Hi,
I would like to open a general ticket for user accounts that have been deleted in Discourse (discussion.fedoraproject.org) by moderators because of spam, AI or other such violations that make a deletion of the account necessary: these user accounts need to be deleted in FAS as well.
We currently discuss how to decrease the overhead for moderators in the process of such deletions: As a first step, I would open this as a general ticket for reporting accounts that a mod has already deleted in discourse, so that you can then delete them in FAS as well. A post here saves a lot of time compared to opening a new ticket each time - I assume this is fine for the infra team as well?
Also, I would like to ask if you are fine with reporting users by email to admin@fedoraproject.org rather than by a ticket here? This would be comparably easy to a shared ticket like this one. I would like to ask if you have a preference about that (maybe also with the possibility in mind that some of this process can be automated at some time).
DELETED rory586 REASON spam
We already have one ticket like this created by @mattdm, but I'm OK with this to make it official. Just don't forget to reopen the ticket each time, so we notice it.
The e-mail is OK as we can search the user by e-mail as well.
Metadata Update from @zlopez: - Issue priority set to: Waiting on Assignee (was: Needs Review) - Issue tagged with: low-gain, low-trouble, ops
The user is now disabled in FAS
Metadata Update from @zlopez: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)
If you delete the user.. then what happens when someone else creates a new rory586 account? Would they get seen as a spammer even if they aren't. There are a lot of rory586 out there from people whose initial account was named that.
rory586
In the past we just disabled accounts because of this.
Sorry, my comment was unclear. I meant if it makes a difference for you if we report by a ticket/post here or by writing an email to you to admin@fedoraproject.org. So not report the user by their email address, but report their username through an email from the moderator to you.
Metadata Update from @py0xc3: - Issue status updated to: Open (was: Closed)
then what happens when someone else creates a new rory586 account?
The goal is to block the email address and potentially their IP permanently. I guess this is the highest we can do to force spammers/attackers to invest as much efforts as possible before repeating their actions. The user account name itself is not really the problem in such cases, not sure if it makes sense to block the account name. There are many other potential account names they can use anyway ;) At the same time, an abused account name can still be a name that someone else might use for appropriate reasons later. Otherwise spammers / attackers could achieve a denial of service of user names as they can intentionally achieve that useful usernames are blocked. If someone else later uses the account name with a different email address, I see no reason to generally not allow it.
I am not 100% sure how it works in discourse, but based on the messages I get from the Discourse system, the username remains allowed but the IP and the email address get blocked.
All of the spam-waves I have dealt with since 2016 rarely come from the same IP address longer than 10 minutes. These days they rent fleets of 'compromised' systems (aka someone installed a dodgy VPN software not realizing they are now also an endpoint for that VPN) to do work. They also pay one set of people to open up accounts in various systems which may be either inactive or 'valid-looking' for weeks before being turned into a spam account. The teams use scripts which will take common user names, and use email addresses from various 'One-Minute-Email' services and other free Email systems to get past any initial requirements for a unique email.
At one point it was easier to track because user foobar100 would be linked to email fizban101@gmail.com and foobar101 would be linked with fizban102 etc. However they dropped that when various email providers started looking for such patterns and blocking. Instead they moved to various 'privacy' email services which give 'ten-minute-email-accounts' and such with a thousand or more domains making it hard to 'block' all of them.
Sorry for not having an easy solution to this.
There is none. But all we can do is blocking address and email. This at least creates a little effort the undesired party has to do, and this disables accounts, which otherwise keep spamming. It is not a satisfactory mitigation, and of course new spam accounts come up, but it is at least a type of mitigation: accounts that start to spam keep doing it, and once we deleted them, we have a pause (and they to conduct the effort).
There is not much more we can do, but ignoring these accounts and allowing them to proceed is hardly an alternative. So let's keep on-topic ;)
The e-mail is OK as we can search the user by e-mail as well. Sorry, my comment was unclear. I meant if it makes a difference for you if we report by a ticket/post here or by writing an email to you to admin@fedoraproject.org. So not report the user by their email address, but report their username through an email from the moderator to you.
The ticket is always better.
Yes, tickets are much better than emails. We could just re-use one ticket for this as long as it's open when it needs actions.
Note that we don't delete these users. We disable them. They can then never be able to login or interact with their account, but the account is still there and the email address is still associated with it, so no one could make a new account with the same name (because the disabled one is still there). Also no one could just make a new account with the same email (because the email is still associated with the disabled account), so they would have to use a all new account name and all new email address.
I'll start using this ticket from now on, too.
FWIW, this current attack seems to all use a particular email provider, and the generated email addresses tend to follow a pattern. Plus, they're all from the same region of the same country. Maybe we can do something at the FAS level to make things more difficult for them?
We can reject/forbid new accounts using a particular email domain. If this domain is something that isn't super big/popular thats an option.
It is, unfortunately, outlook.com.
Anyway, here's a new one, not part of that group. Good old fashioned link spam for a change.
spotsurv
Disabled.
Metadata Update from @kevin: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)
Another one, also a spam user: sandipmetiermedia
Another spammer: davidsmith012
Sorry, just a question. In order to request a user suspension we are supposed to use this thread instead of filing a ticket for each request?
In order to request a user suspension we are supposed to use this thread instead of filing a ticket for each request?
Yes. The idea is to save time because you now just need one post, but ensure that you do not just click "comment" but "Comment & reopen" (unless it is already open) to ensure people get a message and see that something new came up: the ticket will be re-closed once all current cases have been processed, so that we can then re-open it once new cases came up.
This thread also gives us some overview of the current situation.
Another spam account: veloba1340
User disabled.
New spam user: robertsmith88
New spam user: rilake
Yes. The idea is to save time because you now just need one post, but ensure that you do not just click "comment" but "Comment & reopen"
Mh. @py0xc3 is it possible that only the user that opened the ticket can reopen it in case it was closed? Because I can only "comment" here, I haven't the option to reopen the ticket.
<img alt="Screenshot_from_2024-08-23_08-34-34.png" src="/fedora-infrastructure/issue/raw/files/820fade3fc5e582a5163d96283e09cf8db8c284dcadd8e443ee105dd0f7c0815-Screenshot_from_2024-08-23_08-34-34.png" />
Yeah, it seems that only repo owner/developer/admin and those who opened the ticket are able to re-open this. I now reopened it.
Question to the repo owners: can this issue be somehow mitigated? So that all moderators of Discourse can re-open this ticket?
I don't think so. I think the easiest way would be for a new ticket each time (or at least each person have a ticket that they reopen if there is a new spammer)
On Fri, Aug 23, 2024 at 1:12=E2=80=AFPM XXXXXX <pagure@pagure.io=
wrote: py0xc3 added a new comment to an issue you are following: `` Yeah, it seems that only repo owner/developer/admin and those who opened the ticket are able to re-open this. I now reopened it. Question to the repo owners: can this issue be somehow mitigated? So that all moderators of Discourse can re-open this ticket? `` To reply, visit the link below or just reply to this email https://pagure.io/fedora-infrastructure/issue/12091
wrote:
py0xc3 added a new comment to an issue you are following: `` Yeah, it seems that only repo owner/developer/admin and those who opened the ticket are able to re-open this. I now reopened it.
Question to the repo owners: can this issue be somehow mitigated? So that all moderators of Discourse can re-open this ticket? ``
To reply, visit the link below or just reply to this email https://pagure.io/fedora-infrastructure/issue/12091
Just FYI, I get every comment here. If you are 'watching' this project you get all the comments from the tickets (permissions permitting) if they are open or not.
So, while it makes sense workflow wise to re-open a ticket to indicate it has something pending, it's not fully needed.
I usually handle these pretty fast, but today is a Red Hat recharge day and I have been trying to clean up our auth cluster outage.
User rilake disabled.
Thanks Kevin. Nothing of that is urgent, so no need to explain. We just expected that the ticket is hidden to you until it is reopened, I interpreted zlopez initial post that way.
However, in that case, I guess it makes sense to stick with this ticket and just post new users, and if not possible to reopen, discourse mods can just leave it closed.
Aaaaaaaaaaaand we have another spam candidate :)
Disable as332
See also https://pagure.io/fedora-infrastructure/issue/12154 about discourse user "justinacolmena"
Thanks for making aware :)
A new spam user. Please disable: axnoy308
@nb Can you please remove my full name from your post of 2 months ago? It is contained in a line you cited from an email, the line begins with "On Fri, Aug 23, 2024"
@py0xc3 I replaced the name in the post with XXXXX
XXXXX
Thanks & thanks :)
Another spammer on Discussion: chankopit23
chankopit23
Please suspend johneric001 on FAS They spammed on discussion.f.o.
johneric001
Also sam420 and jonnybaba009
sam420
jonnybaba009
All of them are now disabled. Could you next time re-open the ticket as well? It's easier to catch it when it's open.
Please disable the following users:
nisuara575 sarkaar54 mjrou421 rojiara06
They spammed in Discourse. All four are the same person/organization: three have the same IP (and posted more or less the same content with only minor differences), while rojiara06 has a different IP but posted the same spam content like the others.
Could you next time re-open the ticket as well? It's easier to catch it when it's open.
At the moment, pagure seems to be configured to only allow the creator of the ticket to open it again. Others can only post. There is a discussion about it above, I interpreted Kevin's comment that we should keep doing it that way. An alternative would be that every Discourse moderator creates their own ticket and then always re-open their own ticket when new users come up, not sure if your team would prefer that?
Creating a separated ticket for each spammer takes more time and then it takes about as much time to disable an account in both systems than it takes for a spammer to create a new one, a little like giving them the possibility to cause a denial of (moderation) service :) That's why we would like to avoid an approach with "one ticket one case". But one ticket per mod should be no problem, I assume that might be a good compromise that achieves your preference?
Oh, I must have missed the comments or forgot about them. In that case let us continue as before.
All of the spammers are now disabled.
Thanks :)
Feel free to let us know if you prefer another approach than the current one, we just assumed this one is your preference too, but we are open for alternatives, just in case :)
I'm still getting the e-mails so I'm OK with that.
Another spammer: please delete "sawerd"
Disabled :-)
We have another spammer: please disable "emmoinco"
Done
Threatening spam posts. Please disable "profmufirwa"
New spam user. Please disable: nipenag
Spammer on discussion.f.o. happyu
happyu
Please disable another spammer: mosko
Both disabled.
Another one please: nadir2123
nadir2123
Disabled
Hello,
Another one: ikerimahoccult
ikerimahoccult
User is now disable
One more: chubpa
chubpa
User is now disabled in FAS
Thanks, looks like spam is on the rist a bit. A new cryptospammer turned up today: ryankingsley
ryankingsley
Please disable qorkey2519
qorkey2519
That account floods Discourse with many AI posts and topics
User is now disabled in the FAS
Please disable williamleo09 (spam)
williamleo09
Please disable anilkuma (spam)
anilkuma
Please disable kitten1111 -> they are spamming the forum with copy/paste "How Are You My Friend" posts without relation to the content
kitten1111
Another spammer: please disable aaronhiggins
aaronhiggins
Please disable cstripcom -> spammer
cstripcom
Please disable charlessmith1 and davidparker.
charlessmith1
davidparker
Both accounts have the same IP and both accounts were created roughly at the same time: davidparker opened a spam topic to promote their company and products (not related to Fedora at all), and the other account (obviously the same person) then bumped the topic by thanking and tried to start a conversation about the topic.
Both of them are now disabled
We have some accounts that spread AI-generated topics among categories (some share the same text, some the IP): please disable everlynderives, ameliabenjamin, rosaturner034, hazelemerson.
everlynderives
ameliabenjamin
rosaturner034
hazelemerson
Please also disable henrybrok as they spread spam.
henrybrok
All of the users were disabled in FAS
Please disable quickinfo -> AI
quickinfo
Please disable codewithmoss -> AI
codewithmoss
Both of them are now disabled.
Please disable spam account: chudmarani141314
chudmarani141314
Account is now disabled.
We have a spam wave. Please disable spam accounts: elkerbo1 sepatubot1 jikhooko280 momo28277
Metadata Update from @kevin: - Issue assigned to kevin
Disabled those.
Metadata Update from @kevin: - Issue close_status updated to: Fixed with Explanation - Issue status updated to: Closed (was: Open)
Another spammer. Please disable: senot1282
A mix of spam/trolling/spread of false information. Please disable: verolomstvo
User is now disabled.
The user created a new account, so I also blocked their IP in Discourse (hopefully that gives us at least some time and increases the entry barrier a little), but I am not sure if that makes a difference if they sign up for another FAS account given that we do not use a Discourse-based login. Please disable artsiomryzhanki -> same as verolomstvo
artsiomryzhanki
Please disable kr40a1994q343 -> spammer
kr40a1994q343
Sorry for the delay. Disabled.
New spammer. Please disable: proxl696 pertama25 moris99
proxl696
pertama25
moris99
All spammers are now disabled.
Metadata Update from @zlopez: - Issue close_status updated to: Fixed with Explanation - Issue status updated to: Closed (was: Open)
Another spammer. Please disable ashuur
ashuur
Another spammer: ayzell
ayzell
Please disable: weldon systemno karlsruhe
weldon
systemno
karlsruhe
It is the same user who registered multiple times in order to confuse, offend and disrupt. We could link them through their IPs and their behaviors/pattern as well.
Please disable: weldon systemno karlsruhe It is the same user who registered multiple times in order to confuse, offend and disrupt. We could link them through their IPs and their behaviors/pattern as well.
They already created their next account. Please also disable kynlea
kynlea
Next one, all same behavior/pattern and from Switzerland: sheengreen
sheengreen
They created another account. Please also disable: malka
malka
Someone decided to be a troublemaker on discussion.f.o. Please disable: lakeesha54 newborn90 mandy
lakeesha54
newborn90
mandy
All of the above accounts are now disabled in FAS.
Please disable payok1802 it is spamming on discourse.f.o.
payok1802
Account disabled.
Please delete spammer: jacks004
jacks004
Please disable jhonyjojon They spammed us on discussion.f.o.
jhonyjojon
Please disable samlsen (spammer)
samlsen
Please disable abdullah85 they spammed us on discussion.f.o. with inappropriate pics
abdullah85
Please disable andriyanto98 They spammed us on discussion.f.o.
andriyanto98
Another spammer. Please disable mohdmuchis
mohdmuchis
User is now disabled in FAS.
Please disable anchormpl. Interesting new case of breaking our rules: They created an account on Discourse without using it to communicate with the community, but they only set up their account profile like a marketing page that lures into their product and forwards to their representative and website (the username is the company name). We assume that is for SEO reasons. I asked them to elaborate their intentions just to give them the chance to elaborate but didn't get a response after >2 days. In the end, clearly spam. The origin of the account creation also indicates spam anyway, and they have not shown any activity except setting up their marketing page (including no reading etc).
anchormpl
Please also disable drakeshawn -> very same IP address, and the very same type of profile, but for another type of company.
drakeshawn
Please disable michaellusa2 They spammed us on discussion.f.o.
michaellusa2
Please disable spammer: sana3995 q9w0kiqomh
Interesting: if a user has been deleted in Discourse, it seems they can just login with the same credentials again, and re-use their FAS login to re-create their Discourse account -> I did delete sana3995 already in Discourse but without blocking their IP, but now they are active again. So it seems indeed that deleting users in Discourse before they are disabled in FAS does not add any value except if it goes along with deleting their IP. Somehow I expected the username remains blocked in Discourse so that the FAS account can no longer be used at least in Discourse, but of course the settings just say they delete the account, so it indeed makes sense that the FAS account can be used to re-create the Discourse account without further efforts. Just to have the behavior documented / fyi.
sana3995
I suspended them forever (don't like to ban IP when it can be avoided) in order to avoid them causing disruptions until they are disabled.
These users have been disabled.
Another spammer. Please disable fsdfsdfsdfdsd
fsdfsdfsdfdsd
Another spammer, reminds on the last 2 or 3, maybe they belong together: barby2254
barby2254
Please disable elitecaregiversunited (the same case as anchormpl)
elitecaregiversunited
user disabled.
Please disable rajawali, spammed discussion.fp.o. Deleted and blocked there.
rajawali
Be careful with blocking in discourse, as that always blacklists the IP. If we do this regularly, the chances increase that users who are not related to a spam case at some point just accidentally end up with a blocked IP (some of our infra just had that issue with a block of IPs we got, which seem to be blacklisted in some services:). If the account gets disabled in FAS, their email address is effectively blocked anyway, which in most cases should be more effective than blocking their IP address. What I started to do, when they really try to come back by recreating their account through an FAS login (which seems to work until they are disabled in FAS :O ), is to suspend them for unlimited, and then remove them once they are disabled in FAS. We don't really have a regulation/rule about this, so just a thought :)
Yes, I think best would be to always just suspend for unlimited on the discourse side and wait for them to be disabled to delete them. (Or does deleting them do much good? perhaps they should be just suspended forever?)
Cool, I'll do that in the future. Please disable fridaynightfunkin
fridaynightfunkin
@py0xc3 : do you want to note this in our SOPs so it's documented somewhere and we can point others to it?
Or does deleting them do much good? perhaps they should be just suspended forever?
Well, to delete them makes them to no longer "waste space" in our Discourse, and it can be a requirement to keep our process of deleting illegal posts simple: if a user creates 10 spam topics, we either have 11 tasks (delete 10 posts each separately, and then suspend user), or we just click at the 1st flag "yes, its spam, delete them", and Discourse does the rest automatically -> Discourse recognizes that if a user has, e.g., 10 spam flags, and I tell it at the first "yes, delete the user" that it can assume all other flags to be illegal too and thus delete all of them along with the user account. If I click "yes, delete only the post", Discourse does not go beyond this one action as it is indicated to Discourse that the user account might be justified in general, so its unclear if really all their flags are actually spam.
As already indicated above, suspension seems to not exist in all types of flags. I remember to have done the suspension some times separately (so outside the flag) with a user comment in the user's account. This was in cases when a user had been warned before while the subsequent flag did not allow me to suspend. I am also not sure if deletion exists in all types of flags though, but at least off the cuff I don't remember cases in which I had to delete a user without having the possibility within the associated flag.
When a mod is interacting with a user (warning, suspension, deletion) directly, without flags, then it indeed does not make a big difference, except that the deletion at the end rather than permanent suspension would be the same way as the incentives spread through Discourse. So processes among different types of cases would be more unified & moderators would always go the type of way that is in some cases triggered by Discourse through incentives (= presented choices & subsequent behavior of Discourse)
If they are permanently suspended, they remain visible as suspended users for all times: problem is the new type of spam we receive in the recent months -> if the user account's profile is spam too (used to create a type of marketing page), then the permanent suspension does not solve the issue, but rather keeps that page online.
However, one big advantage of suspension compared to deletion: the user cannot exploit the time until FAS is disabled by re-creating their account, though I have seen this until today only once, and it is a case that will resolve itself once infra disabled the FAS account. The worst that can happen is that the very user finds out, the very mod is no longer available, and a second mod repeats the process with them. Don't think this can ever pose a major threat.
I agree, that makes sense, though the question is which of the two variants do we want to put in the SOP. I'm fine with both, though I have a tendency to stick with a simple process that intuitively follows the means of Discourse, so to keep deleting in Discourse + disabling in FAS rather than suspending in Discourse + disabling FAS. We have to be aware that not every mod has the SOP in mind and I doubt that all regularly check the SOP's updates. So I presume it is most intuitive to do it the Discourse way, as the behavior of Discourse might impact the behavior of moderators over time, following whatever is easiest and quickest. Anyway, I am +1 for both if a majority agrees.
Shall we open a Discourse topic about it to see if other mods agree to the SOP change and which one has a majority?
Done.
Yeah, all good points on the workflow... whatever you all decide to do is fine for me.
Please disable grogu001 -> spammer.
grogu001
So far the participating majority goes towards deleting accounts in Discourse when they are scheduled to be disabled in FAS, but I think this does not yet justify to update the SOP because I am not sure if the majority supports to make "minor" updates to the SOP before doing a major revision (which we aim to do for long but lack time). Let's see if/how the discussion topic develops, I stick with deleting for now.
The user is now disabled in FAS.
Please disable juli01 -> likely the same spammer, likely using a vpn or so.
juli01
I already disabled this one as it was spamming on pagure as well.
Please disable susisusisusi , pukipuki99 , wiwiwkwiwik for spamming. There are several indications that all three are the same spammer.
susisusisusi
pukipuki99
wiwiwkwiwik
Users are now disabled in FAS
Please disable patokkau -> spammer.
patokkau
Please disable maraz2987 -> spam
maraz2987
Disabled in IPA
Metadata Update from @nb: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)
Please disable xenomorph05230 -> spammer.
xenomorph05230
Please disable ahmadi -> spam
ahmadi
Please disable tauildiego -> spam
tauildiego
User disabled in FAS.
Please disable bvmsgbienhoa -> spam
bvmsgbienhoa
Please disable the user nonki -> repeated accumulation of flags from the community for spam, offensive behavior, illegal links and offenses against other users.
nonki
Please disable john765 -> spam
john765
Please disable ptokajajan7 -> spam
ptokajajan7
Please disable riskitusjarianto -> AI
riskitusjarianto
Please disable tonyalamb -> spam
tonyalamb
Please disable developer89 -> spam
developer89
Please disable carljames -> spam
carljames
Please delete kingprince -> spam
kingprince
Please disable gqrkvdnke -> spam
gqrkvdnke
Please disable two accounts: developer122 -> spam deinversicherung -> spam
developer122
deinversicherung
Please disable john4037 -> spam
john4037
Please disable carissaschmitt -> spam
carissaschmitt
Log in to comment on this ticket.