I have a Discourse installation and am super happy with it. Recently spammers have found ways to work around the built-in spam protection. The problem is, they post images in their posts and then immediately embed these images in spam e-mails they send to thousands of people. Even if I delete the posts, these images seem to stay available for at least quite some time.
This has led to some spam abuse complaints from my hoster.
Currently I have disabled uploading images for new users, but as it’s a support forum this is not a very nice solution. People often need to add some screenshots etc. to their first posts.
Has anybody found a workable solution to this problem?
I have already tried to uncomment the valid_referers command for ^/uploads, but it does not seem to do anything. The images can still be embedded:
location ~ ^/uploads/ {
    # NOTE: it is really annoying that we can't just define headers
    # at the top level and inherit.
    #
    # proxy_set_header DOES NOT inherit, by design, we must repeat it,
    # otherwise headers are not set correctly
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Request-Start "t=${msec}";
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $thescheme;
    proxy_set_header X-Sendfile-Type X-Accel-Redirect;
    proxy_set_header X-Accel-Mapping $public/=/downloads/;
    expires 1y;
    add_header Cache-Control public,immutable;

    ## optional upload anti-hotlinking rules
    valid_referers folivora.ai *.folivora.ai *.llo.ai;
    if ($invalid_referer) { return 403; }

    # custom CSS
    location ~ /stylesheet-cache/ {
        add_header Access-Control-Allow-Origin *;
        try_files $uri =404;
    }

    # this allows us to bypass rails
    # (image files are served straight from disk, never reaching the app)
    location ~* \.(gif|png|jpg|jpeg|bmp|tif|tiff|ico|avif)$ {
        add_header Access-Control-Allow-Origin *;
        try_files $uri =404;
    }

    # SVG needs an extra header attached
    location ~* \.(svg)$ {
    }

    # thumbnails & optimized images
    location ~ /_?optimized/ {
        add_header Access-Control-Allow-Origin *;
        try_files $uri =404;
    }

    proxy_pass http://discourse;
    break;
}
I think if you edit the post to remove the image so it’s not included in the latest version of a post (deleted or otherwise), and also set clean orphan uploads grace period hours to the minimum of 1 hour, that may speed up the removal.
It’s not an ideal solution for this though, either for ease of use or immediacy.
I have already set it to one hour, but they are really quick to send out their spam e-mails…
Do you know whether using S3 instead of my own server for uploads would resolve the issue? Is there maybe some way to only allow viewing of uploaded images to logged in users?
I think it deletes the posts and the uploads are taken care of in a similar way to the method above using clean orphan uploads grace period hours.
There’s also an inbuilt delay of 5 minutes between soft deleting and permanently deleting by the same admin (though a second admin would not face the same wait).
I think something’s wrong with your NGINX configuration. When I try to open an image from your forum in a new tab, it loads just fine even though it shouldn’t, since I haven’t passed any Referer.
If you get it to work, it will solve most of your spam issues as they won’t be able to hotlink to any of your forum’s images.
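One likely reason the posted rules have no effect, shown here as an added example that is not from the thread or from Discourse's own template: in nginx, `valid_referers` is inherited by nested `location` blocks, but rewrite-phase directives such as `if (...) { return 403; }` are not. nginx only runs the `if`/`return` directives of the location that finally matches a request, and a request for an uploaded PNG or JPEG matches the nested image block (which answers it directly with `try_files`), so the outer `if` never runs for it. The block below repeats the posted `/uploads/` config with the check moved into each nested location that serves files; the domains are the ones in the posted config, and the `discourse` upstream and the `$thescheme` / `$public` variables are assumed to be defined elsewhere in the server config exactly as the original snippet assumes.

```nginx
# Added example, not the original poster's or Discourse's own config.
# Assumes: upstream "discourse", $thescheme and $public defined in the
# enclosing server block, as the posted snippet already assumes.
location ~ ^/uploads/ {
    # proxy_set_header is not inherited, so it is repeated here as before.
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Request-Start "t=${msec}";
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $thescheme;
    proxy_set_header X-Sendfile-Type X-Accel-Redirect;
    proxy_set_header X-Accel-Mapping $public/=/downloads/;
    expires 1y;
    add_header Cache-Control public,immutable;

    # valid_referers IS inherited by the nested locations below, so it
    # only needs to appear once. "none" is deliberately left out: a
    # request with no Referer at all (mail clients, mail image proxies,
    # a URL pasted into a new tab) is exactly what should get a 403 here.
    valid_referers folivora.ai *.folivora.ai *.llo.ai;

    # This outer check only runs for requests that do NOT match one of the
    # nested locations, i.e. whatever falls through to proxy_pass below.
    if ($invalid_referer) { return 403; }

    # custom CSS
    location ~ /stylesheet-cache/ {
        add_header Access-Control-Allow-Origin *;
        try_files $uri =404;
    }

    # Image files served straight from disk. The check must be repeated
    # here because the outer "if" is not inherited into this location.
    location ~* \.(gif|png|jpg|jpeg|bmp|tif|tiff|ico|avif)$ {
        if ($invalid_referer) { return 403; }
        add_header Access-Control-Allow-Origin *;
        try_files $uri =404;
    }

    # Kept as an empty nested location, as in the posted config; the check
    # is repeated so nothing matched here bypasses it either.
    location ~* \.(svg)$ {
        if ($invalid_referer) { return 403; }
    }

    # thumbnails & optimized images, also served from disk
    location ~ /_?optimized/ {
        if ($invalid_referer) { return 403; }
        add_header Access-Control-Allow-Origin *;
        try_files $uri =404;
    }

    proxy_pass http://discourse;
    break;
}
```

After reloading nginx, verify the behaviour from a shell rather than a browser: `curl -s -o /dev/null -w '%{http_code}\n' https://<forum>/uploads/<path-to-an-image>` should print 403, and the same command with `-H 'Referer: https://folivora.ai/'` added should print 200. Two caveats: the Referer header is trivially spoofable, so this stops mail clients and image proxies (which send none) rather than a determined attacker fetching the file directly; and because the responses carry `expires 1y` and `Cache-Control: public,immutable`, any CDN or caching proxy in front of nginx, and any mail image proxy that already fetched the file, will keep serving the copy it has until it expires.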