Lots of Spam New User Registrations?

Yes - it just screws up our understanding of how many users we have, what percent are active, etc…

https://www.evernote.com/l/AGpxoz0XNShIjphfH7q72aRIUhI8dFDG128B/image.png

I think a reasonable setting for your site (that we should add) is

• Don’t allow users to enter any profile info until they have at least 1 public post

This would force spammers to out themselves.

@codinghorror I actually think that is a sane default, it erases the issue of ghost accounts messing stuff up, also … why muck with your profile prior to posting something on the site seems pointless.

No, you want them to fill out their profile so you can definitively know they are spammers vs. new sign ups that just never come back for “unknown reasons”, this will haunt the minds of every metric obsessed manager and they will never let you delete these “users”.

Strongly opposed, also, this was covered at extreme length in existing topics…

I support Akismet profile checks and auto delete of users who never come back and never read anything.

I also would love to see this implemented at some point. I know we have a few staff members who watch the Suspect list and remove profile spam now, this would alleviate some of that work for them.

Some stats from Sitepoint.

In the past 7 days we’ve had 32 users with spam profiles. There were an additional 8 members who shared an IP address that were also dealt with, a few of those had spammy profiles too.

So you can say between 32 and 40 of our user registrations in the last 7 days were to create spammy profiles.

(or at least these are the ones we caught through manual processes)

Agreed.

I’ve seen quite a number of users return after a week, a month, six weeks, whatever and fill out their profile (usually Spammy) and still they haven’t read a post, far less made one. We even have members imported from vBulletin, with 0 posts there, who have popped up on Discourse at some stage, filled out their profile, and not read a single post.

Really? Do they not have even the slightest curiosity about how the new forum looks compared to the old? Apparently, they have no interest in the forum at all, beyond using it to promote their fiverr account.

I actually feel these accounts are worse than those who sign up, complete their profiles - and never return. Some of those, at least, may have had good intentions, but returning simply to Spam your profile whilst ignoring the actual forum is just cynical, IMHO.

This sounds reasonable.

Also - an FYI to the Discourse team - the “suspect users” list seems to be getting only about 30% to 50% of the spam user accounts that I’m getting every day. Whatever you’re doing right now is a start, but needs more work.

Thanks for all your efforts.

It seems like the dimensions of the avatar image might also be a clue that an account is spam. In the 30 per day that I’m getting right now - all the avatar imgs seem to be the same shape/size:

https://www.evernote.com/l/AGoxBlMG_jFDuIxXxLGjq-wBXy07DJTxUtUB/image.png

If you go to the Autobiographer Badge page do the avatars stand out?
(We don’t have that Badge enabled so I can’t see on our site)

Reminder, as you delete these users as spammers, the IP block ban widens. So the more you delete, the more you are blacklisting IPs and IP ranges.

Unless the attackers have a crazily large number of IPs at their disposal, this will slowly start to prevent them from signing up as the blacklists are merged and expanded.

This is all automatic based on deletion.

We had so many Spam/fake sign-ups from the same provider that we eventually took the step of manually blocking all their IP addresses that we could find. This slowed things down considerably, but occasionally one pops up that wasn’t on our list, and the same profile patterns now turn up on two other providers, although not many and not often.

This is helpful - but it would be even more helpful if it was easier to delete groups of new registrants at once - similar to how you can delete a large number of message in Gmail. Its very time consuming to sit and delete one registrant after another. Try doing it for 30 accounts - and it takes probably 15 minutes or more - every day. Its a pain and I’ve stopped doing it because its too time-consuming.

This topic is not closed and I am not trying to hijack it. It seems very relevant as I look at what is in place to prevent spammers from automatic or manual registration abuses.

I do like the thought that forum users who have not read any content should be suspected – just wondering how “auto delete of users who never come back and never read anything” could affect users who register with the main intention to interact via mailing list mode with e-mail-in and reply by mail features. I suspect you are mostly thinking forum, yet the mailing list features are a huge asset and I would like to keep this user from getting auto deleted, and perhaps consider ways to assure they are able to gain reputation, reference other users with @ user etc. Mailing list users may only come to the forum to create the account and access public content without logging in (unless we force private content so they must login to read it, or educate them on the value of logging in for personal messages, profile updates, etc.

Rather than try to punish the spammer after they log in, why not just prevent them from registering in the first place?

I have experienced automated registration and profile spamming on previous forums. There are characteristics that do stand out and most of them include adding URLs in the profile – perhaps that should be or already is denied for a TL0 user.

I found some solutions that worked with add-ins/plug-ins/mods to eliminate most spammers. Before that I was banning users, blocking IPs, and spending too much time policing and cleaning up after the mess.

Why not tap into the already existing databases of known spammers? I am definitely not a plug-in developer. I hope perhaps this might inspire someone to consider the possibilities of using something like these solutions:

1. www.projecthoneypot.org – seems to work very well to stop folks from accessing the forums if they are a known spammer.

2. StopForumSpam.com – ties in with the admin list of members and adds options to select users and check them against the database by e-mail address, IP address and username with a status returned (green=good, yellow=caution, red=blocked). The check can be automated at registration or run manually. If there are matches on at least two pieces of information, the user is allowed to register but is held in limbo until someone reviews the registration issue and decides their fate. There are some false positives occasionally. If a spammer slips through the cracks on registration, the solution also includes the ability to report them and update the database so they are blocked from all other subscriber sites.

Discourse might benefit from either or both of these resources as part of pre-registration.

As previously discussed, I think new user profile text should be sent to Akismet for vetting. You can search for prior testing we did with the services you mention, they are real spotty.

Is this happening now?

I just set up a personal forum and am allowing signup with approval required. Every day I get 5-10 spam accounts in the pending users list, which surprises me because I just set up this site and the user list is disabled. This did not seem to change when I enabled akismet.

Another question - if I delete pending users individually, I can choose to just delete or delete and add to IP blacklist. If I delete pending users in bulk via the pending user list, I don’t get that option. Does it blacklist them or not?

This does not currently happen, no.

I’ve read through a couple of threads on this topic here and this is the least necro one I could find, so I figured I’d post here:

I’ve been running a small discourse forum for a few years with very little spam-profile-registration activity but after updating a week or so ago, it’s become a significant problem; I get >100 registrations per day now.

While the other anti-spam functions keep the actual spam posts to a minimum, these registrations are getting flagged as suspicious (as they rightly should) and it’s filling up my notifications such that I have to sift through all of them, ban-and-blocking as I go, to find the actual posts I need to approve/moderate.

So, my question is: did something change with the forum software recently, such as a change in a default setting, etc. that I need to mess with to get the previous behavior back, whether that’s preventing the spam registrations in the first place or just not putting them in my notifications so I can ignore them until they’re auto-deleted for inactivity?

EDIT: it looks like there’s a checkbox for “Staff must approve all suspect accounts”, which I’ve now unchecked and then reduced the “clean up inactive users after days” interval to be very short (I’m trying 2 days).

Are these actual registered accounts, e.g. they have a confirmed email? 100 per day is a ton, more than I’ve seen on any of our customer sites? Can you provide a screenshot and some additional detail? I’m interested in getting to the bottom of this.

Hey, sorry for the late reply. I haven’t had a problem since I unchecked the aforementioned box, but I just rechecked it to collect some data for you.

I believe they are indeed confirmed, but they never rise above trust level 0 because they only exist to have a spammy link in their profile (often for some Australian real estate company…).

I’ll update this post with more info as I get it. Thanks

Well, that’s good news!

I worry when spammers figure out they need to get to TL1, but that is also significant additional work for them (read time, topics entered, etcetera) so they probably won’t do it.