A forum I help with has been experiencing a tidal wave spam account registrations in recent months. These are almost for sure AI bots, as they seem to be able to fill out some registration form (basically, box checking), solve an hCaptcha, and deal with the verification email, even user profile information. We can usually guess which registrations are fake based on a few factors (e.g. zero article read time, some subtle things about names/email addresses, obviously fake user info), but it’s not easy (e.g. they are often legit gmail addresses). This process is unsustainable, though - we’ve sometimes had 10 fakes a day, and it’s far too easy to make a mistake given our limited capacity to triage these.
Adding captchas decreased the number of fake registrations, but we still have a big backlog of users that need to be approved, which means it often takes a week or two for new users to be able to join. We considered text based questionnaires for new users, but the reality is that we don’t have the capacity to read a bunch of questions and guess whether they are AI generated or not (and: this problem will only get harder).
One option is to simple allow these users to join, and then flag them if they post something obviously spammy? I think we’re hesitant to open the gate on this, as it simply displaces the process from one place (registration) to another (flagged posts) and the cat can’t be put back in the bag on this: a hundred latent ai users that all slowly start posting over a few months could easily ruin the forum completely.
Anyone have strategies to help dealing with this? We’re relatively small so i can’t imagine we’re the only ones experiencing it…
Regarding AI user accounts, can you expand on what “damage” it causes if the users never posts?
We made a change a month ago where we suppress profiles from low trust and anonymous users till a user actually posts, so the spam is hidden.
One interesting approach imo if the volume is really high would be to junk accounts after 30 days if they don’t post, they need to reveal themselves or they will be junked.
AI spam detection has been spectacularly successful on all the forums we enabled it, you can use it on your forum with some free models like gemini free tier. We give our customers access to our model, but this is not widely available to self hosters.
A bit issue I see with Discourse.. is the ignoring of the ability to use CloudFlare Turnstile in it natively. It is honestly one of the better solutions for Captcha I have found, and I run a paid forum script that uses it and gets very little spam in on it, even thought I get a lot of new user sign ups. Most of the junk ones are caught by Turnstile.
I really don’t see why Discourse, after all this time, has not enabled the offerings that are out there into the core yet.
When we were being flooded, the AI accounts outnumbered real new user accounts 10 to 1, which made some board administration stuff very impractical. There was a meta-level fear on the part of moderators that having a forum where a huge percentage or majority of the users were ai / spambots could have the potential for real future damage, even if they were only lurking for the moment. E.g., if a year from now hundreds of fake users all started to make plausible but useless posts, we imagined it could easily overwhelm our ability to keep up and would render the entire board pretty useless
It’s a bit better now re new joiners, but I think it’s everyone’s preference to not have this lurker problem if we can avoid it. Our board has already been aggressively scraped for AI training (it’s a niche area, so at least in older GPT versions it was possible to have GPT repeat near-direct quotations from forum posts if you asked the right question), so everyone is a little salty about it.
