10 minutes might be a bit of an overkill, even for new users only. As I have noted, I tend to find out 5 seconds fairly quickly, with legimate posts I actually wanted to make (never mind that five seconds would not prevent timeout-related double-posting, anyway)... About thirty seconds is something I'd personally be able to tolerate, if it was something that went away sooner rather than later.

The fourth feature, though more of an unlikely wishlist feature, would be a system for trusted users to vote to nuke spambots without mod intervention. Mods would simply see a feed of accounts nuked by the community which they could then reverse if there was some sort of wrongful nuking.

This seems to be far too dangerous. I've seen far too many griefing incidents, and if it was a fairly unknown and none-too-confrontational user who was targeted, it might easily slip attention. I don't think less-than-mods should have that kind of power. By default, only mods are the users you trust enough.

Maybe have it based around users of some renown, based on post count, account age or something, and to make a player ban effective, it needs at least three "votes" to be effective?

Mind you, that'd still need a safety net to prevent a group from taking out others in anger. Perhaps the ability could be revoked if abused

---

As for timer for delays, maybe increasing delay if posts are too quick? Or something to check for identical posts on newer users?

Identical posts would be slightly better (though still not ideal, for reserves and bump/quick notice type things).

"Too quick" is a varying number for everyone. I'd rather not spend half of my little five-minute break waiting behind a arbitrary posting speed limit...

Still opposed to any kind of non-mod ban/hide/silence type action.

Just to add my two-cents, any kind of rate limit for established accounts will easily break any speed-posting focused RP like my own. Removing the limit for older accounts is an absolute necessity.

Anti-Spam System Proposal

The first feature we need is a regressive ratelimit. The fewer posts/PMs you have, the longer you have to wait between posting. This addresses the issue of a single spambot creating posts as fast as the forum can accept them (as it was in the recent spambot attack). I will also ratelimit by IP address so a spambot can't just even their spam across a bunch of accounts so easily.

For example, if an account has 0 posts, they would only be able to create a topic or post every 10 minutes. Once they get 5 posts, they can post every 5 minutes. Not sure of the numbers yet, and I obviously don't want to kill the momentum of a new user, but that's the idea. Really depends on what kind of spambot behavior we have.

Existing established users wouldn't be ratelimited (beyond perhaps a sanity-check of a few seconds to prevent double posting once and for all).

When addressing spambots, in my experience, you don't need perfect countermeasures, just countermeasures that makes things annoying enough for them to stop (if there's a human driving them). It's possible that a ratelimit alone is enough for me to re-enable registrations while I work on the following features.

The second feature is a moderation-queue for new accounts. It should be a list of the first 5 or so posts by each newly registered account. From there, mods can nuke spambots or, more importantly, promote new-but-legitimate users into full members so they can escape the ratelimit. That would make our lives a lot easier, bless our moderators who have had a very shitty modkit over the last two years.

The third feature is a general report-post/report-user system. Something we've needed for a long time but kept getting procrastinated due to our two-year lucky streak of minimal spambot issues.

The fourth feature, though more of an unlikely wishlist feature, would be a system for trusted users to vote to nuke spambots without mod intervention. Mods would simply see a feed of accounts nuked by the community which they could then reverse if there was some sort of wrongful nuking.

I'm implementing those in order (ordered by urgency) and hopefully the ratelimit alone is enough to discourage the spambots that attacked us last weekend.

My Critique on the 4 proposals.

• First Proposal does make sense and I have seen it used on another forum in a similar matter, however I think the wait could potentially harm new member's contribution to a new RP, thus causing them to miss out. If someone on day 1 with 0 posts wants to enter a roleplay, they may need to post to say they are interested, post the character sheet and perhaps ask a question or two for clarification on details, that could be a 30-40 minute wait. On the internet with the speeds we run and post at, that's a very long time.
  I'd actually be inclined to have a counter of sorts where every x minutes (eg: 15 perhaps) your allocated post limit is set to y amount (ie: 3 posts every 15 minutes). A regular poster wouldn't notice it too much as the chances of making 4 or more posts in 15 minutes wouldn't be easy, per say, but to a copy paste spammer they would hit that limit very early on. Until the member reaches z posts (eg: 30 posts) or a set time frame they are classed as a newbie and will have this limit placed on them. You would also have to be clear as to the number of posts they could have during their y time frame so that they can manage their replies more eficiently and not always burn out with simple "Interested in this RP!" posts.
• Second Proposal is fine. A simple tick to say that a member is all good, but it's not something that should be relied on all the time as it's extra work.
• Third Proposal is much appreciated. It's always nice to report, not just bots, but also bad behaviour. I do think more should eventually be added into this for both clarity and ease of use (eg, being able to report members, PMs, and Visitor Messages).
• Fourth Proposal...
  
  

  The fourth feature, though more of an unlikely wishlist feature, would be a system for trusted users to vote to nuke spambots without mod intervention. Mods would simply see a feed of accounts nuked by the community which they could then reverse if there was some sort of wrongful nuking

  
  I can see the potential for abuse. While the intention is good, an issue can occur when a group of people decide to troll and harass an innocent member. There would need to be several things added to this for it to work fully.
  
  
  • Only what I would call elite members should be allowed to use this feature. People who have been here for over a year or two and only those who have a high post count. Generally these would be people who are more invested into the forum than your newer members and know the insides and outsides of the site
  • Everyone who flags a post has their name added to a public list of flaggers on that particular post, and possibly on their member page. If 'Internet Tough Guy' wants to bully all the newbie members, then you have all the information on his profile so that he can be addressed and even have these powers removed. That way only the members who do the job right will be able to use this feature
  • Flagged users shouldn't be banned, but perhaps have their post per time frame (going back to first proposal) reduced (ie, from 3 post every 15 minutes to 1 post every 15 minutes). That way the community is still helping contribute to the maintenance of the forum but you are not relying on moderators for cleaning up the errors and possibly loosing a few new members because the community thought 'MrBOT' was a bot and not a legit user.

Perhaps a solution to new users "running out" of posts on small things like declaring interest in an rp would be to add a system where the poster of an interest check can see who is subscribed to their post? That way the x posts per y minutes wouldn't be wasted on saying they're interested, and could instead be used for asking questions about the rp, posting sheets, etc.

This might be making it too complicated though, when a finetuned x per y system would probably work fine in most cases

Not everyone cares about, or looks at notifications, and not everyone who subscribes to a thread is actually interested in partaking (could be a mistap on one of those pesky phone screens for all that we know). I'd perceive people (even if they're only thread-starters) seeing what you're subscribed to more as a source of awkwardness...

And I'm still opposed to arbitrary limitations on posting. I'd rather take my chances with the blue pool/tennis field captchas on registration that I get wrong five times in a row. 10/15 minutes is a long time if you're a busy person. Getting "you must wait 15 minutes to post another message" during your bi-hourly ten-minute break a happy user does not make. Especially if it means you will have to postpone replying in one of your threads for hours for solely that reason.

Sounds somewhat overly complicated.

n posts per t minutes is probably one of the easier systems to use and implement.

---

And we do agree that any system where non-mods are permitted to issue anything akin to bans should be heavily restricted.
High post counts + long membership is a fair requirement to have such power.

Sure, this would mean that quite a few people wouldn't be able to have such power, but it would still ease the burden of the mods.
Also, a simple safety measure like the one we mentioned earlier (that it takes several "empowered" to actually ban), would probably be wise to prevent revenge bans. And of course all such should be reviewed by mods later on.

There are a lot of people who can only access a computer once a day, or who otherwise cannot sit around waiting for arbitrary posting limits to let them post again. If I have roughly twenty minutes and five RPs, I should be able to reply to them all, IC and/or OoC (in my case, granted, OoC, since my average IC post is around two thousand words and will take up all of those twenty minutes), and maybe reply to a couple of discussion threads while I'm at it.

Time on site and number of posts are no indicator of the person's judgment or lack of vindictiveness. I've seen an actual mod with over two thousand posts and five years on site silence people who did not agree with her, as well as another mod who took to harassing specific users off-site, and a couple of other incidents - now multiply those accounts by number of active users this, not exactly small, site has.
Furthermore, people do tend to move in packs. If X votes that, so, chances are, will their five friends.

And of course all such should be reviewed by mods later on.

Then as far as mods are concerned, it would be no different from actual reporting feature. The exact same amount of work.

In terms of the posting restrictions, is it at all possible to limit thread creation rates? In my experience with the spambots they've generally created their own thread as opposed to posting in existing ones, which may change if thread creations rates are limited for new users, but further fixes can always be amended later.

In my mind, new users are far less likely to create a whole host of new threads shortly after joining as opposed to posting.

True, its not indication of their (lack of) vindictiveness or such. but there are fewer of those, and using pure statistics, the fewer people you pick, the fewer of the "bad" type you'll most likely get.

A limit of 1 new topic every five-ten minutes for the first 50 posts and up to five posts per fifteen minutes or 10 posts per hour seems like a less troubling barrier for new players while still stopping most bots.
On that thought... Account age might be just as relevant a barrier for such... Not many bots survive beyond their first day or three... so:
if account has less than 50 posts: 1 new topic every 10 minutes max
If account has less than 100 posts: 2 new topics every 10 minutes max
If account is less than 72 hours old, no more than 5 posts every fifteen minutes

Are those restrictions better, @Kangaroo, @Shienvien?

True, its not indication of their (lack of) vindictiveness or such. but there are fewer of those, and using pure statistics, the fewer people you pick, the fewer of the "bad" type you'll most likely get.

A limit of 1 new topic every five-ten minutes for the first 50 posts and up to five posts per fifteen minutes or 10 posts per hour seems like a less troubling barrier for new players while still stopping most bots.
On that thought... Account age might be just as relevant a barrier for such... Not many bots survive beyond their first day or three... so:
if account has less than 50 posts: 1 new topic every 10 minutes max
If account has less than 100 posts: 2 new topics every 10 minutes max
If account is less than 72 hours old, no more than 5 posts every fifteen minutes

Are those restrictions better, @Kangaroo, @Shienvien?

It depends whether we're discussing the spambots we've specifically recieved here or the more general ones that exist on the internet. In terms of what we've experienced so far, there's two distinct spam bots, the Vance Miller which makes on thread and is never touched again (which is not a huge issue due ot low volume) or the Korean gambling spambot which generated a few hundred topics in a few minutes.

In terms of stopping those bots, restrictions should be time based as the posting occurs straight after creation. So something like the 1 new topic every 10 minutes would work but the step up should be based on time, i.e. say a week because the spambots I've seen make an account then spam straight away.

I think the focus for right now is to stop the Korean gambling spambot as quickly as possible as a short term fix so we can open regristrations and then organise the exact specifics of other restrictions in due course.

indeed and agreed, @Kangaroo

I've given it some more thought, now... If we keep getting the sorts of bots who make new threads, then I'd restrict new users to maximum of three threads per hour until the account is three days old (so they can still make an into thread, post that RP they wanted to port over, and make in IntChk/hiring thread for it without being penalized), and leave post count alone for simply new players.
Now, lets assume a "flag" option will be added - my idea is that it would not ban an user, but rather be the only time a posting limit would be superimposed - say, three posts per hour. And of course, the flagged user would still show up in some flagged users list (along with the person(s) who flagged them) for mods to peruse.
Also, there should be around a dozen active mods for a site this size (we have nineteen mods and two admins for a site with an user total of roughly ten thousand elsewhere...) The idea is that regardless of timezones, other duties and what not, there would still be at least one mod who'd take a look on reports every hour or so (there were bots that were still active four hours after being first reported last time). Until we get a benevolent AI to work for us, mods are human, thusly needing sleep and having real-life obligations.

So:
* Max 3 threads per hour until an account is three days old. No posting restriction.
* Ability to flag an user as bot, which will restrict them to 3 posts per hour until a mod reviews them.

This should be sufficient to ensure the bots wouldn't annoy users too much before a mod gets on and nukes them. And would be less likely to have genuine busy new users to want to flip the site off.

I'll continue to make some progress on the Guild and get registrations turned on again ASAP. I'd like to try to avoid too much bikeshedding. Yall give me way too many excuses for procrastination. Look how long this post is.

The amount of noise generated by a change is inversely proportional to the complexity of the change.

Currently, I'm visiting my parents in the Texas countryside, so I have some solid chunks of quiet and time.

Right now, I'm going to build a quick feature for mods that lets us toggle on/off registration. That way any of us can allow registration and then, worst case scenario, disable it if the spambots come back immediately. It's simple to build. Also, if it turns out that a ratelimit isn't good enough, then mods can disable registration while they clean up the forum or something.

This feature could turn into some sort of "we're-under-spambot-attack mode" toggle once I get the ratelimit done which would jack the ratelimit up while mods are offline.

Also, I'd like to reassure that my goal here is to limit mass-spambot destruction while maximizing newbie participation, so I won't be happy if any aspect of the proposal is significantly affecting legitimate newbies and if it was, my objectives have failed and I'd reiterate.

10 minutes might be a bit of an overkill, even for new users only. As I have noted, I tend to find out 5 seconds fairly quickly, with legimate posts I actually wanted to make (never mind that five seconds would not prevent timeout-related double-posting, anyway)... About thirty seconds is something I'd personally be able to tolerate, if it was something that went away sooner rather than later.

Yeah, the params can be tweaked. Ideally on the fly so that we can put the forum into an under-attack mode while still allowing new users to join. Also, the idea of the moderation-queue is that we can quick-approve new users (disable the ratelimit) if they seem legitimate, which means the ratelimit is primarily to limit the damage of spambot registrations while mods are offline.

<Snipped quote about users getting the power to nuke spambots> This seems to be far too dangerous. I've seen far too many griefing incidents, and if it was a fairly unknown and none-too-confrontational user who was targeted, it might easily slip attention. I don't think less-than-mods should have that kind of power. By default, only mods are the users you trust enough.

The idea would be that it's hard to gain the community-nuke ability, easy to lose it, easy for mods to review it, easy to reverse decisions, and impossible to farm an account for the ability without being a genuine member for quite some time.

Like most abuse, it doesn't really happen too often in practice. To respond to your scenario, if 5 established-member butt-buddies conspire to nuke someone, then (with the most naive implementation of the system) the victim would be nuked until a mod reverses it. But it also means we get to evict 5 toxic members from the community. More likely is that the community can also vote against nuke-votes and then mods just ban the abusing member. Kind of a lame way to get perma-banned, no?

Also, the difference between a report->nuke system and a community-nuke->review system is that the latter cleans the forum up immediately and isn't bottlenecked by moderators.

This feature is the most fun to talk about, but it's also the least likely to ever get implemented and doesn't even have a shot until we're happy with the features on the list, so I don't want to over-emphasize it with too much attention. Even in the worst case scenario that everyone abuses it, then I'd just turn it off and we wouldn't mention it ever again.

Just to add my two-cents, any kind of rate limit for established accounts will easily break any speed-posting focused RP like my own. Removing the limit for older accounts is an absolute necessity.

Absolutely. The ratelimit is purely for new users and it falls to 1-second very rapidly, as in, within 10 posts. I might disable it entirely for new users posting from residential IP addresses since those are hard for spambots to post from.

@NuttsnBolts: Hopefully my post answers your main concerns.

In terms of the posting restrictions, is it at all possible to limit thread creation rates? In my experience with the spambots they've generally created their own thread as opposed to posting in existing ones, which may change if thread creations rates are limited for new users, but further fixes can always be amended later.

In my mind, new users are far less likely to create a whole host of new threads shortly after joining as opposed to posting.

Yeah, posting includes creating topics.

@Shienvien @Ellri: Account age isn't enough because, although unlikely, it's possible to then farm accounts and wait for them to age. One of the purposes of the ratelimit being post-based is to force spambots to reveal themselves.

-snip-

I was more meaning if there was a way that only included thread creations, based off the current spambots we've encountered.

True, hadn't considered the farm account type, @Mahz. But only a fraction of spambots are of that type, yes?

So maybe a combination would work?
If a user starts posting immediately, it'll remove limits by the 72^nd hour.
If a user doesn't post in that time, it will not remove the limits until a certain post count has come and gone.

That way, people can get rid of limits in multiple ways, even as multiple spambot types can be stopped. After all, once a user starts posting, it'll be fairly easy to spot bots.

Granted, the above might be overly complicated.

True, hadn't considered the farm account type, @Mahz. But only a fraction of spambots are of that type, yes?

Yes, but sometimes they're the hardest to control because a large sum of them can be built up over time and released at any given point. Because the mods won't be able to spot them in the new user listings, they might have to go through the IPs and often that can be a bit tricky when they could be linked up to proxy generators.

Ultimately it comes down to how complicated the coder wants to make the bot. They can even make them act as a fake human in the intro section with a vague "Hello. I'm new" that people may dismiss as a normal timid member until they change to bot mode a month or so later.

EDIT: Holy crap my grammar is bad tonight :P

Indeed. The most advanced bots will be hard to spot. which is why our latest suggestion goes for "latest of the two". No matter how good the system is, some bots will get through, and that is where the community comes in to identify and ensure termination.

Just deployed the ability for mods to toggle registration on/off.

@Ellri I'll fix the friendships thing now.