Potential spammer accounts being created

My pre-retirement cyber-security background may have made me overly suspicious, but a few recent user registrations have me wondering.

For background, I’ve been running my forum for over 20 years so I have a reasonable idea of my user demographics. It’s also mostly a software support forum, so many people ask questions, but far fewer provide answers because the ‘experts’ tend to be users who have lots of years of experience of using the products.

A few weeks ago I saw a question replied to which looked a bit odd. The response was kind of on-topic but a little bit non-specific. It also referred to a menu option which doesn’t exist in the software concerned but the message otherwise didn’t ring any alarm bells. I didn’t know the user who had replied so I took a look at their account and that’s when things looked a little stranger.

The user had registered, read just 4 messages then sent the reply, all within a few minutes. A new user could be an expert who had never logged in before, but that’s fairly unlikely. The username, name and email address also both suggested a female user. The hobby that the forum supports isn’t exclusively male, but female users are in the low single digit percentages. Then I looked at the IP address which was from Gujarat in India. Again, I’ve had some Indian users before, but very few. The email address was of the form Firstname 3 digit number Lastname@outlook.com, e.g. daisy324brown@outlook.com.

I watched the account, but it’s still only had the single visit and single response.

Then today I got another one. Same MO…registered, read 2 messages, posted a kind of on-topic but non-specific reply to a message. Female name, same format of email address @outlook.com and IP address from Gujarat.

Interest piqued I checked back and found another similar looking account. The only difference being that the registration IP was in the UK and the last login IP was unknown.

Is this a new form of spam account that’s being set up and left on the shelf for a while to be used at a later date? Or what else could it be? Is anyone else seeing similar account registrations/posts like this?

I know this may not be specific to Discourse, but I’m wondering whether there’s some way in Discourse to flag up accounts that act in this way? Maybe flag up accounts registering with outlook.com addresses, or that send replies very soon after registering. I don’t want to block such things, just to be aware so that I can watch and be prepared if things suddenly go awry.

We do get some auto-silencing for new users that create topics or replies too soon after account creation.

What is your current value for the site setting silence_new_user_sensitivity?

It’s set to High so I can’t increase it.

This is a type of spam we’ve seen from time to time. Often something vaguely related is posted (might actually be a copy and paste from a similar topic… though now AI might be easier). Then the account may come back later (sometimes after a very long time!) and edit their post with a spam link.

I don’t believe we have a way to filter for this kind of case… maybe we could identify when an inconsistently active account comes back and adds a link to a post? (If someone posts, disappears for a month+, and then returns to edit a link in?)

One option you can utilize in the meantime is locking their trust level to 0 or 1 (from the user admin page). This would prevent the account from coming back and adding links to posts (or making any edits) after 24 hours. The downside of this is that it can limit someone if it turns out that they’re not a spammer.

For these, we do have some protection with the edit window limits (more stringent for lower trust levels, but most sites keep the default 30 days for TL2+), but I think human spammers can be wise to a lot of the tools over time and more so as Discourse becomes more popular.

We had one here just the other day that the auto-tools didn’t catch who came back and edited a hyperlink into a full stop in their innocuous looking post. They can be real sneaky.

The most recent account did come back to add a spam link…unfortunately within 24 hours.