Well I owe you an apology here because I checked the new user admin page on a few popular sites we host and… this is a much bigger problem than I realized.
It’s quite bad and looks 100% human entered, so captchas won’t change a thing.
So hopefully by the end of this week, I’d like @zogstrip to work on the following:
- a new site setting – maximum new user accounts per registration IP. Defaults to 3. If there are already (n) trust level 0 accounts from this IP, stop accepting new signups from that IP. If there are TL1 or above accounts, they will not be counted toward this limit. The user dialog should reject with the existing vague screened email/IP login dialog message copy. This part is urgent, do this first!
- improved admin IP lookup dialog – the “other accounts with this address” should show some basic stats in a scrollable div: total count of other accounts from this IP, and the username / read time / topics entered and trust level for each account. Right now it just shows the tiny avatar which isn’t enough to judge anything.
- one-click staff user delete button on the user profile page for TL0 users with 1 post or less. Something I gave @neil but @zogstrip, you should take it as part of this work.
- some way of batch deleting a number of accounts from the same IP address. Not sure exactly where this should go in the UI… but there’s some cleanup needed here.
- (for later consideration) a cleanup task that deletes old accounts that have no posts, no actions, no read time, and no subsequent visits after (n) days. We’ll have to watch out for SSO and other oddball “inactive” user scenarios here.
None of this is really hurting anything as the whole /users/ path has always been disallowed in robots.txt for a long time, and TL0 users don’t have any user clickable links on their profile by design. But it’s still a lot of bogus accounts being created, which is annoying and messy.
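
The per-IP signup limit proposed in the first list item, sketched in Ruby as an added example; it is not part of the original post and not Discourse's code. The `Account` struct, the function names, the sample addresses and the IP normalization step are assumptions, and the rejection text is a placeholder because the post does not quote the existing copy.

```ruby
require "ipaddr"

# Hypothetical in-memory record; not Discourse's User model.
Account = Struct.new(:username, :registration_ip, :trust_level)

MAX_NEW_ACCOUNTS_PER_IP = 3 # default proposed in the post

# Placeholder: the post refers to existing vague copy but does not quote it.
VAGUE_REJECTION = "<existing screened email/IP message>"

# Assumption: compare addresses in canonical form so an IPv4-mapped IPv6
# address (::ffff:a.b.c.d) lands in the same bucket as a.b.c.d.
def canonical_ip(raw)
  IPAddr.new(raw.strip).native.to_s
end

# Only trust level 0 accounts count; TL1 and above are ignored.
def tl0_count_for(accounts, raw_ip)
  ip = canonical_ip(raw_ip)
  accounts.count { |a| a.trust_level == 0 && canonical_ip(a.registration_ip) == ip }
end

# Returns the decision and the message to show. The message stays vague so
# the rejected client is not told which rule it hit.
def signup_decision(accounts, raw_ip, limit: MAX_NEW_ACCOUNTS_PER_IP)
  if tl0_count_for(accounts, raw_ip) >= limit
    { allowed: false, message: VAGUE_REJECTION }
  else
    { allowed: true, message: nil }
  end
end

# Constructed sample data using documentation address ranges.
SAMPLE_ACCOUNTS = [
  Account.new("new1", "203.0.113.7", 0),
  Account.new("new2", "203.0.113.7", 0),
  Account.new("new3", "::ffff:203.0.113.7", 0), # same host, mapped form
  Account.new("office_a", "198.51.100.9", 1),
  Account.new("office_b", "198.51.100.9", 2),
  Account.new("office_c", "198.51.100.9", 3),
  Account.new("office_new", "198.51.100.9", 0)
].freeze

if __FILE__ == $PROGRAM_NAME
  %w[203.0.113.7 198.51.100.9].each do |ip|
    puts "#{ip}: #{signup_decision(SAMPLE_ACCOUNTS, ip)}"
  end
end
```

In the sample data the shared office address still accepts signups because its established TL1+ accounts are not counted, while the address with three TL0 accounts is refused.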