Probation for new members

[cthree]

I'd like a way to restrict new signups to a limited number of posts per day. I'd actually like a way to restrict PPD for all accounts/groups/forums/etc as per Can email members from the board? group permission.

[Wolfie]

I'd like the ability to set a group as being moderated much like you can do each member, except that the moderation would be initially applied per new member. ie, if you set it to be a week of moderation, then all posts by that member are moderated for 1 week after signup. If they get promoted to another group, then whichever is long in moderation time (their remaining or that groups initial time) would be how long that member would be moderated. That would prevent a loophole of someone getting promoted and then suddenly can post without limit.

Why would you want to limit posts per day anyway?

[cthree]

I'd like the ability to set a group as being moderated much like you can do each member, except that the moderation would be initially applied per new member. ie, if you set it to be a week of moderation, then all posts by that member are moderated for 1 week after signup. If they get promoted to another group, then whichever is long in moderation time (their remaining or that groups initial time) would be how long that member would be moderated. That would prevent a loophole of someone getting promoted and then suddenly can post without limit.

Why would you want to limit posts per day anyway?

I have accounts that post an AVERAGE of 500+ posts per day. I also have spammers who signup and post HUNDREDS of spam messages. I'd like to have new accounts restricted to 3-5 PPD until they graduate (a week or two).

[Wolfie]

Which is where the moderation restriction would come in handy. What would be the point of spamming a forum base if each post has to be approved and it's already known that they wouldn't be? :)

That combined with a feature to delete all posts by a specific member (either to trash can or a complete deletion), it makes it a waste of time to try to spam :)

[cthree]

Which is where the moderation restriction would come in handy. What would be the point of spamming a forum base if each post has to be approved and it's already known that they wouldn't be? :)

That combined with a feature to delete all posts by a specific member (either to trash can or a complete deletion), it makes it a waste of time to try to spam :)

With 8000 new posts each day I can't manually intervene nor would I want to. Just because you don't need something doesn't mean that others wouldn't find it useful.

[Wolfie]

I didn't say it wouldn't be useful. I was mentioning an alternative concept that could be considered (or possibly both included in the future). After all, if you see that all someone has posted was spam (and their posts have to be approved), then you just click to nuke all of their messages and ban them. I find it doubtful that new legit people are going to post a total of 8,000 messages a day (even combined unless you have at least 4,000 new people every day, then you really should consider charging fees and raking in some serious $$). There is a benefit to having to approve messages from new people. They can't spam, not even a few messages. What you want will still allow them to spam, and all they have to do is create multiple new accounts to get around your limitation. Not too hard to do.

Every new member gets moderated, then none of the spam can be seen by the regular members. In a way, you way is like saying, "You're allowed to advertise a few messages a day until I catch you". Once someone realizes that you can (and WILL) take the extra steps to make it that much more difficult to spam, especially in the manner I described, they'll go elsewhere. Then you can just lift the restriction (if you so desire) until/unless the problem returns.

There is another benefit too. You could offer a premium service for new sign-ups that would permit them to get around the moderation restriction. Charging, say, $2.00, so that their posts can be seen immediately. If someone pays it and then starts spamming, you simply take the desired action (delete and ban). There's also a trail left of how you got the money, report it to the FTC and they can use the information to find and prosecute the offender. But for those who are legit and pay, they get instant acccess, and you don't have to approve the new posts.

:lol: My ideas have reasons to them.

[cojo]

I think cthree's suggestion is a good idea. Some forums either do not have the time to moderate every new person's posts, or it's just not appropriate. For example, some folks use IPB to support their business. If new and potential customers' posts are routed to a queue until an employee can screen them, these customers will develop a bad impression of the company. Another benefit of limiting posts is it can act as an incentive to help convert freebies into paying customers on paid forums.

[Wolfie]

Please look at where I said that I didn't say that it wouldn't be useful. ;)

Just both concepts would be useful in their own ways, for his needs though (his reason), the idea I mentioned would be better. I can see and even think of other benefits of being able to limit posts per day. As you said, bully people into being a paying member as an example. What about forums that want to encourage file contributions? Submit a few files, they get approved, you get promoted to be able to post without limit. Very useful for boards that offer download systems. Games too, play the games, get leveled up (RPG's) and be able to post more.

Heck, it could even be used as an alternative to banning someone, by restricting their posting ability as a discouragement for their postings (ie, being rude or something after warnings, still let them post but limited, and can continue to lower their posting ability until they either get the hint and behave or just can't post at all).

:)

[cthree]

Ok, so there is no disagreement :)

I don't like the option of moderating posts for a number of personal reasons including:

a) Manual intervention required. I can't not visit the site for a day or a week (like a vacation) because posts will queue up;

b) People can be dumb. They post a message, don't see it in the topic list and either get bent, repost and/or send support emails. Nobody reads messages so saying "An administrator needs to approve your post" may as well say "foo boo big pants and ice cream".

For me the best way to control posting is to contain them; to minimize the impact of unwanted posts without eliminating them altogether. It's called "acceptable risk". I'm willing to allow that 1 in 50 new accounts who is registering to spam the forums in so that I can let the other 49 in and have a good experience. All I want is a way to suppress abnormal activity and to contain it to a level which I can clean up. If someone can only post 5 messages per day and have no PM abilities for the first week then I can deal with the problem quickly and easily.

As it is I can either let nobody post without screening every post or I can let anybody post any number of messages they like. Writing a bot to spam a forum with hundreds or even thousands of posts is not difficult. The current flood control is setup to restrict 1 post per X seconds which is easy to work around. There is nothing wrong with someone posting 3 messages within one minute but posting more than 5 in a day is more than I'm willing to allow.

Once I get logged into a forum, registered and so forth, I can easily determine the flood control setting and then setup a bot to post around it. If you go away for the weekend, say 48 hours, and have a 15 second flood settings that is 172800 seconds and 11520 posts before you can get back and clean it up.

Perhaps all this would take is a change to the flood control option which changes it from 1 post every x seconds to n posts every x seconds/hours/days/etc. Having an anti-bot code on the posting page would be a real plus as well.

[Wolfie]

If you're getting 8,000 posts/day, I would presume that you have moderators other than just yourself, right?

Put them to work. They see a post needs to be moderated, they glance at it and decide. Is it spamming? Yes=move it to another forum(trash can?) for your review. No=check to see if there's anything else wrong with it. If nothing else, approve it. Doesn't matter who does it either, so long as it gets approved. Now, it would be nice if one could see their own posts (and a notice saying that it's pending approval).

There are other possibilities to try too (I'll spill if you're interested in them)

I would also presume that you have tried setting up the Word&Ban Filters to try to stop it?

[cthree]

Why are you arguing with me? I've been running my site for 5 years, it's my full time job and I know what I need and I know why I need it. I get more posts in a single day that you've had in total and yes the realities of managing that sort of volume are different.

Want an example? It takes me 36 hours with a Linux P4 server, doing nothing but, to regenerate the thumbnails in my gallery (all 10GB of them). I've got 250,000 images and have a whole server in my rack dedicated to doing nothing but image uploads and thumbnail generation.

A search for a 4 letter word in all forums using fulltext (and I have a whole server running as a MySQL slave just for search) returns about 10000 pages if it returns anything (most searches timeout because they take more than 300 seconds to complete).

It has nothing to do with the issue of probationary accounts but it illustrates that size matters in orders of magnitude and what sounds simple enough for a small site is not even thinkable on a big one. I have real issues I'm trying to address that make a significant operational impact and saying "why don't you get moderators to help" is not helpful. They are volunteers and they already spend all of the time they are willing to commit to what they are doing. They are the ones asking for this feature because they are overburdened by punk-ass punks who have nothing better to do than create hotmail accounts and post pointless, insulting, offensive and worthless posts all day.

I'd appreciate it if you would allow me to post my suggestions for features that I need running my site without posting about how I don't need it and all I need to do it such and such. This is important to me and I don't have a lot of time to spend chatting here as I have my own sites to run. I feel your rebuttals and interjections are diminishing and challenging the value in what I'm asking for.

Thanks

[Wolfie]

If that is how you choose to read into what I have said, that is how you will read them and I cannot control how you decide to take things.

However, if anyone is doing the diminishing and challenging, it's you. The "I get more posts in one day than you have total" is like trying to say that I have no concept of reality when I have more of a concept than you'd realize.

I'll tell you what will happen with your plan, presuming that your request gets filled (which I have never been against)...

Someone will realize the restriction of a few posts per day. Then they will start creating multiple new accounts to get around it. If they want to make 500 posts, then they will make 100 new accounts with 5/day.

If they have automated scripts to do the postings, what makes you think that they don't have methods of creating tons of new accounts?

Next you'll have to start deleting/banning 100's of accounts per day.

But what would I know, I'm just someone who has no clue about this stuff and how to get around it. (Please note the sarcasm).

So anyways, think about that. Your request has a loophole. What's next? Make it 1 post per day? Then you lose legit people. Meanwhile, 500 new accounts get made to spam. With the idea I offered, it would make it pointless to try. When the attempts are stopped, it gets turned off, and things are easier.

All I've been doing is offering you ideas and reasons for them. Now, with that loophole in your idea exposed, should I be expecting a bit of a nicer tone from you along with maybe a joint effort in coming up with a feature request that works best for you?

[cojo]

Then they will start creating multiple new accounts to get around it. If they want to make 500 posts, then they will make 100 new accounts with 5/day.

I visit four sites which have forums as active as cthree's. All use their own custom-built software. Two of them enforce posting limits on new registrants (~3 posts) and free members (~15 posts) while the other two do not. In six years, the former two have never had visitors who were under a posting limit sign up for hundreds of accounts. The amount of spam they deal with is significantly less than the two forums which offer unlimited posting.


cthree: A friend of mine has a site which was being repeatedly hit by spammers and trouble makers. After reviewing the IPs, I found they were using open proxies. On Tuesday, I made a mod to his CMS to check whether a new registrant's IP is on a couple RBLs. If it is, the script won't create an account for him. So far, it's kept out his bad guys. He hasn't received any complaints yet about it triggering on others. If your spammers are coming in through open proxies too, adding a check for this may help cut down your problem.

[Hibii]

How can I do something like that. Bear in mind I'm not that savvy with these things?

[Wolfie]

I visit four sites which have forums as active as cthree's. All use their own custom-built software. Two of them enforce posting limits on new registrants (~3 posts) and free members (~15 posts) while the other two do not. In six years, the former two have never had visitors who were under a posting limit sign up for hundreds of accounts. The amount of spam they deal with is significantly less than the two forums which offer unlimited posting.

The impression that I'm getting is that his problem is one of the more rare extremes, and having gained some experience with those who are intent on doing something, I've learned to look for the openings that may be used. Those two who have never had that problem are doing rather well if they haven't had someone use that method to get around the limitation, but on the other hand, they probably wouldn't have had the problem without the limitation. No way to tell really. Either way, the idea is to find a reliable way of preventing spam-attacks on his site (as well as others, of course) as simply as possible while not turning it into a 'military level of security' forum. :lol:

I still stand by the moderation per member group idea, because if someone is stuck in a group until they are 'approved' to another group, then the attacks would end quickly, as a spammer would realize that their efforts are wasted, and would move on. To be honest, using both ideas would work the best, because then it would prevent a flood of spam (though pending-approval). Once the attempts have dropped, then he could easily set it to allow all new members to not be moderated. The work load on his moderators would drop.
:)

cthree: A friend of mine has a site which was being repeatedly hit by spammers and trouble makers. After reviewing the IPs, I found they were using open proxies. On Tuesday, I made a mod to his CMS to check whether a new registrant's IP is on a couple RBLs. If it is, the script won't create an account for him. So far, it's kept out his bad guys. He hasn't received any complaints yet about it triggering on others. If your spammers are coming in through open proxies too, adding a check for this may help cut down your problem.

I would love to know how you managed to do this, just as a general learning experience. Is it comparing known addresses, or is it somehow pulling the information and being told if it's a proxy or not?

[cthree]

I'll tell you what will happen with your plan, presuming that your request gets filled (which I have never been against)...

Someone will realize the restriction of a few posts per day. Then they will start creating multiple new accounts to get around it. If they want to make 500 posts, then they will make 100 new accounts with 5/day.

If they have automated scripts to do the postings, what makes you think that they don't have methods of creating tons of new accounts?

I find this comment to be constructive! Thanks. You raise a good point and the need for some form of control or check for multiple account registration. This is a problem I also have from people who I've banned but won't take "go away" for an answer. They've registered dozens of accounts from a huge number of IPs and cause a lost of trouble for me and moderators. It's part of the reason for for this request. I need to slow these guys down so I can ban them before they make such a mess that I spend my whole day cleaning up after them. It's a for of online vandalism I'm finding difficult to control and hence my post in the first place.

I visit four sites which have forums as active as cthree's. All use their own custom-built software. Two of them enforce posting limits on new registrants (~3 posts) and free members (~15 posts) while the other two do not. In six years, the former two have never had visitors who were under a posting limit sign up for hundreds of accounts. The amount of spam they deal with is significantly less than the two forums which offer unlimited posting.

cthree: A friend of mine has a site which was being repeatedly hit by spammers and trouble makers. After reviewing the IPs, I found they were using open proxies. On Tuesday, I made a mod to his CMS to check whether a new registrant's IP is on a couple RBLs. If it is, the script won't create an account for him. So far, it's kept out his bad guys. He hasn't received any complaints yet about it triggering on others. If your spammers are coming in through open proxies too, adding a check for this may help cut down your problem.

You offer an excellent idea I hadn't considered! I already wrote a hack I use to try and monitor repeat offenders that have worked well for a few. It checks their registration info with that of accounts I've banned or suspended in the past and alerts me by email when there is a significant match (IPs, regex of the email address, repetitive use of the same password sort of stuff). I then set admin approval for the registration and send myself an email letting me know there may be a problem. I will certainly look into your suggestion as a tool to assist in filtering these PITA idiots.

How can I do something like that. Bear in mind I'm not that savvy with these things?

IPS can add it to the software for starters :)

Without programming in PHP you can't. If you do hack your software you can't upgrade anymore without overwriting the hacks you've made so you'll need to have a way to track your changes (diff? CVS? Subversion?) and then recode them after each upgrade. Or you end up like me, running v1.3...

Damn! 2.1 merges subsequent posts! That's f'ing cool :)

[Wolfie]

I find this comment to be constructive! Thanks. You raise a good point and the need for some form of control or check for multiple account registration.

I'm very good at raising points when given the chance. :)

This is a problem I also have from people who I've banned but won't take "go away" for an answer. They've registered dozens of accounts from a huge number of IPs and cause a lost of trouble for me and moderators. It's part of the reason for for this request. I need to slow these guys down so I can ban them before they make such a mess that I spend my whole day cleaning up after them. It's a for of online vandalism I'm finding difficult to control and hence my post in the first place.

Do reverse checks of the IP's. If any of them are AOL accounts (usually in the range of 172.128.0.0 to 172.216.255.255, but there are other IP's too), then you can forward the information to AOL: Date/time it happened (with your time zone so they can know the difference), along with copies of the activies. Either it'll be an AOL user who'll end up getting suspended or AOL will learn of a security breach of some sort and fix it. Either way, it'll help to create a trail of evidence. The same generally goes for most of the bigger ISP's, if you give them the information, then even if they don't act on it, they can at least keep a log of it in case it becomes a more serious issue. Of course, the drawbacks include time consumption for writing the emails and sending them (even with pre-written emails it takes up time), also not all IP's will resolve to ISP's as well as not all ISP's are respectable if you get what I mean. Therefore, I'd say to limit the emails to services such as AOL and even MSN, as they're more likely to act on it.


(recommendation): Take on a few more moderators.. "JR Moderators" actually. Their duty/job is to only hide(disapprove) posts that they believe are the work of spammers. All they can do is to either hide or unhide posts in a forum (or 2) and that's it. Nothing else. That way there's a greater chance of limiting the public viewing of the spams.

(in addition): If the idea I mentioned were to be used, then those JR mods could be instructed on what types of posts to *NOT* approve, therefore a greater likelihood of posts/topics getting approved quickly for new legit members.

(in addition): The idea you want (again that I have never been against, because there are benefits to it), it would show it's potential if used as an addition to the idea I mentioned. Once the spammer(s) realizes that there is a limit on the number of posts, and when checking they see that none of their posts can be seen anyway, they're likely to not bother doing it more when it'll be a waste of their time. They may try to venture back at some point, but in the meantime it'll cut down on the damage they cause and that damage wouldn't be visible to the public.

When you feel that the spammer(s) have moved on, at least for awhile, remove the queing restriction so regular posts don't have to be approved. Leave the posting restriction on if you want (*1) and just have it set so you can re-enable the queing restriction in a minute or less if you have to.

(*1) = While a determined spammer can and will bang up multiple accounts to get around restrictions, the time it takes for them to realize it's still there and to start making the other phony accounts will give a few minutes of reaction time.

In the validation emails that are sent out, you could include a couple of repeating lines that say something like "IMPORANT! PLEASE READ THIS" and right underneath, a comment saying that for security reasons, posts made by new members may not become available immediately, and not to panic if they post something but it doesn't show up. Have it next to the verification link, they'll see it. :thumbsup:

I hope something in here gives you some ideas that help, even without new features (at least not yet).

[cthree]

None of the IPs associated with banned accounts resolve to open proxies :/ No help there. These are mainly people who have been real accounts but won't go away like a bad rash or an ex-girlfriend.

[Wolfie]

None of the IPs associated with banned accounts resolve to open proxies :/ No help there. These are mainly people who have been real accounts but [b]won't go away like[/b] a bad rash or [b]an ex-girlfriend.[/b]

:lol:

Are any of them in the 172.* range? If so, keep them in mind. ;)

Of course, I think for AOL, their IP's have 2 different ranges. I'd have to read up on it though. It would be nice if there was some way of sending an electrical bolt through to their computers. Shock some decency into them... :devil: