Add Admin Validation Method for third-party login methods to prevent PM scammers

[AtariAge]

Greetings,

I'm having a large problem on my forum where someone signs up using a third-party login method (Google, Facebook, Twitter, Discord) and then sends a batch of private messages to members who have previously posted in the forum they are looking for some unique item (we have a "Wanted" marketplace forum, which is where most of these posts are located).  The scammer states that they have the item, and to send them a message at a specified email address.  It's bad enough that I have had to post a warning at the top of my Marketplace forum to educate people about this scam, and I've heard this is a common issue on many forums these days.

Here's an example from this evening:

Unfortunately, I cannot enable Admin Validation of new accounts if they are not created with the Standard login method.  Therefore, I have had to completely disable all third-party login methods.  I can usually spot scammer/spammer accounts by manual validating them, as they are usually using proxy/VPN servers, may show up in StopForumSpam.com (email address, username, and/or IP address), are attempting to login from a country known for scammers/spammers that I never get real validations from, or I get some interesting results in Google (for instance, signing up on a number of different forums within a 24 hour period). 

I could prevent new users from using the PM system, and then promote them to another user group after 'x' number of posts, but there are legitimate reasons to allow new members to send PMs, and I don't want to punish those people. 

Another thing that would be useful is to be notified if a new member sends a slew of PMs to different individuals in a short period of time after joining, especially if they've never made any posts on the forum.  I could then login as that member from the ACP and easily discern if that user is attempting to scam people, even without looking at the individual PMs (just seeing the message titles gives them away).  It would also be really helpful if there was a way to flag PMs based on certain keywords, at least in specific user groups (such as a "New Members" group) that contained certain words.  It's very common for these scammers to include an email address in their PMs (since they want to conduct business off site to avoid detection), so being able to flag on that would be helpful. 

I'm open to other suggestions as well to try and combat this behavior, as it would be nice to open up the Google, Facebook, and Discord logins again (Twitter can buzz off, no way in hell I'm paying the ransom to use their API). 

Thank you!

[DawPi]

57 minutes ago, AtariAge said:

It would also be really helpful if there was a way to flag PMs based on certain keywords, at least in specific user groups (such as a "New Members" group) that contained certain words.

My mod has it:

Quote

• Enable keyword monitoring
• Keywords to monitor
• Notification Groups: Members from selected groups will be notified when someone sends a private message that contaims a monitored keyword

 

[teraßyte]

Adding validation for 3rd party login methods is not possible. Unless I remember wrong, they specifically have rules in place that no further validation should be required.

[AtariAge]

2 minutes ago, teraßyte said:

Adding validation for 3rd party login methods is not possible. Unless I remember wrong, they specifically have rules in place that no further validation should be required.

If that's true, that's unfortunate.  No way in hell I'm re-enabling those methods without a solution to this ongoing issue.

[teraßyte]

A workaround could be to set up the Members group to not be able to send PMs unless they have at least a few posts. Once they make the required number of posts you can move them with an automatic group promotion rule to another group that can send PMs.

Edited May 7, 2023 by teraßyte

[AtariAge]

Just now, teraßyte said:

A workaround could be to set up the Members group to not be able to send PMs unless they have at least a few posts (with an automatic group promotion rule).

Yes, I mentioned this in my first post, but it's not a solution I'm crazy about.  There are legitimate reasons for people to send a PM when they first sign up.  For instance, we have a good deal of software and hardware development in our forum, and people often setup waiting lists or put games/hardware up for sale directly in the forum, asking people to PM them if they are interested.  Many people will sign up to the forum explicitly to send these people a message.  Restricting PMs for new members would cause many headaches in this department.

[teraßyte]

Oh, I missed that part of your post. I can indeed see why it would be a problem with your situation.

 

I can't really think of anything else right now. 🙄

[Nathan Explosion]

On 5/6/2023 at 7:00 AM, AtariAge said:

Unfortunately, I cannot enable Admin Validation of new accounts if they are not created with the Standard login method

I'm a little confused on this one, as the following is stated in the registration settings:

"These settings apply to all new accounts, both those created from the standard registration form and through other login methods."

So I've just tested out signing up using the Google authentication method and I get this as the user:

 

And there is the user awaiting admin approval in the ACP:

 

Is this functionality not working for you then? Maybe I'm missing something here?

Edited May 7, 2023 by Nathan Explosion

[My Sharona]

1 hour ago, Nathan Explosion said:

I'm a little confused on this one, as the following is stated in the registration settings:

"These settings apply to all new accounts, both those created from the standard registration form and through other login methods."

So I've just tested out signing up using the Google authentication method and I get this as the user:

 

And there is the user awaiting admin approval in the ACP:

 

Is this functionality not working for you then? Maybe I'm missing something here?

Slightly off-topic and apologies for using your post here but...

A few days ago, spammers found one of my sites and started up their shenanigans. As a way to mitigate the attack, I switched to, 'Administrator validation' for new registrations. This had a quirky side effect of not allowing moderators to see any new reported posts. Had me stumped as to what I may have done that made this happen. I tried switching it back to, 'Email validation', but that didn't make the reported posts show again. I became frustrated and left it alone for the rest of the day. Woke up the next day and what do you know, my moderators could see reported posts again.

I had tried clearing the site cache in the ACP the day before but that didn't work so maybe it was another task that had to run to free it up, dunno. Just glad it is working again.

[AtariAge]

1 hour ago, Nathan Explosion said:

I'm a little confused on this one, as the following is stated in the registration settings:

"These settings apply to all new accounts, both those created from the standard registration form and through other login methods."

So I've just tested out signing up using the Google authentication method and I get this as the user:

 

And there is the user awaiting admin approval in the ACP:

 

Is this functionality not working for you then? Maybe I'm missing something here?

I have the same setting enabled (of course), but users coming in through alternate registration methods are definitely able to bypass the Admin validation.  Looking at the details for the other login handlers, the text for the "Create an account" option explicitly states that if an email is provided, the account is automatically validated:

This would explain why new members are able to bypass the admin validation.

 ..Al

[Nathan Explosion]

Well, I read all that as being specific to the email validation element, and the information back on the registration section indicates that too:

"Email validation (but not administrator validation) is bypassed if the user signs in with a login handler which provides an allowed email address."

Here's my point - if you have the registration setting enabled to require admin validation and it's not working then I wouldn't be posting it here in feedback...I'd be raising it as a support issue if it's not working in the way my images indicate it does.

Edited May 7, 2023 by Nathan Explosion

[AtariAge]

8 minutes ago, Nathan Explosion said:

Here's my point - if you have the registration setting enabled to require admin validation and it's not working then I wouldn't be posting it here in feedback...I'd be raising it as a support issue if it's not working in the way my images indicate it does.

You're right, I do see that text.  That does seem to be not working correctly.  I'll bring this up with Invision and see what they say.  Thank you.

[AtariAge]

On 5/6/2023 at 1:59 AM, DawPi said:

My mod has it:

 

That looks to be a very nice mod, but I'm a quote leery about installing something that would allow me to easily read PMs.  The only time I go looking at PMs is if someone reports a PM (which then allows me to join a conversation), someone explicitly gives me permission to go look through their PMs (for instance, if someone is sending them a bunch of harassing PMs), or in a situation as I described above where someone has alerted me that they received a message they believe to be a scam (then I will login as that user from the ACP to check if they are sending obvious scam messages to a bunch of users).  I consider private conversations sacrosanct otherwise.

 

 

[Miss_B]

1 hour ago, AtariAge said:

That looks to be a very nice mod, but I'm a quote leery about installing something that would allow me to easily read PMs. 

You could use only the part for monitoring the keywords and don't read members pms.

On 5/6/2023 at 8:00 AM, AtariAge said:

Another thing that would be useful is to be notified if a new member sends a slew of PMs to different individuals in a short period of time after joining, especially if they've never made any posts on the forum. 

I agree, this is a very useful thing to have. I remember coding such an app for a member here who had the same issues that you described, but instead of spammer they were caused by their rivals.