Filter out likely new user spam accounts

[4aapl]

Forum URL: aaplfinance.proboards.com

What's the best way to filter or limit new user spam accounts?

Over the past maybe 9+ months we occasionally have new accounts created that then post a spam message for a online casino in Thai.  An IP search has put them all in Taiwan, and the username generally follows the same format of a name followed by some numbers.  This is one from last September:  minguyen23797

At worst this was a once a week thing, and it's probably been 10-15 times in the last 9-12 months.  It's not terrible, but I'd like to have a grasp on my options, especially if it escalated.

We end up banning or deleting the user manually.

Ideally there would be a way to block a certain IP range, or a way on a new account to not let it immediately post unless a moderator approves it.  We don't want to make all new accounts need approval for good, since we had a multi-year stretch where the main account did not log in and so we had no new members.

Instead what I am thinking is a way to quarantine a new account for 1-7 days, such that a moderator could approve it, and if a moderator didn't get to that the new account would eventually be approved automatically.

Does there happen to be a way to do that?  If not, is there a good way to automatically deal with this small amount of spam that we get?

Thanks

[Michael]

There actually is a way to accomplish exactly what you're looking for, the Post Quarantine Plugin. However, it's important to remember that plugins currently only work on the desktop version of the forum (which is changing in version 6 of our software, see the Development Blog board for more information).

Another potential way to handle things is to restrict new members ( say, those with less than 10 posts) to a small selection of boards through rank via the board/category permissions. This way at the very least the potential spam is limited to a few areas instead of the whole forum.

With all of that said, we are in the process of rolling out a new anti-spam initiative with the express purpose of targeting the sort of spam you refer to in your post. Hopefully in the very near future these sorts of posts can be detected and automatically removed without forum admins needing to take any action at all.

[4aapl]

Thanks!

Since the amount of spam we get is pretty small right now, I'll wait for the new anti-spam initiative for now. That should work, though we can look at that area limitation for new users, which could go hand in hand with getting new users to post an intro if we wanted to go that route.

Thanks for your help

[Kami]

> Ideally there would be a way to block a certain IP range

You can! It's called a wildcard ban.

If you go with this option, I highly recommend you be as specific and granular as possible to reduce the risk of catching legitimate users in the ban net.

So as you know, IP addresses follow this overall format: 12.34.567.89

In order to wildcard ban, simply replace one of the numbers with an asterisk * and delete everything that comes after that number.

So for instance, if I used 12.34.567.8*

That would block users from 12.34.567.80 through 12.34.567.89.

If I blocked higher up, like so: 12.34.567.*

That would block users from 12.34.567.01 to 12.34.567.99

The higher your placement of the asterisk, the wider your net. It's generally advised to place the asterisk at the position you see numbers stop being similar — users from a particular area / network will tend to have the same first few numbers, with the last 1 or 2 digits varying.


If you notice a pattern with usernames, you can add that username to your reserved names list (admin > members > reserved names) following a similar principle. If all spammers sign up with the name SPAM followed by a random assortment of numbers, you can add SPAM to your reserved names and prevent anyone from registering with a name containing the word 'spam'.

Caveat: This will also catch other words like spamsalot or aspammer even though the reserved name is part of a different word.

Hopefully that helps!

[4aapl]

Jul 20, 2021 17:13:14 GMT -8 Kami said:

> Ideally there would be a way to block a certain IP range

You can! It's called a wildcard ban.

If you go with this option, I highly recommend you be as specific and granular as possible to reduce the risk of catching legitimate users in the ban net.

So as you know, IP addresses follow this overall format: 12.34.567.89

In order to wildcard ban, simply replace one of the numbers with an asterisk * and delete everything that comes after that number.

So for instance, if I used 12.34.567.8*

That would block users from 12.34.567.80 through 12.34.567.89.

If I blocked higher up, like so: 12.34.567.*

That would block users from 12.34.567.01 to 12.34.567.99

The higher your placement of the asterisk, the wider your net. It's generally advised to place the asterisk at the position you see numbers stop being similar — users from a particular area / network will tend to have the same first few numbers, with the last 1 or 2 digits varying.


If you notice a pattern with usernames, you can add that username to your reserved names list (admin > members > reserved names) following a similar principle. If all spammers sign up with the name SPAM followed by a random assortment of numbers, you can add SPAM to your reserved names and prevent anyone from registering with a name containing the word 'spam'.

Caveat: This will also catch other words like spamsalot or aspammer even though the reserved name is part of a different word.

Hopefully that helps!

That's great!

Thanks for the help.  Not to nitpick too much, but normal IPs only go to 255 or 256 (I forget) per an octet, with a common local subnet mask of 255.255.255.0.  So 567 wouldn't be valid.


...pretty sure it hasn't changed, and I'm not going to check.  But in various former jobs, entering those subnet masks again and again seems to have stuck.

Various nitpicky things stuck over the years, like daylight saving (no s), and now with a story yesterday it is the Sierra, not the Sierras.

That said, thanks again.  I appreciate it (while also understanding that I probably have plenty of things that I do and write that can be nitpicked away, and some users and fellow moderators do)

[Kami]

Jul 20, 2021 17:44:34 GMT -8 4aapl said:

Jul 20, 2021 17:13:14 GMT -8 Kami said:

> Ideally there would be a way to block a certain IP range

You can! It's called a wildcard ban.

If you go with this option, I highly recommend you be as specific and granular as possible to reduce the risk of catching legitimate users in the ban net.

So as you know, IP addresses follow this overall format: 12.34.567.89

In order to wildcard ban, simply replace one of the numbers with an asterisk * and delete everything that comes after that number.

So for instance, if I used 12.34.567.8*

That would block users from 12.34.567.80 through 12.34.567.89.

If I blocked higher up, like so: 12.34.567.*

That would block users from 12.34.567.01 to 12.34.567.99

The higher your placement of the asterisk, the wider your net. It's generally advised to place the asterisk at the position you see numbers stop being similar — users from a particular area / network will tend to have the same first few numbers, with the last 1 or 2 digits varying.


If you notice a pattern with usernames, you can add that username to your reserved names list (admin > members > reserved names) following a similar principle. If all spammers sign up with the name SPAM followed by a random assortment of numbers, you can add SPAM to your reserved names and prevent anyone from registering with a name containing the word 'spam'.

Caveat: This will also catch other words like spamsalot or aspammer even though the reserved name is part of a different word.

Hopefully that helps!

That's great!

Thanks for the help.  Not to nitpick too much, but normal IPs only go to 255 or 256 (I forget) per an octet, with a common local subnet mask of 255.255.255.0.  So 567 wouldn't be valid.


...pretty sure it hasn't changed, and I'm not going to check.  But in various former jobs, entering those subnet masks again and again seems to have stuck.

Various nitpicky things stuck over the years, like daylight saving (no s), and now with a story yesterday it is the Sierra, not the Sierras.

That said, thanks again.  I appreciate it (while also understanding that I probably have plenty of things that I do and write that can be nitpicked away, and some users and fellow moderators do)

It was just a sample literally going in numerical order (1234567890) on my keyboard because I didn't want to pull a real IP, which wasn't really relevant to the demonstration haha.

As long as you got the gist of the methods posted, I'm happy. I hope it serves you well!