Community user policy

A wave of spam hit the community site tonight that forced me to close new registrations. I tried reopening after cleaning up the new spam but the deluge began again so I've left it closed. We'll be trying to figure this out and come up with better spam-fighting techniques ASAP.

My personal opinion (not as a core dev) is that the community site should not host accounts that represent companies, but rather only individuals (and profile pics would ideally not be company/org logos). I believe if we dig back through users we'll find hundreds/thousands of accounts that were created as ads for companies/services and never used to interact with the community. I think these are a waste of resources and should be ruthlessly deleted.

Besides the blatant spammy profiles I see a lot of accounts that seem borderline spam with similar characteristics (weird profile pic, username unrelated to display name, no activity). I think it's dangerous to leave spammy accounts around because of the potential of them later being used to flood more spam. I'm almost tempted to say if user accounts do not post anything and don't login for N months, we just delete them.

An argument made for allowing company accounts is that they're popular on FB/G+, but I fail to see why Elgg should be responsible for hosting an ad for, e.g., a payday loan company. It's just too difficult to tell the difference between an obviously spam company and a company that legitimately has some ties to Elgg in some way.

What does the community want?

  • E.g. dig around here and you'll see what I mean. I'd love to know how Gail and Ronaldy are using Elgg... I'm not against users mentioning their employer/orgs they're associated with, but I think the current state of the community would not inspire trust from real users/potential members. "Am I going to get spammed if I register here?"

  • We'll be trying to figure this out and come up with better spam-fighting techniques ASAP.

    I checked yesterday during the spam wave and no captcha was being used. Why not? I think the best option would be a text captcha with some simple questions like "What is the background color of this page's header section?".

    the community site should not host accounts that represent companies, but rather only individuals

    I agree

    I'm almost tempted to say if user accounts do not post anything and don't login for N months, we just delete them.

    Perhaps first send emails that warn about an expiring user account. If the user hasn't logged in after, e.g., three emails sent every second month, the account would be deleted automatically. Deleting inactive user accounts would also help get rid of plugins which haven't had a maintainer in a long time.

  • Perhaps first send emails that warn about an expiring user account. If the user hasn't logged in after, e.g., three emails sent every second month, the account would be deleted automatically. Deleting inactive user accounts would also help get rid of plugins which haven't had a maintainer in a long time.

    I agree with that. Maybe send those old plugins to a 'legacy' site?

    Such accounts with a brand name should be removed. I think if, for example, a web dev company wants to release plugins under their company name, there should be some sort of approval by the core team and a small 'Verified Account' banner added for such accounts.

  • I don't know if a captcha at registration would stop the spamming. But I always wondered if any anti-spam plugins available here in the plugin repo are used for the community site itself. Maybe the admins won't discuss this in public for safety reasons, but I think if they are not used yet it might help to install, for example, the spam-filter, spam-throttle and honeypot plugins. If they are already in use, has the spam-filter plugin been upgraded to the most recent version? I think it fixes the check with the Stop Forum Spam website (Matt should know more about it).

    I don't know if it would be fair to delete any accounts that seem unused. You could say that if someone adds a suspicious website on the profile page the intention is kind of spamming. But if someone does not post spam elsewhere it might not bother too much. If someone does not post at all, this alone does not seem valid proof that someone intends to spam:

    • is all content of the site public?
    • plugin authors could set the access level for their plugins to logged-in and
    • you don't know before registering an account if you see or not see more when you have an account. Some people might only register to find out if they see more content when logged in.

    If deleting an account that has not been used for a certain time (regardless of whether this person might have been active in the past), all discussion contributions of this person will be lost. So, the site will lose content that might still be valuable.

    Regarding old plugins: maybe at least a legacy section would be nice. Though this might only make sense when the native Elgg site search will be used again (if ever) instead of the Google search. Then it would be easier to avoid getting results for outdated Elgg versions. Additionally, while I'm rather doubtful regarding cleaning up the user accounts, it might be worth cleaning up the plugin repository at least. I've come across quite a few plugin pages that are missing the corresponding plugin to be downloadable. Maybe the developer removed the plugin, or there might be some issues with the site that affect only some older plugins.

  • I successfully use uservalidationbyemail and the spam login filter plugin, with only the email address checked (use SFS and not Fassim since it is far more accurate). Don't use the IP check, since that is silly with the dynamic IPs and proxies used around the world; you will get lots of false positives. I filter out 95% of all spam with it; for the rest I use spam throttle, where you can detect spammers based on behaviour, but still one or two come through daily :-(  I've noticed that they use the Elgg community mostly for bookmarking, so that can be a good trigger for spam throttle.

    Deleting inactive accounts will clean up of course, but is quite tricky. Plugins might be deleted from developers who left the site, and legit discussions or questions will be removed and you will get strange results (comments or answers on questions that have been removed in a thread).

    Company profiles are suspicious on Elgg since you are right, there is no use for them here. Anyway, it is important to pick up on it.

    One addition on patterns. Spammers hardly create good profiles; they use senseless combinations of letters or repeat content. Better input checks also greatly help.

    Captcha has not really been helpful to me, since it only stops the automated spammers, which are already easy to detect.
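Since the email-only StopForumSpam check comes up in this reply (and again below), here is an added example of what that decision logic looks like. It is not code from Elgg or from the spam login filter plugin. The JSON shape follows the public StopForumSpam API (api.stopforumspam.org/api?email=...&json); the responses in SAMPLE_RESPONSES are constructed, not real lookups, and the thresholds are assumptions. Only the email address is checked, on purpose: the IP match is skipped for the false-positive reason given above, and an upstream outage sends the registration to review rather than closing signups.

```python
"""Email-only StopForumSpam-style check for a registration form.

Added example, not Elgg community code. Response shape mirrors the public
StopForumSpam JSON API; sample responses below are constructed.
"""
from __future__ import annotations

import json
from typing import Callable, Dict

# Constructed sample responses keyed by normalized email address.
SAMPLE_RESPONSES: Dict[str, str] = {
    "listed@example.com": json.dumps({
        "success": 1,
        "email": {"value": "listed@example.com", "lastseen": "2013-10-02 11:20:09",
                  "frequency": 27, "appears": 1, "confidence": 92.3},
    }),
    "clean@example.com": json.dumps({
        "success": 1,
        "email": {"value": "clean@example.com", "frequency": 0, "appears": 0},
    }),
    # Simulates the upstream service being down (HTML error page, not JSON).
    "outage@example.com": "<html><body>502 Bad Gateway</body></html>",
}


def offline_lookup(email: str) -> str:
    """Stand-in for the HTTP call; returns the raw response body."""
    return SAMPLE_RESPONSES.get(
        email, json.dumps({"success": 1, "email": {"appears": 0, "frequency": 0}})
    )


def normalize_email(email: str) -> str:
    # Strip whitespace and lower-case so "Foo@Example.COM " matches the listing.
    return email.strip().lower()


def evaluate_registration(
    email: str,
    lookup: Callable[[str], str] = offline_lookup,
    min_confidence: float = 50.0,   # assumed thresholds, tune per site
    min_frequency: int = 3,
) -> dict:
    """Return {"decision": "allow" | "block" | "review", "reason": str}.

    "review" means the lookup failed or was inconclusive; the registration is
    queued for an admin rather than blocked, so an outage does not close signups.
    """
    addr = normalize_email(email)
    try:
        data = json.loads(lookup(addr))
    except ValueError:
        return {"decision": "review", "reason": "lookup returned non-JSON"}
    if data.get("success") != 1 or "email" not in data:
        return {"decision": "review", "reason": "lookup unsuccessful"}

    hit = data["email"]
    if not hit.get("appears"):
        return {"decision": "allow", "reason": "email not listed"}

    confidence = float(hit.get("confidence", 0.0))
    frequency = int(hit.get("frequency", 0))
    if confidence >= min_confidence or frequency >= min_frequency:
        return {"decision": "block",
                "reason": f"listed {frequency}x, confidence {confidence:.1f}"}
    # Listed, but rarely and with low confidence: let a human look.
    return {"decision": "review", "reason": f"low-confidence listing ({confidence:.1f})"}


if __name__ == "__main__":
    for e in ("Listed@Example.com", "clean@example.com", "outage@example.com"):
        print(e, evaluate_registration(e))
```

In a real deployment `lookup` would be the HTTP client and the "review" outcome would feed whatever moderation queue the site already has; the point of the injectable lookup is that the decision logic can be tested without hitting the service.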

  • There are pros and cons for most/all of the suggested methods. (One that wasn't mentioned is to use Cloudflare's bot repellents; however I dislike that due to their not being open-source and you are essentially handing the door keys to your community to a 3rd party who does not necessarily have any loyalty to you and is potentially open to corruption.)

    So far I have not had any complaints from running spam login filter with stopforumspam.com (not Fassim) active. I think that the use of that with spam-throttle on this community would be healthy, since that would inspire the evolution of those two plugins and that would help everyone who uses Elgg.

    Captchas can be useful yet can also be circumvented in a variety of ways. (N.B. adding a captcha to the password reset process would make brute force attacks more difficult.)

    The spam filter plugin has a metadata field now, so you could make use of that to prevent some types of profiles being created, but the ones that use almost random words would not be stopped that way (I think sometimes these accounts are created as tests to sense the anti-spam systems being used).

    Ultimately IP addresses can change, domain names can change, so tracking those is not the ultimate solution. I agree that Steve's idea of community policies may help. Ideally such policies would be automatable and would not require human interaction (e.g. admins authorising every new profile).

    You could extend the anti-spam plugins by creating a community widget that allows the community to vote on profiles that are identified as possibly being spam (only to direct admins to them, not to auto-delete them).

    As for the user policy specifics: expiring the user accounts and sending notifications would be a helpful approach for my site too; that way the site is trimmed and spring cleaned too. (Though you are left with the issue of what to do with the content that was created by those profiles: if they are deleted then comments will go missing from threads, and if they are not deleted then some who you delete would want to re-join and reclaim them.) So maybe just deactivating the account is appropriate, and requiring a re-activation to involve the full signup security process that is active at the time.

  • @Steve Clay, deleting user accounts after N months is not a good idea! Sometimes, due to many personal problems, we can't use the internet.

    I hope you understand what i mean.

    Regards
    Liang Lee
    Ubuntu

  • I would also be wary of deleting inactive users as those are, perhaps by definition, not the ones that are likely to be producing spam, though I accept that there may occasionally be 'sleepers'. Deactivation is a possible option that would not remove any content they have posted but would reduce clogging, as long as it is not made too difficult to reactivate them if needed.

    We don't allow self-registration on our site but we do allow anonymous commenting using Matt's speak_freely and moderated_comments plugins. When (despite no spam ever being made visible thanks to moderation) spammers started annoyingly making the moderation effort excessive, I found that a simple call to stopForumSpam got rid of over 99% of the problem, now down to about one a month rather than a dozen or more a day on my posts alone.

    Jon
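The expiry schedule proposed earlier (after N idle months, a warning email every second month, action after three unanswered warnings) and the deactivate-rather-than-delete variant argued for in the last few replies can be written down as one small policy. The following is an added example, not Elgg community code: N (IDLE_MONTHS) is an assumed value, the accounts are constructed sample data, and "deactivate" here means disabling login while leaving the user's discussions and plugins in place. Reactivation is only granted once the caller reports that the current signup checks (captcha, SFS lookup, whatever is active at the time) have passed.

```python
"""Inactive-account expiry: warn on a schedule, then deactivate, never delete.

Added example, not Elgg community code. IDLE_MONTHS is an assumed value for the
thread's "N months"; the sample accounts are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from typing import List

IDLE_MONTHS = 6            # assumed value for "N months" of inactivity
WARN_INTERVAL_MONTHS = 2   # "every second month"
MAX_WARNINGS = 3           # "three emails"


@dataclass
class Account:
    username: str
    last_login: date
    warnings_sent: List[date] = field(default_factory=list)
    deactivated: bool = False


def months_between(earlier: date, later: date) -> int:
    """Whole months from `earlier` to `later` (0 if later is not after earlier)."""
    months = (later.year - earlier.year) * 12 + (later.month - earlier.month)
    if later.day < earlier.day:
        months -= 1
    return max(months, 0)


def next_action(acct: Account, today: date) -> str:
    """Return 'none', 'warn' or 'deactivate' for this account on `today`."""
    if acct.deactivated:
        return "none"
    if months_between(acct.last_login, today) < IDLE_MONTHS:
        return "none"
    # A login after a warning resets the count: only warnings newer than the
    # last login are held against the account.
    pending = [w for w in acct.warnings_sent if w > acct.last_login]
    if not pending:
        return "warn"
    if months_between(pending[-1], today) < WARN_INTERVAL_MONTHS:
        return "none"                      # wait out the interval
    if len(pending) >= MAX_WARNINGS:
        return "deactivate"                # three warnings, still no login
    return "warn"


def apply_action(acct: Account, today: date) -> str:
    action = next_action(acct, today)
    if action == "warn":
        acct.warnings_sent.append(today)   # the real job sends the email here
    elif action == "deactivate":
        acct.deactivated = True            # content stays, login is disabled
    return action


def reactivate(acct: Account, passed_signup_checks: bool, today: date) -> bool:
    """Re-enable only after the current signup defences have been passed."""
    if not acct.deactivated or not passed_signup_checks:
        return False
    acct.deactivated = False
    acct.last_login = today
    acct.warnings_sent.clear()
    return True


def simulate(acct: Account, months: int, start: date) -> List[str]:
    """Run the monthly job on the 1st of each month and return the actions taken."""
    actions = []
    for i in range(months):
        y, m = divmod(start.month - 1 + i, 12)
        actions.append(apply_action(acct, date(start.year + y, m + 1, 1)))
    return actions


def example_run() -> dict:
    """Constructed walk-through: one account idles for 14 months, one logs in."""
    idle = Account("user_a", last_login=date(2013, 1, 1))
    actions = simulate(idle, 14, date(2013, 2, 1))
    refused = reactivate(idle, passed_signup_checks=False, today=date(2014, 4, 1))
    restored = reactivate(idle, passed_signup_checks=True, today=date(2014, 4, 1))
    # user_b was warned in July, then logged in during August: count resets.
    active = Account("user_b", last_login=date(2013, 1, 1), warnings_sent=[date(2013, 7, 1)])
    active.last_login = date(2013, 8, 1)
    return {"actions": actions, "refused": refused, "restored": restored,
            "still_deactivated": idle.deactivated,
            "after_login": next_action(active, date(2014, 2, 1))}


if __name__ == "__main__":
    print(example_run())
```

Deactivation rather than deletion keeps the thread history intact and avoids the orphaned-comment problem described above, and forcing re-activation through the live signup checks is what stops a dormant "sleeper" account from being a cheaper route back in than a fresh registration.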

  • How about restricting the creation of new threads to new users to only 3 per day for 2 weeks?

    Rodolfo Hernandez

    Arvixe/Elgg Community Liaison
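The "3 new threads per day for the first 2 weeks" limit above is simple enough to show in full. The following is an added example, not Elgg community code or a plugin on this site: it keeps a rolling 24-hour window per user and content type, so the same limiter can be pointed at bookmarks (the content type an earlier reply says spammers favour here) as well as discussion threads. The numbers are parameters and the posting timeline in example_run is constructed.

```python
"""Per-user posting limit for new accounts: 3 per rolling day for 14 days.

Added example, not Elgg community code. Limits are parameters; the event
timeline in example_run() is constructed sample data.
"""
from __future__ import annotations

from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

NEW_USER_PERIOD = timedelta(days=14)   # "for 2 weeks"
WINDOW = timedelta(hours=24)           # "per day", measured as a rolling window
MAX_PER_WINDOW = 3                     # "only 3"


class NewUserThrottle:
    def __init__(self, max_per_window: int = MAX_PER_WINDOW,
                 window: timedelta = WINDOW,
                 new_user_period: timedelta = NEW_USER_PERIOD) -> None:
        self.max_per_window = max_per_window
        self.window = window
        self.new_user_period = new_user_period
        # (username, content_type) -> timestamps of accepted posts, oldest first
        self._events: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)

    def _prune(self, key: Tuple[str, str], now: datetime) -> Deque[datetime]:
        q = self._events[key]
        while q and now - q[0] >= self.window:
            q.popleft()                # drop posts that left the window
        return q

    def check(self, username: str, registered_at: datetime, now: datetime,
              content_type: str = "thread") -> Tuple[bool, str]:
        """Return (allowed, reason) without recording anything."""
        if now - registered_at >= self.new_user_period:
            return True, "established account, not throttled"
        q = self._prune((username, content_type), now)
        if len(q) >= self.max_per_window:
            retry = q[0] + self.window
            return False, (f"{content_type} limit {self.max_per_window} per "
                           f"{self.window} reached; retry after {retry:%Y-%m-%d %H:%M}")
        return True, f"{len(q) + 1}/{self.max_per_window} {content_type}s in window"

    def try_post(self, username: str, registered_at: datetime, now: datetime,
                 content_type: str = "thread") -> Tuple[bool, str]:
        """Check, and record the post if it was allowed for a new account."""
        allowed, reason = self.check(username, registered_at, now, content_type)
        if allowed and now - registered_at < self.new_user_period:
            self._events[(username, content_type)].append(now)
        return allowed, reason


def example_run() -> List[bool]:
    """Constructed timeline for one account registered 2013-10-01 09:00."""
    t = NewUserThrottle()
    reg = datetime(2013, 10, 1, 9, 0)
    attempts = [
        (datetime(2013, 10, 1, 10, 0), "thread"),    # 1/3
        (datetime(2013, 10, 1, 11, 0), "thread"),    # 2/3
        (datetime(2013, 10, 1, 12, 0), "thread"),    # 3/3
        (datetime(2013, 10, 1, 13, 0), "thread"),    # denied
        (datetime(2013, 10, 1, 13, 0), "bookmark"),  # separate budget, allowed
        (datetime(2013, 10, 2, 10, 0), "thread"),    # first post aged out, allowed
        (datetime(2013, 10, 16, 9, 0), "thread"),    # 15 days old, no longer throttled
    ]
    return [t.try_post("newbie", reg, when, kind)[0] for when, kind in attempts]


if __name__ == "__main__":
    print(example_run())
```

A rolling window is used instead of a calendar day so that a spammer cannot post three items at 23:59 and three more at 00:01; in a deployment the deque would be replaced by whatever the site already uses for per-user counters.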

  • Use the "Report This" functionality so community members can report bad users or content; you can then review the content.

    Or adjust it so that if some trusted users report the users/content, it will be automatically deleted. That way, it has a self-cleaning mechanism.

Feedback and Planning

Discussions about the past, present, and future of Elgg and this community site.