Tips for Preventing Spam

:bookmark: This documentation provides a comprehensive guide on preventing spam in Discourse forums, and includes information about various settings and tools designed to help maintain a spam-free community environment.

:person_raising_hand: Required user level: Administrator

On most forums spam is rare. However, if you’re having problems with spam on your site, Discourse comes with numerous tools to help you automatically prevent spam.

The following guide offers some recommendations on how you can help prevent spam, while still maintaining a positive and welcoming environment for your community.

Akismet Anti Spam Plugin

If you’re having trouble with spam on your site, the Discourse Akismet (Anti-Spam) plugin is a great place to start.

This plugin helps keep your site free of spam by automatically scanning all posts from new users. Scanned posts that Akismet flags as spam are immediately removed from the site and added to a queue for review.

Site staff can then review the posts to confirm spam, or restore if the posts are not spam. Akismet learns as staff confirm or restore spam posts, improving its spam detection and decreasing false positives.

:sparkles: On all Discourse hosted sites, this plugin is automatically included and pre-configured!

For self-hosted sites, follow our Install a Plugin howto guide to install Akismet, and then visit the Akismet Configuration Instructions to finish setting up this plugin.

:person_raising_hand: Can I alter the sensitivity of Akismet?

While Discourse doesn’t have a way to directly alter the sensitivity of Akismet, there are a few related site settings that you adjust can help prevent spam on your site. The following settings are accessible on your site’s .../admin/site_settings/category/plugins?filter=plugin%3Adiscourse-akismet page after installing Akismet:

Default Trust Levels

The default trust level for new users on your site can be adjusted on the .../admin/site_settings/category/trust page, however, we recommend keeping the default trust level set to 0.

If you’ve modified the value of this setting, we strongly recommend changing it back to 0: new user, as changing this setting can put your site at serious risk for spam, due to the way that trust levels interact with Discourse’s spam related settings.

Spam Related Site Settings

:warning: Unless you are specifically having trouble with spam, we recommend keeping the following settings at their default values.

Discourse has several spam related site settings that you can access on your site’s .../admin/site_settings/category/spam page.

These settings can be adjusted to increase or decrease the sensitivity of spam detection, and the strictness of the consequences associated with posting spam.

The following are some of the more commonly adjusted spam related settings that have a notable impact on how spam is handled on a site.

The default values for all settings are shown below.

Hiding Posts

The hide post sensitivity and cooldown minutes after hiding posts settings control the likelihood that a flagged post will be automatically hidden by Discourse, and how long a user must wait before they can edit a flagged and hidden post.

Silencing New Users

Discourse has a num users to silence site setting, which will automatically silence a new user if they receive a certain number of spam flags.

By default this is set to 3, so you may want to consider lowering this if you’re consistently having problems with spam coming from the same user(s).

Limiting Links

Discourse limits the number of posts a new user can make that contain links to an outside domain with the newuser spam host threshold setting. If new users on your site are frequently spamming links to the same domain, you may want to consider lowering the value of this setting.

Limiting IP Addresses

Discourse limits the number of new accounts a user can make from any given IP address. If you’re finding that problematic users on your site are repeatedly creating accounts to spam your site, you could consider lowering this from the default value.

There’s also a flag sockpuppets checkbox that you can enable to prevent users from creating multiple accounts and then commenting on the same topic:

Additionally, you can manually look up the IP addresses of problematic users on their admin page under the Last IP Address and Registration IP Address fields, and delete other accounts associated with the same IP address.

Or consider blocking IP addresses that spammers are using on the “Logs → Screened IPs” page (.../admin/logs/screened_ip_addresses):

Adjusting Flag Requirements

By default, a topic needs to be flagged by 5 unique users before Discourse will automatically suspending posting to that topic.

You can adjust the num flaggers to close topic site setting to raise or lower the number of flaggers required to suspend posting on a topic, and adjust the auto close topic sensitivity setting to change the likelihood that the topic in question will get automatically closed instead.

Watched Words

Watched Words are another great feature for helping block or limit posts that contain words, phrases, or URL links that spammers might be repeatedly using.

Considering adding some “Blocked” or “Silence” Words to your site if you’re finding that spammers are frequently using the same types of text in their posts.

For a more advanced use of Watched Words, you could also consider Using Regex with Watched Words.

Increase Trust Level Requirements

If you’re finding that spam is coming mainly from TL0 users, you may also want to adjust some of the trust level settings to make it harder to get to TL1:

Since Akismet will skip over posts from users trust level 1 and above by default, making it harder to get to higher trust levels can make it more difficult for users to bypass spam detection.

Triage Posts using AI

AI triage is one of the best Discourse features for automated spam blocking. Unlike other tools, it can automatically block users based on preconfigured rules. AI triage is available to Business and above plans with an LLM (Large Language Model) key, and on self-hosted sites.

Benefits of AI triage include:

  • Automation: No manual intervention is needed to block obvious spam.
  • Customizability: You can tailor it to your community’s unique requirements.
  • Scalability: Works well even when communities are under heavy spam attacks.
  • Broad compatibility: Budget-friendly LLMs like GPT-4, Claude 3.5, and Gemini Flash can handle spam detection effectively.

Setting up AI triage

:information_source: This feature requires both the discourse-automation and discourse-ai plugins to function.

  1. Enable AI triage in your Discourse settings. Go to the Automation section under Admin → Plugins, and create a new script to Triage posts using AI.

  2. Fill out the automation script’s When/What... and Script options settings.

  3. Use a System Prompt tailored to the spam patterns your community is facing.

  • For example, if you’re noticing a large number of spammers in a specific language, adjust the prompt to treat posts in that language more harshly.
  1. Test and refine the AI responses to align with your community guidelines.
Example tailored prompt

This feature replaces older reliance on extremely complex regex rules, offering greater flexibility and precision.

:information_source: With Discourse AI you can also use the creative AI bot to generate tailored prompts for AI triage that are specific to your site’s needs.

hCaptcha Plugin

The Discourse hCaptcha plugin aims to enhance security and bot protection by integrating hCaptcha into the local sign-up form.

:sparkles: On all Discourse hosted sites, this plugin is automatically included.

Additional Steps

It’s important to understand why users are spamming your site. Are they’re bored, malicious, or looking to promote themselves?

Suggestions for dealing with The Difficult User, along with a variety of other moderation topics can be found in our Discourse Moderation Guide, so you may want to read through this guide for some additional ideas regarding moderating your site.

Outside of the above, ramping up your moderation team for the short term, so that you have full coverage is another good approach to combatting spam. The key is to wear the problem users down so they get bored and move on.

If you’re continually having problems with spam after going through this guide, you could also consider placing all or some posts from new users into the review queue with the approve post count, approve unless trust level, or approve new topics unless trust level settings:

However, it’s important to make sure you have enough moderators at hand to handle this, as this can have the potential make it difficult for new users to start interacting with the site if posts go unapproved.

Last edited by @SaraDev 2024-11-27T22:16:59Z

Check documentPerform check on document:
13 Likes

I cant speak for all forums but I forum I used to be on as TL3 there was at least one spam post still up when I logged on for the first time for the day in my watched categories. And the one I’m currently a mod on we get an average of 2 or so spam posts a day. So I think it is some what common on a lot of forums based on that

4 Likes

One very useful regular expression is \d{3}-\d{4}|[\w+\-.]+@[a-z\d\-]+(\.[a-z\d\-]+)*\.[a-z]+ which blocks email addresses and phone numbers. Don’t forget to enable settings - posting - “watched words regular expressions”.

4 Likes

Hey :wave:

I’ve been making great use of these tips on my forum so…thank you! :heart:

Is there a setting that can be enabled that sends only new users signing up from say a gmail.com domain, to the review queue?

Currently, I have all new users sent to the queue for review but I’ve found the majority of the spam users are ones that are created using a gmail email. Sending only those to the review queue would reduce to load and the review time, for me at least :sweat_smile:

1 Like

@SaraDev Do you know if this is possible? I’ll love to know too as it would be very helpful to block not just IPs but specific domains!

1 Like

There is no core Discourse feature to send posts only from users on a specific domain (e.g., gmail.com) to the review queue.

The closest related feature is the auto approve email domains site setting, which allows certain email domains to bypass the manual user approval process by automatically approving users from those domains.

There are also settings for blocked email domains and allowed email domains that provide a way to restrict or control who can register on your site based on their email domains:

However, these settings would all require the must approve users setting to be enabled, and only impact users initially registering on a site, and not the interaction between creating posts and the review queue.

As a workaround, you could use Groups to accomplish a similar functionality though. For example, you could create a custom group and automatically add users who register with a specific email address to the group, and then add this group to the approve unless allowed groups and approve new topics unless allowed groups setting.

With this type of setup, you could effectively bypass the review queue for users with a specific domain, while still sending other posts to the review queue if desired.

2 Likes

Hi, I was wondering whether it is possible to force a captcha on topic and/or post creation?

I don’t know, but what it helps if a bot can bypass captcha when login? Then it can do same when publishing,

True, but there seems to be captcha support for registration, so I was wondering whether the same exists for topic/post creation.