Andy Millne Posted August 17, 2009
Regarding the new spam service, it seems to have caught its first spam account on my board and successfully banned them which is brilliant! Why though does it take this action? I don't really want a load of banned spam accounts show up in my members list.
Charles (Management) Posted August 17, 2009
The idea was that if the spam service overreacted and banned someone who was real you could just click to unban them.
Andy Millne (Author) Posted August 17, 2009
[quote name='Charles' date='17 August 2009 - 10:05 PM' timestamp='1250543147' post='1845295'] The idea was that if the spam service overreacted and banned someone who was real you could just click to unban them. [/quote]
Is that not what the admin review option is for? ;)
Guest Posted August 17, 2009
If the spam service bans an account, will it display a message that the account was banned for being a spam account or something, or does it just offer up the generic "You don't have permission to view this board" message? How would a real person who got caught by the spam service know that it happened, and how would they go about telling someone so they could get unbanned?
Charles (Management) Posted August 17, 2009
Yes but what if the spam service gave an account a score of 4. That person would never be able to register - ever. This way they could contact you and you could click to unban their account. Of course we could always add an option: "Give spammer rude message and do not create account record"
Charles (Management) Posted August 17, 2009
[quote name='Gärrett' date='17 August 2009 - 05:10 PM' timestamp='1250543400' post='1845299'] If the spam service bans an account, will it display a message that the account was banned for being a spam account or something, or does it just offer up the generic "You don't have permission to view this board" message? How would a real person who got caught by the spam service know that it happened, and how would they go about telling someone so they could get unbanned? [/quote]
They would use the link to contact the board admin on all the error pages in that case.
Andy Millne (Author) Posted August 17, 2009
[quote name='Charles' date='17 August 2009 - 10:11 PM' timestamp='1250543499' post='1845301'] Of course we could always add an option: "Give spammer rude message and do not create account record" [/quote]
:) I think that would be better. Maybe some kind of error message to that effect suggesting they contact an administrator if it is a genuine registration. I'm not sure how it would be dealt with once they contacted an administrator, maybe by manually adding them via ACP? If that was the case it would also be useful if when adding a member manually from the admin panel we could choose to have a random password generated and emailed to the new member rather than setting it ourselves. I think that that would be a good suggestion in its own right regardless of the spam issue.
bfarber Posted August 17, 2009
When adding a member in the ACP you can already opt to have the password emailed to the user. Couldn't you just button-mash and check that option? It's the same thing in the end. The end-user doesn't really know if you are able to randomly generate a password or if you did it manually, so it's already on the honor-system that you aren't noting their password anyways. And they can always change it once they log in for the first time.
ll4ever Posted August 17, 2009
What if someone on site A registers, flagged as not a spam bot, then registers on site B, C, D etc.. since D would now know it's a spam bot, would any previous sites know this? I'm going to say no based on the fact it only checks at the time of registration. I think having a call back for known spam bots would be nice.
Andy Millne (Author) Posted August 17, 2009
[quote name='Charles' date='17 August 2009 - 10:18 PM' timestamp='1250543914' post='1845305'] They would use the link to contact the board admin on all the error pages in that case. [/quote]
Yes but does the error message say why they don't have permission and they should contact the admin or again is it just an assumption that people will contact the admin similar to the Friendly error messages topic already posted here. Thanks for listening.
Andy Millne (Author) Posted August 17, 2009
[quote name='bfarber' date='17 August 2009 - 10:28 PM' timestamp='1250544528' post='1845322'] When adding a member in the ACP you can already opt to have the password emailed to the user. Couldn't you just button-mash and check that option? [/quote]
So it does :) Thanks Brandon. Are we getting a "nasty message to spammer" option then?
Charles (Management) Posted August 17, 2009
Reason: "We thought you were a spammer. If you are not: here is my email. If you are: please don't use the previously posted email to spam me."
Andy Millne (Author) Posted August 17, 2009
Sounds good :D On a serious note though "Registration failed due to suspected abuse. Please contact us if you think you have received this message in error." Could work.
Charles (Management) Posted August 17, 2009
That's close to what I said.
Andy Millne (Author) Posted August 17, 2009
I can think of a few things that would be a little more... shall we say... abrupt :)
gamer phfreak Posted August 17, 2009
HEHE this is the page spammers get when they get banned from my wordpress blog url removed.
AtariAge Posted August 17, 2009
[quote name='ll4ever' date='17 August 2009 - 04:29 PM' timestamp='1250544555' post='1845323'] What if someone on site A registers, flagged as not a spam bot, then registers on site B, C, D etc.. since D would now know it's a spam bot, would any previous sites know this? I'm going to say no based on the fact it only checks at the time of registration. I think having a call back for known spam bots would be nice. [/quote]
This would be a nice future enhancement and make this system even more useful. ..Al
bfarber Posted August 17, 2009
[quote name='AtariAge' date='17 August 2009 - 06:13 PM' timestamp='1250547186' post='1845351'] This would be a nice future enhancement and make this system even more useful. ..Al [/quote]
Perhaps, but I'm not sure $20/year would cover this. Can you even begin to imagine the overhead in having a system on our end contact tens of thousands of remote sites to try to notify them when it discovers a spammer?
Andy Millne (Author) Posted August 17, 2009
I know why don't we charge say 0.01 pence for a "forum message stamp"? oh wait hang on... #fail :)
AtariAge Posted August 17, 2009
[quote name='bfarber' date='17 August 2009 - 06:11 PM' timestamp='1250550714' post='1845391'] Perhaps, but I'm not sure $20/year would cover this. Can you even begin to imagine the overhead in having a system on our end contact tens of thousands of remote sites to try to notify them when it discovers a spammer? [/quote]
I would gladly pay a reasonable, additional fee for this functionality. I can imagine the overhead, it's not trivial by any means. How about instead allowing forums to poll your servers periodically (say, every several hours, or even once a day) for the most recently flagged spammers? Just had a spammer get through today, first one since April. User looked innocuous enough, username/email/IP didn't register anything suspicious in Google. Spammer posted a bunch of pornographic pictures and a ton of links (in a single post). Fortunately I happened to be online and caught it within a few minutes. I'd contribute handsomely to a fund to launch spammers directly into the sun. ..Al
Wolfie Posted August 17, 2009
Here's an idea. Set it up so that once a week, new registrations (that are 3 to 10 days old) are bundled and sent to the spam server and if any 'new' hits are returned, then the proper action can be taken on an account. Otherwise that account is marked as "clean" so it's not checked again. That marking could also be done by an Admin, so that the account doesn't get checked, which can be useful if the admin knows it might get flagged even though it's a legit person. The time interval could be adjusted to be daily or even hourly if necessary, for busy boards. Although it should only check on accounts that are over 3 days old (to give time to let spam reports build up first to prevent false negatives).
AtariAge Posted August 18, 2009
[quote name='.Wolfie' date='17 August 2009 - 06:54 PM' timestamp='1250553286' post='1845413'] The time interval could be adjusted to be daily or even hourly if necessary, for busy boards. Although it should only check on accounts that are over 3 days old (to give time to let spam reports build up first to prevent false negatives). [/quote]
I'm not sure I agree about three days--I'd want new accounts to be checked more frequently so they are properly flagged as quickly as reasonably possible. A new spam account that's been validated for three days is probably one that's going to end up posting spam on my forum. I'd rather have false positives than spam accounts that are missed. If an account is improperly flagged and it's a legitimate user, they can write the admin to ask why their account is not active. I'd rather have this than spammers posting the garbage I saw earlier today on my forum. ..Al
bfarber Posted August 18, 2009
And for sites that get 50 users a day? A check every 3 days would mean 150 users - that's a lot to process in one request from one server. Multiplied by tens of thousands, again..
Wolfie Posted August 18, 2009
[quote name='AtariAge' date='17 August 2009 - 08:22 PM' timestamp='1250554959' post='1845423'] I'm not sure I agree about three days--I'd want new accounts to be checked more frequently so they are properly flagged as quickly as reasonably possible. A new spam account that's been validated for three days is probably one that's going to end up posting spam on my forum. I'd rather have false positives than spam accounts that are missed. If an account is improperly flagged and it's a legitimate user, they can write the admin to ask why their account is not active. I'd rather have this than spammers posting the garbage I saw earlier today on my forum. [/quote]
I said false negatives, not false positives. The idea of checking each account one additional time would be to limit the resources used. Can you imagine a very busy board that gets about 100 new registrations a day, checking say 300 accounts a day? One site alone, not a big deal. But add on multiple busy sites along with the tons of smaller sites and suddenly 300 accounts a day becomes a big drag on the resources. However, waiting a few days allows sites to report new spammers so that you can start getting accurate responses when you do a followup check on an account. If someone manages to get registered because they're not flagged yet, then aside from constantly checking every few minutes, you're going to have spammers who get in and spam before they are registered as hits on the service. What you want is unrealistic, as you want it to stop a spammer before they have gained a 'reputation' as being a spammer. How do you expect the service to work for you? The service relies on people reporting spammers so that when that spammer uses the same information to register on more sites, they are then known as a spammer and can be stopped from proceeding. Which falls back to the checking of accounts that are over 3 days old.
If the spammer registered on your site and passed the check because they didn't gain a reputation yet, then if they have plans to hit your site but haven't yet, then by the time they do, their account might have already been banned/suspended because that re-check caught them. The service is a give and take. You gain the benefit of stopping spammers that others reported, just like they'll get that same benefit when you report spammers who hit your site.
AtariAge Posted August 18, 2009
[quote name='.Wolfie' date='17 August 2009 - 07:39 PM' timestamp='1250555995' post='1845428'] However, waiting a few days allows sites to report new spammers so that you can start getting accurate responses when you do a followup check on an account. If someone manages to get registered because they're not flagged yet, then aside from constantly checking every few minutes, you're going to have spammers who get in and spam before they are registered as hits on the service. What you want is unrealistic, as you want it to stop a spammer before they have gained a 'reputation' as being a spammer. How do you expect the service to work for you? The service relies on people reporting spammers so that when that spammer uses the same information to register on more sites, they are then known as a spammer and can be stopped from proceeding. [/quote]
Bullocks, I never said anything about checking every few minutes, go read my posts above again, I said every few hours to once a day. Several thousand boards doing one of these checks a day is not going to overly tax a server, especially if the checks are done in a batch operation (send all accounts at once) as opposed to individually. You're passing a small amount of information about each account (I believe right now it's just IP address and email address), so even several hundred accounts is going to be a trivial amount of bandwidth, as will the server's response. The lookups on the server should also be very fast as you'd have indexes for the IP and email addresses. I understand quite well that the service requires spammers to be flagged before they are marked on the spam service server as a "spammer". Presumably this can happen in a much shorter period than three days, especially when efficient bots are involved (or even a human/bot combination--human registers, once account is validated, bot takes over).
Having to wait 3+ days to re-check new accounts means that some spammers are going to get through to my board and I will still have to manually validate all new users to try and prevent that. Anything that can be done in a reasonable fashion to cut down on that time is a good thing. Now, I'm speculating here, but assuming there are "tens of thousands" of Invision boards out there, I would imagine that only a small portion of them are huge boards that get 100+ registrations a day. And of all those boards, not all of them are going to be running the Spam Service, which is off by default. While this problem would require careful engineering to ensure it's not a huge resource drain, I really don't think it's an insurmountable problem. ..Al
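The delayed re-check Wolfie proposes, combined with the batching AtariAge suggests, sketched as an added example that is not part of the thread or of the Invision spam service. The `lookup` callable, the `Account` fields and the ban threshold are assumptions, and the sample accounts are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

BAN_SCORE = 4  # assumption: the thread only says a score of 4 gets an account banned

@dataclass
class Account:
    email: str
    ip: str
    registered: datetime
    status: str = "unchecked"   # unchecked | clean | banned
    admin_exempt: bool = False  # an admin vouched for it: never re-check

def select_for_recheck(accounts, now, min_age_days=3, max_age_days=10):
    """Unsettled accounts old enough for spam reports to have built up."""
    lo, hi = timedelta(days=min_age_days), timedelta(days=max_age_days)
    return [a for a in accounts
            if a.status == "unchecked" and not a.admin_exempt
            and lo <= now - a.registered <= hi]

def recheck(accounts, now, lookup, batch_size=100, **window):
    """Re-check due accounts in batches; returns the number of requests made.

    `lookup` is a hypothetical stand-in for the remote service: it takes a
    list of (email, ip) pairs and returns {email: score}.
    """
    due = select_for_recheck(accounts, now, **window)
    requests = 0
    for i in range(0, len(due), batch_size):
        batch = due[i:i + batch_size]
        scores = lookup([(a.email, a.ip) for a in batch])
        requests += 1
        for a in batch:
            if a.email in scores:  # no answer: leave it for the next run
                a.status = "banned" if scores[a.email] >= BAN_SCORE else "clean"
    return requests

# Constructed sample data: example.com addresses, documentation-range IP.
NOW = datetime(2009, 8, 18)

def _acct(name, age_days, **kw):
    return Account(f"{name}@example.com", "192.0.2.10",
                   NOW - timedelta(days=age_days), **kw)

def demo(**window):
    accounts = [_acct("new", 1), _acct("late-hit", 4), _acct("ok", 5),
                _acct("vouched", 6, admin_exempt=True), _acct("old", 30)]
    service = lambda pairs: {e: 4 if e.startswith("late-hit") else 0 for e, _ in pairs}
    return recheck(accounts, NOW, service, **window), {a.email: a.status for a in accounts}
```

Calling `demo(min_age_days=0)` applies the shorter wait AtariAge argues for, so the one-day-old account is included in the same single request.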
Archived
This topic is now archived and is closed to further replies.