What is the best way to deal with recurrent email-in spam?

nathank · August 13, 2025, 4:00am

On one of my sites, we’ve got persistent spam/phishing coming in from a single source which I’m struggling to prevent. It gets in via an email-in to a group inbox.

It uses a different email and IP address each time, but the content is almost identical each time. It claims to be from CommSec (a well known Australian company), and phishes for personal details. Each time the staged user is called ‘Commsec’.

No amount of blocking is working. I tried making ‘Commsec’ a not-allowed username, but Discourse still lets that through.

Any suggestions? Or do I need to rely on AI for this one?

nat · August 13, 2025, 9:25am

Email-in topics/posts go through a very similar path as regular post creation, so AI spam would most likely cover you.

Just confirming, did you go through the “reserved usernames” site setting?

The setting description shows “Usernames for which signup is not allowed. Wildcard symbol * can be used to match any character zero or more times.”, but without getting too pedantic with the definition of “signup”, this feels like a bug.

pfaffman · August 13, 2025, 9:50am

I think you need to rely on ai spam detection (or maybe try moving detection upstream to the mail receiver if you’re really clever).

I bet (but don’t really know) that the stuff that lets email in with staged users work bypasses some normal stuff.

Do you not have the ai spam detection set up?

nathank · August 13, 2025, 10:01am

Correct! I wasn’t exact with my description sorry.

Yes, a staged user is created with that reserved username. I’m not quite sure how. If that username is taken, it gets the username ‘Commsec1’ etc.

I agree it is a bug that a staged user can take a reserved username, but I haven’t tried to repo this.

No, not yet. This is a small, low budget site and I don’t want to add complexity without due reason. This could be it!!

NateDhaliwal · August 13, 2025, 10:03am

I’ve tried OpenRouter’s free Gemini model with AI spam detection and it went without a hitch.

Moin · August 13, 2025, 10:08am

Is the text they send always similar? Then the flag option of watched words could help. I think that one also works on messages.

There is also the Approve unless staged site setting, but I don’t remember if that works on PMs.

But I don’t think any of them are as effective and restrict regular users as little as AI.

Topic		Replies	Views
Are you experiencing AI based spam? Community ai	23	1723	January 19, 2025
Strategies for filtering spam / AI user accounts? Community spam	5	178	April 9, 2025
Tips for Preventing Spam Site Management moderation , explanation , spam	9	3871	January 18, 2025
Spam Reaching Groups via staged users and email Support	4	564	December 28, 2020
AI powered Spam detection Announcements ai , spam	11	807	January 11, 2025

What is the best way to deal with recurrent email-in spam?

Related topics