I have a troll problem… or rather, one particular person who’s using TOR browsers and complex VPNs to register “burner email addresses” (he’s clearly an IT person) to our forum and we’re banning him maybe two to three times a day.
He’s so well-known in our community that he’s become sort of a bad meme… his first account was “Hans” and so people now say “Are you pulling a ‘hans’?” …!
Anyway, I suppose there’s really nothing we can do except wait for fatigue to set in and for him to self-select himself out and to stop trolling… but he’s one persistent… troll.
Thoughts? Or is my solution only to hope that he eventually gives up?
There was some discussion of browser fingerprinting and supercookies as a plugin, but it would definitely need to be a plugin. You could turn post approval on for all new users, but that path is a bit nuclear and labor intensive to boot.
Didn’t Verizon get hit with a pretty big fine a few years ago using supercookies by the FCC? I’m not even sure if you could use supercookies here in Europe (pretty strong privacy laws).
Not a supporter of “shadow banning” or “throttling” techniques.
An alternative would be is to limit a new user to only be able to post one new topic and post the first signup day, and gradually increase this amount/per day over a short period of time. You could have a user’s account be linked to a phone number (account verification required by sms), but there’s probably a way around that.
But the sad truth is, it’s very hard to contain somebody dedicated to trolling your forum.
So vBulletin has a few plugins like this. One slows down the site for the user so that they experience pain in using/posting. The other lets them post but no one can see what they post.
Having spent quite a long time at the troll fest which XDA tends to come down to at times, I know this. But you’re misunderstanding my point here. Reaching out to the offending user is not feeding the troll - because you don’t do it in public. You do it in private.
It has been my experience over the last 30+ years of forum communities, that more often than not they do this out of passion. Identifying, and redirecting, the passion often is your biggest step to seeing positive change.
And if they don’t respond - you know you’ve tried.
Yes, such limits already exist and are enforced. Look for “first day” and “new user” limits in site settings. But they would apply to all new users and all first day users.
Also @jaevanryssel you missed a critical point here about contacting in private versus in public. I can’t emphasize enough how different they are.
Turn on moderation for new users (great for picking out spam too - spam that might otherwise get missed).
Don’t allow TOR or other proxies if there isn’t a good reason for users to want to hide their identity - then when you encounter a suspicious account ban it and ask them to prove their identity by taking a photo of themselves next to a screen with your site. Apologise for the inconvenience etc.
Add common spammer email domains to the block list.
I’ve found these to be the best way to deal with ‘suspicious accounts’. The vB and XF plugins of other boards also help greatly - but only catch the inexperienced (who use the same browser without deleting cache/cookies).
You can also turn mandatory new account approval on, good point. Then every new user must provide some form of special info to you. I like the idea of taking a picture next to the front page of your site which you could validate as today’s data on screen, etc.
There have been some sites that have done that to great effect - something like a random code that is generated for each user which they have to write down on a piece of paper and take a photo with it. That particular photo is never publicly shown, but is used to check user’s photos so that there is a reasonable likeliness.
Way too much for most forums tho (and more about the community wanting to achieve 100% genuine users). For trolls and problematic members I would think what is in my previous post should work pretty well - we’ve had some stubborn trolls over the years and it’s worked well for us.
We’ve tried reasoning with the person, taking him aside and talking with him 1:1… but it’s been empty promises of good behavior.
He targets very specific community members and uses the foulest of language (I don’t need to give any examples here). His workflow is so consistent it’s easy to map out:
Realizes his existing account is permabanned.
Uses TOR / VPN to jump to another IP.
Creates random burner email address.
Signs up to our forum.
Goes back to the very same conversation thread that he was banned from and responds as if he wasn’t banned at all, attacking the same small group of specific users who have “made him mad”.
Rinse and repeat.
This is why I do not have a problem with calling him a troll and I want to be very clear… i’m not a fan of labels and I know they can be more harmful than helpful… but, this, I feel, is a classic case of trolling.
He’s now started to attack me and the other admins of the site, even though we didn’t provoke him or directly make him mad.
I’ve been there, we had a very similar person using TOR exit points making it impossible to ban him. In the end, we settled on quietly deleting his every attempt and not giving him the satisfaction of ever responding again. It took over a month, but he did give up in the end.
For how long has this been going on? Are the attacks becoming personal/threatening?
I see that your having a bad problem, did this troll pop in unexpectedly and disrespect your community for attention or did someone cause the user to start. Could it be possible to disable registrations for your community temporary to see if that will work.
A very interesting feature I would support in core is the ability to require new users to go through the moderation queue on specific topics, that seems to solve your problem case
After banning you would flip the switch on the topic.
Another option you could have working today is moving it to a category where you require TL1 to post and anon can read. This would make it enormously more annoying to troll.
Having been down this road many times, and even ones where you have to deal with “threats”, I think the best options are what was mentioned above, like requiring new account approval, etc.
