(Joshua Rosenfeld) #1

Filing this as a #bug for now, but it may be a #feature.

A user emails a group message and communicates back and forth for many messages over an extended period of time. 2 months after starting the group message the user registers on the site and unstages, becoming a TL0 user. This user then posts a topic which includes a link used previously in the group message. The user is promptly silenced by the system, and numerous flags are raised by the system due to the newuser spam host threshold. A user should not be “penalized” by the system for posting a perfectly normal topic due to the existence of a group message while they were a staged user.

(Jeff Atwood) #3

Yes we have had this bug for a long time.

Probably we need to better consider the dates the user “joined” based on staging.

(Joshua Rosenfeld) #4

We were just hit by this again, 58 PMs to the moderator group created. We’ve got to fix this…

(Joshua Rosenfeld) #6

This happened again. Not a staged account this time, but a normal user getting support and including links. The spam trigger was correct this time (a new user posting links to the same domain), but we still ended up with 33 PMs in the moderator inbox. Consolidating those messages would be nice.

(Joshua Rosenfeld) #7

This happened again. Staged user signed up, received only 3 flags (not as bad as in the past), but caused a bit of confusion with the user.

(Jeff Atwood) #8

Maybe @featheredtoast can have a look; we get bitten by this regularly so the code needs to be improved.

Probably we need to better consider the dates the user “joined” based on staging.

(Jeff Wong) #9

That sounds like a sane improvement; let me see what I can do here.

(Jeff Wong) #11

This is now merged: previously staged users will now be considered trusted users. :pear:

(Jeff Atwood) #12

We’re confident this has no security holes, e.g. you can’t game the system by mailing in, then immediately sign up to gain TL1 “for free”?

The main focus here is ensuring that the spam link check is improved.

(Jeff Wong) #13

I get your point, I misunderstood what we wanted to do here, sorry - that’s how it is right now (consider someone as a “trusted user” if they come through staged).

I’ll improve this now - just to confirm, all we want is the spam host check to not trigger, but all other new user checks will still be in place, correct? (the other checks being: max links, max mentions, and max attachments)

(Jeff Atwood) #15

It might be safe “enough” if you gate it by time. What I object to is someone emailing and then IMMEDIATELY signing up with that same email to gain trust level 1. That’s a straight up exploit.

(Jeff Wong) #16

OK I’ve updated this - Now, they will still be considered tl0, but will not trigger the spam if the accounts were created more than 1 week ago to catch the “long email relationship” cases. :banana:

Do we want ‘time until discourse recognizes a mature staged user’ to be an additional site setting, or is this sufficient barrier lowering?

(Jeff Atwood) #17

I would say one day is probably fine and safe enough; it’s pretty easy to get from TL0 to TL1 if you know what you are doing.

(Jeff Wong) #18

OK, done - this should be good now :fish_cake:

(Jeff Atwood) closed #19
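
The gating the thread settles on, sketched as an added example; this is not Discourse's code and not anything posted by the participants. The `User` struct, the function names, the link-history model and the two limits are assumptions; only the one-day window and the "still TL0, other checks stay" rule come from the thread.

```ruby
# Added illustration, not Discourse's implementation. All names are hypothetical.
User = Struct.new(:trust_level, :created_at, :was_staged, :prior_link_hosts,
                  keyword_init: true)

STAGED_MATURITY = 24 * 60 * 60 # one day in seconds (value agreed in the thread)
SPAM_HOST_LIMIT = 3            # constructed: earlier links to one host that trip the check
MAX_LINKS_NEW   = 2            # constructed: links allowed in one post at TL0

# A staged account counts as "mature" only once it is older than the window,
# so mailing in and signing up straight away gains nothing.
def mature_staged?(user, now)
  user.was_staged && (now - user.created_at) > STAGED_MATURITY
end

# Returns the new-user checks a post fails; an empty list means it is accepted.
def new_user_violations(user, post_body, now: Time.now)
  return [] if user.trust_level > 0 # these checks apply to TL0 only

  hosts = post_body.scan(%r{https?://([^/\s:]+)}i).flatten.map(&:downcase)
  violations = []

  # The link cap stays in force for every TL0 user, staged or not.
  violations << :too_many_links if hosts.size > MAX_LINKS_NEW

  # Only the spam-host check is waived, and only for mature staged accounts.
  unless mature_staged?(user, now)
    repeated = hosts.uniq.any? { |h| user.prior_link_hosts.count(h) >= SPAM_HOST_LIMIT }
    violations << :spam_host if repeated
  end
  violations
end

if __FILE__ == $0
  now     = Time.now
  history = ["example.com"] * 3 # constructed: hosts linked in earlier group messages
  body    = "Details are at https://example.com/docs"
  long_term = User.new(trust_level: 0, created_at: now - 60 * 86_400,
                       was_staged: true, prior_link_hosts: history)
  just_now  = User.new(trust_level: 0, created_at: now - 300,
                       was_staged: true, prior_link_hosts: history)
  p new_user_violations(long_term, body, now: now)
  p new_user_violations(just_now, body, now: now)
end
```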