Spammers signing up from "blocked" IP addresses

I’m not sure if this is a :bug:, or simply me being confused, so I’ve posted here for now.

We have this in our “screened IPs” log:

But yesterday we had around 10 spammers sign up and post from addresses in that block - 61.249.128.161, 61.249.128.51, etc.

So who has the problem - me or the system?

2 Likes

Via SSO? Possibly, @eviltrout can you ensure no regressions here?

Also what version of the code are you on?

Doubtful, to my knowledge we do not have SSO implemented. ping @santouras, @jasmine, @ophelie

1.3.0.beta7 (which answers the question but isn’t 20 characters).

I tested that the blocking code is matching that IP:

ScreenedIpAddress.should_block?('61.249.128.161')
=> true

Also I blocked my own IP using the same range (/24) and was not allowed to create an account or sign up.

They have clearly found a way to create accounts that is not following the same flow. I’m still investigating.

3 Likes

I found all the users but it looks like none of them posted. Can you perhaps PM me the username of one of them who posted?

PM sent. (and more characters to meet the threshold)

Wow, that was tedious but I figured out what happened!

The good news is blocking is indeed working as expected. I checked the server logs for the users who created accounts and they just used the normal flow. I reviewed the code and tested it myself and the blocking is working.

So how did they get in?

Well, that rule you found is actually an automatic roll-up. Our server runs a background job that identifies many banned IPs from the same subnet. If it reaches a threshold, min_ban_entries_for_roll_up, it will automatically ban the subnet.

I found a log that this exact operation happened on May 25th. So Discourse was smart enough to ban them from coming back, but it wasn’t clear that the rule was a rolled up rule that was added after they signed up.

7 Likes
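The timing issue described in the post above, as an added example that is not part of the thread and not Discourse's own code: a simplified Ruby model of a subnet roll-up, plus an audit that compares each signup time with the time the subnet rule was created. The fixed /24 grouping, the threshold value, the helper names (`roll_up`, `audit_signups`) and all sample data are assumptions made for illustration.

```ruby
require "ipaddr"

# Hypothetical value; on a real site this is the min_ban_entries_for_roll_up setting.
MIN_BAN_ENTRIES_FOR_ROLL_UP = 3

Rule = Struct.new(:subnet, :created_at)

# Simplified roll-up pass (assumes /24 grouping): once enough single-IP bans
# share a /24, emit one subnet rule stamped with the time the job ran.
def roll_up(bans, now, threshold = MIN_BAN_ENTRIES_FOR_ROLL_UP)
  bans.group_by { |b| IPAddr.new(b[:ip]).mask(24) }
      .select { |_, group| group.size >= threshold }
      .map { |subnet, _| Rule.new(subnet, now) }
end

# A signup from a now-blocked subnet is a real bypass only if the rule
# already existed at signup time; otherwise it simply predates the rule.
def audit_signups(signups, rules)
  signups.map do |s|
    rule = rules.find { |r| r.subnet.include?(IPAddr.new(s[:ip])) }
    verdict =
      if rule.nil?
        :not_covered
      elsif s[:at] < rule.created_at
        :predates_rule
      else
        :bypassed_block
      end
    [s[:user], verdict]
  end.to_h
end

# Constructed sample data: documentation address ranges, made-up times.
ROLLED_UP_AT = Time.utc(2024, 1, 3, 0, 0)
BANS = [
  { ip: "203.0.113.10" }, { ip: "203.0.113.22" }, { ip: "203.0.113.37" },
  { ip: "198.51.100.7" } # lone ban, below the threshold, no roll-up
]
SIGNUPS = [
  { user: "spammer_a", ip: "203.0.113.161", at: Time.utc(2024, 1, 2, 14) },
  { user: "spammer_b", ip: "203.0.113.51",  at: Time.utc(2024, 1, 3, 9) },
  { user: "regular",   ip: "192.0.2.5",     at: Time.utc(2024, 1, 2, 8) }
]

if __FILE__ == $PROGRAM_NAME
  audit_signups(SIGNUPS, roll_up(BANS, ROLLED_UP_AT)).each { |u, v| puts "#{u}: #{v}" }
end
```

Only a `:bypassed_block` verdict points at a gap in the blocking flow; `:predates_rule` is the situation found in this thread.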

Thanks, @eviltrout - that makes sense.