Yes - it just screws up our understanding of how many users we have, what percent are active, etc…
https://www.evernote.com/l/AGpxoz0XNShIjphfH7q72aRIUhI8dFDG128B/image.png
I think a reasonable setting for your site (that we should add) is
- Don’t allow users to enter any profile info until they have at least 1 public post
This would force spammers to out themselves.
@codinghorror I actually think that is a sane default, it erases the issue of ghost accounts messing stuff up, also … why muck with your profile prior to posting something on the site seems pointless.
No, you want them to fill out their profile so you can definitively know they are spammers vs. new sign ups that just never come back for “unknown reasons”, this will haunt the minds of every metric obsessed manager and they will never let you delete these “users”.
Strongly opposed, also, this was covered at extreme length in existing topics…
I support Akismet profile checks and auto delete of users who never come back and never read anything.
I also would love to see this implemented at some point. I know we have a few staff members who watch the Suspect list and remove profile spam now, this would alleviate some of that work for them.
Some stats from Sitepoint.
In the past 7 days we’ve had 32 users with spam profiles. There were an additional 8 members who shared an IP address that were also dealt with, a few of those had spammy profiles too.
So you can say between 32 and 40 of our user registrations in the last 7 days were to create spammy profiles.
(or at least these are the ones we caught through manual processes)
Agreed.
I’ve seen quite a number of users return after a week, a month, six weeks, whatever and fill out their profile (usually Spammy) and still they haven’t read a post, far less made one. We even have members imported from vBulletin, with 0 posts there, who have popped up on Discourse at some stage, filled out their profile, and not read a single post.
Really? Do they not have even the slightest curiosity about how the new forum looks compared to the old? Apparently, they have no interest in the forum at all, beyond using it to promote their fiverr account.
I actually feel these accounts are worse than those who sign up, complete their profiles - and never return. Some of those, at least, may have had good intentions, but returning simply to Spam your profile whilst ignoring the actual forum is just cynical, IMHO.
This sounds reasonable.
Also - an FYI to the Discourse team - the “suspect users” list seems to be getting only about 30% to 50% of the spam user accounts that I’m getting every day. Whatever you’re doing right now is a start, but needs more work.
Thanks for all your efforts.
It seems like the dimensions of the avatar image might also be a clue that an account is spam. In the 30 per day that I’m getting right now - all the avatar imgs seem to be the same shape/size:
https://www.evernote.com/l/AGoxBlMG_jFDuIxXxLGjq-wBXy07DJTxUtUB/image.png
If you go to the Autobiographer Badge page do the avatars stand out?
(We don’t have that Badge enabled so I can’t see on our site)
Reminder, as you delete these users as spammers, the IP block ban widens. So the more you delete, the more you are blacklisting IPs and IP ranges.
Unless the attackers have a crazily large number of IPs at their disposal, this will slowly start to prevent them from signing up as the blacklists are merged and expanded.
This is all automatic based on deletion.
We had so many Spam/fake sign-ups from the same provider that we eventually took the step of manually blocking all their IP addresses that we could find. This slowed things down considerably, but occasionally one pops up that wasn’t on our list, and the same profile patterns now turn up on two other providers, although not many and not often.
This is helpful - but it would be even more helpful if it was easier to delete groups of new registrants at once - similar to how you can delete a large number of message in Gmail. Its very time consuming to sit and delete one registrant after another. Try doing it for 30 accounts - and it takes probably 15 minutes or more - every day. Its a pain and I’ve stopped doing it because its too time-consuming.
This topic is not closed and I am not trying to hijack it. It seems very relevant as I look at what is in place to prevent spammers from automatic or manual registration abuses.
I do like the thought that forum users who have not read any content should be suspected – just wondering how “auto delete of users who never come back and never read anything” could affect users who register with the main intention to interact via mailing list mode with e-mail-in and reply by mail features. I suspect you are mostly thinking forum, yet the mailing list features are a huge asset and I would like to keep this user from getting auto deleted, and perhaps consider ways to assure they are able to gain reputation, reference other users with @ user etc. Mailing list users may only come to the forum to create the account and access public content without logging in (unless we force private content so they must login to read it, or educate them on the value of logging in for personal messages, profile updates, etc.
Rather than try to punish the spammer after they log in, why not just prevent them from registering in the first place?
I have experienced automated registration and profile spamming on previous forums. There are characteristics that do stand out and most of them include adding URLs in the profile – perhaps that should be or already is denied for a TL0 user.
I found some solutions that worked with add-ins/plug-ins/mods to eliminate most spammers. Before that I was banning users, blocking IPs, and spending too much time policing and cleaning up after the mess.
Why not tap into the already existing databases of known spammers? I am definitely not a plug-in developer. I hope perhaps this might inspire someone to consider the possibilities of using something like these solutions:
-
www.projecthoneypot.org – seems to work very well to stop folks from accessing the forums if they are a known spammer.
-
StopForumSpam.com – ties in with the admin list of members and adds options to select users and check them against the database by e-mail address, IP address and username with a status returned (green=good, yellow=caution, red=blocked). The check can be automated at registration or run manually. If there are matches on at least two pieces of information, the user is allowed to register but is held in limbo until someone reviews the registration issue and decides their fate. There are some false positives occasionally. If a spammer slips through the cracks on registration, the solution also includes the ability to report them and update the database so they are blocked from all other subscriber sites.
Discourse might benefit from either or both of these resources as part of pre-registration.
As previously discussed, I think new user profile text should be sent to Akismet for vetting. You can search for prior testing we did with the services you mention, they are real spotty.
Is this happening now?
I just set up a personal forum and am allowing signup with approval required. Every day I get 5-10 spam accounts in the pending users list, which surprises me because I just set up this site and the user list is disabled. This did not seem to change when I enabled akismet.
Another question - if I delete pending users individually, I can choose to just delete or delete and add to IP blacklist. If I delete pending users in bulk via the pending user list, I don’t get that option. Does it blacklist them or not?
This does not currently happen, no.
لقد قرأت عدة نقاشات حول هذا الموضوع هنا، وهذا هو الأقل احتياجاً لإحياء النقاش القديم الذي استطعت العثور عليه، لذا فكرت في النشر هنا:
أدير منتدى صغيراً يعمل بنظام discourse منذ بضع سنوات، ولم يكن هناك نشاط ملحوظ لتسجيل حسابات مزيفة أو رسائل غير مرغوب فيها، لكن بعد التحديث قبل أسبوع تقريباً، أصبح الأمر مشكلة كبيرة؛ فأنا الآن أتلقى أكثر من 100 تسجيل يوميًا.
بينما تحافظ الوظائف الأخرى المضادة للرسائل غير المرغوب فيها على عدد منشورات السبام الفعلية في الحد الأدنى، فإن هذه التسجيلات تُعلَّم كمشبوهة (كما ينبغي)، مما يملأ إشعاراتي لدرجة أنني مضطرّ لتفحصها جميعًا، وحظر المستخدمين ومنعهم أثناء ذلك، للوصول إلى المنشورات الفعلية التي أحتاج إلى الموافقة عليها أو إدارتها.
إذًا، سؤالي هو: هل حدث تغيير في برنامج المنتدى مؤخرًا، مثل تغيير في إعداد افتراضي أو ما شابه، يتطلب مني التعديل عليه لاستعادة السلوك السابق، سواء كان ذلك بمنع تسجيلات السبام من الأساس أو ببساطة بعدم إظهارها في إشعاراتي حتى أتمكن من تجاهلها حتى يتم حذفها تلقائيًا بسبب عدم النشاط؟
تعديل: يبدو أن هناك مربع اختيار بعنوان “يجب على الطاقم الموافقة على جميع الحسابات المشبوهة”، وقد قمت بإلغاء تحديده، ثم قللت فترة “تنظيف المستخدمين غير النشطين بعد أيام” إلى فترة قصيرة جدًا (أحاول 2 يومًا).
هل هذه حسابات مسجلة فعلية، أي أنها تمتلك بريدًا إلكترونيًا مؤكدًا؟ 100 تسجيل يوميًا عدد كبير جدًا، أكثر مما رأيته في أي من مواقع عملائنا. هل يمكنك تقديم لقطة شاشة وبعض التفاصيل الإضافية؟ أنا مهتم بمعرفة حقيقة الأمر.
مرحبًا، آسف على التأخر في الرد. لم أواجه مشكلة منذ إلغاء تحديد المربع المذكور أعلاه، لكنني أعيدت تحديده للتو لجمع بعض البيانات لك.
أعتقد أنها مؤكدة بالفعل، لكنها لا تتجاوز مستوى الثقة 0 لأنها توجد فقط لوضع رابط غير مرغوب فيه في ملفها الشخصي (غالبًا لشركة عقارات أسترالية…).
سأقوم بتحديث هذا المنشور بمزيد من المعلومات بمجرد حصولي عليها. شكرًا 
حسنًا، هذه أخبار جيدة!
أشعر بالقلق عندما يكتشف المرسِلون غير المرغوب فيهم أنهم بحاجة للوصول إلى مستوى الثقة 1، لكن هذا يتطلب منهم أيضًا جهدًا إضافيًا كبيرًا (وقت القراءة، المواضيع التي دخلوها، وما إلى ذلك)، لذا من المحتمل ألا يفعلوا ذلك.