This proposal has been implemented

Reviewed by @product and accepted in the main project
It is funded by European Commission
Developed by Tremend
Available in release 0.24 via #6696, #6804 and #6941

Detect the use of spam-bots and ban non compliant users

Main repo (merged)

Virgile Deville 17/07/2020 11:06

**Is your feature request related to a problem? Please describe.**

Fight against disinformation, spamming and trolls. At the moment, if the administrators do not set a proposals limit per user, it is easy for a malevolent user to create one account and use a tool like Selenium to publish hundreds of contributions. Furthermore, administrators are not able to ban users.

**Describe the solution you'd like**

Implement a way to report users

Like we have a way to flag a contribution for moderation, a similar mechanism can be implemented to flag users and give moderators the ability to block said user. Everyone can participate in this reporting (admin, moderators, users) and flag users based on their harmful behaviour towards the debate or the content they posted on they public profile (avatar, biography, personal website).

Add a flag to report users on their public profile;
In the admin, add a column to the participant table that displays the number of time a user was reported and make a sortable column so the admin can see first the ones with most reports and take action (block) if needed;
Send notification to moderator and admin when a user is reported.

Allow administrators to ban non compliant users

Administrators should be able to ban users, for example when someone repeatedly attack the debate. This ban should be transparent.

Add a “ban” action button in the Participants panel.

Admin can unban user
Users will be banned at the Decidim Identities level meaning they cannot access the website with another provider through the EU login. (Ex : I connect with Twitter, got banned I cannot connect using Facebook if it has the same email or is associated to my EU login id)

When a user is banned :

an attribute (ex: blocked) is added to their profile which makes it impossible for them to login
its avatar is replaced by the default one
its pseudo is replaced by “Banned user”
Profile page is rendered inaccessible by non-admin users (to facilitate moderation based on their contribution history)
All contribution remain visible

Automate the ban of spamming users

In order to detect those users, we need to define behaviours we want to prevent. For example, we can consider that more than ten messages published in less than one minute from the account justifies that the system automatically blocks the user.

An asynchronous job could check the database every minute, searching for such behaviour and report or block user.
The detailed list of behaviours in question should be made public and the code open sourced.

**Describe alternatives you've considered**

Above measure are up to selection / discussion.

**Additional context**

We've seen these behaviour happen in our latest experiences when we scaled it to a couple dozens of thousand users : automated user creation, automated content creation, coordinated mass posting.

**Does this issue could impact on users private data?**

**Funded by**

EU Commission

Filter results for: Funding available

Comment

Liked by Arnau and 10 more

Liked by

Arnau

Daniel

Pau Parals

txema

Pauline Bessoles

Pierre Mesure

Jari

Tom Sydekum

Bastian Große

Alexandru Emil Lupu

Decidim Product

Comment details

Fingerprint

The piece of text below is a shortened, hashed representation of this content. It is useful to ensure the content has not been tampered with, as a single modification would result in a totally different value.

Value: a9864b6de5451c27d00671eefd21364af04475260a4b26c40b4d4d9db921805a

Source:

{"body":{"en":"<p>**Is your feature request related to a problem? Please describe.**</p><p>Fight against disinformation, spamming and trolls. At the moment, if the administrators do not set a proposals limit per user, it is easy for a malevolent user to create one account and use a tool like<a href=\"https://www.selenium.dev/selenium-ide/\" target=\"_blank\"> Selenium</a> to publish hundreds of contributions. Furthermore, administrators are not able to ban users.&nbsp;</p><p>**Describe the solution you'd like**</p><p><strong>Implement a way to report users</strong></p><p>Like we have a way to flag a contribution for moderation, a similar mechanism can be implemented to flag users and give moderators the ability to block said user. Everyone can participate in this reporting (admin, moderators, users) and flag users based on their harmful behaviour towards the debate or the content they posted on they public profile (avatar, biography, personal website).</p><ul><li>Add a flag to report users on their public profile;</li><li>In the admin, add a column to the participant table that displays the number of time a user was reported and make a sortable column so the admin can see first the ones with most reports and take action (block) if needed;</li><li>Send notification to moderator and admin when a user is reported.</li></ul><p>\r\n<strong>Allow administrators to ban non compliant users&nbsp;</strong></p><p>Administrators should be able to ban users, for example when someone repeatedly attack the debate. This ban should be transparent.&nbsp;</p><p>Add a “ban” action button in the Participants panel.</p><ul><li>Admin can unban user</li><li>Users will be banned at the Decidim Identities level meaning they cannot access the website with another provider through the EU login. (Ex : I connect with Twitter, got banned I cannot connect using Facebook if it has the same email or is associated to my EU login id)</li></ul><p>When a user is banned :&nbsp;</p><ul><li>an attribute (ex: blocked) is added to their profile which makes it impossible for them to login</li><li>its avatar is replaced by the default one</li><li>its pseudo is replaced by “Banned user”</li><li>Profile page is rendered inaccessible by non-admin users (to facilitate moderation based on their contribution history)</li><li>All contribution remain visible</li></ul><p><br></p><p><strong>Automate the ban of spamming users</strong></p><p>In order to detect those users, we need to define behaviours we want to prevent. For example, we can consider that more than ten messages published in less than one minute from the account justifies that the system automatically blocks the user.&nbsp;</p><ul><li>An asynchronous job could check the database every minute, searching for such behaviour and report or block user.</li><li>The detailed list of behaviours in question should be made public and the code open sourced.</li></ul><p><br></p><p>**Describe alternatives you've considered**</p><p>Above measure are up to selection / discussion. </p><p>**Additional context**</p><p>We've seen these behaviour happen in our latest experiences when we scaled it to a couple dozens of thousand users : automated user creation, automated content creation, coordinated mass posting.</p><p>**Does this issue could impact on users private data?**</p><p>No</p><p>**Funded by**</p><p>EU Commission</p>"},"title":{"en":"Detect the use of spam-bots and ban non compliant users"}}

This fingerprint is calculated using a SHA256 hashing algorithm. In order to replicate it yourself, you can use an MD5 calculator online and copy-paste the source data.

You are seeing a single comment

View all comments

Virgile Deville 25/11/2020 17:36

Hello @roxanaoprescu
I think the community is interested in the user_quota system you describe.
We should make it easy to enable / disable in the admin because it might not be useful to all instances.
Could you provide more details on your implementation so we can discuss it ? @carol and @andres are also interested

Roxana Oprescu 26/11/2020 08:56

Our quota system works like this:
○ Allow 3 posts per day for citizens that have no post in the last 6 months
○ Allow 10 posts per day for citizens that have at least three posts for more than
one day and less than six months old
○ Allow 25 posts per day for citizens that have more than 20 posts in the last six
months and older than 24 hours
○ Allow any moderator / admin up to 100 posts per day
○ Inform any user that exceeds the quota that they did so and ask them to come
back in 24 hours (this will be as an warning message)
Those values are configurable from admin's dashboard (Settings section)
https://www.linkpicture.com/q/Screenshot-from-2020-11-26-09-47-10.png

Virgile Deville 26/11/2020 15:01

So the logic behind it is the more active you are the more post you get to make right ?
Could you tell me what you put behind the word post ?
I'm assuming : proposals, meetings, debates, comments
Is the amount of post a total of these four ?

What do you think about my proposal of implementing a checkbox to enable, disable the quota system ?

Roxana Oprescu 26/11/2020 15:44

@virgile_deville Yes, the main idea is to encourage users to be more active and to have less content reported (because all the content that has been reported is not included into the calculation of the new quota value). So it's important to be active, but at the same time to have unreported content in order to be able to post more on the website.
"Post" = add content (comments and meetings) on the website. For each user we take into account all the comments published (and not reported) and all the meetings created (and not reported).
About your proposal with the checkbox, we cannot give you an answer right now because we need confirmation from our client. But in order to obtain a similar behavior, quota's values can be updated to a large value (e.3000) from admin's settings.

Virgile Deville 26/11/2020 19:48

But in order to obtain a similar behavior, quota's values can be updated to a large value (e.3000) from admin's settings.

Right that's a good way to disable it.
I think it's weird that "Post" doesn't include at least proposals (which is gonna be used by the EU for COFE).
Best would be that Post = proposals, meetings, debates, comments
so that the feature cover whole the UGC possibilities in Decidim

Essential

Preferences

Analytics and statistics

Marketing

Detect the use of spam-bots and ban non compliant users

Liked by

Please log in

Cookie settings

Essential

Preferences

Analytics and statistics

Marketing

Detect the use of spam-bots and ban non compliant users

Share

Liked by

Confirm

Please log in