Banning spammers?

By Michael Lynch @michael
    2021-09-06 20:40:21.048Z

    Is there a way to ban accounts or IP addresses?

    It seems like the only options are to suspend accounts temporarily, but if a user posts spam, I'd like to force them to do a little more work and create a new account. If I just delete their messages, then it doesn't seem like anything stops them from posting more spam from the same account.

    I guess I could suspend them for a long duration, but I'd rather just ban by account and IP.

    • 20 replies

    1. KajMagnus @KajMagnus
        2021-09-07 08:38:52.364Z 2021-09-07 08:59:02.637Z

      There's functionality for blocking anonymous blog commenters ("Guest" users) by IP.
      But currently not for blocking authenticated (verified email addr) users by IP.

      Shouldn't take long, to make this block-by-IP functionality work also for blocking normal authenticated accounts.

      Is this a theoretical question or did you notice a spammer / spammers? (Did the same spammer seem to have appeared more than once?)

      (B.t.w. there're spammers sometimes here at Ty .io, maybe once in a month. I notice any spammy post on the Moderation page, and then I delete it (without anyone else having seen it). At least in my case (Ty .io), apparently this has made them leave.)

      ***

      Where's a good place to have Ban & Block button?

      I'm thinking, at 4 places: 1) On the misbehaving user's profile page, and 2) on the moderation page (where new users' first posts appear), and 3) in the dropdown menu below each post, 4) in the about-user popup dialog (that opens if one clicks the post author name, in a discussion).

      (Currently, for Guest users, there's a Block or surveil button in the 4) popup dialog — if clicking it, one gets to choose between blocking the guest user (the IP addr) completely, or always reviewing comments from that IP before they are shown.)

      ***

      What if there are other user accounts at the same IP?

      In most cases, I suppose any such accounts are controlled by the same spammer.

      Still, maybe it'd be nice if the Ban & Block button opened a dialog that listed other users at that IP address. And in the list would be num-comments-posted, and num-likes-received, given, num-flags-received.

      And there could be a "Ban & Block" checkbox next to each user, default checked except for users at that IP who had received some Like votes, but no flags.

      The admin then clicked a confirmation button (to ban & block as shown in the dialog) — or s/he could click the users, look at their posting history, and maybe tick/un-tick some of the ban-&-block checkboxes.

      ***

      Maybe it'd be nice with first 1) a list with users recently active at the exact same IP address. And below that list, 2) another list with users in the same /28 bits subnet, then the same /24 subnets, maybe /22 and/or /20.
      Because if the spammer gets a dynamic IP (DHCP), it could be nice to block the relevant subnet. — And there'd be checkboxes next to each user listed as active in these subnets, so the mod/admin could choose to un-tick apparently well behaved users that just happened to live in the same subnet.

      ***

      There should also (I think) be a Ban & Block tab in the admin UI, where all blocked IP addresses, and user accounts that had been active from those addresses, were listed. And the mods could cancel the IP blocks, or expand an IP block to a larger subnet — and then also see what user accounts would get affected, and if those accounts had posted bad (flagged) comments already.

      Also, maybe an IP block should automatically expire after a while, maybe half a year. There could be a reminder for the forum staff to review IP blocks that were about to expire — then they could choose to prolong or not, those IP blocks.
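An added example, not Talkyard's own code: a sketch of the dialog data proposed in the post above, listing accounts under the narrowest subnet they share with the spammer's IP (exact IP, then /28, /24, /22, /20) and pre-ticking everyone except users with Likes and no flags. The `Account` fields, the function names and the 10.20.x.x sample addresses are constructed for illustration, and only IPv4 is handled.

```python
import ipaddress
from dataclasses import dataclass

# Subnet sizes named in the post, narrowest first; /32 is the exact same IP.
PREFIXES = (32, 28, 24, 22, 20)

@dataclass
class Account:  # hypothetical record, not Talkyard's schema
    username: str
    last_ip: str
    likes_received: int
    flags_received: int

def default_checked(acct):
    """Pre-tick 'Ban & Block' unless the user has Likes and no flags."""
    return not (acct.likes_received > 0 and acct.flags_received == 0)

def subnet(ip, plen):
    """Network of the given prefix length that contains ip."""
    return ipaddress.ip_network(f"{ip}/{plen}", strict=False)

def ban_dialog(spam_ip, accounts):
    """Map each subnet to [(username, pre-ticked)], narrowest subnet first.

    Each account is listed once, under the narrowest subnet it shares
    with the spammer's IP; accounts outside the /20 are left out.
    """
    groups = {plen: [] for plen in PREFIXES}
    for acct in accounts:
        addr = ipaddress.ip_address(acct.last_ip)
        for plen in PREFIXES:
            if addr in subnet(spam_ip, plen):
                groups[plen].append((acct.username, default_checked(acct)))
                break
    return {str(subnet(spam_ip, p)): rows for p, rows in groups.items() if rows}

# Constructed sample data (private-range addresses, invented usernames).
SPAM_IP = "10.20.113.77"
SAMPLE_ACCOUNTS = [
    Account("spammer1", "10.20.113.77", 0, 3),   # the flagged account
    Account("sock2", "10.20.113.77", 0, 0),      # same IP, no Likes
    Account("alice", "10.20.113.70", 9, 0),      # same /28, Likes, no flags
    Account("bob", "10.20.113.200", 1, 1),       # same /24, flagged once
    Account("carol", "10.20.115.9", 2, 0),       # same /22, Likes, no flags
    Account("dave", "10.20.120.1", 0, 0),        # same /20, no activity
    Account("erin", "10.21.0.1", 0, 0),          # outside the /20
]

if __name__ == "__main__":
    for net, rows in ban_dialog(SPAM_IP, SAMPLE_ACCOUNTS).items():
        print(net)
        for name, ticked in rows:
            print(f"  [{'x' if ticked else ' '}] {name}")
```

The wider the prefix, the more unrelated accounts land in the list, which is why the un-tick step for well-behaved users matters most for the /22 and /20 groups.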

      1. Michael Lynch @michael
          2021-09-07 22:00:27.741Z

          Thanks, @KajMagnus!

          Is this a theoretical question or did you notice a spammer / spammers? (Did the same spammer seem to have appeared more than once?)

          Actually, you're right. I haven't seen spammers reuse accounts after their first post, so maybe this doesn't need to be a priority. I've seen two spam posts in the last two months, and they were from separate accounts:

          I'm thinking, at 4 places: 1) On the misbehaving user's profile page, and 2) on the moderation page (where new users' first posts appear), and 3) in the dropdown menu below each post, 4) in the about-user popup dialog (that opens if one clicks the post author name, in a discussion).

          My preference would be to have it on the post itself. Like if I get a notification and I see it's spam, I'd just like to click the post, ban the user, and move on.

          Part of my motivation in requesting this feature is that I found myself regularly searching for the "right" way to handle a spammer. I typically look through menu options for the post, look at the user's profile, look through moderation tools, and then eventually just delete the post. If I found a "Ban user" option, I'd know that I found the right way of handling a spammer.

          It would be nice if in addition to a delete option, there was a "delete and ban user." Or maybe just when the admin views a user's profile, they see a "ban user" button. And then in the ban confirmation, there's an option to ban the user's IP address, too.

          What if there are other user accounts at the same IP?

          For my needs, the odds of this are pretty low. A spammer could share an IP address with another person, but it would be unlikely that they both want to access my site. I'm fine just blocking by IP forever and assuming no legitimate user will ever use that same IP address.

          Sophisticated selection and expiration of IP subnet blocks is way more advanced than I need.

          I don't even strictly need IP blocking. I'm fine if I can just ban a user's account. Maybe it would be helpful to surface the user's IP to me so that I can identify if spammers consistently visit from the same IP address or IP block. If I see that happening, it might be a good reason to prioritize more sophisticated IP blocking.

          1. In reply to KajMagnus:
            Michael Lynch @michael
              2021-09-09 07:36:40.900Z

              I actually just received a huge number of spam messages from the same user:

              https://comments-for-mtlynch-io.talkyard.net/-/users/branding123/activity/posts

              All of their posts were just URLs with no content. It seemed like the only way to get rid of them was to delete each post one-by-one. It would be good for an option to ban the user and hide all their posts. It might also be useful for there to be a setting that holds posts for moderation when they contain suspicious links.

              1. Check out this page: /-/admin/settings/moderation — the Require approval of new members' first posts and Max posts pending approval settings. For example, if you set them to 2 and 5, you wouldn't need to approve (or reject) more than 2 posts per new user. (And, whilst their first 2 posts are pending approval, they can continue posting 3 more, until they've posted 5 in total. Just in case they're well intended people — so they don't get prevented from replying to others, after just 2 replies. Whilst you, o.t.o.h, only need to review 2 (not all 5) posts.)

                Or, if you want new members' posts to be visible to others directly (before they've been reviewed), use the section below instead: Review after published (on the same page). If you set Max posts pending review to, say, 3, a new member cannot post more than 3 posts, until the first ones have gotten reviewed.

                ***

                I'll add a Ban Block Delete button — which bans the user, blocks the IP, and deletes all his/her posts? — I'm thinking it'd make sense to do this now directly? (rather than waiting until after the user flairs)

                1. Michael Lynch @michael
                    2021-09-09 17:39:47.228Z

                    Check out this page: /-/admin/settings/moderation — the Require approval of new members' first posts and Max posts pending approval settings.

                    Ah, I hadn't discovered that section.

                    I've set it to:

                    • Require approval of new members' first posts: 0
                    • Always require approval trust level: 1
                    • Max posts pending approval: 1

                    Is my understanding correct of how this will take effect:

                    • Unregistered users can post, but the post requires explicit approval before it appears
                    • Registered users can post one comment, and it appears immediately, but they can't post any more comments until their first is approved
                    • Registered users with at least one approved comment can post as many comments as they want

                    Is that right?

                    I'll add a Ban Block Delete button — which bans the user, blocks the IP, and deletes all his/her posts? — I'm thinking it'd make sense to do this now directly? (rather than waiting until after the user flairs)

                    Order is up to you. I'm personally more eager to have the flair since the moderation tools should let me keep spam manageable for the next few weeks.

                    1. @Mr.Nobody
                        2021-09-09 18:30:12.105Z

                        Is my understanding correct of how this will take effect:
                        Unregistered users can post, but the post requires explicit approval before it appears

                        Yes, but since you are using [Always require approval trust level: 1], it will affect unregistered users (level 0) and also ALL registered "new" user (level 1) posts. Consider changing it to [Always require approval trust level: 0] so it only affects unregistered users.

                        Then, for newly registered users, use the [Require approval of new members' first posts] feature. I suggest changing it to 1-3, which will make the first 1-3 posts of newly registered users not appear to anyone before you accepted them.

                        I am new to the app, so maybe Kaj will correct something I said here, but this is how I understand the settings.

                        1. it will affect unregistered users (level 0) and also ALL registered "new" user (level 1) posts

                          Yes that's right. I think using 0 here is better (like you wrote). (There's going to be a dropdown with titles and short explanations, instead of typing a number 0 – 6, then it'd be more clear how it works :- ))

                        2. In reply to michael:

                          To achieve that, then, set everything to 0 except for:

                          • Max posts pending approval: 1 (cannot be lower)

                          And, in the Review after published section:

                          • Review new members' posts afterwards: 1
                          • Max posts pending review: 1

                          I can explain in more detail later. (Hmm I think the help text on the settings page needs to get rewritten & made clearer)

                          1. In reply to michael:

                            Order is up to you. I'm personally more eager to have the flair

                            Ok, flairs first

                        3. In reply to michael:
                          Christian Scheuer @chrscheuer
                            2021-09-09 22:04:20.531Z

                            Hi Michael.

                            Was just browsing this thread, went to your site, mostly to see how Talkyard works with blogs, and read about your exit from Google. Fascinating reading. Hope you'll have a lot of luck in your new career.

                            I also tried liking the post here: https://mtlynch.io/why-i-quit-google/

                            When I hit the Like (heart) icon, I was presented with this:

                            And if I hit Go to mtlynch.io, it just reloads the root of the website in that popup window.
                            Looks like some kind of SSO or user login system isn't configured, or maybe there's a bug in Talkyard there?

                            Just thought I would report it in case you weren't aware.

                            1. Michael Lynch @michael
                                2021-09-10 01:04:17.887Z

                                Oh, cool. Thanks for reading! I'm glad you enjoyed it.

                                The warning happens when you navigate from mtlynch.io to comments-for-mtlynch-io.talkyard.net, because Chrome thinks that TalkYard is trying to impersonate mtlynch.io with a similar domain name. I think it might happen if you don't have an account on mtlynch.io, you get redirected to TalkYard when you try to like the post. I'll let @KajMagnus chime in on whether that's something he's aware of.

                                1. Yes Michael & Christian @chrscheuer I think that's what's happening.

                                  you get redirected to TalkYard when you try to like the post

                                  Yes, the login popup has an address that looks partly like the blog post address (but it's in fact on a different domain).

                                  Michael you can rename comments-for-... to something else, by going to /-/admin/settings/site, clicking Change address ... and then typing a new & "very different" name for the blog comments site (it should end in .talkyard.net so the wildcard cert will work).

                                  And you'll also need to update the blog HTML template files so they'll point to the new address.

                                  ***

                                  There was someone else that ran into the same problem a while ago, and I was thinking I'll need to change how the comments-for-... hostnames are generated, sorry I didn't do that yet. Don't know if I thought that maybe it wasn't happening so often.

                                  1. Christian Scheuer @chrscheuer
                                      2021-09-10 11:28:51.579Z

                                      Got it, that makes sense. As I see it, the issue is this hits new users so you'll likely not hear about the issue as often as it occurs (because new users tend to just navigate away) - and secondly, that clicking the Continue to mtlynch.io button actually doesn't allow you to create a new user but just shows the front page instead of the actual popup to create the new user.

                                      1. you'll likely not hear about the issue as often as it occurs (because new users tend to just navigate away)

                                        That's a good point

                                        Continue to mtlynch.io button actually doesn't allow you to create a new user

                                        Yes, that's not good. The "Ignore" button is the "right" button to click, but it's the secondary almost-hard-to-notice action.

                                        1. In reply to chrscheuer:

                                          I'm not sure what's a good domain name, for an embedded comments site, and that Chrome / Safari also won't think looks suspicious.

                                          I was thinking I'll change the auto generated names to: comments-for-blog-hostname-dot-com i.e. inserting a -dot-. Or maybe remove the TLD completely, from the generated hostname.
                                          But maybe this won't work, or works now and stops working later.
                                          Then, could take long before that gets reported.

                                          Instead, maybe a completely random name is better, like: site-1234abcd.talkyard.net.

                                          If people get to choose their own blog comments hostnames, then, sometimes someone would include [parts of their real website hostname] in their blog comments hostname, without knowing that Chrome thinks it's suspicious.

                                        2. In reply to KajMagnus:
                                          Michael Lynch @michael
                                            2021-09-10 12:32:39.805Z

                                            Michael you can rename comments-for-... to something else, by going to /-/admin/settings/site, clicking Change address ... and then typing a new & "very different" name for the blog comments site (it should end in .talkyard.net so the wildcard cert will work).

                                            I don't seem to have that setting on my instance:

                                            1. Oh sorry, that's because some settings are hidden, to make the UI simpler for blog comment sites.

                                              But if you append this to the URL: #&showAll, then you'll see the Change address ... button.
                                              So the URL path is then: /-/admin/settings/site#&showAll

                                              (Or you can go to the Features tab, and tick the Enable discussion forum checkbox.)

                                              1. @michael & @chrscheuer, FYI seems Talkyard will use blog comment site addresses like site-11223344.talkyard.net now soon, for new sites, to work around this problem.

                                                For already existing sites:
                                                There'll be an admin notice, so blog comment admins find out about this, and how to change the address.
                                                And I'm thinking that I should send emails too, to blog comment admins, so they'll find out about this, also if they don't visit their site often and wouldn't see the admin notice.

                                                1. Michael Lynch @michael
                                                    2021-09-21 17:04:30.560Z

                                                    Thanks! I was considering adding a CNAME so that my URL is like comments.mydomain.com. Should I wait until after you make the change or does it not matter?

                                                    1. It's fine either way, and it's ok to do now. Personally I'm thinking comments.mydomain looks nicer in the login popup (in case anyone looks at the URL).

                                                      (B.t.w. now there's an admin notice for all comments sites with address comments-for ... .talkyard.net, which you should see if you visit the blog comments site as admin. But you can ignore that notice then, if you choose comments.mydomain instead. — Ping me once you've configured the CNAME so I can generate a HTTPS cert. (It's supposed to happen automatically but when trying out auto-HTTPS on Talkyard .io there was a problem, so auto HTTPS isn't at Ty .net yet.))