How to manage stalker accounts (users with no posts)
-
Many users on my forum have never submitted a post. Perhaps they signed up just so they could use the search tool. Regardless, they are not contributing. And, there is a good chance the account may have been created by a bot or other entity with no actual interest in the forum aside from how to spam it. These stalker accounts clog up user searches and inflate user stats. How do you handle this? What do you recommend?
-
Good question!
The answer for here is... we don't. Although we should.
I think a great many people register on this forum just to see what the registration flow is like, or maybe to see if they get access to new things once they are registered.
We also get lots of bots that try to post, or include links in their profile.
We have an "archiver" plugin to lock/delete topics that are old, perhaps I should update that plugin to allow removal of old/stale user accounts too.
-
@julian I could see that being a useful plugin feature. Settings might include the amount of time and the amount of posts required to keep the account from being automatically deleted. I imagine I would set it so that all accounts without posts would be deleted after 30 days.
In the meantime, I should be able to manage the process manually. I wish I could sort or filter users by more than one field at a time, which would make that process so much easier. Is there a way for me to do that?
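The retention settings and multi-field filter discussed above, as an added example that is not part of the original posts or NodeBB's own code. It assumes user records exported with `uid`, `username`, `postcount`, `joindate` and `lastonline` (epoch milliseconds); the policy names are hypothetical, and it only reports candidates (a dry run) so that search-only readers who still log in are not swept up.

```javascript
// Added example: dry-run selection of stale accounts by several fields at once.
// Assumption: each record carries uid, username, postcount, joindate and
// lastonline (epoch milliseconds), e.g. from a user export.
const DAY_MS = 24 * 60 * 60 * 1000;

// Hypothetical policy settings: minimum posts to keep an account, grace period
// after sign-up, and how recently a login still counts as "active".
const defaultPolicy = { minPosts: 1, graceDays: 30, recentLoginDays: 30 };

function selectStaleAccounts(users, now, policy = defaultPolicy) {
  const stale = [];
  const skipped = [];
  for (const u of users) {
    const postcount = Number(u.postcount);
    const joindate = Number(u.joindate);
    const lastonline = Number(u.lastonline);
    // Fail closed: a record with missing or malformed fields is never selected.
    if (![postcount, joindate, lastonline].every(Number.isFinite) || joindate > now) {
      skipped.push(u.uid);
      continue;
    }
    const ageDays = Math.floor((now - joindate) / DAY_MS);
    const idleDays = Math.floor((now - lastonline) / DAY_MS);
    // All three conditions must hold: few posts, past grace, not seen lately.
    const tooFewPosts = postcount < policy.minPosts;
    const pastGrace = ageDays > policy.graceDays;
    const notSeenRecently = idleDays > policy.recentLoginDays;
    if (tooFewPosts && pastGrace && notSeenRecently) {
      stale.push({ uid: u.uid, username: u.username, ageDays, idleDays });
    }
  }
  return { stale, skipped };
}

// Constructed sample records (not real accounts).
const NOW = Date.UTC(2024, 0, 31);
const sampleUsers = [
  { uid: 1, username: 'regular', postcount: 42, joindate: NOW - 400 * DAY_MS, lastonline: NOW - 2 * DAY_MS },
  { uid: 2, username: 'signup-only', postcount: 0, joindate: NOW - 90 * DAY_MS, lastonline: NOW - 90 * DAY_MS },
  { uid: 3, username: 'search-reader', postcount: 0, joindate: NOW - 200 * DAY_MS, lastonline: NOW - 3 * DAY_MS },
  { uid: 4, username: 'new-member', postcount: 0, joindate: NOW - 5 * DAY_MS, lastonline: NOW - 5 * DAY_MS },
  { uid: 5, username: 'broken-record', postcount: 0, joindate: undefined, lastonline: NOW - 300 * DAY_MS },
];

console.log(JSON.stringify(selectStaleAccounts(sampleUsers, NOW), null, 2));
```

Review the `stale` list by hand before removing anything; the `skipped` list holds records the filter refused to judge.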
-
@zandertrek second that. Particularly the wish for filter combinations and user settings.
-
Closely related to this thread https://community.nodebb.org/topic/15966/non-stop-spammer-sign-ups but I'll post some thoughts here rather than scattering about.
@zandertrek Admittedly, I also have many "inactive" accounts. Always made me wonder. Some of these never ever return. Some do return every once in a blue moon. Others return more frequently. I have reached out to a couple other forum "owners". Seems eighty to ninety percent plus accounts being inactive is pretty much de rigueur modern times.
I've discussed this with a few folks that I know personally "in the real" who fall w/in these groups. Their answers:
- Big Data & Privacy Concerns. These folks no longer participate in any "social media" sites due to big data and privacy concerns. Primarily stemming from awareness of just how bad the "Big Three" are in this regard. These folks tend to be older professionals, highly knowledgeable and aware of stuff like the Snowden Documents.
- Big Government. Closely related to above but slightly different spin. Many jobs in IT nowadays involve intensive background checks and/or some level of security clearance. These folks are savvy enough to know that their electronic communications, both professional and personal, may be subject to "continued and ongoing monitoring". Indeed, I took a pass on a pretty sweet gig once because of those clauses hidden w/in the small print of a thirty plus page background check agreement. So don't laugh: Big Brother is watching. And he's got one hell of a view.
So why then, register at all?
- Access to search functionality. Just got to be this way to protect against abuse by bots. This, I suspect, is the main one. I do this myself at various sites: I passively consume but need search to research. Nothing nefarious here but yeah, sometimes I use temp email addresses cuz, let's face it, many, many sites are poorly managed and compromised w/o the site owners' awareness.
- Access to private chat functionality. Again, closely related to the first two points above. Some folks like chatting w/their friends privately. They don't use other sites for this because they trust me. They're also savvy enough to know that the moment any third party scripts are involved, the notion of any sense of privacy and/or confidentiality is delusional. Yes, I can still be served up with a warrant. Ditto my cloud provider. Not a silver bullet but at least raises the bar a bit. At least in this country.
Granted these represent a minority. So what to do about the rest? Well, I suspect most fall under one of @julian's umbrellas:
@julian said in How to manage stalker accounts (users with no posts):
I think a great many people register on this forum just to see what the registration flow is like, or maybe to see if they get access to new things once they are registered.
Okay, where and what, precisely is the threat? Hmm.....
I suppose some of those private chats could be used for nefarious purposes. I sometimes wonder if Admin accounts should have access to users' private chats but feel this would be a betrayal of confidences of the community at large and I don't want to throw the baby out with the bath water. So I just "endure" until actual problems are reported. I've not had this happen.
As for actual stalkers, I've only had one such occurrence reported. I was always suspect of this particular user from the get go so I perma banned them.
So what is left? All those inactive accounts, some greater than a year. I've thought about nuking accounts older than a year sans any logins but then I ask myself what harm they really cause? I've had accounts that were dormant for long periods, sometimes over a year, others that pop in to post only once or twice a year. Indeed, I have fallen into this category myself: There's a couple sites I used to be quite active on but nowadays it may be a year or two between logins. Nuke one of these and then you've set yourself up as "the bad guy", oppressive overlord, etc. Maybe this is what some are looking for? A reason to bitch and/or defame you? Whatever. Bottom line is that I see little downside to the live and let live approach while there is potential downside to pruning.
Just some thoughts. It is a sticky wicket to be sure.
-
@gotwf All the nails hit.
This is an incredibly spot on analysis IMHO. It has articulated perfectly the changing trends with cause and effect in focus, which concurs with my own real world examples as an admin over almost two decades.
Might we take a moment and coronate this deleterious phenomenon as the LinkedIn effect?
It is chilling genuine open and robust exchange and increases self censorship, leaving a lot of crap unchallenged that normally would last pissing time as they say. It reduces fine posters curating well considered and researched output.
The net result is traffic suffers, forums suffer. Communities empty out. It’s a race to zero. Thus we all suffer.
The ability of agreeing to differ without descending into all out War (typically instigated from one side) must not be lost!
Otherwise self moderation is mistaken for keeping one's trap shut when it matters most.
-
@gotwf I really appreciate your hands-on research, analysis, and thorough report. Prior to reading it I was feeling very solid about my new "delete after 30 days accounts without posts" policy. If an account appears to be totally harmless, then I could assume that it is and allow some space for folks to have a bit of anonymity, hidden among a myriad of mysterious accounts. Snowden showed us in black and white who the real stalkers are.
-
@zandertrek Thank you for the kind words. Don't take the above to promote complacency. I favor "The Unix Way": Specialized tools that do one task very well over the more "Monolithic", all bundled into one approach favored by e.g. MS. Thus, I really appreciate NodeBB's "modular" approach.
Along a related line of thought: I also favor a "layered onion" approach to security. Hence, preferable, imho, to endeavor to block as much nefarious crap as possible before it hits my app server.
- Firewall rule sets restricting ports to those actually needed.
- Web Application Firewall, a.k.a. WAF. License restrictions preclude binary distribution of Nginx's ModSecurity 3.0 module so one must compile it themselves. A bit too much of a PITA for many. Apache modules do not have such restrictions. Both utilize the OWASP rulesets, wh/can be challenging to grok, i.e. not a quick and easy one click deployment. But boy, once set up it does an excellent job. That said, WAFs, even commercial offerings, are routinely defeated by dedicated and knowledgeable black hats. Or so I am told by some grey hat types.
- Fail2Ban is simpler to deploy and hence favored by many.
Hope this helps but yeah, it is a fsck'n jungle out there.
P.S. Oh yeah, iirc, modsec3 can also be integrated with Varnish. I've only dinked around with Varnish. Not for the faint of heart. More enterprise oriented than small hole in the wall sites but deserves a mention whilst I am at it. As an aside, I don't know what magic incantations PHK and crew have up their sleeves but it is very effective against temp email addresses.
-