I thought I’d launch a non-urgent topic to discuss ways to improve spam protection. Today I ran across a comment that made me think a bit about how we do e-mail validation:
That isn’t true, it is trivial to write a POP3 mailbox reader and tell it to process any links using wget or an HTTP request. That would easily remove the human interaction, but nonetheless, I do agree with the steps taken and I agree with your post...
It might be worth considering improvements here in addition to our blacklists and other techniques. Please discuss or add other anti-spam ideas to this topic!
Ahhhhh… But it seems there is no other way to verify the emails. And the verification of emails, I think, is mainly used to ensure users are using their own emails, not to detect spam.
Anti-bot work should be done during the ‘signup form filling’ process. The current field hashing approach and captcha are good enough to detect simple bots. Of course, we can still improve that, but it seems the current mechanism is working fine, so I’m not worried about this.
I think a problem is that it’s not always automated bots that are causing spam registrations, but actual humans.
Some new ideas and improvements in Discourse in later posts:
Ok, we’ve made a few improvements here that I think were overdue in retrospect: the all-user rate limit for creating new topics was increased from 5 seconds to 15 seconds per topic. There’s no way anyone should be able to create a new topic every...
For example, some maybe interesting ideas for us (long term):
Checking for “too similar” e-mail addresses (a few characters different only) to prevent incremented email addresses.
Maybe disallow multiple signups from the same IP address for some amount of time.
Do we have any email domain blacklist that can be edited? It would be nice to prohibit new accounts (or any email address) from an address that matches domain names on the blacklist.
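
The “too similar” e-mail address check and the editable domain blacklist suggested in this thread, as an added Ruby example that is not part of the thread and not Discourse's own code. All method names, thresholds and sample addresses are assumptions constructed for illustration.

```ruby
require "set"

# Hypothetical settings; not Discourse site settings.
BLOCKED_DOMAINS  = Set["spam.example"].freeze # constructed sample blacklist
MAX_DISTANCE     = 2 # "a few characters different only"
MIN_LOCAL_LENGTH = 6 # skip short names such as bob/rob to limit false positives

# Levenshtein distance using two rows of the dynamic-programming table.
def edit_distance(a, b)
  prev = (0..b.length).to_a
  a.each_char.with_index(1) do |ca, i|
    cur = [i]
    b.each_char.with_index(1) do |cb, j|
      cost = ca == cb ? 0 : 1
      cur << [prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost].min
    end
    prev = cur
  end
  prev.last
end

# Split on the last "@" and normalise case.
def split_email(email)
  local, _, domain = email.strip.downcase.rpartition("@")
  [local, domain]
end

# True when the domain or any parent domain is on the blacklist,
# so mail.spam.example is caught by an entry for spam.example.
def blocked_domain?(domain, blocklist = BLOCKED_DOMAINS)
  labels = domain.split(".")
  (0...labels.length).any? { |i| blocklist.include?(labels[i..-1].join(".")) }
end

# Returns [status, matched_address]; status is :invalid, :blocked_domain,
# :similar (candidate for review or throttling) or :ok.
def check_signup(email, recent_emails)
  local, domain = split_email(email)
  return [:invalid, nil] if local.empty? || domain.empty?
  return [:blocked_domain, nil] if blocked_domain?(domain)
  match = recent_emails.find do |other|
    o_local, o_domain = split_email(other)
    next false unless o_domain == domain
    next false if [local.length, o_local.length].min < MIN_LOCAL_LENGTH
    edit_distance(local, o_local) <= MAX_DISTANCE
  end
  match ? [:similar, match] : [:ok, nil]
end
```

Comparing only against recent signups on the same domain keeps the check cheap, and treating `:similar` as a signal for review rather than an outright rejection avoids locking out unrelated users whose addresses happen to be close.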