Spam problem: 52 spam posts in one hour, can't Delete Spammer

(Lowell Heddings) #1

This user signed up and spammed 52 posts in about 30 minutes. Now I can’t use the Delete Spammer feature. I also can’t use the “Delete all posts” feature that normally shows up in the profile admin.

Lots of flags for being a spammer. The delete spammer features shouldn’t tap out.

They somehow managed to get their trust level up to 1… in an hour.

(Lowell Heddings) #2

I manually deleted all of their posts. Still, seems like a problem if the admin can’t remove all posts by a spammer with one click.

I went into the profile and tried to change their trust level down to 0. The page gave me an error, but the delete spammer features started working, weirdly.

(Lowell Heddings) #3

Just noticed this in my email:

The user was “blocked” but still managed to make a ton of extra posts. I don’t think this message means what I think it means.

(Adam Davis) #4

Chances are your email provider has flagged that email due to the included url reference. Would be nice if Discourse provided the same checking, actually. I see the netcraft publishes a list of phishing websites, but don’t see a similar list for spam…

Anyway, that’s off topic. I agree that it shouldn’t be that easy for a spammer to become trusted. I also agree that the spammer tools should still be available for users at all trust levels. Perhaps a notification, “This user is trusted/admin/awesome - are you sure you want to [specific list of actions that will be taken]?”

(Lowell Heddings) #5

My point is that the email says the user was blocked, but they weren’t.

(Jeff Atwood) #6

I suspect this has to do with the user being at trust level 1 but we will check.

Also once there are (n) posts the delete everything option is no longer available for safety.

(Neil Lalonde) #7

That’s a good point. If the url is a known phishing site, then including it in our own emails is going to look bad on us.

I’ll look into the problem with blocking.

(Neil Lalonde) #8

That message is very misleading. I had to look at the code to figure out what’s actually happening.

It’s trying to say that the newuser_spam_host_threshold site setting kicked in, which prevents a post from being posted if it contains a link to a host that the user has linked to too many times recently. It doesn’t block a user, it just blocks the one post. I’ll improve the wording of that message.

The user was trust level 1 by the time they got flagged, so the num_flags_to_block_new_user auto-blocking code couldn’t block them. I think users at trust level 1 should still be blocked from getting so many spam flags. It’s easy to get to trust level 1, especially if you know what the requirements are.

(Lowell Heddings) #9

The user was only around for an hour… and left a post on 49 separate

Definitely shouldn’t be able to do that. Some algorithm somewhere should
prevent that, especially when the user has been flagged for spam a few

(Jeff Atwood) #10

Agreed this is an oversight.

We have post rate limits for all users (which need to be quite generous) but we do not have post rate limits for new users. That’s the key deficiency.

We’ll be adding max_topics_in_first_day and max_replies_in_first_day and that will be based on account create time, not trust level. There is more we can do, but that should stop the immediate bleeding.

(Jeff Atwood) #11

Also, just edit the delete_all_posts_max to something > 10 if you need to delete a spammer who created more than 10 posts. But this should be much less possible with the above change.

You may also be interested in delete_user_max_age as well which prevents users older than a certain age from being deleted, for safety reasons, same as posts_max.

(Sam Saffron) #12

I just deployed 2 new settings:

  • max_topics_in_first_day (default 5)
  • max_replies_in_first_day (default 10)

These are hard limits, under no circumstances will new accounts be allowed to create more than that number of replies and topics in 1 day.

That means that the cheating of trust level 0 will have a much lesser effect and you should be able to delete the spammers.
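To make the two safeguards from this thread concrete, here is an added Ruby example (not Discourse's own code) that models the newuser_spam_host_threshold check described in post #8 and the max_topics_in_first_day / max_replies_in_first_day caps announced above. The setting names come from the thread; the data model, method names, default values and the constructed spammer scenario are assumptions for illustration.

```ruby
require 'uri'

# Added example, not Discourse's own code. Setting names are from the thread;
# the values, data model and method names are assumptions.
SETTINGS = {
  newuser_spam_host_threshold: 3,   # links to one host a trust-level-0 user may post
  max_topics_in_first_day:     5,   # hard cap keyed to account age, not trust level
  max_replies_in_first_day:    10,
}.freeze

FIRST_DAY_SECONDS = 24 * 60 * 60

User = Struct.new(:name, :created_at, :trust_level)
# topic_start: true for a new topic, false for a reply
Post = Struct.new(:user, :created_at, :topic_start, :body)

class NewUserGuard
  def initialize(settings = SETTINGS)
    @settings = settings
    @accepted = []   # posts that passed the checks, in arrival order
  end

  # Returns :ok and records the post, or a Symbol naming the rule that
  # rejected it. Rejections are per post: the account itself is not blocked.
  def submit(post)
    reason = first_day_limit(post) || spam_host_limit(post)
    return reason if reason
    @accepted << post
    :ok
  end

  def accepted_count(user)
    @accepted.count { |p| p.user == user }
  end

  private

  # Keyed to account creation time, so reaching trust level 1 does not lift it.
  def first_day_limit(post)
    age = post.created_at - post.user.created_at
    return nil if age >= FIRST_DAY_SECONDS
    mine = @accepted.select { |p| p.user == post.user && p.topic_start == post.topic_start }
    if post.topic_start
      :max_topics_in_first_day if mine.size >= @settings[:max_topics_in_first_day]
    else
      :max_replies_in_first_day if mine.size >= @settings[:max_replies_in_first_day]
    end
  end

  # Only applies at trust level 0, which is why the spammer in the thread
  # slipped past it once they reached trust level 1.
  def spam_host_limit(post)
    return nil unless post.user.trust_level == 0
    prior = @accepted.select { |p| p.user == post.user }.flat_map { |p| link_hosts(p.body) }
    link_hosts(post.body).each do |host|
      return :newuser_spam_host_threshold if prior.count(host) >= @settings[:newuser_spam_host_threshold]
    end
    nil
  end

  def link_hosts(body)
    body.scan(%r{https?://[^\s<>")]+}).filter_map do |url|
      URI.parse(url).host
    rescue URI::InvalidURIError
      nil
    end
  end
end

# Constructed scenario: a fresh account posting the same link into many new
# topics during its first hour. Returns [accepted posts, tally of outcomes].
def spam_burst(trust_level: 0, attempts: 52)
  guard = NewUserGuard.new
  t0 = Time.at(1_700_000_000)
  spammer = User.new('spammer', t0, trust_level)
  results = (1..attempts).map do |i|
    guard.submit(Post.new(spammer, t0 + 60 * i, true, "buy now http://example.com/deal#{i}"))
  end
  [guard.accepted_count(spammer), results.tally]
end

if __FILE__ == $PROGRAM_NAME
  p spam_burst(trust_level: 0)   # host threshold stops the run after 3 posts
  p spam_burst(trust_level: 1)   # host check skipped, first-day topic cap still holds at 5
end
```

Running the scenario at trust level 0 shows the host threshold stopping the burst after three accepted topics; at trust level 1 the host check no longer applies, but the account-age cap still holds at five topics, which is the gap the new settings close.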

(Jeff Atwood) #13

Also @geek feel free to lower those numbers from 5 new topics and 10 new replies to whatever you think makes sense for the first 24 hours of a new user.

We just had to pick something that was “safe” as a default for 99% of new Discourse instances.

(Sam Saffron) #14

Why not simply add another condition to trust level 1

  • At least 24 hours have elapsed since the first post.

This grants a huge amount of protection against spammers, I have seen spammers register many accounts in the past and then only start the damage weeks later.

(Jeff Atwood) #15

This would require you to post to achieve TL 1 which is not a goal. That’d be bad.

I was thinking more of timeboxing it. You can’t achieve TL 1 for (x) hours, where x is something relatively small like 4 or even 2.

(Jeff Atwood) #16

The suggestion @sam and @geek had has been implemented.

(Jeff Atwood) #17