Thx, but I am sure, I was not alone. Especially since I was late.
All the existing flags helped to remove the posts and the users quickly.
So thx to all users that started to flag the posts.
IMO completely stopping new user accounts temporarily may have helped too.
It seems every IP address created 3 new accounts and started to spam posts.
3 accounts with one IP is a limit in the Discourse settings.
So this attack was driven from bots, with the API.
If admins flag a post, there is a possibility in the UI to remove all users and posts from the same IP at once.
So every action seems to remove and block 3 users.
While removing flagged posts, I did get some server errors. This usually means that someone else had already removed the post.
Some posts were automatically “hidden” by the “system” bot, which can detect bots.
Currently a new IP can only create 1 new user. The problem here is that this may prevent users that have the same IP. E.g.: 2 different users in 1 household, or users from the same company.
We should probably increase that limit again in the future.
So I wasn’t sure what the right approach was, flagging as spam or making the spam posts unlisted. I went for the latter as it seemed the fastest way to clean up the site for visitors, and marked a few dozen posts as unlisted. Did we catch those in the deletion and clean up?
Yes. Admins and moderators can see hidden posts in their overview list.
I did flag them and got a dialogue to delete the user. The dialogue said that it can delete 3 users + their posts, with one action.
I think / hope we did not delete existing valid users, since the system can only delete users, that have no other existing posts. So removing a single flagged post can also delete the post + the spammer.
The moderator options are … weird. It doesn’t explain that when you delete the user the messages will also be deleted. I try to check that the user is brand new (they usually are).
It’s strange that a system that is so opinionated doesn’t think there is a problem with a brand new user posting a long message jam-packed with phone numbers. Phone numbers seem to be the new URL. I always wonder who would respond to this sort of advertising.
Is it possible to set a requirement of not being able to make a post unless you’ve been a member for a certain period of time without the assistance of an admin?
That could help mitigate it. I think Reddit has a similar function of preventing new posts to a subreddit unless you have a certain amount of karma.
Thank you, everyone for your vigilance! By the time I first looked, ~11:30 UTC, there was no sign of the problem except that the overview page told me there were 30+ new topics, which were gone by the time I visited the New page.
So great job turning back the attack. Maybe next time it will happen during my waking hour, and I can be one of the ones working on it. But here’s to it not happening at all!
I saw well over 100 SPAM messages as I happened to be here as it happened. @pmario and others did a great job removing those posts so quickly that few knew how extreme the alien post numbers were.
The biggest problem of this strategy is that it discourages new users from becoming regular members. New users often come looking for [quick] help and restrictions like these, even if they are justified technically, still look like bureaucratic measures to them. So they may never return. Which means the spammers have succeeded in disrupting the service.
Most emojis have no effect at all. They are pure cosmetics, except the “heart”, which counts as a like.
There are several thresholds for “trust levels”. One of them is likes, which are very low. E.g.: one threshold for TL3 is 20 likes received and 30 likes given.
Every user can flag a post that can hide posts and silence spammers. Moderators and admins are informed and they can then decide what to do on a per post / per user basis.
That’s exactly right. That’s why the default was to allow new users to sign up and post. – New users have TL0 trust level 0, which already has many restrictions.
At the moment new accounts have to be approved by “staff” but I intend to change that “back to normal” soon.
There are 3 possibilities.
Creating an account will need staff approval - active at the moment
Creating account is open, but every post must be approved – Very labour intensive for staff
There is also the “Flag” button at the bottom of the thread - I assume it flags the whole topic rather than a single post (amounts to the same thing with a single post spam). It’s a bigger target and not hidden behind the extra click of the ... so much faster and easier to use (still took me half a dozen flagging of spam before I realised it myself!)
Is there a user trust level that allows posting to be pre-approved but no other privs granted? If so, that could make a reasonable middle between where we are now and where we were before. Anyone could make an account and post (though with the aforementioned delay depending on mod availability), and mods either approve their first post and elevate their privs, or deny as spam.