Spam Blocking Feature Idea: Alert when Same IP Address Answers Topic

(Lowell Heddings) #1

Here’s the scenario, which we’ve seen happen plenty of times over the years:

  1. User signs up, asks a question.
  2. Hours later, another user signs up, answers that question by suggesting software or a service and linking to it.
  3. Investigation finds that the IP address is the same for both users and the question was a setup.

Seems like an easy thing to check - if the post is from a new user and/or contains a link, check to make sure that the IP address isn’t the same as the first poster IP.

The actions could be either:

  • Automatically hide post and message the user.
  • Automatically just Flag the post to notify the moderators (preferable IMO)

It definitely would only stop a portion of the spam, but 99 times out of 100, when two new users have the same IP address in the same topic, something bad is going on. It would be nice as a moderator to know that two new users in a topic have the same IP address and are probably the same person.

Some Ideas for Spam Control
(Hrishikesh Thakre) #2

Just a question, people working in big companies behind the firewalls don’t all they have same external/public IP?

(F. Randall Farmer) #3

I agree. Don’t you mean both posts, not just the answer? Spam is spam.

An alternative is to auto-hide, and send “reason” message explaining what happened to the post(s) in question. True spammers won’t bother fixing it (they won’t even know as they usual use bogus emails). In the very, very cases that it is valid, there will be an appeal and reversal is trivial.

(Lowell Heddings) #4

Yeah, I think that either way would be a useful improvement.

And yes, many big companies use a single IP address for everybody, but
realistically on a small forum, you never end up with two people with the
same IP address on the same topic that just happen to answer the other with
a link to a product.

(Ronteras) #5

Yes and what about same household?

Well, kill spam, but at least make this feature optional.

(Lowell Heddings) #6

The chance of two people in the same house creating a topic and then the
other person later responding to the same topic with a link are pretty much

EDIT: Just testing to see if adding text with a link will push the topic up to the top again.

(Hrishikesh Thakre) #7

And what are the chances of a dynamic I/P getting associated to some one else in your apartment complex and answering question?

I agree New User1 + Question + New User 2 + Answer + Same I/P + Links in address, whole as a combination is rare situation and can be a spam.

(F. Randall Farmer) #8

I’ll tell you what, I’ll take odds on that. 100 against your 1, and I’ll clean up. I worked at Yahoo! 5 years, and the exceptions in cases like this are in the noise. Rounded to the nearest percent, it’s 100% spam.

(Kevin P. Fleming) #9

Users here at Bloomberg would be quite annoyed by this, if it tripped on their posts. We have thousands of developers that would likely hit the site in question from the same external IP address, and I would not be at all surprised to see a question posed by one developer answered by another. If this does get implemented, there should definitely be a way to disable it, if that’s not the default.

For that matter, this will annoy even an admin setting up a new Discourse instance and creating test categories/topics :smile:

(Jeff Atwood) #10

Pretty sure this would only apply to new users, not admins.

Also if the users in question were not new users (trust level zero) then they’d be completely immune to the check as well.

(Kevin P. Fleming) #11

Well, of course. That makes complete sense. I’ll go back into my cave now.

(Neil Lalonde) #12

I added support for this today. It’s basically as described in this discussion, but we don’t bother checking for links in the reply. We check to see if the topic starter and the user who is replying are both new (registered in the last 24 hours or are still at trust level zero) and are at the same IP address. If so, both their posts will be flagged as spam.

It can be disabled by unchecking the flag_sockpuppets site setting.

Does sockpuppet flag prevent notifications?
(Dan Porter) #13

Hi Neil. May I suggest that a whitelist IP list is added to this feature? I run a discourse for a hackerspace, and a lot of our members would access discourse on site. As discourse is hosted outside the space, many users would use the same IP.

An alternative to this would be enabling local access to discourse and referencing their LAN IP address, however this requires extra work. Other people may have reasons for whitelisting IP addresses, what do you think?

(Neil Lalonde) #14

Agreed. I’m adding IP blocking right now, so I’ll build in IP whitelisting too and integrate it with this flag_sockpupets feature.

(Kevin P. Fleming) #15

I’m curious, since pretty much everyone runs Discourse behind some sort of reverse proxy, how is Discourse able to see the IP address of the poster?

(Ben T) #16

In the location block for discourse (the nginx conf file), the real IP of the user is passed along in the headers.

proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;

(Kevin P. Fleming) #17

OK, then anyone who is using a different configuration will need a suitable warning if their proxy is not providing this information.

@Neil: Can you enhance the admin page to warn the admin if they enable this feature but the required headers are not present in the session that the admin has open to Discourse? If they enable this feature but their configuration fails to provide the required address information, it will silently fail to do anything, and will likely be somewhat difficult to troubleshoot.

(Jeff Atwood) #18

In case you’re curious here’s what this looks like on a real live hit:

Note that this does respect the IP whitelist, so if you have a bunch of people hitting the site from the same IP, you can whitelist it. Or the setting can be turned off.

(Jeff Atwood) closed #19