September Spam Attack


Thanks @Relyss for handling the deluge of spam for us! We’re talking with TR about more permanent solutions.


Also, please keep flagging the spam. 3 flags and the post is hidden even before the moderators have a chance to do anything about it.


Man, it’s always those Koreans… I mean, some Koreans, i’m a Korean and it’s odd, because, there’s no real way to find this forum in the common Korean Browser, for one thing, typing the name in korean only blrings up HearthStone, ans typing in English only brings up a few posts at-all aside the homepage

Thankfully one of our dear Community member (whom i will bot name since i’m not sure if he/she wants it to be super public)
Has started a StoneHearth Cafe(equivalent of a forum for us) a while ago, and is faring pretty decently for most part, considering the game and how young the Cafe is

I hope it wasn’t that Cafe that made acces to the forums visible to the spammers, since it does link bolth the forum and the homepage,(hell, even Prais)

It disgusts me to see other Koreans Troll or spam, esspecially on English oriented websites or games.
You’ve pribably seen some Korean guy in Overwatch spewing out Korean or extremely bad English, And i Hate it, it’s a disgrace for the country and they still have that sense of ‘Korean Master-race’ while they perform so poorly, i can’t stand it, if they can’t speak English, they shouldn’t play at the american server, Especially since there’s a DEDICATED KOREAN SERVER, full of people all the time, i’d rather them be at-least nice to people(manners?)even if they’re saying korean, or use even poor english, caus what’s the point of speaking korean in a english server

Same here, not to say that they should o the the Cafe, just, Don’t, like, what’s the point here, it’ll probably be more effective to go to one Korean website than to go to 50 English oriented ones, 'cause, i dunno? Nobody can understand what they say?

sorry about that, i just can’t stand it

Just, the thing is, it hurts me, perhaps even more than it does for you guys, because i’m pretty much the only Korean guy here, and it almost feels like i’m somehow the cause, because i’m one of the few access points to this website, if i was hacked, this forum is exposed, and hell, they’re freakin Koreans, and it hurts to be one as well

It’s… Shameful to say that i’m part of such a community


So, we need measurs of stopping them,

Us Koreans have bad, and i mean BAD temper, simply blocking them from posting for a hour after registration will just break their interest for most of the part,

They don’t put much effort in their spams, so most are just Copy-pasted so detecting for repeated content or almost identical posts are a good way of sopping them if there is multiples of posts


If you make it go by way of “steam link” you can make it so you can only post if the game has been purchased and in that accounts library. Problem being, what about the ppl whom only use bumble or what not?

Possible answer: Put those ppl on a very temp probation period, like only allowed to post once every 1-3 mins and they can only post with no tags, till a moderator can give them full access.


don’t think too much over it.

I always believed that the world will always has its share of a$$h—$, regardless of whatever language you speak or country you are in. (or maybe it should be : there is always a little a–h— potential in everybody? lol)

And those a–h—s are hardly representatives of whatever people they came in. I mean, I’ve seen much more spams in english, but it would be ridiculous if I had to be ashamed of it…

And regardless of what people and what background, there is always possibility of something common that can bring people together. In a classic speech, I would quote “music”, but here, it’s “stonehearth” :wink: We should try to judge each person on how he (or she) conducts himself/herself, not on which genepool, cultural background etc.


OK - so here’s what we’ve done. First, @Relyss deleted the spam posts and blocked all the offending users. She did this as you guys flagged posts and new users kept registering. Next, I went through and deleted the users entirely, as well as blocking the IPs for each spam user. As a protection tool (hopefully temporary, but we’ll see) we now have the first 2 posts from new users go to an approval queue, where a moderator must approve the post before it goes live. Hopefully, this will allow us to catch this type of spam before it makes to onto the forums.

While this adds to the mod teams workload, we only average 7 new users per day, meaning that we’ll have to approve 14 posts each day. Considering that it only takes 2 clicks to view and approve a post, this should not be an issue. Once we’ve confirmed that the spam has died down, we’ll look into removing this precaution.

What does this mean for you:

  • If you already have an account - nothing. There should be no changes that affect you.
  • If you are new and trying to make an account, it might take some time after you submit your post before it goes live. Between myself, @8BitCrab, @Relyss, and @megashub, plus the devs if they notice, we should be able to approve things nice and quick.

If this doesn’t work, or the spammers are crafty and post 2 nice posts then start spamming, we’ll consider further options. Regardless, if you see spam, please flag it! It not only helps us deal with it quicker, but it can hide posts automatically.


Sounds great to me.

As I’m new to admining Discourse (especially how it handles user auth), I’m curious about options like re-captcha and other bot prevention signup methods. Does Discourse offer any such options as plugins?


Not that I have seen. Because Discourse is a Javascript app (really limited HTML) there have been no confirmed cases of automated bots attacking a site. All spam has been found to be human spam.

Here’s what Discourse looks like with JS disabled. You can’t even log in!


Have you guys considerd (not sure if its possible here) A delay on new users before they can make a topic or add a reply? Lets say half an hour up to an hour. Most spammers are all about posting as many spam in as short amount of time as possible. In my opinion this would not increase de mods load and still lets new users who mostly come here when they first have an issue be able to post after the half hour

Could just be me totally noobing out on the forum moderator field, but thats what i was thinking :slight_smile:


That is not currently possible on Discourse. We’ve been handling the new user’s posts in the approval queue so far, and at least in my opinion is hasn’t been bad. We’ve caught a few more spammers, and 2 clicks really isn’t bad. I’d rather let the user post spam into the queue (and then block their IP) then delay the problem by preventing them from posting and allowing them to return.

Edit: There are lots of rate-limits for new users, and we could change them as we see fit, but delays to first post isn’t one of them. The available settings are delay between creating a new topic, max new topics, max replies, max links, and max images.


I did not look behind the scripts exactly, but isn’t it rather easy to inject scripts into a webpage loaded in a browser? if so, things can be automated.

well, if my guess is anywhere near the mark, the initial steps are probably guided by a human, but once the steps are figured out, it can be handed over to the bots (injected scripts) that can emulate whatever the human can do to a webpage (click, enter text, trigger javascripts).

Still, it is probably very hard to stop a determined spammer. What we need is just to make things just difficult enough to send them off looking for easier preys.


Anything is possible, and certainly scripts can be injected into a webpage. Spammers aren’t there yet because there isn’t a big enough pool of targets for them. Once more of the web is “pure” JS, we’ll see that increase. Sort-of like how there “are more viruses on Windows” because there are more machines to target.

Agree 100%. Like many forms of security, we just have to be that much more difficult than our neighbor - “you don’t need to outrun a bear, just your friend running besides you”.



The Discourse team has continued to investigate our spam attack and has recently discovered how the spammers managed to get around all the different spam checks that exist. Turns out that the spammers would post something inconspicuous, then quickly edit the post after submitting it with the spam text. As the edit was done within the “ninja-edit window”, it didn’t appear as an edit. Further, edits are not run through the spam filter like new posts are.

###Temporary Fix
As a temporary fix, the developers have implemented a new site-level setting allowing us to disable edits for TL0 (new) users. We’ll be working with TR on Monday to get this enabled.

###Long-term solution
The long-term solution planned is to send post edits during the “ninja-edit window” through the same spam checks as a new post. Once this has been implemented, I think it will be safe to disable the moderators must approve new user’s first 2 posts setting that we’ve had enabled for the last 3 weeks.

##Moving Forward
We don’t plan to have further spam incidents, but unfortunately spam is something we have to deal with having an public forum on the internet. As a reminder, if you see spam, please flag it immediately. Don’t reply, like, PM, or acknowledge the post in any way. Flags let us see quickly that there is something we need to deal with. If none of us are online, 3 flags on the same post and it is hidden automatically until we can review it.

##Thank you
I want to once again thank everyone for their understanding regarding the spam attack 3 weeks ago, and especially everyone who flagged the spam posts. I also want to thank all our new users for their patience while their first posts waited for manual approval in the queue. This is an amazing community, and I am honored to get to work for you every day.