It would be useful to require a user to have at least Trust Level 1 before being able to post a profile. At the moment, we are getting quite a few (possibly bot) accounts posting spammy profiles upon registration. Granted, they probably won’t be indexed, but it would be nice to thwart bots/spammers from registering just for this purpose.
Is this a possibility?
Interesting, I am not against a site setting here.
Profile spam is the #1 type of spam on our project’s wiki, and I’m sure they’ll eventually come to Discourse once we start hitting critical mass. So, yeah.
Remember that no urls are linked in user profiles for trust level 0 (new) users.
Also all user profiles are no index out of the box per robots.txt.
That fact has never stopped “Profile SPAMmers” from creating accounts just to drop links, urls, spiels, etc on a page that no member will see and bots will never index. And most never return again.
Think, xRumer et al. and SPAM mill “backlink services”.
What SEO “experts” lack in intelligence they make for with persistance.
Probably what makes sense here is a task that deletes old, inactive user accounts for users that signed up once and never came back over a period of say 6 months.
We do this for unactivated users but should probably extend it to barely activated one timers as well.
Please make sure this doesn’t happen for SSO-created accounts.
I could live with that as long as it isn’t based on “post count” but “last seen”.
There are some that join and never post - “lurkers”.
Not contributing to the forum true, but not really deserving to be deleted either.
If an account has no posts, a virtually non-existant read time and hasn’t been around for ages on the other hand, fair enough IMHO
Yes - Discourse presents significant reader advantages to having an account.
Perhaps something like, read timing entries on two different days could also be a never-remove condition?
For those that unsubscribed from digests, send one last email saying that the account was deleted?
[Discourse Meta] Account to be Deleted
You unsubscribed from digests to the Discourse Meta forum on 2014-09-15, are still a new user, have not made any posts, and have not returned to the site since.
If you do not respond to this email, your account will be deleted in 7 days. Click here to delete it now.
If you wish to keep the account, simply visit any topic.
Hmmm, feels a bit weird, but it’s a possibility.
I agree with that in principle, but I’d also prefer not to have spammy profiles in the first place, rather than have them hanging around for six months.
The user cleanup is more essential to all forums though. Restrictions on profiles is ripe plugin territory. I’d move this to extensions.
Regarding the user cleanup approach:
A number of our users are primarily email only… Also, lurkers may get the digest and visit the site to read without logging in.
Perhaps unintended consequences can be avoided with something like what @riking suggested, or maybe this needs to be a site setting.
@mcwumbly - good point, @codinghorror / @riking please don’t forget mailing-list-only users 
I’m beginning to have this problem on my site too - getting a handful (4-5) new spam user accounts a day. I am inclined to ignore them because of this…
… but on the other hand these spam user accounts are still cluttering our forum so I agree with this:
Another approach that would work would be if it were possible to select users that are obvious spammers from the user admin lists for mass deletion. In addition to being able to click to see the user card for users from that last directly as well this would work for me to get people like this that clearly have nothing to do with African civil society organizations trying to leverage tech in support of their valuable social justice mission:
I am also missing a “delete user” button directly on the user profile page which would help admins/moderators to cull these users as they come across them. Right next to the “Show” button would be nice.
Wow this spammer even put in location and a background image in their profile? Have not seen that before… of course TL0 profiles do not have active links, either…
We’ve seen a number of “failed” Spam accounts where the account has been activated and the profile set up, but the “About me” field has been left with the rather telltale text of
enter link description here
And large numbers of actual Spam profiles; I’ve dealt with around a dozen in the last 24 hours. (Vietnamese furniture stores seem particularly popular…)
OK @neil when you get to a stopping point with billing let’s add a delete button on user profiles for tl0 users with 1 post or less.
Would that permit us to block the IP and email address too (much like the one in the Admin Users page does)?
Doesn’t the “Delete User” button already cover that? And again, that’s a manual clean-up process. Preventing them posting Spam profiles in the first place is far preferable, IMO.
These things are not mutually exclusive, your problem is that these are clearly humans not bots/scripts entering these profiles. Much harder to stop without inconveniencing other human users.
