Yes - it just screws up our understanding of how many users we have, what percent are active, etc…
https://www.evernote.com/l/AGpxoz0XNShIjphfH7q72aRIUhI8dFDG128B/image.png
I think a reasonable setting for your site (that we should add) is
- Don’t allow users to enter any profile info until they have at least 1 public post
This would force spammers to out themselves.
@codinghorror I actually think that is a sane default, it erases the issue of ghost accounts messing stuff up, also … why muck with your profile prior to posting something on the site seems pointless.
No, you want them to fill out their profile so you can definitively know they are spammers vs. new sign ups that just never come back for “unknown reasons”, this will haunt the minds of every metric obsessed manager and they will never let you delete these “users”.
Strongly opposed, also, this was covered at extreme length in existing topics…
I support Akismet profile checks and auto delete of users who never come back and never read anything.
I also would love to see this implemented at some point. I know we have a few staff members who watch the Suspect list and remove profile spam now, this would alleviate some of that work for them.
Some stats from Sitepoint.
In the past 7 days we’ve had 32 users with spam profiles. There were an additional 8 members who shared an IP address that were also dealt with, a few of those had spammy profiles too.
So you can say between 32 and 40 of our user registrations in the last 7 days were to create spammy profiles.
(or at least these are the ones we caught through manual processes)
Agreed.
I’ve seen quite a number of users return after a week, a month, six weeks, whatever and fill out their profile (usually Spammy) and still they haven’t read a post, far less made one. We even have members imported from vBulletin, with 0 posts there, who have popped up on Discourse at some stage, filled out their profile, and not read a single post.
Really? Do they not have even the slightest curiosity about how the new forum looks compared to the old? Apparently, they have no interest in the forum at all, beyond using it to promote their fiverr account.
I actually feel these accounts are worse than those who sign up, complete their profiles - and never return. Some of those, at least, may have had good intentions, but returning simply to Spam your profile whilst ignoring the actual forum is just cynical, IMHO.
This sounds reasonable.
Also - an FYI to the Discourse team - the “suspect users” list seems to be getting only about 30% to 50% of the spam user accounts that I’m getting every day. Whatever you’re doing right now is a start, but needs more work.
Thanks for all your efforts.
It seems like the dimensions of the avatar image might also be a clue that an account is spam. In the 30 per day that I’m getting right now - all the avatar imgs seem to be the same shape/size:
https://www.evernote.com/l/AGoxBlMG_jFDuIxXxLGjq-wBXy07DJTxUtUB/image.png
If you go to the Autobiographer Badge page do the avatars stand out?
(We don’t have that Badge enabled so I can’t see on our site)
Reminder, as you delete these users as spammers, the IP block ban widens. So the more you delete, the more you are blacklisting IPs and IP ranges.
Unless the attackers have a crazily large number of IPs at their disposal, this will slowly start to prevent them from signing up as the blacklists are merged and expanded.
This is all automatic based on deletion.
We had so many Spam/fake sign-ups from the same provider that we eventually took the step of manually blocking all their IP addresses that we could find. This slowed things down considerably, but occasionally one pops up that wasn’t on our list, and the same profile patterns now turn up on two other providers, although not many and not often.
This is helpful - but it would be even more helpful if it was easier to delete groups of new registrants at once - similar to how you can delete a large number of message in Gmail. Its very time consuming to sit and delete one registrant after another. Try doing it for 30 accounts - and it takes probably 15 minutes or more - every day. Its a pain and I’ve stopped doing it because its too time-consuming.
This topic is not closed and I am not trying to hijack it. It seems very relevant as I look at what is in place to prevent spammers from automatic or manual registration abuses.
I do like the thought that forum users who have not read any content should be suspected – just wondering how “auto delete of users who never come back and never read anything” could affect users who register with the main intention to interact via mailing list mode with e-mail-in and reply by mail features. I suspect you are mostly thinking forum, yet the mailing list features are a huge asset and I would like to keep this user from getting auto deleted, and perhaps consider ways to assure they are able to gain reputation, reference other users with @ user etc. Mailing list users may only come to the forum to create the account and access public content without logging in (unless we force private content so they must login to read it, or educate them on the value of logging in for personal messages, profile updates, etc.
Rather than try to punish the spammer after they log in, why not just prevent them from registering in the first place?
I have experienced automated registration and profile spamming on previous forums. There are characteristics that do stand out and most of them include adding URLs in the profile – perhaps that should be or already is denied for a TL0 user.
I found some solutions that worked with add-ins/plug-ins/mods to eliminate most spammers. Before that I was banning users, blocking IPs, and spending too much time policing and cleaning up after the mess.
Why not tap into the already existing databases of known spammers? I am definitely not a plug-in developer. I hope perhaps this might inspire someone to consider the possibilities of using something like these solutions:
-
www.projecthoneypot.org – seems to work very well to stop folks from accessing the forums if they are a known spammer.
-
StopForumSpam.com – ties in with the admin list of members and adds options to select users and check them against the database by e-mail address, IP address and username with a status returned (green=good, yellow=caution, red=blocked). The check can be automated at registration or run manually. If there are matches on at least two pieces of information, the user is allowed to register but is held in limbo until someone reviews the registration issue and decides their fate. There are some false positives occasionally. If a spammer slips through the cracks on registration, the solution also includes the ability to report them and update the database so they are blocked from all other subscriber sites.
Discourse might benefit from either or both of these resources as part of pre-registration.
As previously discussed, I think new user profile text should be sent to Akismet for vetting. You can search for prior testing we did with the services you mention, they are real spotty.
Is this happening now?
I just set up a personal forum and am allowing signup with approval required. Every day I get 5-10 spam accounts in the pending users list, which surprises me because I just set up this site and the user list is disabled. This did not seem to change when I enabled akismet.
Another question - if I delete pending users individually, I can choose to just delete or delete and add to IP blacklist. If I delete pending users in bulk via the pending user list, I don’t get that option. Does it blacklist them or not?
This does not currently happen, no.
J’ai parcouru quelques discussions sur ce sujet ici, et c’est la moins « nécrosée » que j’ai trouvée, alors j’ai pensé poster ici :
Je fais tourner un petit forum Discourse depuis quelques années avec très peu d’inscriptions de profils spam, mais après une mise à jour il y a une semaine environ, cela est devenu un problème majeur ; je reçois maintenant plus de 100 inscriptions par jour.
Bien que les autres fonctions anti-spam maintiennent les publications spam au minimum, ces inscriptions sont signalées comme suspectes (à juste titre) et cela remplit mes notifications au point que je dois les trier toutes, bannir et bloquer au fur et à mesure, pour trouver les vraies publications que je dois approuver ou modérer.
Donc, ma question est : quelque chose a-t-il changé récemment dans le logiciel du forum, comme un changement de paramètre par défaut, etc., que je dois modifier pour retrouver le comportement précédent, que ce soit pour empêcher les inscriptions spam dès le départ ou simplement pour ne pas les mettre dans mes notifications afin que je puisse les ignorer jusqu’à leur suppression automatique pour inactivité ?
EDIT : il semble qu’il y ait une case à cocher pour « Le personnel doit approuver tous les comptes suspects », que j’ai maintenant décochée, puis j’ai réduit l’intervalle « Nettoyer les utilisateurs inactifs après X jours » à une durée très courte (j’essaie 2 jours).
Il s’agit-il de comptes réellement enregistrés, par exemple avec une adresse e-mail confirmée ? 100 par jour, c’est énorme, plus que ce que j’ai vu sur l’un de nos sites clients. Pouvez-vous fournir une capture d’écran et quelques détails supplémentaires ? Je suis intéressé à élucider cette affaire.
Salut, désolé pour ma réponse tardive. Je n’ai eu aucun problème depuis que j’ai décoché la case mentionnée, mais je l’ai à nouveau cochée pour collecter quelques données pour toi.
Je pense qu’elles sont en effet confirmées, mais elles ne dépassent jamais le niveau de confiance 0 car elles n’existent que pour avoir un lien spammy dans leur profil (souvent pour une société immobilière australienne…).
Je mettrai à jour ce post avec plus d’informations dès que j’en aurai. Merci 
Eh bien, c’est une bonne nouvelle !
Je m’inquiète quand les spammeurs comprennent qu’ils doivent atteindre le niveau de confiance 1, mais cela représente aussi un travail supplémentaire significatif pour eux (temps de lecture, sujets consultés, etc.), donc ils ne le feront probablement pas.