクティブユーザーを削除するまでの日数」の間隔を非常に短く（2 日に設定しています）調整しました。

これらは実際の登録アカウント（例えば、確認済みのメールアドレスを持つもの）でしょうか？1日100件は非常に多く、お客様のサイトではこれまで見たことがありません。スクリーンショットと追加の詳細を提供していただけますか？この件について詳しく知りたいです。

こんにちは、遅くなりすみません。上記のチェックボックスのチェックを外してから問題はありませんでしたが、データを収集するために再度チェックしました。

彼らは確かに確認済みですが、スパム的なリンクをプロフィールに持たせるためだけに存在しているため（よくオーストラリアの不動産会社に関連するものですが…）、信頼レベルが0を超えることはありません。

情報が得られ次第、この投稿を更新します。ありがとう

それは良い知らせですね！
スパマーが TL1 に到達する必要があることに気づいた場合が心配ですが、それには（読み込み時間、投稿したトピック数など）彼らにとって相当な追加作業が必要です。そのため、おそらく実行しないでしょう。