Mahz Admin

@Ellri Okay, you should see all friendships now. roleplayerguild.com/me/friendships

Just deployed the ability for mods to toggle registration on/off.

@Ellri I'll fix the friendships thing now.

I'll continue to make some progress on the Guild and get registrations turned on again ASAP. I'd like to try to avoid too much bikeshedding. Yall give me way too many excuses for procrastination. Look how long this post is.

The amount of noise generated by a change is inversely proportional to the complexity of the change.

Currently, I'm visiting my parents in the Texas countryside, so I have some solid chunks of quiet and time.

Right now, I'm going to build a quick feature for mods that lets us toggle on/off registration. That way any of us can allow registration and then, worst case scenario, disable it if the spambots come back immediately. It's simple to build. Also, if it turns out that a ratelimit isn't good enough, then mods can disable registration while they clean up the forum or something.

This feature could turn into some sort of "we're-under-spambot-attack mode" toggle once I get the ratelimit done which would jack the ratelimit up while mods are offline.

Also, I'd like to reassure that my goal here is to limit mass-spambot destruction while maximizing newbie participation, so I won't be happy if any aspect of the proposal is significantly affecting legitimate newbies and if it was, my objectives have failed and I'd reiterate.

10 minutes might be a bit of an overkill, even for new users only. As I have noted, I tend to find out 5 seconds fairly quickly, with legimate posts I actually wanted to make (never mind that five seconds would not prevent timeout-related double-posting, anyway)... About thirty seconds is something I'd personally be able to tolerate, if it was something that went away sooner rather than later.

Yeah, the params can be tweaked. Ideally on the fly so that we can put the forum into an under-attack mode while still allowing new users to join. Also, the idea of the moderation-queue is that we can quick-approve new users (disable the ratelimit) if they seem legitimate, which means the ratelimit is primarily to limit the damage of spambot registrations while mods are offline.

<Snipped quote about users getting the power to nuke spambots> This seems to be far too dangerous. I've seen far too many griefing incidents, and if it was a fairly unknown and none-too-confrontational user who was targeted, it might easily slip attention. I don't think less-than-mods should have that kind of power. By default, only mods are the users you trust enough.

The idea would be that it's hard to gain the community-nuke ability, easy to lose it, easy for mods to review it, easy to reverse decisions, and impossible to farm an account for the ability without being a genuine member for quite some time.

Like most abuse, it doesn't really happen too often in practice. To respond to your scenario, if 5 established-member butt-buddies conspire to nuke someone, then (with the most naive implementation of the system) the victim would be nuked until a mod reverses it. But it also means we get to evict 5 toxic members from the community. More likely is that the community can also vote against nuke-votes and then mods just ban the abusing member. Kind of a lame way to get perma-banned, no?

Also, the difference between a report->nuke system and a community-nuke->review system is that the latter cleans the forum up immediately and isn't bottlenecked by moderators.

This feature is the most fun to talk about, but it's also the least likely to ever get implemented and doesn't even have a shot until we're happy with the features on the list, so I don't want to over-emphasize it with too much attention. Even in the worst case scenario that everyone abuses it, then I'd just turn it off and we wouldn't mention it ever again.

Just to add my two-cents, any kind of rate limit for established accounts will easily break any speed-posting focused RP like my own. Removing the limit for older accounts is an absolute necessity.

Absolutely. The ratelimit is purely for new users and it falls to 1-second very rapidly, as in, within 10 posts. I might disable it entirely for new users posting from residential IP addresses since those are hard for spambots to post from.

@NuttsnBolts: Hopefully my post answers your main concerns.

In terms of the posting restrictions, is it at all possible to limit thread creation rates? In my experience with the spambots they've generally created their own thread as opposed to posting in existing ones, which may change if thread creations rates are limited for new users, but further fixes can always be amended later.

In my mind, new users are far less likely to create a whole host of new threads shortly after joining as opposed to posting.

Yeah, posting includes creating topics.

@Shienvien @Ellri: Account age isn't enough because, although unlikely, it's possible to then farm accounts and wait for them to age. One of the purposes of the ratelimit being post-based is to force spambots to reveal themselves.

The first feature we need is a regressive ratelimit. The fewer posts/PMs you have, the longer you have to wait between posting. This addresses the issue of a single spambot creating posts as fast as the forum can accept them (as it was in the recent spambot attack). I will also ratelimit by IP address so a spambot can't just even their spam across a bunch of accounts so easily.

For example, if an account has 0 posts, they would only be able to create a topic or post every 10 minutes. Once they get 5 posts, they can post every 5 minutes. Not sure of the numbers yet, and I obviously don't want to kill the momentum of a new user, but that's the idea. Really depends on what kind of spambot behavior we have.

Existing established users wouldn't be ratelimited (beyond perhaps a sanity-check of a few seconds to prevent double posting once and for all).

When addressing spambots, in my experience, you don't need perfect countermeasures, just countermeasures that makes things annoying enough for them to stop (if there's a human driving them). It's possible that a ratelimit alone is enough for me to re-enable registrations while I work on the following features.

The second feature is a moderation-queue for new accounts. It should be a list of the first 5 or so posts by each newly registered account. From there, mods can nuke spambots or, more importantly, promote new-but-legitimate users into full members so they can escape the ratelimit. That would make our lives a lot easier, bless our moderators who have had a very shitty modkit over the last two years.

The third feature is a general report-post/report-user system. Something we've needed for a long time but kept getting procrastinated due to our two-year lucky streak of minimal spambot issues.

The fourth feature, though more of an unlikely wishlist feature, would be a system for trusted users to vote to nuke spambots without mod intervention. Mods would simply see a feed of accounts nuked by the community which they could then reverse if there was some sort of wrongful nuking.

I'm implementing those in order (ordered by urgency) and hopefully the ratelimit alone is enough to discourage the spambots that attacked us last weekend.

Right now I'm trying to finish my rate-limiting system (and supporting modkit) so that I can turn registrations back on.

(I'll post more on that in a moment)

Catching up on some Guild work today.

@Mahz

Will the full friends list be fixed?

What issue are you having?

@Mahz Do you think you would want to see a model of a dice rolling system?

Sure. Honestly I've started building a dice system ~5 times but tend to lose steam once I realize I don't really know how people would want it to work on a forum.

This is unrelated to the spambot invasion but I was wondering if it's possible to have another sub-forum for 1x1 Interest Checks and roleplays that are explicit in sexual content to separate those that are not? It's warding off a lot of potential 1x1 roleplays that are interested in doing something that has nothing to do with mature/sexual content. There are very few threads that are in the interest checks that are not 18+ on content and it's really annoying to have them shoved off because of all the people bumping on their 18+ thread with literally everyone trying to have their 18+ thread on the first page.

Please considering doing something about this because it'd be a huge improvement as I'm a preferred of 1x1's but not of libertine, sexual content and I'm absolutely sure a lot of others can agree with me.

Yeah, it a good idea. This has come up a few times but I wasn't sure what would be best. Perhaps it'd be simplest for there to just be an 18+/adult section that people must opt-in to seeing.

Originally I was working on a unified roleplay/int-check search system where you filter by tags (so I'd just introduce some adult tags like "18+"), but it's too big of an undertaking for it to hold up features like a private adult forum. I think a subforum is the best compromise. I'll make an issue for it.

It's true that we discourage adult content in the public forum due to the terms of agreement with our advertising provider (Google), but the enforcement has been so lenient that the whole thing will best be resolved by a private adult subforum that doesn't serve ads.

Okay, Recaptchas should be off now.

Update: Ok, I think we've nuked the forum back into a tolerable state.

I hate that new-user registrations are now disabled, but tomorrow I'll begin the process of fleshing out some new system ideas for preventing this sort of spambot vandalism in the future. The sooner I figure out the next steps, the sooner new people can join the guild again.

For instance, maybe it's worthwhile to build a quick invite system so that existing, trusted members can let their friends join the forum if they know them off-site. Something like that in the meantime. Dunno yet.

I still have some straggler spambots to delete and possibly some bugs that have emerged during today's server hot-fixes.