Need assistance with massive amounts of spam

This has been a headache to battle, here’s a bit of background information.

I run a community that has a tremendous amount of hype built around it. We have well over a million people tracking our project, and we’ve set up a Discourse Forum to aid the developers within our community. Essentially it’s a developer support forum for interacting with our project, we do not allow content to be posted outside of development related content.

About three days ago, a prominent Youtube/Twitter persona made the false claim that by registering for our support forum and making posts on it, it makes you eligible to receive rewards/goodies from our team. This is entirely false, and has resulted in 3 days of near-constant sign ups, and a great deal of spam posts and topics to be posted on the forum.

We’re talking anywhere between 2,500 and 7,500 sign ups a day right now, primarily from Asian and Middle Eastern countries (2 specific countries stand out as the major offenders).

The users signing up seem to be a mix of bots and real users. Almost all IP’s are unique (healthy mix of IPv4 and IPv6), and there don’t seem to be any prominent subnets to ban on the IPv4 side to take out chunks of them (IPv6 I’ve had a bit of luck banning /24 blocks, but it seems easily bypassable). Email addresses are all gmails, and a large amount of them appear to be throwaway/bot email addresses. The only indication that these are bot accounts is many of them will re-use the same banner image on their profile, as well as some generic “I am a student” biography text.

I’ve anonymized this list by changing characters/numbers, but to give you examples of the types of emails attached to these sign ups:

1. syedaleem435@gmail.com
2. kksam362@gmail.com
3. julik8641@gmail.com
4. eishanihal253@gmail.com
5. subir2426@gmail.com
6. meeagle38103@gmail.com

These users are signing up and then making new topics irrelevant to our community. Often these topics aren’t even words, it’s as if a toddler smashed the keyboard. The topics aren’t too hard to detect and delete, but what’s been worse is them spamming pre-existing topics with spam / low quality content. Many of our more popular topics have had anywhere between 500 and 1,500 new spam/low quality posts added to them.

As of right now I’ve completely disabled registrations, but I’m looking for help on the following:

1. Is there any way to mass purge members. Can I delete all TL0 users who have registered over the past 72 hours?
2. Is there a way to detect spam/throwaway emails and deny registration from them? At this point I’d be willing to block all emails that end in 3-5 numbers for the time being.
3. Would you suggest setting auto-silence to a value greater than 3000 milliseconds?
4. Can you give me any other tips or tricks to help combat massive volumes of spam? I feel like this has been a full time job over the last 2-3 days. I use Akismet but are there any additional plugins that may help me?

I would - at least temporarily - set create/reply for all categories to TL1 or maybe even TL2, or use Custom Wizard to have new users jump through some hoops (“I understand I will not get rewards” with 10 options, only one correct one) to get them added to a group which can post.

You might try using a custom user field with a required multiselect option on your signup page, with multiple answers, only one of which is acceptable. That’ll probably slow down the bots a little, or at least give you an easily filterable field to help delete bogus signups. (NOTE: After thinking about it, I suspect this won’t work because there’s nothing to require a specific answer. The method in an earlier response might work better.)

I find captcha-type traps ineffective these days, the bots can solve them faster than I can.

There should be a way to delete the new L0 users in rails, but be sure to do a backup first. If they’ve posted, you’ll have to delete those posts first.

Others have said that requiring two-factor IDs for signups pretty much eliminates the spammers. I haven’t had to resort to that yet.

I appreciate the replies so far.

With registrations disabled for a day we were able to get our heads above water again.

@RGJ I like your idea of hoops to jump through in order to get added to a group that has posting permissions, that’s something we’re going to explore.

Using the data explorer I’ve been able to identify about 5,000 additional bot accounts that have been flying under the radar so far.

@MikeNolan I’m unsure if I have access to the rails console yet. We’re hosting directly with discourse and I wasn’t a part of the purchasing / on-boarding process, so I’m running this question up the chain trying to determine what access we have.

I imagine I can perform deletions through the API as well? I see that I can easily generate myself API credentials.

Something along the lines of:

import csv
import requests
import time

api_key = 'api_key'
api_username = 'api_username'
base_url = 'https://mydomain.com'
headers = {
    'Api-Key': api_key,
    'Api-Username': api_username
}

def delete_user(user_id):
    delete_url = f'{base_url}/admin/users/{user_id}.json'
    response = requests.delete(delete_url, headers=headers)
    
    if response.status_code == 200:
        print(f'Successfully deleted user {user_id}')
    else:
        print(f'Failed to delete user {user_id}. Status code: {response.status_code}, Response: {response.text}')

with open('user_ids_to_delete.csv', 'r') as csvfile:
    reader = csv.reader(csvfile)
    for row in reader:
        user_id = row[0]
        try:
            delete_user(user_id)
        except Exception as e:
            print(f'Error occurred while deleting user {user_id}: {e}')
        
        time.sleep(1)  # Add a delay to avoid overwhelming the server with requests

Several years ago our old forums (phpbb3) were hit with a big wave of bogus registrations, many of the emails were similar to the gmail ones you listed, though we also got quite a few from .ru addresses, notably yandex.

At one point we were getting 1000 of them a day. By the time we got it under control, we had over 80,000 bogus records.

We solved the problem by requiring a valid current membership ID (our membership system was totally separate) which had not already been used to create a forum record. That way even if someone had access to our membership records (they’re online) they could only use an ID once. Bogus registrations fell to essentially zero.

I’ve not used the data explorer enough to know what its limitations are. I’ve been a postgresql DBA for over 20 years, so going directly into psql has not been an issue for me, but I’ve limited my activities there to read-only queries.

Is fingerprinting still a viable technique or have the browsers pretty much made it a toothless tool?

Right question would be is it ever been viable technique

(And just a reminder: it is unlegal in EU)

from rails (docker exec -it my_container rails c):

spammers = User.where(trust_level: 0).where("created_at > ?",  Date.today - 3)
puts "found #{spammers.length} spammers"

destroyer = UserDestroyer.new(Discourse.system_user)
spammers.each do |spammer|
  destroyer.destroy(spammer, delete_posts: true)
end

If it’s only used for spam prevention and not for user behavior tracking then it will be permitted by the GDPR as “legitimate interest”.

And how would someone use it without identification?

I’m not sure what you mean by ‘identification’.

If you are a user on my forum, and I’ve banned you, I can use the fingerprinting plugin to see that you created a new account under a different name, so I can ban that account as well. In that case I am merely using the fingerprinting to protect my own interest as a forum owner. I’m not selling you anything and I’m not unnecessarily invading your privacy. It works the same way as storing and comparing IP addresses, except for the fact that those can be easily changed by using a proxy or VPN.

The comments in the fingerprinting plugin tool topic may not fully agree with you regarding the legality of fingerprinting and the EU.

Thankfully I don’t currently have a site for which fingerprinting would seem a useful anti-spam measure.

Have you considered turning on New User Approval? You could also tell your community new members require an email link invite.

If the youtuber is still in part an issue flag the video and file a complaint with Youtube

Just to loop back and round this off - this was followed up and sorted via PM.

But for anyone in a similar position, you can indeed delete users using the API if you don’t have access to the rails console due to being on managed hosting.