Spam
Steve Pampling (1551) 8172 posts |
+1
+1 |
Chris Evans (457) 1614 posts |
I’ve just spoken to a Forum moderator who is on the case. Re helpful remarks to try and stop this sort of thing happening again. I think the problem is that the only person with suitable access to change things hasn’t the time:-( I also suspect that there isn’t a simple ‘set new users to a maximum of x per day’ option or similar, otherwise it would have been done previously. |
Dave Higton (1515) 3534 posts |
This bot is posting faster than I can delete. |
Steve Pampling (1551) 8172 posts |
Can you kill the account for user ID 3122 ? |
Dave Higton (1515) 3534 posts |
I did that some minutes ago. The snag is that the user remains logged in and therefore able to post. |
Chris Evans (457) 1614 posts |
If you can’t log a specific user off could you log everyone off? |
Raik (463) 2061 posts |
Can you see and lock/block IPs? |
Dave Higton (1515) 3534 posts |
I’m not a proper sysadmin for this site – I only have limited extra powers over ordinary users. In this case we need a proper sysadmin to intervene. Anyone have contact details for one? |
Chris Evans (457) 1614 posts |
I’ve just emailed Andrew, Steve and Ben. |
Ben Avison (25) 445 posts |
I just brought the whole site down and back up, hope that helps… |
Steve Pampling (1551) 8172 posts |
Worked for the kick off, just a couple of thousand posts to delete… |
Dave Higton (1515) 3534 posts |
I’ve deleted about 40% of them so far. |
Steve Pampling (1551) 8172 posts |
I’ve seen the thread count dropping. No bulk delete method? |
Dave Higton (1515) 3534 posts |
Not that is available to me. |
Dave Higton (1515) 3534 posts |
All gone now. |
Jeffrey Lee (213) 6048 posts |
Thanks Dave! I think you’ve earned yourself a break. |
Steve Pampling (1551) 8172 posts |
A break? Major understatement.
Community Support 2274 topics, 11747 posts during Dave’s kill session
Community Support 869 topics, 10342 posts
That’s at least 1400 spam posts Dave did manually. That’s lots of work |
John Williams (567) 768 posts |
Thanks again Dave! What he (or other volunteer admins) needs seems to be:
1. A way of stopping all posts temporarily – or logging everyone out temporarily.
2. A way of deleting all posts by a recalcitrant user in a single action (with an undo in case of finger trouble!).
3. And, of course, and which I imagine is already available, the power to cancel a user’s account.
Also useful would be an automatic limit on the number of posts a specific user can make in a 24 hour period. I suspect that we might arrive at a consensus over this – say 10? Please discuss! |
Steve Pampling (1551) 8172 posts |
Too high. I’m on the chatty[1] side and even with today’s stream of, er, content this is the 21st. For a brand new user I’d say 5 or less.
[1] Not my first thought on the correct word, but it will do |
Andrew Hodgkinson (6) 465 posts |
The problem is that I’m in the New Zealand timezone so when I get an e-mail at midnight about a spam emergency I’m unfortunately asleep. I’ll read through the forum and see if there are any light-touch mods that could be done to (at least on the forum) limit the damage to someone that manages to work around Google’s captcha, but if we block the forum they’ll just move to e.g. the Wiki or Tracker. It’s quite easy to database-wipe things on the forum side, but really tricky to do that for the Wiki and fiddly on the Tracker. The most obvious glaring fault with the Hub SSO mechanism right now is that deleting the user doesn’t invalidate their signin cookies across the independent other applications. I’m not sure how they could achieve it but I’ll be looking back into that as it really ought to happen. |
Dave Higton (1515) 3534 posts |
Steve:
After Ben brought the site down/up, there were just over 1900 topics/posts IIRC, plus I must have deleted over 100 first thing when I realised I was losing the race. So I reckon over 2000. I could manage almost 20 deletes per minute peak, but I couldn’t keep it up for long – I had to take breaks.
John:
That would be the simplest way to limit damage. The sysadmins might like to consider whether I could have that privilege. Now I’m retired, I am usually the least busy and most available person with higher powers than ordinary users. If I had been able to do that when I first logged in and deleted the account, there would only have been about half the damage. I say simplest, but maybe not; see Andrew’s comments.
That would be so much less work than deleting each one manually. I believe the undo comes in the form of restoring from a database backup. I would value a confirmation stage. (There isn’t one when deleting a user’s account.)
I do have that, and it’s the first thing I use in this sort of case, but deleting the account doesn’t log the user out; he/she/it is still able to post until logged out. |
Rick Murray (539) 13850 posts |
Yes.
That ought to be the #1 priority because that’s just insane. It implies that there is a potentially large hole whereby a “session ID” of some sort is what gives the ability to post, apparently with no further checks once this session ID has been given. The fix could in fact be pretty simple. Somewhere in the code (I don’t grok Ruby), there will be the bit that posts the message. Maybe it can be made to look up the user ID and abort doing that if the ID is no longer valid? |
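An added illustration, not part of any post in this thread and not the site's own code: a Ruby sketch of the check suggested above, where the post handler looks the account up on every request instead of trusting a signed sign-in cookie, combined with the daily cap for new accounts discussed earlier in the thread. The cookie format, the in-memory user table, the secret and the one-week "new account" window are assumptions made for the example; the limit of 5 is the figure proposed in the thread.

```ruby
require "openssl"

SECRET = "demo-secret-not-for-production" # constructed value
NEW_USER_DAILY_LIMIT = 5                  # figure proposed in the thread
DAY = 86_400
NEW_USER_AGE = 7 * DAY                    # assumption: "new" = under a week old

# Hypothetical cookie format: "<user id>--<HMAC of the id>".
def sign(user_id)
  mac = OpenSSL::HMAC.hexdigest("SHA256", SECRET, user_id.to_s)
  "#{user_id}--#{mac}"
end

# Returns the user id if the signature verifies, otherwise nil.
def cookie_user_id(cookie)
  id, mac = cookie.to_s.split("--", 2)
  return nil unless id && mac
  expected = OpenSSL::HMAC.hexdigest("SHA256", SECRET, id)
  return nil unless mac.bytesize == expected.bytesize
  # Constant-time comparison of the two MACs.
  diff = mac.bytes.zip(expected.bytes).reduce(0) { |acc, (a, b)| acc | (a ^ b) }
  diff.zero? ? id.to_i : nil
end

# Before: a valid signature alone authorises the post, so a cookie issued
# before the account was deleted keeps working.
def post_trusting_cookie(cookie)
  cookie_user_id(cookie) ? :posted : :rejected
end

# After: the account is looked up on every post (users is a Hash standing in
# for the shared user table; times are epoch seconds).
def post_checked(users, cookie, now)
  id = cookie_user_id(cookie)
  return :rejected unless id
  user = users[id]
  return :rejected_deleted unless user
  recent = user[:posts].count { |t| now - t < DAY }
  is_new = now - user[:created_at] < NEW_USER_AGE
  return :rate_limited if is_new && recent >= NEW_USER_DAILY_LIMIT
  user[:posts] << now
  :posted
end

def demo
  users = { 9001 => { created_at: 0, posts: [] } } # constructed account
  cookie = sign(9001)
  first = post_checked(users, cookie, 100)
  users.delete(9001)                               # moderator deletes the account
  [first, post_trusting_cookie(cookie), post_checked(users, cookie, 200)]
end
p demo if __FILE__ == $PROGRAM_NAME
```

Each application that accepts the shared cookie would need the same lookup against the common user table for a deletion to take effect everywhere.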
Steve Pampling (1551) 8172 posts |
I suspect it’s a security cookie. Certainly something weird where I can hibernate the laptop and come back hours later and the accidentally active login session still works. |
Colin Ferris (399) 1818 posts |
Quite what was the point of this – did anyone find out what the msg was? Was it just to annoy! |
Steve Pampling (1551) 8172 posts |
That the perpetrator was a tw**? |