My pre-retirement cyber-security background may have made me overly suspicious, but a few recent user registrations have me wondering.
For background, I’ve been running my forum for over 20 years so I have a reasonable idea of my user demographics. It’s also mostly a software support forum, so many people ask questions, but far fewer provide answers because the ‘experts’ tend to be users who have lots of years of experience of using the products.
A few weeks ago I saw a question replied to which looked a bit odd. The response was kind of on-topic but a little bit non-specific. It also referred to a menu option which doesn’t exist in the software concerned but the message otherwise didn’t ring any alarm bells. I didn’t know the user who had replied so I took a look at their account and that’s when things looked a little stranger.
The user had registered, read just 4 messages then sent the reply, all within a few minutes. A new user could be an expert who had never logged in before, but that’s fairly unlikely. The username, name and email address also all suggested a female user. The hobby that the forum supports isn’t exclusively male, but female users are in the low single-digit percentages. Then I looked at the IP address which was from Gujarat in India. Again, I’ve had some Indian users before, but very few. The email address was of the form Firstname 3-digit number Lastname@outlook.com, e.g. daisy324brown@outlook.com.
I watched the account, but it’s still only had the single visit and single response.
Then today I got another one. Same MO…registered, read 2 messages, posted a kind of on-topic but non-specific reply to a message. Female name, same format of email address @outlook.com and IP address from Gujarat.
Interest piqued, I checked back and found another similar-looking account. The only difference being that the registration IP was in the UK and the last login IP was unknown.
Is this a new form of spam account that’s being set up and left on the shelf for a while to be used at a later date? Or what else could it be? Is anyone else seeing similar account registrations/posts like this?
I know this may not be specific to Discourse, but I’m wondering whether there’s some way in Discourse to flag up accounts that act in this way? Maybe flag up accounts registering with outlook.com addresses, or that send replies very soon after registering. I don’t want to block such things, just to be aware so that I can watch and be prepared if things suddenly go awry.
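The watch-list idea in the post above, sketched as an added example that is not part of the original post and is not Discourse code: it scores exported account records against the behaviours described (email shape, reply within minutes of registering, very few reads, single visit and single post) and lists accounts for review rather than blocking them. The record field names, the thresholds and the sample accounts are assumptions constructed for illustration; IP region is left out because it needs a geolocation lookup.

```python
import re
from datetime import datetime, timedelta

# Address shaped like firstname + 3 digits + lastname @outlook.com (the post's example).
EMAIL_SHAPE = re.compile(r"^[a-z]+\d{3}[a-z]+@outlook\.com$", re.IGNORECASE)
QUICK_REPLY = timedelta(minutes=10)  # assumed cut-off for "within a few minutes"
MAX_READS = 5                        # assumed ceiling for "read just 4 messages"

def signals(acct):
    """Return which of the post's heuristics this account record matches."""
    hits = []
    if EMAIL_SHAPE.match(acct["email"]):
        hits.append("email_shape")
    first = acct["first_post_at"]
    if first is not None and first - acct["registered_at"] <= QUICK_REPLY:
        hits.append("quick_first_reply")
        if acct["posts_read"] <= MAX_READS:
            hits.append("few_reads_before_reply")
    if acct["visits"] == 1 and acct["post_count"] == 1:
        hits.append("single_visit_single_post")
    return hits

def watchlist(accounts, min_signals=3):
    """Accounts matching at least min_signals heuristics, strongest first."""
    scored = [(a["username"], signals(a)) for a in accounts]
    return sorted((x for x in scored if len(x[1]) >= min_signals),
                  key=lambda x: -len(x[1]))

def _acct(username, email, registered, first_post, posts_read, visits, post_count):
    return dict(username=username, email=email, registered_at=registered,
                first_post_at=first_post, posts_read=posts_read,
                visits=visits, post_count=post_count)

# Constructed sample records; field names are hypothetical, not a Discourse schema.
T0 = datetime(2024, 1, 10, 9, 0)
SAMPLE = [
    _acct("daisy_b", "daisy324brown@outlook.com", T0, T0 + timedelta(minutes=4), 4, 1, 1),
    _acct("oldhand", "oldhand@example.org", T0 - timedelta(days=4000),
          T0 - timedelta(days=3990), 12000, 900, 340),
    _acct("newbie", "tom.smith@outlook.com", T0, T0 + timedelta(minutes=6), 2, 5, 3),
    _acct("lurker", "rose101white@outlook.com", T0, None, 0, 1, 0),
]

if __name__ == "__main__":
    for user, hits in watchlist(SAMPLE):
        print(user, hits)
```

Requiring three signals keeps a genuine newcomer who asks a question straight after joining (the constructed "newbie" record) off the list, while a matching address alone ("lurker") is not enough either.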