"Suspect users" not behaving as expected?

So we’re currently running another competition, giving away keys for a game beta, and though that it would be a great idea to make our community the focal point. Abuse is expected, in the past it has been pretty easy to detect duplicate signups and the other lengths nefarious key resellers will go to. Beta keys sell for anything between $5-$25, so we make best effort to remove any obvious offenders. Our ability to do this and see high redemption rates impacts future key allocation from publishers.

Whilst reviewing entries overnight we’ve noticed lots of signups with corresponding entries from a handful of IPs. Single IP addresses show 30 or 40 users. In the past these kinds of user have appeared under ‘suspect users’, but today none of them are listed.

Has the definition of a Suspect User been changed? If not, how should we best approach this kind of signup abuse?

Might be relevant…

Someone please correctly me if I’m wrong, but I believe…

There are some checks to see if an “admin” IP address has been used to create an account.

If the new account is created by an IP address shared with an “admin” this is not flagged as “Suspect”.

Might have an higher impact if both admin and users are logging in from the same IP, e.g. a University internet connection

1 Like

Thanks Dean, in this case that’s not true for any of these users. 30 to 40 users on the same IP, all created today, thousands of miles from us.

Does that IP show up in the Screened IPs as Allowed?

It’s blocked since I added it, but wasn’t previously, no. 20+ accounts all on the same address. Each username is the same format of two dictionary words. Really unimaginative, just surprised it wasn’t caught.

Okay, last idea, did you recently change the following setting?
levenshtein distance spammer emails (default is 2)

These are users with a completed profile but zero or very near zero read time. That is all.

Signup of more than 2 new users at the same IP, who do not share IP with any staff users at @DeanMarkTaylor correctly noted, is blocked via a site setting. You can test this but you need a unique IP. It was working a week or so ago.

1 Like

Things they have in common:

  • Same IP
  • Same registration time
  • All ~2 minutes of reading time
  • All responded to the same thread, with a single post, an image of some text.

Blocking signups would just prompt people to use additional IPs, I need to be alerted to their existence, not present them with an error which will make detecting this behaviour even trickier.