# Filter/delay on new account posting



## BecSon (Jun 12, 2022)

Recently there is a spammer on FA using the browsing tab to spam graphic irl imagery AND linking to a Discord which is not giving up, abusing the ability to INSTANTLY post without any verification of said imagery.

The best part is it takes mods several minutes because they are real people.

Why in the seven rings of hell do we not have 1. a verification system to see if it's not just the same person over and over, 2. any program that recognizes that this is the same malicious imagery and automatically disables said person's ability to send the same image over and over, images have data that cannot be changed even if they change the name or file type. 3. blacklisting of certain IPs, while VPNs exist it doesn't hurt to cover ALL the bases. 4. a WAIT 24 HOUR SYSTEM FOR NEW ACCOUNTS, literally the simplest way to identify if a new account is not good is by looking at what they're doing in said wait time.


----------



## Oddcreepyhaunts (Jun 12, 2022)

I was wondering if anyone was gonna talk about this


----------



## BecSon (Jun 12, 2022)

Oddcreepyhaunts said:


> I was wondering if anyone was gonna talk about this


People NEED to start talking about this, it's every 5 months now and FA staff put a bandage on it before that bandage gets ripped off 5 seconds later.


----------



## Oddcreepyhaunts (Jun 12, 2022)

Yea I just seen it twice in this week!
I think they shouldn't just only ban and forget tho
heck it keeps linking to a discord for some reason and idk if I wanna find out what goes on there


----------



## quoting_mungo (Jun 13, 2022)

BecSon said:


> 3. blacklisting of certain IPs, while VPNs exist it doesn't hurt to cover ALL the bases.


I can say with confidence that this is something FA does have. There’s a lot of reasons to use it sparingly (I don’t believe they can be set to automatically expire, for one, and most ISPs use dynamic IPs), and in the case you describe it wouldn’t surprise me if the abuse came from several distinct sources (links to a Discord server to me suggests that it _could_ very well be a case of a “raid” organized on that server).

I totally get your reasoning, and sadly can say from experience that it’s a lot less clear-cut than it seems.


----------



## Dragoneer (Jun 13, 2022)

BecSon said:


> Recently there is a spammer on FA using the browsing tab to spam graphic irl imagery AND linking to a Discord which is not giving up, abusing the ability to INSTANTLY post without any verification of said imagery.
> 
> The best part is it takes mods several minutes because they are real people.
> 
> Why in the seven rings of hell do we not have 1. a verification system to see if it's not just the same person over and over, 2. any program that recognizes that this is the same malicious imagery and automatically disables said person's ability to send the same image over and over, images have data that cannot be changed even if they change the name or file type. 3. blacklisting of certain IPs, while VPNs exist it doesn't hurt to cover ALL the bases. 4. a WAIT 24 HOUR SYSTEM FOR NEW ACCOUNTS, literally the simplest way to identify if a new account is not good is by looking at what they're doing in said wait time.


This is something we have been combating since FA came about. In fact, most sites tend to be dealing with the same issues. It's not just an FA-specific issue, not by far.

We have email verification and ways to check that.
We do have ways to block certain files, but otherwise, we would basically need to implement an algorithm to scan and check every upload. This has a cost/resource investment to implement, and the question becomes how do we pay for it. Everything costs/requires something.

Also, "images have data that cannot be changed" is simply not true. You're thinking of hash blocking, which can be defeated simply by changing a single pixel and resaving the image. It takes somebody determined seconds to circumvent it.
There's an absolute megaton of VPNs out there, each with thousands/tens of thousands of IPs. There's ways we could shore up certain things, and we have been, but you can't just block a VPN. You have to manually block the entire range of IPs, and those IPs are changing on a day to day basis, and the VPNs don't exactly make a public list of all their IP addresses.

Eventually you hit a point where your actions start to have a negative impact on regular issues.
Wait 24 hours for new accounts to... do what exactly? I understand your frustration, I really do. But what happens after 24 hours? What stops a person from pre-creating a dozen accounts, each with their own unique IP and email address? Further, this seems to imply a person is manually verifying and investigating every new account during that time. There's literally thousands of accounts created a week.
There's honestly no simple solution to it, as almost anything you could implement either has a cost or huge limitations. It's something we've been combating for years. It's something every site is constantly fighting against.


----------



## quoting_mungo (Jun 13, 2022)

Dragoneer said:


> Also, "images have data that cannot be changed" is simply not true. You're thinking of hash blocking, which can be defeated simply by changing a single pixel and resaving the image. It takes somebody determined seconds to circumvent it.


I think they're thinking about metadata? Maybe. Which still isn't very hard to get rid of or change.

A temporary (like, max a week, probably less, just to prevent false positives in the long run) upload block for hash matches for any nuked submission _might_ slow things down a _little_ bit (any automation would have to incorporate extra steps to change that single pixel, and I'm sure there's some would-be trolls out there who don't realize how easy it is to get a new hash for an image), and if it's resource-cheap (very much unlike image search type matching) it _could_ maybe be worth it. But yeah - that very much depends on whether the resource tradeoff is small enough, and by no means would be a flat neat solution to resolve the larger issue.

This is me agreeing with you, to be clear. And also cringing on your behalf because I remember the fucking mess it was any time someone decided to pull one of these stunts. (And of course how invisible successful interventions are.)

The best resource-cheap option I can think of is more severe flood protection for new accounts diminishing over time and/or with uploads, which should have minimal effect on legitimate users (possibly excluding people who are moving from one account to another) who are unlikely to run into the limits, and hobble rapid-fire flooding from single accounts. Not sure if forcing it to spread out over multiple accounts is ultimately a net win, granted. It's definitely a no-perfect-solution situation here, with the attackers having much less to lose than the site does.
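The two resource-cheap measures discussed in the post above (a temporary exact-hash block for removed submissions, and flood limits for new accounts that relax with age and uploads), sketched as an added example that is not part of the original thread or FA's code. The constants and the `UploadGate` and `hourly_limit` names are assumptions chosen for illustration.

```python
import hashlib

HASH_BLOCK_TTL = 7 * 86400   # assumed: blocks expire after a week ("max a week" in the post)
BASE_LIMIT = 2               # assumed: uploads per hour for a brand-new account
MAX_LIMIT = 30               # assumed: ceiling for established accounts
WINDOW = 3600                # sliding window, in seconds

def hourly_limit(account_age_s, accepted_uploads):
    """Quota grows with account age (+1 per day) and history (+1 per 5 kept uploads)."""
    earned = account_age_s // 86400 + accepted_uploads // 5
    return min(MAX_LIMIT, BASE_LIMIT + int(earned))

class UploadGate:
    def __init__(self):
        self.blocked = {}    # sha256 hex digest -> expiry timestamp
        self.recent = {}     # account id -> upload timestamps inside the window

    def block_removed_file(self, data, now):
        """Called when staff remove a submission: block exact re-uploads temporarily."""
        self.blocked[hashlib.sha256(data).hexdigest()] = now + HASH_BLOCK_TTL

    def check(self, account, age_s, accepted, data, now):
        """Return (allowed, reason) for one upload attempt."""
        digest = hashlib.sha256(data).hexdigest()
        expiry = self.blocked.get(digest)
        if expiry is not None:
            if now < expiry:
                return False, "hash-blocked"
            del self.blocked[digest]          # block has expired, forget it
        # Keep only timestamps still inside the sliding window.
        stamps = [t for t in self.recent.get(account, []) if now - t < WINDOW]
        if len(stamps) >= hourly_limit(age_s, accepted):
            self.recent[account] = stamps
            return False, "rate-limited"
        stamps.append(now)
        self.recent[account] = stamps
        return True, "ok"
```

The hash check only catches byte-identical files, which is the limitation raised earlier in the thread; the age-scaled quota is what bounds how fast a single new account can post regardless of file content.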


----------



## Inferndragon (Jun 19, 2022)

Another idea that could potentially help is having it for people to post any art. Would be for them to verify their account using a phone number and then using a Text 2 step verification thing (For only the first time they post).

This would be useful for you as it would allow you to tie "multiple" accounts together (Mainly the people who are less technically savvy)
So if one account was banned for X reason you could also ban the others that are "linked" together.

It wouldn't stem the tide completely, but it could help a little bit with weeding out repeat offenders.


----------



## Dragoneer (Jun 19, 2022)

Inferndragon said:


> Another idea that could potentially help is having it for people to post any art. Would be for them to verify their account using a phone number and then using a Text 2 step verification thing (For only the first time they post).
> 
> This would be useful for you as it would allow you to tie "multiple" accounts together (Mainly the people who are less technically savvy)
> So if one account was banned for X reason you could also ban the others that are "linked" together.
> ...


But who pays for something like that? What devs are we pulling off one project and putting onto another? This is a reasonable suggestion, but something like this isn't free, nor even cheap, and every time you add to the dev pool it takes away from other projects and has a cost. Plus the moment you require that you now kind of have to require it for everybody.

That said, we're aware of the problem and are working towards it.


----------



## quoting_mungo (Jun 20, 2022)

Dragoneer said:


> But who pays for something like that? What devs are we pulling off one project and putting onto another? This is a reasonable suggestion, but something like this isn't free, nor even cheap, and every time you add to the dev pool it takes away from other projects and has a cost. Plus the moment you require that you now kind of have to require it for everybody.
> 
> That said, we're aware of the problem and are working towards it.


IMO it’s reasonable until you consider how varied FA’s community is. It’s kinda unavoidable that a website be gated behind Internet access, but we shouldn’t forget the possibility of perfectly legitimate users who cannot (for one reason or another) use sms-based 2FA. Maybe they’re in a situation where the texts they receive aren’t private. Maybe they don’t have access to a reliable cell network, or a cell phone. Increasingly uncommon in today’s world, but they still don’t deserve to be shut out.


----------



## Dragoneer (Jun 20, 2022)

quoting_mungo said:


> IMO it’s reasonable until you consider how varied FA’s community is. It’s kinda unavoidable that a website be gated behind Internet access, but we shouldn’t forget the possibility of perfectly legitimate users who cannot (for one reason or another) use sms-based 2FA. Maybe they’re in a situation where the texts they receive aren’t private. Maybe they don’t have access to a reliable cell network, or a cell phone. Increasingly uncommon in today’s world, but they still don’t deserve to be shut out.


And again, the costs.

As I said, I have a much better concept in mind that I've discussed with the team, and one I think is pretty cool overall. It's just a matter of resources.


----------



## quoting_mungo (Jun 20, 2022)

Dragoneer said:


> And again, the costs.
> 
> As I said, I have a much better concept in mind that I've discussed with the team, and one I think is pretty cool overall. It's just a matter of resources.


Oh, yes, absolutely, people underestimate the costs. My point was more that even without the costs being a factor (in a magical imaginary world where FA is an independently wealthy business entity), such a system would shut part of the community out, and shutting part of the community out is very much undesirable.


----------



## Dragoneer (Jun 20, 2022)

quoting_mungo said:


> Oh, yes, absolutely, people underestimate the costs. My point was more that even without the costs being a factor (in a magical imaginary world where FA is an independently wealthy business entity), such a system would shut part of the community out, and shutting part of the community out is very much undesirable.


Yeah, I just always emphasize costs.

For example, we've got a big new feature to open up on the site (official support for 4K image posting) but in order for us to roll it out en masse we need more storage space, which requires some significantly beefy upgrades. Implementing anything always has a cost, be it dev time, resources, or bandwidth, so it's something I generally like to reiterate with these kinds of posts.


----------



## quoting_mungo (Jun 20, 2022)

Dragoneer said:


> Yeah, I just always emphasize costs.
> 
> For example, we've got a big new feature to open up on the site (official support for 4K image posting) but in order for us to roll it out en masse we need more storage space, which requires some significantly beefy upgrades. Implementing anything always has a cost, be it dev time, resources, or bandwidth, so it's something I generally like to reiterate with these kinds of posts.


Yup, that’s absolutely fair!

I lean towards pointing at human issues and technical challenges if they’ve not already been raised (and resource costs if they have) to make sure bases are covered. The sort of numbers involved are often larger than people assume, and FA’s assets/income seems chronically overestimated, so if what gets the point across is “you’d be shutting people out of the platform through no fault of their own,” I figure that’s a point worth raising as well.


----------



## Dragoneer (Jun 20, 2022)

quoting_mungo said:


> Yup, that’s absolutely fair!
> 
> I lean towards pointing at human issues and technical challenges if they’ve not already been raised (and resource costs if they have) to make sure bases are covered. The sort of numbers involved are often larger than people assume, and FA’s assets/income seems chronically overestimated, so if what gets the point across is “you’d be shutting people out of the platform through no fault of their own,” I figure that’s a point worth raising as well.


Yeah, it's far more complex than that, especially after recent events.


----------



## Foxridley (Jun 21, 2022)

Dragoneer said:


> This is something we have been combating since FA came about. In fact, most sites tend to be dealing with the same issues. It's not just an FA-specific issue, not by far.
> 
> We have email verification and ways to check that.
> We do have ways to block certain files, but otherwise, we would basically need to implement an algorithm to scan and check every upload. This has a cost/resource investment to implement, and the question becomes how do we pay for it. Everything costs/requires something.
> ...


I know you've mentioned limited resources, so I don't know how that might apply here. On Wikipedia it is possible to block an IP range; this is used sparingly for the most part, but some egregious cases call for it.


----------



## Dragoneer (Jun 21, 2022)

Foxridley said:


> I know you've mentioned limited resources, so I don't know how that might apply here. On Wikipedia it is possible to block an IP range; this is used sparingly for the most part, but some egregious cases call for it.


The problem is IP ranges don't really apply to a VPN, and if you block a VPN or an entire ISP, you potentially block hundreds of legitimate users.


----------

