Staged user creating a full account and posting a link receives many spam flags

I'm going to file this as Contribute > Bug for now, but it may be Contribute > Feature.

A user sends a group message by email and corresponds back and forth over many messages across an extended period of time. Two months after the group message began, the user signs up on the site and is no longer staged, becoming a TL0 user. The user then posts a topic containing a link that had previously been used in the group message. The system immediately silences the user, and the system raises many flags because of newuser spam host threshold. The system should not penalize a user for posting a perfectly normal topic just because a group message existed while the user was staged.

4 Likes

Yes we have had this bug for a long time.

Probably we need to better consider the dates the user “joined” based on staging.

3 Likes

We were just hit by this again, 58 PMs to the moderator group created. We’ve got to fix this…

5 Likes

This happened again. Not a staged account this time, but a normal user getting support and including links. The spam trigger was correct this time (a new user posting links to the same domain), but we still ended up with 33 PMs in the moderator inbox. Consolidating those messages would be nice.

3 Likes

This happened again. Staged user signed up, received only 3 flags (not as bad as in the past), but caused a bit of confusion with the user.

1 Like

Maybe @featheredtoast can have a look; we get bitten by this regularly so the code needs to be improved.

Probably we need to better consider the dates the user “joined” based on staging.

5 Likes

That sounds like a sane improvement; let me see what I can do here.

6 Likes

This is now merged: previously staged users will now be considered trusted users. :pear:

https://github.com/discourse/discourse/pull/6002

7 Likes

We’re confident this has no security holes, e.g. you can’t game the system by mailing in, then immediately sign up to gain TL1 “for free”?

The main focus here is ensuring that the spam link check is improved.

2 Likes

I get your point, I misunderstood what we wanted to do here, sorry - that’s how it is right now (consider someone as a “trusted user” if they come through staged.)

I’ll improve this now - just to confirm, all we want is the spam host check to not trigger, but all other new user checks will still be in place, correct? (the other checks being: max links, max mentions, and max attachments)

1 Like

It might be safe “enough” if you gate it by time. What I object to is someone emailing team@discourse.org and then IMMEDIATELY signing up with that same email to gain trust level 1. That’s a straight up exploit.

OK I’ve updated this - Now, they will still be considered tl0, but will not trigger the spam if the accounts were created more than 1 week ago to catch the “long email relationship” cases. :banana:

https://github.com/discourse/discourse/commit/68e4e6a5755db4dd974eaeed73d5cfc517449b75

Do we want ‘time until discourse recognizes a mature staged user’ to be an additional site setting, or is this sufficient barrier lowering?

6 Likes

I would say one day is probably fine and safe enough; it’s pretty easy to get from TL0 to TL1 if you know what you are doing.

5 Likes

OK, done - this should be good now :fish_cake:

https://github.com/discourse/discourse/commit/2ff226e5091f279ed2aa5b3e707a1acbd74f21fd

6 Likes
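The gating rule the thread converges on, written out as an added Ruby example; it is not part of any post above and not Discourse's own code. It assumes a one-day minimum account age (the value suggested in the thread), and every name in it, the threshold value and the sample users are constructed for illustration.

```ruby
# Added illustration; not Discourse's implementation. All names are hypothetical.
DAY = 24 * 60 * 60 # seconds

# created_at: when the account record first appeared (for a staged user, the first email in).
# was_staged: the account began life as a staged, email-only user.
User = Struct.new(:name, :trust_level, :created_at, :was_staged, keyword_init: true)

# A staged account counts as mature only once it is older than the grace period.
# This is what stops "email in, then immediately sign up" from skipping the check.
def mature_staged?(user, now, min_age: DAY)
  user.was_staged && (now - user.created_at) > min_age
end

# The spam-host check applies to every TL0 user except mature staged ones.
# Trust level is never raised, so max links, mentions and attachments still apply.
def spam_host_check_applies?(user, now, min_age: DAY)
  user.trust_level.zero? && !mature_staged?(user, now, min_age: min_age)
end

# prior_posts_with_host: earlier posts by this user linking to the same host.
# threshold: constructed stand-in for the "newuser spam host threshold" setting.
def flag_as_spam_host?(user, prior_posts_with_host, now, threshold: 3, min_age: DAY)
  return false unless spam_host_check_applies?(user, now, min_age: min_age)
  prior_posts_with_host >= threshold
end

NOW = Time.utc(2020, 1, 1) # constructed reference time

# Constructed sample users covering the cases discussed in the thread.
SAMPLE_USERS = [
  User.new(name: "long_email_thread", trust_level: 0, created_at: NOW - 60 * DAY, was_staged: true),
  User.new(name: "mail_then_signup",  trust_level: 0, created_at: NOW - 600,      was_staged: true),
  User.new(name: "plain_new_user",    trust_level: 0, created_at: NOW - 60 * DAY, was_staged: false),
  User.new(name: "tl1_regular",       trust_level: 1, created_at: NOW - 60 * DAY, was_staged: false)
].freeze

# Each user has linked the same host in 5 earlier posts or emails.
def evaluate_samples
  SAMPLE_USERS.map { |u| [u.name, flag_as_spam_host?(u, 5, NOW)] }.to_h
end

puts evaluate_samples if $PROGRAM_NAME == __FILE__
```

Only the two-month-old staged account and the TL1 user avoid the flag; the account that mailed in ten minutes before signing up is treated like any other new user.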