Post by 4aapl on Aug 21, 2023 16:34:15 GMT -8
In searching through plugins, I was surprised to not easily find ones related to minimizing spam accounts.
On our site we don't get too much spam. We have a smaller user base with under 800 accounts, and these days often don't even get one new account a month. But of the new accounts in the last 3 years, maybe 2/3rds have been spammers.
After missing our admin for years, during which time new user accounts couldn't be confirmed, we no longer require an admin to confirm an account. We could set that up if needed, but the numbers have been low enough that it just isn't an issue.
It's actually a little interesting to see the spam process. The past ones were from Thailand putting in links to a casino there, and had similarly constructed user ids. But the more recent ones, from Hungary, did an interesting thing. They made a post with something generic, the current one just saying "Thanks for this information!". But then a few days to a week later, they come back and edit their post, putting in links to a small overseas software company. My guess is the editing often gets it under the radar, and the link helps with google hits.
It doesn't seem super nefarious or annoying, but is still something we'd like to minimize. But if the quantity were to step up, we'd want to have a plan.
What do other admins do?
We don't want to sandbox all new accounts and require admin interaction, but one option would be to do it for the first 6/12/24 hours. Another is to sandbox or require admin interaction if the IP isn't from North America, since that would mostly not affect our user base.
There is also the option seen on some forums of forcing an introduction in a special area before a moderator grants access to more areas, but even though we have a good group of moderators now, we'd prefer to keep required moderator tasks to a minimum. Our site did fairly well with self-moderation over the years with no Admin, so that mostly set our board culture that we still strive for.
Thanks in advance for any ideas and sharing what you do on your site.
(Since this is more of an idea request than a bug report, I felt this was the place for this)
Post by Kami on Aug 21, 2023 18:21:26 GMT -8
So number one, the reason you don't see any plugins like this is for two reasons: a) forum registration is a separate system from the forum proper and plugins don't impact them, and b) plugins operate client-side (i.e. in your browser) and can be easily bypassed by disabling JavaScript so they offer virtually 0 security or reliability for these matters.
As to what I do... I generally run RP forums, so it likely won't help you haha. But since you don't want to increase moderator tasks (understandable!) you can use post ranks to determine how many posts one needs to access the category. Since these accounts rarely make more than a dozen posts before moving on, you could set a couple areas to be accessible to users with 12 posts or less, and the rest of the areas to 13 posts or greater.
Of course this isn't foolproof, but it can act as both a deterrent and a quarantine for these types of accounts.
Post by 4aapl on Aug 21, 2023 18:43:59 GMT -8
> So number one, the reason you don't see any plugins like this is for two reasons: a) forum registration is a separate system from the forum proper and plugins don't impact them, and b) plugins operate client-side (ie in your browser) and can be easily bypassed by disabling javascript so they offer virtually 0 security or reliability for these matters.
> As to what I do... I generally run RP forums, so it likely won't help you haha. But since you don't want to increase moderator tasks (understandable!) you can use post ranks to determine how many posts one needs to access the category. Since these accounts rarely make more than a dozen posts before moving on, you could set a couple areas to be accessible to users with 12 posts or less, and the rest of the areas to 13 posts or greater.
> Of course this isn't foolproof, but it can act as both a deterrent and a quarantine for these types of accounts.

Thanks Kami
It doesn't look like we use Rank anywhere currently, but it seems like the easiest way to make it automatic would be to put a Rank level down at 1 post, and only let users below that level post to an "introduce yourself" board. I see how to do that. That's probably a light enough step to not stop legitimate new users, while being just enough to slow a spammer down, since the spammers we have had so far seem to be non-automated and pretty low tech.
Our board (sorry, category) is aaplfinance.proboards.com, primarily about Apple, AAPL, investing and finances. We've slowly shrunk over the years, partially due to not allowing new users for so many years during what would have been our growth streak.
Spammer accounts haven't been a huge issue, but I believe previously PB said v6 was going to have more features to prevent spam, so since that is on hold I wanted to see what other options people use out there.
Does anyone have a huge problem with spam or spammer accounts on PB? Or is it like our category, where it is mostly manageable, just enough to remind you that it can still happen?
Thanks
Post by 4aapl on Aug 21, 2023 19:18:09 GMT -8
Looks like we've been dealing with this for a while. Looking at my history, it turns out that just over 2 years ago I asked nearly the same thing, except with more of a focus on spammer IPs or similar naming: support.proboards.com/thread/667896/filter-out-user-spam-accounts
Looking at our banned user list, there are only 27 since the one I called out in that message, so basically 1 a month. A few each time have similar IPs, sometimes with the first 2 octets matching, but I'd have to ban fairly wide swaths for what isn't currently a massive issue for us. And it might cause issues for legitimate new users or users that are traveling. Still, it's good to know that wider IP banning is an option there in admin/security/ban_members
But I guess it's like a dripping oil gasket. It's manageable, though possibly annoying, if it stays small. The important part is making sure it doesn't become a blow-out with major damage.
Looks like you helped me out back then too Kami. Thanks for all that you do!
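
Added example, not part of the thread and not ProBoards code: a Python sketch of the trade-off in the post above, where banned IPs share their first two octets but a wildcard ban on those octets covers a wide swath. The IP list is constructed sample data from private ranges, and `spanning_network` and `wildcard_report` are hypothetical helper names.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: IPs recorded against banned spam accounts.
BANNED_IPS = [
    "10.20.5.17", "10.20.5.203", "10.20.88.4", "10.20.131.9",
    "10.77.3.50",
    "172.16.9.12", "172.16.9.40",
    "192.168.44.7",
]


def spanning_network(ips):
    """Smallest single network that contains every address in ips."""
    addrs = sorted(int(ipaddress.IPv4Address(ip)) for ip in ips)
    # Bits that differ between the lowest and highest address mark where
    # the shared prefix ends.
    differing = addrs[0] ^ addrs[-1]
    prefix_len = 32 - differing.bit_length()
    base = ipaddress.IPv4Address(addrs[0])
    return ipaddress.ip_network(f"{base}/{prefix_len}", strict=False)


def wildcard_report(ips, min_hits=2):
    """Compare a 'first two octets' ban with the tightest ban per cluster."""
    clusters = defaultdict(list)
    for ip in ips:
        wide = ipaddress.ip_network(f"{ip}/16", strict=False)
        clusters[wide].append(ip)

    report = []
    for wide, members in clusters.items():
        if len(members) < min_hits:
            continue  # a single sighting does not justify a range ban
        tight = spanning_network(members)
        report.append({
            "wide_ban": str(wide),
            "wide_addresses": wide.num_addresses,
            "hits": len(members),
            "tight_ban": str(tight),
            "tight_addresses": tight.num_addresses,
        })
    return sorted(report, key=lambda row: row["wide_ban"])


if __name__ == "__main__":
    for row in wildcard_report(BANNED_IPS):
        print(row)
```

In this sample one cluster really does need the whole two-octet range (65,536 addresses for 4 hits), while the other is covered by a 64-address range, which is the difference that decides how many legitimate or traveling users a range ban can catch.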
Post by Kami on Aug 21, 2023 20:41:46 GMT -8
The thing is, there is simply nothing that can be done as a whole about spammers. I don't mean to sound like a negative nelly, but it's simply a technology issue. There is no technology that exists today that can 100% guarantee to immediately identify and block spammer accounts.
From a broad level, the tools developers have are IP bans, preemptive blocking of IPs that are from proxy or VPN services, and hardware bans. For the first two, it's hit and miss; wildcard bans and preemptive blocking can sweep up legitimate users since many ISPs recycle addresses + there are perfectly valid uses for proxies and VPNs (eg: I often browse the internet at work, but I work on a VPN due to my job; it doesn't make me an illegitimate user). For the latter, websites would never be allowed by the general public to require you to download software that tracks your hardware information in order to be able to ban a physical machine. Some games or other competitive / information-sensitive applications may do this, but no one is going to accept doing so in order to conduct a google search or post on social media.
Which leaves us with very few options, in the end. We have nothing more powerful than IP and hardware bans at this time, so there's no real way to identify a spammer 100% until they post something spammy. This is especially true as spamming is moving out of automation and into real-people spammers to avoid being flagged at the captcha. We can create posting permissions but again, if the spammer is a person it's going to fail to catch them before they make spam. Even if v6 were still under development, it wouldn't introduce anything groundbreaking on the anti-spam front, though it may have shored up existing defences / extrapolated in previous ideas.
All we can do is stay vigilant, at the end of it.
Post by 4aapl on Aug 21, 2023 21:50:53 GMT -8
> The thing is, there is simply nothing that can be done as a whole about spammers. I don't mean to sound like a negative nelly, but it's simply a technology issue. There is no technology that exists today that can 100% guarantee to immediately identify and block spammer accounts.

Each situation can be different, but in our case we could stop over 90% of the current spammer account registrations if we flagged any registration trying to use an IP outside of North America. I believe of our nearly 800 accounts, I've only seen a couple outside of this area.
Likewise, most spammer accounts have numbers in their account name and email address. With a smirk on my face I tell the other moderators that you have to watch out for those user names with a number in the account. They're a wily bunch. But the spammers have multiple numbers in their accounts and emails, not just one.
Like any automation, there are times that it can be tough to put into code what seems easy, when you start trying to put some logic behind it. But putting these two things together would stop almost all of the spam accounts, along with not having any false positives. A different site might need some other logic, as it could have a much more global user base. But for us, especially if narrowed to the IP only at account creation instead of at any time, we could really make a big dent, hitting nearly 100%. And if the numbers really made it a worthwhile pursuit, this is the way I would start.
Do you know how that ban_members section works when using IPs? I'd be most interested in just the IP used during account creation, but it doesn't really specify how it works. As an example, let's say I created an account at home using an allowed IP, but then took my laptop to a restaurant that had a banned IP. Would my account not work if I tried to log in from there, but then work again once I got home? It seems that is what the UI is suggesting, and that would make sense to me.
Of course it is a cat and mouse game, where spammers might up their game. OTOH, it's more likely to be like that of protecting a house, where a few small things can often reasonably protect it, but nothing is a completely impenetrable fortress, with enough time and effort.
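
Added example, not part of the thread and not a ProBoards feature: a Python back-test of the two-signal rule described in the post above (signup IP outside North America, plus multiple digits in both username and email), compared with each signal used alone. The registration history is constructed sample data, the country code is assumed to be already resolved from the signup IP, and all function names are hypothetical.

```python
from dataclasses import dataclass

HOME_REGION = {"US", "CA", "MX"}  # assumption: North America as ISO country codes


@dataclass
class Registration:
    username: str
    email: str
    country: str    # assumption: already resolved from the signup IP by a lookup
    was_spam: bool  # moderators' later verdict, used only for back-testing


def digits(text):
    return sum(ch.isdigit() for ch in text)


def outside_region(reg):
    return reg.country not in HOME_REGION


def multi_digit_identity(reg):
    """Several digits in both the username and the email local part."""
    local_part = reg.email.split("@", 1)[0]
    return digits(reg.username) >= 2 and digits(local_part) >= 2


def hold_for_review(reg):
    """Combined rule: both signals must fire. The outcome is a review queue,
    not a ban, because IP geolocation is fallible (VPNs, travel)."""
    return outside_region(reg) and multi_digit_identity(reg)


def backtest(history, rule):
    """Score a rule against registrations whose outcome is already known."""
    caught = sum(1 for r in history if rule(r) and r.was_spam)
    false_pos = sum(1 for r in history if rule(r) and not r.was_spam)
    missed = sum(1 for r in history if not rule(r) and r.was_spam)
    return {"caught": caught, "false_positives": false_pos, "missed": missed}


# Constructed sample history; names, addresses and verdicts are made up.
HISTORY = [
    Registration("luckyspin8842", "luckyspin8842@example.com", "TH", True),
    Registration("betnow7731", "betnow7731@example.net", "TH", True),
    Registration("devtools2290", "dev.tools2290@example.org", "HU", True),
    Registration("softhub5518", "softhub5518@example.com", "HU", True),
    Registration("thanksposter", "thanks.poster@example.org", "HU", True),
    Registration("mac512k", "mac512k@example.com", "US", False),
    Registration("traveler1", "traveler1@example.net", "DE", False),
    Registration("appleholder", "holder@example.com", "CA", False),
]

if __name__ == "__main__":
    for name, rule in [("region only", outside_region),
                       ("digits only", multi_digit_identity),
                       ("both signals", hold_for_review)]:
        print(f"{name:13} {backtest(HISTORY, rule)}")
```

On this sample each single signal produces one false positive (a member abroad, a member with digits in their name), while requiring both removes the false positives at the cost of missing the one spam account that has no digits.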
Post by Kami on Aug 21, 2023 22:11:27 GMT -8
I think (but am not sure) you took away an entirely different meaning from my post than I intended. To rephrase just in case, what I am saying is that there is a limit to what we can do with the technology that currently exists. That is not to say you can't get as close to the results you want with what we have available, but rather that the number of options we have is finite and not entirely foolproof. Hopefully the tech will eventually evolve but as you noted it is a game of cat and mouse until then.
As far as banning by IP, you can input any IPs you'd like irrespective of whether or not you have seen that IP being a problem. I do know some people tend to do wide scale wildcard bans targeting entire regions if they see a lot of spam come from there. It works for their needs and it might work for yours.
And yes, in the situation you used as a hypothetical, you would be "banned" at that location. But IP bans are not account bans -- you would be banned only so long as you had the banned IP but if you changed locations or used a not-banned proxy or VPN, you'd regain access immediately because you aren't banned at the personal (account) level, just on the IP level.
It would probably be more effective if you banned accounts at the Global ID level than the IP level. Because PB used a global login system, it means 1 email address can be connected to multiple accounts on multiple forums (same and different). EG: the email account associated with my forum account here on support is also linked to a bunch of other forums, some of which I have multiple accounts for (due to roleplaying rules or theme testing needs). So, spammers who are registering on any given forum, will wind up creating a global account with the email they use to create their account; by banning the global ID, that means they cannot make any accounts on your forum with the global ID they used, and would be forced to create not just a new email, but a new global ID.
Post by 4aapl on Aug 22, 2023 8:05:12 GMT -8
> And yes, in the situation you used as a hypothetical, you would be "banned" at that location. But IP bans are not account bans -- you would be banned only so long as you had the banned IP but if you changed locations or used a not-banned proxy or VPN, you'd regain access immediately because you aren't banned at the personal (account) level, just on the IP level.
> It would probably be more effective if you banned accounts at the Global ID level than the IP level. Because PB used a global login system, it means 1 email address can be connected to multiple accounts on multiple forums (same and different). EG: the email account associated with my forum account here on support is also linked to a bunch of other forums, some of which I have multiple accounts for (due to roleplaying rules or theme testing needs). So, spammers who are registering on any given forum, will wind up creating a global account with the email they use to create the forum; by banning the global ID, that means they cannot make any accounts on your forum with the global ID they used, and would be forced to create not just a new email, but a new global ID.

I think I understand. I was saying it was possible, logically, to block most of these spam accounts on our site. But you are pointing out that it's not currently possible to do it that way on ProBoards v5.
It's good to hear on the IPs, that it doesn't completely taint an account that tries to use an IP in a banned range.
I didn't remember the Global ID part of things, since it had been so long since I registered. But in creating a test account, I now know the current process.
Looking at our list on admin/security/ban_members it turns out that we do normally ban via GlobalID. It's hard to know how many that stops, though 2 years ago with various variants of Jessica Tran, the user must have just created new GlobalIDs. It's not that many extra steps.
It looks like there is no way to easily see the user's GlobalID, if they used one that was different than the site's username. Is it buried in a log somewhere, or available with a plugin? Or is this a PB privacy decision, similar to deleting an account getting rid of everything?
Post by Kami on Aug 22, 2023 8:25:36 GMT -8
> > And yes, in the situation you used as a hypothetical, you would be "banned" at that location. But IP bans are not account bans -- you would be banned only so long as you had the banned IP but if you changed locations or used a not-banned proxy or VPN, you'd regain access immediately because you aren't banned at the personal (account) level, just on the IP level.
> > It would probably be more effective if you banned accounts at the Global ID level than the IP level. Because PB used a global login system, it means 1 email address can be connected to multiple accounts on multiple forums (same and different). EG: the email account associated with my forum account here on support is also linked to a bunch of other forums, some of which I have multiple accounts for (due to roleplaying rules or theme testing needs). So, spammers who are registering on any given forum, will wind up creating a global account with the email they use to create the forum; by banning the global ID, that means they cannot make any accounts on your forum with the global ID they used, and would be forced to create not just a new email, but a new global ID.
> I think I understand. I was saying it was possible, logically, to block most of these spam accounts on our site. But you are pointing out that it's not currently possibly to do it that way on ProBoards v5.
> It's good to hear on the IPs, that it doesn't completely taint an account that tries to use an IP in a banned range.
> I didn't remember the Global ID part of things, since it had been so long since I registered. But in creating a test account, I now know the current process.
> Looking at our list on admin/security/ban_members it turns out that we do normally ban via GlobalID. It's hard to know how many that stops, though 2 years ago with various variants of Jessica Tran, the user must have just created new GlobalIDs. It's not that many extra steps.
> It looks like there is no way to easily see the user's GlobalID, if they used one that was different than the site's username. Is it buried in a log somewhere, or available with a plugin? Or is this a PB privacy decision, similar to deleting an account getting rid of everything?

Blocking Spam Accounts: Erm, no, that's not quite what I was saying. I'm saying that the tools we have available to use — not just on PB, but on "the internet" as a whole — to permanently get rid of problematic users are finite in number, finite in function, and mostly easily bypassed by anyone with technical know-how. The tools that PB offers are pretty standard across the entirety of the internet: banning people's accounts/emails and IP addresses. v6 may have improved these two tools in some aspects, but it wasn't going to ever be the silver bullet with 100% success rate because internet technology as a whole has not yet come up with something more surefire. If there were, bots on my favourite online game service would be gone instead of ruining games by automated scripting ;-;
Plugin Functionality: I think there may be a misunderstanding, as well, about "plugins". Plugins are just bits of javascript code that are packaged in a pretty user interface, and are optional. Plugins do not provide any functionality with regards to managing users on a service level. There physically cannot be any plugin that provides personal information about anyone that registers on the forum without having them opt in to that function, and plugins do not impact registration because registration is handled at a ProBoards level, not an individual forum level (the registration page is separate from your forum).
Global IDs: Global IDs are tied into a user's email address; users can change the email address associated with their global ID, but any staff on a forum with the power to see emails should be able to see if an email address associated with that user's global ID changes.
If their global ID is banned from a particular forum, they cannot use that email address to register additional accounts on that forum. This is different from IP bans (banning anyone using a particular IP address, which is not account-specific), and account bans (banning a particular user that has registered on the forum from logging in to that specific account).
When banning by IP, a change of IP will "unban" the user. When banning by account, creating a new account will "unban" the user. When banning by global ID, the email address is banned, so creating a new email address will "unban" the user.
Just for clarity, the reason I suggested that Global IDs may be more effective than banning by IP was that creating a new email address is an extra step that acts as a deterrent for most spammers. However, it sounds like you have a pretty persistent person, or group using the same name; in cases like these, there's really not much you can do other than continue banning all three portions (global ID, IP, and account).
There's no way on an individual forum level to preemptively ban spammer accounts. There are some levers that PB may be able to pull on a service-wide level (eg: banning certain VPNs that are known to be used by spammers, banning "throwaway" email domains that are usually used by spammers), but they are not foolproof either.
Post by 4aapl on Aug 22, 2023 9:10:13 GMT -8
My plugin functionality limitation confusion is probably based on the IP listing plugin. While that is information that is really useful to me, both for hunting down spammers but also finding where people are from and searching for potential duplicate users, it is privileged information that would normally stop at the server. So really it's just a judgement call on what information PB wants to share. If they don't share it, which is perfectly fine and justified, then a plugin isn't going to have access to it either.
But you're right, I haven't used the plugins much and so don't yet know their limitations, and I'm apparently putting too much hope into them given the combination of application, client, and server automation I've used over the decades in other areas.
I do see some very simple logic that could be used to stop 90+% of our site's spammers over the past 2 years, just based on IP location and user name. But just like bears learning to open one type of "wildlife resistant" trashcan shed, I don't have any notions that it would stop everything forever. Instead it would be like a lock on a house, helping stop many low-tech issues, but still likely pickable, while other options like a window are available too.
And that's pretty much how the Global IDs are. It's one more step, or two if you include creating an email. It helps. And while it's hard to know exactly how much it helps, it's also not a magic bullet that stops all spammers while continuing to let in all legitimate users. That's tough to do, even if the current spammers to our site are fairly predictable.
FWIW, the user and posting that we thought was suspect did exactly as predicted. 11 hours later, the post was edited to be spam, with a well written though overly embellished blurb about how amazing a small software company is. We moved it into our spam folder, and I won't repost it here since I speculate the whole point is upping a ranking on search engines, but like some previous ones it was to ML _ S with Dev (sorry, that's my low skill approach to having it not help the search engine rankings).
Thanks for all of the information. It was really helpful. Hopefully if I come back in another 2 years with the same sort of question, I'll remember to search for this message first. And if it's not already, this would be great to put into a FAQ or 1-pager on dealing with spam accounts.
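
Added example, not part of the thread and not ProBoards code: a Python detector for the pattern reported in the posts above, where a new account publishes a generic post and edits links into it hours or days later. It assumes post revision history is available to moderators in some exported form; the `Post` and `Revision` records, the sample posts and the 6-hour threshold are constructed for illustration, and the 12-post cutoff follows the "dozen posts" figure mentioned earlier in the thread.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE)


@dataclass
class Revision:
    saved_at: datetime
    body: str


@dataclass
class Post:
    post_id: int
    author: str
    author_post_count: int
    revisions: list = field(default_factory=list)  # oldest first


def links(text):
    """Lower-cased URLs in text, with trailing punctuation trimmed."""
    return {m.group(0).rstrip(".,;:!?)").lower() for m in URL_RE.finditer(text)}


def late_link_edits(post, min_delay=timedelta(hours=6), max_author_posts=12):
    """Findings for edits by low-post-count authors that add links long
    after the post was first published."""
    if post.author_post_count > max_author_posts or len(post.revisions) < 2:
        return []
    first = post.revisions[0]
    seen = links(first.body)
    findings = []
    for rev in post.revisions[1:]:
        current = links(rev.body)
        added = current - seen
        delay = rev.saved_at - first.saved_at
        if added and delay >= min_delay:
            findings.append({
                "post_id": post.post_id,
                "author": post.author,
                "delay_hours": delay.total_seconds() / 3600,
                "added_links": sorted(added),
            })
        seen |= current
    return findings


def scan(posts):
    return [finding for post in posts for finding in late_link_edits(post)]


# Constructed sample posts; authors, text and URLs are made up.
T0 = datetime(2023, 8, 21, 9, 0)
SAMPLE_POSTS = [
    Post(101, "thanksposter", 1, [
        Revision(T0, "Thanks for this information!"),
        Revision(T0 + timedelta(hours=11),
                 "Thanks for this information! See https://software.example/ for amazing apps."),
    ]),
    Post(102, "longtime_member", 340, [   # established member: ignored
        Revision(T0, "Earnings call is next week."),
        Revision(T0 + timedelta(days=1), "Earnings call is next week: https://ir.example/call"),
    ]),
    Post(103, "new_but_legit", 2, [       # link present from the start
        Revision(T0, "Intro post, my blog is https://blog.example/aapl"),
        Revision(T0 + timedelta(minutes=5),
                 "Intro post (typo fixed), my blog is https://blog.example/aapl"),
    ]),
    Post(104, "quick_fixer", 3, [         # link added within minutes
        Revision(T0, "Chart attached."),
        Revision(T0 + timedelta(minutes=10), "Chart attached: https://charts.example/1"),
    ]),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_POSTS):
        print(finding)
```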
Post by Kami on Aug 22, 2023 11:10:56 GMT -8
So, that's not totally accurate in how the plugin works. Even without the plugin, any user that is part of a member group with the ability to view IP addresses is able to see them, and then copy/paste that IP into an IP lookup website. The plugin is not providing the functionality to see, the PB software is. The plugin simply removes the extra step of copy/pasting the IP into a lookup site and delivers the results of that query to you based on which site you selected. If someone does not have the ability to see IPs, the plugin won't be visible. IPs also aren't inherently personally identifiable data (that's why banning an IP or IP range may snag legitimate users as well, depending on whether or not an IP address is being reassigned across multiple users), and IP lookup sites are fallible (eg: when I'm on my work VPN an IP lookup says my location is in California, but I actually live in Texas).
I don't know if it's too much hope per se, but maybe a misalignment on how plugins are created in the context of ProBoards? Other providers use the term "plugin" to indicate addons to their services (like a wordpress plugin), whereas plugins on ProBoards are simply pre-packaged javascript with a user interface for settings (and potentially some HTML and CSS for styling whatever the plugin does). PB plugins don't add service functionality, just user-end functionality, if that makes sense.
Yeah, and this is the part I'm saying is just down to the broader "what can the internet do" thing. If ProBoards could perfect anti-spam protections to the point where they're infallible, we wouldn't be in a situation where v6 was on hiatus :P
There is a plugin you can use to try and discourage this; however, like all plugins, it comes with the caveat that anyone with javascript disabled (which many spammers use) or using the mobile app (which doesn't load plugins at all) will not be hindered by it (which is why I said "discourage" as opposed to "stop").
You can bookmark this thread, so when you log into your account in the future you can check your bookmarks to see what you've saved in the past. As far as FAQ and whatnot, I'll check in with the PB team and see if there's something they'd be willing to add in :)
Post by Ken on Aug 29, 2023 10:07:51 GMT -8
I woke up today, and three members joined only to post one thing, and it's an advertisement for a WordPress API. Nothing to worry about that much, as I archived the posts and sent a message about it.
Are these spam accounts?
Post by Kami on Aug 29, 2023 10:40:26 GMT -8
> I woke up today, and three members joined only to post one thing, and it's an advertisement for a WordPress API. Nothing to worry about that much, as I archived the posts and sent a message about it.
> Are these spam accounts?

Likely. You can generally tell if whomever is posting is there for the sake of spamming because they won't ever engage correctly with the existing content. They'll either create new threads with their spam, or reply to existing threads with spam.
Post by Ken on Aug 29, 2023 13:27:35 GMT -8
> > I woke up today, and three members joined only to post one thing, and it's an advertisement for a WordPress API. Nothing to worry about that much, as I archived the posts and sent a message about it.
> > Are these spam accounts?
> Likely. You can generally tell if whomever is posting is there for the sake of spamming because they won't ever engage correctly with the existing content. They'll either create new threads with their spam, or reply to existing threads with spam.

Should I ban or disable the accounts?
Post by Kami on Aug 29, 2023 13:29:58 GMT -8
> > Likely. You can generally tell if whomever is posting is there for the sake of spamming because they won't ever engage correctly with the existing content. They'll either create new threads with their spam, or reply to existing threads with spam.
> Should I ban or disable the accounts?

It doesn't matter either way, really. Whatever you prefer to do is what you should do. The only real thing that you should consider is that these types of accounts will never be productive members of the forum. Knowing that, enact a policy that serves your needs and wants for your community best.
EDIT: if they are actively spamming in a rapid-fire way and/or are disrupting the community (including if the spam they post is upsetting in some fashion, like we had a few spammers a couple of years back that for some reason liked to post gore photos??), versus just leaving a few posts before never coming back, then I'd go the ban route (global ID, account, and IP).