Hi,
I would like to open a general ticket for user accounts that have been deleted in Discourse (discussion.fedoraproject.org) by moderators because of spam, AI or other such violations that make a deletion of the account necessary: these user accounts need to be deleted in FAS as well.
We are currently discussing how to decrease the overhead for moderators in the process of such deletions: As a first step, I would open this as a general ticket for reporting accounts that a mod has already deleted in Discourse, so that you can then delete them in FAS as well. A post here saves a lot of time compared to opening a new ticket each time - I assume this is fine for the infra team as well?
Also, I would like to ask if you are fine with reporting users by email to admin@fedoraproject.org rather than by a ticket here? This would be comparably easy to a shared ticket like this one. I would like to ask if you have a preference about that (maybe also with the possibility in mind that some of this process can be automated at some time).
DELETED rory586 REASON spam
We already have one ticket like this created by @mattdm, but I'm OK with this to make it official. Just don't forget to reopen the ticket each time, so we notice it.
The e-mail is OK as we can search the user by e-mail as well.
Metadata Update from @zlopez: - Issue priority set to: Waiting on Assignee (was: Needs Review) - Issue tagged with: low-gain, low-trouble, ops
The user is now disabled in FAS
Metadata Update from @zlopez: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)
If you delete the user... then what happens when someone else creates a new rory586 account? Would they get seen as a spammer even if they aren't? There are a lot of rory586 out there from people whose initial account was named that.
rory586
In the past we just disabled accounts because of this.
Sorry, my comment was unclear. I meant if it makes a difference for you if we report by a ticket/post here or by writing an email to you to admin@fedoraproject.org. So not report the user by their email address, but report their username through an email from the moderator to you.
Metadata Update from @py0xc3: - Issue status updated to: Open (was: Closed)
> then what happens when someone else creates a new rory586 account?
The goal is to block the email address and potentially their IP permanently. I guess this is the highest we can do to force spammers/attackers to invest as much effort as possible before repeating their actions. The user account name itself is not really the problem in such cases, not sure if it makes sense to block the account name. There are many other potential account names they can use anyway ;) At the same time, an abused account name can still be a name that someone else might use for appropriate reasons later. Otherwise spammers / attackers could achieve a denial of service of user names as they can intentionally achieve that useful usernames are blocked. If someone else later uses the account name with a different email address, I see no reason to generally not allow it.
I am not 100% sure how it works in discourse, but based on the messages I get from the Discourse system, the username remains allowed but the IP and the email address get blocked.
All of the spam-waves I have dealt with since 2016 rarely come from the same IP address longer than 10 minutes. These days they rent fleets of 'compromised' systems (aka someone installed a dodgy VPN software not realizing they are now also an endpoint for that VPN) to do work. They also pay one set of people to open up accounts in various systems which may be either inactive or 'valid-looking' for weeks before being turned into a spam account. The teams use scripts which will take common user names, and use email addresses from various 'One-Minute-Email' services and other free Email systems to get past any initial requirements for a unique email.
At one point it was easier to track because user foobar100 would be linked to email fizban101@gmail.com and foobar101 would be linked with fizban102 etc. However they dropped that when various email providers started looking for such patterns and blocking. Instead they moved to various 'privacy' email services which give 'ten-minute-email-accounts' and such with a thousand or more domains making it hard to 'block' all of them.
Sorry for not having an easy solution to this.
There is none. But all we can do is block the address and email. This at least creates a little effort the undesired party has to do, and this disables accounts, which otherwise keep spamming. It is not a satisfactory mitigation, and of course new spam accounts come up, but it is at least a type of mitigation: accounts that start to spam keep doing it, and once we deleted them, we have a pause (and they have to conduct the effort).
There is not much more we can do, but ignoring these accounts and allowing them to proceed is hardly an alternative. So let's keep on-topic ;)
> The e-mail is OK as we can search the user by e-mail as well.
>
> Sorry, my comment was unclear. I meant if it makes a difference for you if we report by a ticket/post here or by writing an email to you to admin@fedoraproject.org. So not report the user by their email address, but report their username through an email from the moderator to you.
The ticket is always better.
Yes, tickets are much better than emails. We could just re-use one ticket for this as long as it's open when it needs actions.
Note that we don't delete these users. We disable them. They will then never be able to log in or interact with their account, but the account is still there and the email address is still associated with it, so no one could make a new account with the same name (because the disabled one is still there). Also no one could just make a new account with the same email (because the email is still associated with the disabled account), so they would have to use an all-new account name and all-new email address.
I'll start using this ticket from now on, too.
FWIW, this current attack seems to all use a particular email provider, and the generated email addresses tend to follow a pattern. Plus, they're all from the same region of the same country. Maybe we can do something at the FAS level to make things more difficult for them?
We can reject/forbid new accounts using a particular email domain. If this domain is something that isn't super big/popular, that's an option.
It is, unfortunately, outlook.com.
Anyway, here's a new one, not part of that group. Good old fashioned link spam for a change.
spotsurv
Disabled.
Metadata Update from @kevin: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)
Another one, also a spam user: sandipmetiermedia
Another spammer: davidsmith012
Sorry, just a question. In order to request a user suspension we are supposed to use this thread instead of filing a ticket for each request?
> In order to request a user suspension we are supposed to use this thread instead of filing a ticket for each request?
Yes. The idea is to save time because you now just need one post, but ensure that you do not just click "comment" but "Comment & reopen" (unless it is already open) to ensure people get a message and see that something new came up: the ticket will be re-closed once all current cases have been processed, so that we can then re-open it once new cases come up.
This thread also gives us some overview of the current situation.
Another spam account: veloba1340
User disabled.
New spam user: robertsmith88
New spam user: rilake
> Yes. The idea is to save time because you now just need one post, but ensure that you do not just click "comment" but "Comment & reopen"
Mh. @py0xc3 is it possible that only the user that opened the ticket can reopen it in case it was closed? Because I can only "comment" here, I haven't the option to reopen the ticket.
Yeah, it seems that only repo owner/developer/admin and those who opened the ticket are able to re-open this. I now reopened it.
Question to the repo owners: can this issue be somehow mitigated? So that all moderators of Discourse can re-open this ticket?
I don't think so. I think the easiest way would be for a new ticket each time (or at least each person have a ticket that they reopen if there is a new spammer)
On Fri, Aug 23, 2024 at 1:12 PM Christopher Klooz <pagure@pagure.io> wrote:
> py0xc3 added a new comment to an issue you are following:
> ``
> Yeah, it seems that only repo owner/developer/admin and those who opened the ticket are able to re-open this. I now reopened it.
> Question to the repo owners: can this issue be somehow mitigated? So that all moderators of Discourse can re-open this ticket?
> ``
> To reply, visit the link below or just reply to this email
> https://pagure.io/fedora-infrastructure/issue/12091
Just FYI, I get every comment here. If you are 'watching' this project you get all the comments from the tickets (permissions permitting) if they are open or not.
So, while it makes sense workflow wise to re-open a ticket to indicate it has something pending, it's not fully needed.
I usually handle these pretty fast, but today is a Red Hat recharge day and I have been trying to clean up our auth cluster outage.
User rilake disabled.
Thanks Kevin. Nothing of that is urgent, so no need to explain. We just expected that the ticket is hidden to you until it is reopened, I interpreted zlopez's initial post that way.
However, in that case, I guess it makes sense to stick with this ticket and just post new users, and if not possible to reopen, discourse mods can just leave it closed.
Aaaaaaaaaaaand we have another spam candidate :)
Disable as332
See also https://pagure.io/fedora-infrastructure/issue/12154 about discourse user "justinacolmena"
Thanks for making aware :)