Opened 5 weeks ago

Closed 5 days ago

#3334 closed task (fixed)

Discourse spam protection

Reported by: robe Owned by: sac-tickets@…
Priority: normal Milestone: Sysadmin Contract 2025-I (robe)
Component: SysAdmin/Discourse Keywords:
Cc:

Description (last modified by robe)

There seems to be someone spamming our osgeo forum and general for the past day or so.

I'm going to lock down the spam protections a bit more to mitigate.

For one

1) Not allowing anyone posting to osgeo feedback without moderation

2) newuser max links change from 6 back to the original 2

3) Change email time window from 2 minutes back to 5 minutes (default is 10)

4) Reset max image size back to default of 4MB (was 100 MB)

5) Min first post typing time -- was set to 600, reset it back to default of 3000 milliseconds (this just forces the post into the needs-approval queue)

Change History (13)

comment:1 by robe, 5 weeks ago

Description: modified (diff)

comment:2 by robe, 4 weeks ago

Also put back to default:

  • min first post length - was set to 1 changed to 20
  • I thought I had set newuser max links back to 2, but maybe I was mistaken, so set that back to 2

comment:3 by robe, 4 weeks ago

Okay, I haven't gotten any spam since I updated these rules, but we have been getting too many messages waiting for approval.

  • Most fall in because new users are putting in more than 2 links; changing "newuser max links" to 4.
  • Descriptions that contained % with numbers and China were also being flagged, so I've removed China from watched words requiring approval and tightened the [0-9]+% rule.

There is another rule I did want to change but hadn't, because many people need that feature. That is being able to post multiple topics with the same subject line, which gets abused by spammers. This by default is set to not allowed, but we had changed it so that people could post to multiple categories at once.

comment:4 by robe, 4 weeks ago

P.S. Forgot to mention I also instituted cleanup of accounts that have not been verified in the past 30 days and have not posted anything. I also reduced the length of time the email token is valid for.

  • email token valid hours: 24 (default is 48)
  • purge unactivated users grace period: 10 (default 14) - we had this really high before I think like 60
  • cleanup inactive users: 730 days (this is any 0 trust account that has no posts and no activity for the past x days). I had this set to 30 -- I realize this was too low (we quickly went from 1200 accounts to 750 when I had made this change), so put it back at the default of 730 days.

The issue with being too lax with these settings is spammers often try to accrue a bunch of accounts they have created in the past, and then use them later. I suspect this is what happened. But if we have another spam attack, I will take a closer look at the account before deleting and banning the IP and email.

Last edited 4 weeks ago by robe (previous) (diff)

comment:5 by robe, 4 weeks ago

Okay, spoke too soon, just got spam.

comment:6 by robe, 4 weeks ago

Appears the spammer was a Discourse register and the account was created today, so it wasn't an LDAP or a GitHub one. We might need to tighten the signup process, perhaps getting rid of the Discourse registers, though I'd like to avoid that.

comment:7 by robe, 3 weeks ago

Okay, no spam aside from my experimental info category.

Another option for controlling spam is to use Discourse AI plugin - https://meta.discourse.org/t/discourse-ai-spam-detection/343541

Which we'd only use to check trust level 0 users, which I think has been the case for all users posting spam. Of course this would be an added cost unless we host our own LLM.

comment:8 by robe, 13 days ago

Got another spam attack on general from feyexip which registered 3 hrs ago. Looks like a self-register.

comment:9 by robe, 13 days ago

I see there were others today and all to the General category. I've enabled slow mode on General so at least 2 hrs must have passed for the same person to post another topic.

comment:10 by robe, 13 days ago

I also set default composer category back to blank. Was set to General which I think just encourages people not to think about the category they need to post to.

comment:11 by robe, 13 days ago

I've also reduced email token valid hours down to 2 hrs. At a glance there were a bunch of recently added accounts that have been sitting there for 7 hrs or more; I suspect these are all spam accounts as they had email addresses like abc... or 34566. Hopefully this will reduce the likelihood they can activate them in time to spam. Also added some more terms to the approval queue and completely blocked list.

comment:12 by robe, 11 days ago

Okay I just came across another setting -

approve post count: 0 The amount of posts from a new or basic user that must be approved

The default is currently 0. I wonder if it's better to set that to 1, and then revert back to not requiring approval on each category. I'm going to try that and see how that works.

comment:13 by robe, 5 days ago

Resolution: fixed
Status: new → closed

I'm going to close this out for now. After I wrote the above message, I did change:

approve post count: 0 to approve post count: 1 for new and basic users.

I think this is sufficient for now and with that I've been able to purge those fake accounts as they try to post crap the first time.

Our traffic is not high enough yet to be a concern, and I think if all moderators (especially if each category group has designated moderators) this shouldn't be too much work to block out rogue players.

So this means once a user is approved for their first post, regardless of what category, they can do future posts without moderation, as long as it doesn't fall into our watched words traps and link count/image count etc. traps.
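The ticket tracks these settings by hand across several comments; the script below is an added example (not part of the ticket, and not a Discourse or OSGeo tool) that audits a Discourse site's live settings against the values the ticket finally settled on, so drift back toward the loosened values shows up instead of being noticed after the next spam wave. It uses the real admin endpoint `GET /admin/site_settings.json` with `Api-Key`/`Api-Username` headers; the machine-readable setting names in `TARGETS` are my assumed mapping from the admin-UI labels the ticket uses, and the sample response is constructed.

```python
"""Audit Discourse site settings against the anti-spam values from this ticket.

Added example, not the ticket's or Discourse's own code. Setting keys are
assumed machine names for the admin-UI labels the ticket mentions; check
them against /admin/site_settings.json on the real site before relying on it.
"""
import json
import urllib.request

# Final values the ticket settled on, keyed by assumed Discourse setting name.
TARGETS = {
    "newuser_max_links": 4,                            # comment:3
    "email_time_window_mins": 5,                       # description, item 3
    "max_image_size_kb": 4096,                         # description, item 4 (4 MB)
    "min_first_post_typing_time": 3000,                # description, item 5
    "min_first_post_length": 20,                       # comment:2
    "email_token_valid_hours": 2,                      # comment:11
    "purge_unactivated_users_grace_period_days": 10,   # comment:4
    "clean_up_inactive_users_after_days": 730,         # comment:4
    "approve_post_count": 1,                           # comment:13
}

# Constructed sample of the 'site_settings' list the endpoint returns
# (values arrive as strings); three settings, one already at target.
SAMPLE_SITE_SETTINGS = [
    {"setting": "newuser_max_links", "value": "6", "default": "2"},
    {"setting": "email_token_valid_hours", "value": "24", "default": "48"},
    {"setting": "approve_post_count", "value": "1", "default": "0"},
]


def fetch_site_settings(base_url, api_key, api_username):
    """GET /admin/site_settings.json (needs an admin API key) and return
    the 'site_settings' list."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/admin/site_settings.json",
        headers={"Api-Key": api_key, "Api-Username": api_username,
                 "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["site_settings"]


def _coerce(value):
    """Discourse serialises numeric settings as strings; compare as ints."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return value


def audit(site_settings, targets=TARGETS):
    """Return {setting: (current, wanted)} for each target that is absent
    from the response or differs from the wanted value."""
    current = {s["setting"]: _coerce(s.get("value")) for s in site_settings}
    drift = {}
    for name, wanted in targets.items():
        if name not in current:
            drift[name] = (None, wanted)
        elif current[name] != wanted:
            drift[name] = (current[name], wanted)
    return drift


def changed_from_default(site_settings, names=tuple(TARGETS)):
    """Names among `names` whose live value differs from Discourse's default,
    i.e. the settings an admin has deliberately tuned (as this ticket does)."""
    return sorted(
        s["setting"] for s in site_settings
        if s["setting"] in names and _coerce(s.get("value")) != _coerce(s.get("default"))
    )


def report(site_settings):
    """Human-readable summary; returns the number of drifted settings."""
    drift = audit(site_settings)
    for name, (cur, want) in sorted(drift.items()):
        print(f"DRIFT {name}: current={cur!r} wanted={want!r}")
    print("tuned away from default:", ", ".join(changed_from_default(site_settings)))
    return len(drift)


if __name__ == "__main__":
    import os
    url = os.environ.get("DISCOURSE_URL")  # e.g. https://discourse.example (placeholder)
    if url:
        settings = fetch_site_settings(url, os.environ["DISCOURSE_API_KEY"],
                                       os.environ.get("DISCOURSE_API_USER", "system"))
    else:
        settings = SAMPLE_SITE_SETTINGS  # offline run on the constructed sample
    raise SystemExit(1 if report(settings) else 0)
```

Run it offline to see the sample output, or set `DISCOURSE_URL`, `DISCOURSE_API_KEY` and `DISCOURSE_API_USER` to audit a real site; a non-zero exit makes it usable from a cron job or CI check so a setting that has been relaxed again is caught before the moderation queue does.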
