Staged user gets flooded with spam flags after creating a full account and posting a link

Marking this as Contribute > Bug for now, but it could also belong in #contribute:feature.

A user started a group message by email and went back and forth with us over a fairly long period. Two months after the group message began, the user registered on the site, left the staged state and became a TL0 user. The user then posted a topic containing a link that had already been used in the group message. The system immediately silenced the user and raised a large number of flags because of the "new user spam host threshold". A user should not be "punished" by the system for posting a perfectly normal topic just because they have a group message history from their staged period.

4 Likes

Yes we have had this bug for a long time.

Probably we need to better consider the dates the user “joined” based on staging.

3 Likes

We were just hit by this again, 58 PMs to the moderator group created. We’ve got to fix this…

5 Likes

This happened again. Not a staged account this time, but a normal user getting support and including links. The spam trigger was correct this time (a new user posting links to the same domain), but we still ended up with 33 PMs in the moderator inbox. Consolidating those messages would be nice.

3 Likes

This happened again. Staged user signed up, received only 3 flags (not as bad as in the past), but caused a bit of confusion with the user.

1 Like

Maybe @featheredtoast can have a look; we get bitten by this regularly so the code needs to be improved.

Probably we need to better consider the dates the user “joined” based on staging.

5 Likes

That sounds like a sane improvement; let me see what I can do here.

6 Likes

This is now merged: previously staged users will now be considered trusted users. :pear:

https://github.com/discourse/discourse/pull/6002

7 Likes

We’re confident this has no security holes, e.g. you can’t game the system by mailing in, then immediately sign up to gain TL1 “for free”?

The main focus here is ensuring that the spam link check is improved.

2 Likes

I get your point, I misunderstood what we wanted to do here, sorry - that's how it is right now (consider someone as a "trusted user" if they come through staged.)

I’ll improve this now - just to confirm, all we want is the spam host check to not trigger, but all other new user checks will still be in place, correct? (the other checks being: max links, max mentions, and max attachments)

1 Like

It might be safe “enough” if you gate it by time. What I object to is someone emailing team@discourse.org and then IMMEDIATELY signing up with that same email to gain trust level 1. That’s a straight up exploit.

OK I’ve updated this - Now, they will still be considered tl0, but will not trigger the spam if the accounts were created more than 1 week ago to catch the “long email relationship” cases. :banana:

https://github.com/discourse/discourse/commit/68e4e6a5755db4dd974eaeed73d5cfc517449b75

Do we want 'time until discourse recognizes a mature staged user' to be an additional site setting, or is this sufficient barrier lowering?

6 Likes

I would say one day is probably fine and safe enough; it’s pretty easy to get from TL0 to TL1 if you know what you are doing.

5 Likes

OK, done - this should be good now :fish_cake:

https://github.com/discourse/discourse/commit/2ff226e5091f279ed2aa5b3e707a1acbd74f21fd

6 Likes
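To make the agreed behaviour concrete, here is an added illustration (written for this page, not code from the Discourse repository or the linked commits) of the rule the thread converged on: a previously staged account stays TL0 and keeps the max-links, max-mentions and max-attachments checks, and only the spam-host check is skipped when the staged account is at least one day old. The `User` struct, the limit values, and the per-post way of counting links to one host are all assumptions made for the example; Discourse's real checks and thresholds live in its own code and site settings.

```ruby
require 'time'
require 'uri'

# Hypothetical user model for the example; not Discourse's User class.
User = Struct.new(:trust_level, :created_at, :was_staged, keyword_init: true)

# Assumed limits for the "other" new-user checks the thread says must stay in place.
NEW_USER_MAX_LINKS       = 2
NEW_USER_MAX_MENTIONS    = 2
NEW_USER_MAX_ATTACHMENTS = 1
# Assumed number of links to one host in a post before the spam-host check fires.
NEW_USER_SPAM_HOST_THRESHOLD = 3
# The one-day gate agreed in the thread (a previously staged account is
# "mature" once it is at least this old).
MATURE_STAGED_DAYS = 1

def new_user?(user)
  user.trust_level == 0
end

# Exempt from the spam-host check only: the account must have been staged AND
# created at least MATURE_STAGED_DAYS before `now`. Someone who mails in and
# signs up immediately is not exempt, which is the exploit jeff objects to above.
def mature_staged?(user, now:)
  user.was_staged && user.created_at <= now - MATURE_STAGED_DAYS * 86_400
end

# Extract link hosts from a post body (constructed, simplistic URL matcher).
def hosts_in(body)
  body.scan(%r{https?://[^\s)]+}).map { |u| URI.parse(u).host rescue nil }.compact
end

# Returns the list of new-user checks a post would trigger, e.g. [:max_links, :spam_host].
def triggered_new_user_checks(user, body, mentions: 0, attachments: 0, now: Time.now)
  return [] unless new_user?(user)          # checks only apply to TL0 accounts

  hosts = hosts_in(body)
  fired = []
  fired << :max_links       if hosts.size  > NEW_USER_MAX_LINKS
  fired << :max_mentions    if mentions    > NEW_USER_MAX_MENTIONS
  fired << :max_attachments if attachments > NEW_USER_MAX_ATTACHMENTS

  unless mature_staged?(user, now: now)
    # Spam-host check: a brand-new user repeatedly linking the same host.
    per_host = hosts.each_with_object(Hash.new(0)) { |h, c| c[h] += 1 }
    fired << :spam_host if per_host.values.max.to_i >= NEW_USER_SPAM_HOST_THRESHOLD
  end
  fired
end

if __FILE__ == $0
  now  = Time.utc(2018, 7, 1)
  body = "see https://example.com/a https://example.com/b https://example.com/c"
  old_staged   = User.new(trust_level: 0, created_at: now - 60 * 86_400, was_staged: true)
  fresh_staged = User.new(trust_level: 0, created_at: now - 3_600,       was_staged: true)
  p triggered_new_user_checks(old_staged,   body, now: now)  # [:max_links]
  p triggered_new_user_checks(fresh_staged, body, now: now)  # [:max_links, :spam_host]
end
```

The point of the split is visible in the two sample calls: the two-month-old staged account from the original report no longer trips the spam-host check, but it is still TL0 and still hits the link limit, while an account that was staged only an hour earlier gets the full set of new-user checks.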