What once was a quiet hamlet became pages and pages of spam. We now have discourse-akismet installed, and the good news is that it properly detects incoming new spam whenever it runs. With great effort, we deleted all of the older posts that had already gone through.
The bad news is that the spam traffic continues; while reading this post we had 20 more. Akismet is run every 10 minutes. Is there something that could be done before that happens?
For example, what if there was a way to detect "probable spam", keeping a post hidden for 10 minutes or so, so there is time for it to be run against Akismet? If it is not spam, it could be shown and new post notifications could go out, and no real harm is done.
@sam - is there any way to adjust the settings on Akismet to be more effective against this kind of spam? We've had a number of bamwar "campaigns" hit our forums over the years and they are a real pain to clean up after.
I'd like to know this too - our existing xenForo install gets a fair amount of spam signups/threads every day and I'd like to have that problem go away when we move to Discourse at the end of August.
Akismet has helped tremendously to fight the "wake up to tons of spam on the forums" problem.
You see in the image that @strager took that within the 10 minute window (before the "CheckForSpam" job is run) it continues to pile up. We have temporarily disabled new user registrations (certainly not a good long-term solution) until (hopefully?) this quiets down.
We did start a poll to vote for our favorite spammer:
Instead of disabling new user signups, try using the "approve post count" setting. Set it to 1 so you have to review the first post from every new user before it appears.
Have you manipulated trust defaults or other Discourse new user settings? New users are strictly rate limited so once you add Akismet to check for human spammers (which these are) you should not have a problem.
Also trust level 0 users are required to pass through Akismet before posting. We also recently added topic title as a check for Akismet so make sure you are on the latest version of our official Akismet plugin!
I strongly suspect you may have changed these defaults? If so I strongly recommend you revert them to default.
And that's… about it, really, pretty good variety of IPs here. I haven't geolocated them yet but that might assist as well. As you can see they have a lot of users and they mostly come from different IPs and unique email addresses on a legit provider which makes this more challenging. (The ultimate challenge is when they all come from Tor, but this is not that.)
I went ahead and bumped up two Discourse site setting defaults to assist in blocking this kind of human spam in the future:
rate_limit_new_user_create_topic: 120 (was 60, this is in seconds)
max_topics_in_first_day: 3 (was 5)
These should only affect TL0 users, but we do prevent first day new topics in total for the first 24 hour life of the account.
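The two settings above interact: one is a minimum interval between topics, the other a hard cap during the account's first 24 hours. The following Ruby model is an added example, not Discourse's own implementation; it assumes the semantics described in this post (limits apply only to trust level 0, the cap covers the first 24 hours of the account's life) and uses a constructed posting timeline to compare the old and new defaults:

```ruby
# Added example (not Discourse code): models how rate_limit_new_user_create_topic
# and max_topics_in_first_day gate topic creation for a trust-level-0 account.
require 'time'

NEW_DEFAULTS = {
  rate_limit_new_user_create_topic: 120, # seconds between topics (was 60)
  max_topics_in_first_day: 3             # cap during first 24 h (was 5)
}.freeze

OLD_DEFAULTS = {
  rate_limit_new_user_create_topic: 60,
  max_topics_in_first_day: 5
}.freeze

FIRST_DAY = 24 * 60 * 60 # assumption: "first day" means 24 h from account creation

NewUser = Struct.new(:trust_level, :created_at, :topic_times)

# Returns [allowed, reason]; reason is nil when the topic may be created.
def topic_allowed?(user, now, settings = NEW_DEFAULTS)
  return [true, nil] if user.trust_level > 0 # assumption: only TL0 is limited

  age = now - user.created_at
  if age < FIRST_DAY && user.topic_times.size >= settings[:max_topics_in_first_day]
    return [false, :first_day_cap]
  end

  last = user.topic_times.max
  if last && (now - last) < settings[:rate_limit_new_user_create_topic]
    return [false, :rate_limited]
  end

  [true, nil]
end

# Attempts a topic creation and records the time when it is allowed.
def create_topic!(user, now, settings = NEW_DEFAULTS)
  allowed, reason = topic_allowed?(user, now, settings)
  user.topic_times << now if allowed
  [allowed, reason]
end

# Constructed scenario: a fresh TL0 account fires off topics `spacing` seconds
# apart. Returns the reason for each attempt (nil means it went through).
def simulate(settings = NEW_DEFAULTS, spacing = 120, attempts = 5)
  t0 = Time.parse('2014-08-01 10:00:00 UTC')
  user = NewUser.new(0, t0, [])
  (0...attempts).map { |i| create_topic!(user, t0 + spacing * i, settings)[1] }
end

if __FILE__ == $PROGRAM_NAME
  puts "new defaults: #{simulate(NEW_DEFAULTS).inspect}"
  puts "old defaults: #{simulate(OLD_DEFAULTS).inspect}"
end
```

With topics attempted two minutes apart, the old defaults let all five through, while the new defaults stop at three; once the account is older than a day the cap no longer applies and only the interval check remains.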
Hmm, maybe someone found a way to bot Google account signups, sold a batch of "clean" accounts to the spammers, and the spammers were using the Google OAuth to sign in without going through the email confirmation.
I just checked, and these are almost all IP ranges from South Korea. So that'd be another way to slow these guys down: if we had a geolocate-IP-at-signup check, and you could block certain countries from registering, that'd be a cool plugin!
Note that they do have a handful of other country IPs mixed in there like the one from Italy, and another from NY, so I think they have a few tricks up their sleeve if they keep getting blocked based on geolocation of IPs.
Or, not quite as drastically, you could have a TL-1 tier that "suspicious IPs" were automatically started out on. TL-1 users would face even higher rate limits, fewer max topics and require post approval.
Well, we want to make more use of the "blocked" user state (right now, only used in one specific spam instance, posting lots of duplicate URLs) and also the approval queue, so…
No, we want to look at mitigation before it even gets to Akismet in this case. This kind of spam should be stopped in a variety of different ways, "defense in depth", etc etc etc etc
We had tried Trust Level 0 (we use Trust Level 1 by default) but had not seen improvements. Seeing that Akismet is triggered in this way (should it be first number of posts instead?) is helpful
I like Trust Level 1 better because it has been common for legitimate users to sign up for the first time just to share screenshots and links for a new game they have developed. Otherwise, these end up being "I don't know why, but I can't post images" type posts.
I've asked this question before; @codinghorror kindly pointed me toward the newuser max images setting, allowing you to change the maximum images a TL0 user can upload per post. For me I set it to 2, no complaints since.
As @deanmarktaylor noted, just edit the setting to allow 1 image per new user. If you make TL1 the default without some kind of external vetting (paid accounts, or SSO) you will be in a world of hurt and suffering pretty quickly.
Ok phase 1 of improvements here are going out. I want to be coy about the specifics because spammers but you can read commit logs for today and yesterday to get more detail.
We should be much more resistant to casual 100% human spamming now, as well as any potential browser scripted spam.
(But from what we saw, and the data we gathered, bamwar is unquestionably human spam. Very, very persistent and annoying human spam with lots of IP addresses and valid emails at their disposal.)