Spam/bogus join requests


 

Hi All,

I've gotten several reports of groups getting subscription requests from clearly bogus accounts, and I can see it in the logs (a single IP address will go through and subscribe to a bunch of groups using different email addresses). These email addresses never confirm themselves.

Right now, the system treats not confirmed accounts as regular accounts for the sake of subscribing to groups. They can't post or do anything else, but they can subscribe to groups and they do show up in member lists, so owners can see that they're there and can force another confirmation email to be sent to them if needed.

What, if anything, should I change about this? I've gotten several complaints from restricted groups that have to deal with these bogus subscriptions. I can make it so that you can't join a group until you confirm your account, but that interrupts the subscription flow. I could do something like you could join a group as not confirmed, but the subscription doesn't become real until you confirm? I'd appreciate any ideas.

Thanks,
Mark


Douglas Swearingen <dougiebehr460@...>
 

Hello Mark,

I know in the case of the Chronic Pain group I Co-Own that is highly restricted, that we have the same restrictions as the Yahoo Account did.

That is they have to give a pain related reason for wanting to join the group as well as an agreement of the Groups Rules before we will approve them for membership.

The reasons being, in the Yahoo Group we found many people trying to join for three reasons we did not feel were legitimate reasons for membership.  One was trying to mine the members information to try and sell the latest gadget, another was trying to use the members to conduct research for College or other papers, and the third were questionable practitioners trying to mine the members as possible patients for themselves.

I do not know for sure how this would effect the Subscription flow.  Yes, it would slow down someone from simply applying to the group and them being an automatic member.

I do not know if this example helps you or not.

Doug


On Tuesday, February 28, 2017 2:40 PM, Mark Fletcher <markf@corp.groups.io> wrote:


Hi All,

I've gotten several reports of groups getting subscription requests from clearly bogus accounts, and I can see it in the logs (a single IP address will go through and subscribe to a bunch of groups using different email addresses). These email addresses never confirm themselves.

Right now, the system treats not confirmed accounts as regular accounts for the sake of subscribing to groups. They can't post or do anything else, but they can subscribe to groups and they do show up in member lists, so owners can see that they're there and can force another confirmation email to be sent to them if needed.

What, if anything, should I change about this? I've gotten several complaints from restricted groups that have to deal with these bogus subscriptions. I can make it so that you can't join a group until you confirm your account, but that interrupts the subscription flow. I could do something like you could join a group as not confirmed, but the subscription doesn't become real until you confirm? I'd appreciate any ideas.

Thanks,
Mark



Jim Ruby <jim@...>
 

Not sure if this is a good idea, but if they don’t confirm in an determined amount of time they can expire and be deleted.

 

 

 

From: beta@groups.io [mailto:beta@groups.io] On Behalf Of Mark Fletcher
Sent: Tuesday, February 28, 2017 3:41 PM
To: beta@groups.io
Subject: [beta] Spam/bogus join requests

 

Hi All,

 

I've gotten several reports of groups getting subscription requests from clearly bogus accounts, and I can see it in the logs (a single IP address will go through and subscribe to a bunch of groups using different email addresses). These email addresses never confirm themselves.

 

Right now, the system treats not confirmed accounts as regular accounts for the sake of subscribing to groups. They can't post or do anything else, but they can subscribe to groups and they do show up in member lists, so owners can see that they're there and can force another confirmation email to be sent to them if needed.

 

What, if anything, should I change about this? I've gotten several complaints from restricted groups that have to deal with these bogus subscriptions. I can make it so that you can't join a group until you confirm your account, but that interrupts the subscription flow. I could do something like you could join a group as not confirmed, but the subscription doesn't become real until you confirm? I'd appreciate any ideas.

 

Thanks,

Mark


 

On Tue, Feb 28, 2017 at 2:51 PM, Jim Ruby <jim@...> wrote:

Not sure if this is a good idea, but if they don’t confirm in an determined amount of time they can expire and be deleted.

 


The issue is more that the group owners don't want to be bothered at all by these bogus accounts. At the least, making them confirm the accounts before getting added (or pending) to a group.

Thanks,
Mark


 

Mark,

What, if anything, should I change about this? I've gotten several
complaints from restricted groups that have to deal with these bogus
subscriptions.
What is it the restricted group mods don't like?

That is, it is perilous to suggest mitigation ideas when I don't know what it is they don't like having to "deal with".

Is it the pending member notification? Maybe that can be deferred until the person confirms. Or maybe notification of an unconfirmed pending member is a separate notification checkbox.

Is it the mere presence of these NC members in their Members list? I don't see much hope for that without breaking the ability for mods to help legit but NC members get confirmed. Maybe a "confirmed only" view of the list in addition to Moderators, Pending, Bouncing and Banned?

Shal
https://groups.io/g/Group_Help
https://groups.io/g/GroupManagersForum


 

On Tue, Feb 28, 2017 at 01:40 pm, Mark Fletcher wrote:
I could do something like you could join a group as not confirmed, but the subscription doesn't become real until you confirm?

That sounds to me like what's being done already, so it must be semantics and what you mean by "doesn't become real." Not sure what you mean by a "real" subscription. Right now, aren't the NC members "not real" members in the sense that they don't have access to the group, don't receive and can't post messages, etc.? How would this change?

Our group doesn't have the problem with bogus subscriptions. In the case of the members who can't confirm, the members have always been legitimate, but just haven't been able to find their confirmation emails, even in their spam folders. This seems to be more infrequent lately than before, so I have no real stake in this and no strong opinion.
--
J

Messages are the sole opinion of the author. Especially the fishy ones.

I wish I could shut up, but I can't, and I won't. - Desmond Tutu


Duane
 

On Tue, Feb 28, 2017 at 01:40 pm, Mark Fletcher wrote:


I can make it so that you can't join a group until you confirm your account
Maybe not activate group subscription flow until the address is confirmed? (And have those expire after x days if it doesn't happen?) Basically, queue the subscriptions until confirmed. Many of the NC that I see on my groups are folks that mistyped the email address, so it could never be confirmed. I go in now and then to delete the extraneous ones.

Duane


Duane
 

On Tue, Feb 28, 2017 at 01:40 pm, Mark Fletcher wrote:


so owners can see that they're there and can force another confirmation email
to be sent to them if needed.
In addition to a subscription queue, how about if the system automatically sends a confirmation email (daily?), then toss the account if it hasn't been confirmed within some time frame (a week?) I don't believe there's a way for someone that is confirmed to go back to NC, only bouncing, so this might also be useful for busy mods.

Duane


Dave Sergeant
 

Just to clarify, while they are 'pending' can they read posts? Our
private groups (when it goes live) is set that only members can read
messages and it is important that remains the case. If that is the
case, and they can only view our homepage and little else, I don't see
a problem.

Dave

On 28 Feb 2017 at 13:40, Mark Fletcher wrote:

Right now, the system treats not confirmed accounts as regular
accounts for
the sake of subscribing to groups. They can't post or do anything
else, but
they can subscribe to groups and they do show up in member lists, so
owners
can see that they're there and can force another confirmation email to
be
sent to them if needed.

http://davesergeant.com


ro-esp
 

On Tue, Feb 28, 2017 at 10:58 pm, Dave Sergeant wrote:


Just to clarify, while they are 'pending' can they read posts?
Our private groups is set that only members can read messages
In that case, NO, they can't read any messages


On 28 Feb 2017 at 13:40, Mark Fletcher wrote:

Right now, the system treats not confirmed accounts as regular
accounts for
the sake of subscribing to groups. They can't post or do anything
else,
groetjes, Ronaldo


Charlie Jenkins <sk8erbyker@...>
 

I would prefer to see some level of confirmation before the subscription becomes real. It seems like this would be less of an interruption than having to send a separate confirmation email (for both the subscriber and the moderator). 


Dave
 

The linuxham group is one that as received as many as 30 bogus subscription requests a day.  This is a group dedicated to amateur radio and I simply reject or ban any request that does not identify the amateur call sign.  The membership never sees these requests, but they do add to the work load of volunteer list moderators.  I would be in favor of subscription confirmations.  Make sure that the confirmation is not one that is easily spoofed by a robot.

I would also suggest that a single IP address subscribing to several groups in a time window be automatically flagged and banned.

Thanks for the really great group forum Mark.

David


 

We are getting swamped witth these. We've gone from 7-15 pending members a day to 50-100.

The problem, Shal, is firstly the sheer volume (trying to fiind the person to approve in a list of five pages) but mainIy it's that we no longer know who is legitimate, so the people who are legitimate are no longer getting the help they need to join the group. We used to leave members pending for 3-5 days and send reminders to them but if we leave them for five days I could end up with 250 pending members or more. Even though I no longer give them so long to respond, we regularly have three pages worth of so-called pending members. I just rejected 115 or so this morning.

It's pretty obvious with some of them (I kind of guessed with donotreplyATairbnb.com), and when I had a host of them from one particular Russian company domain (weird that all the staff suddenly had sick cats), but I can't tell with all the gmail and yahoo addresses.

Ideally I'd like groups.io to somehow filter the baddies (this never used to happen, but I do have a join option on my website, I don't know if that's a factor) but I know that's easier said than done. At the moment I'd prefer the NC members not to show (they never did with yahoo!groups) but since I then wouldn't know about the legitimate NC members, maybe the system could send the confirmation e-mail to them every day.

I'm open to other suggestions.

Thanks.

Helen

On Tue, Feb 28, 2017 at 03:34 pm, Shal Farley wrote:

What is it the restricted group mods don't like?

That is, it is perilous to suggest mitigation ideas when I don't know
what it is they don't like having to "deal with".

Is it the pending member notification? Maybe that can be deferred until
the person confirms. Or maybe notification of an unconfirmed pending
member is a separate notification checkbox.

Is it the mere presence of these NC members in their Members list? I
don't see much hope for that without breaking the ability for mods to
help legit but NC members get confirmed. Maybe a "confirmed only" view
of the list in addition to Moderators, Pending, Bouncing and Banned?


Dave
 

As the owner / moderator of 3 groups I can appreciate Helen's frustration with the bogus membership requests.  It's obvious from the email addresses that these are generated by phishing robots.  Culling these bogus membership requests should not be the responsibility of individual group owners and moderators.  There are some very good tools available to deny global membership to robots.  The best I have seen requires a confirmation by visual recognition feedback, i.e. select all of the boxes which have a cat photo, or all of the boxes with a number, etc.  Wrong selection and the requester is toast.

The 14 day aging on the pending list is ludicrous.  Helen' list would grow to nearly 2000 if she waited for the system to handle the list.

I am experiencing different levels of phishing requests on the 3 groups and it appears to be related to the group name.  If it smacks of opportunity the group is attacked!  My group named "nbems" receives less than 10% of the bogus requests experienced by "linuxham".  The group "larg" is seldom targeted.

Please get this fixed!!

David

On 03/31/2017 04:12 AM, Helen wrote:
We are getting swamped witth these. We've gone from 7-15 pending members a day to 50-100. 

The problem, Shal, is firstly the sheer volume (trying to fiind the person to approve in a list of five pages) but mainIy it's that we no longer know who is legitimate, so the people who are legitimate are no longer getting the help they need to join the group. We used to leave members pending for 3-5 days and send reminders to them but if we leave them for five days I could end up with 250 pending members or more. Even though I no longer give them so long to respond, we regularly have three pages worth of so-called pending members. I just rejected 115 or so this morning. 

It's pretty obvious with some of them (I kind of guessed with donotreplyATairbnb.com), and when I had a host of them from one particular Russian company domain (weird that all the staff suddenly had sick cats), but I can't tell with all the gmail and yahoo addresses. 

Ideally I'd like groups.io to somehow filter the baddies (this never used to happen, but I do have a join option on my website, I don't know if that's a factor) but I know that's easier said than done.  At the moment I'd prefer the NC members not to show (they never did with yahoo!groups) but since I then wouldn't know about the legitimate NC members, maybe the system could send the confirmation e-mail to them every day. 

I'm open to other suggestions. 

Thanks.
 
Helen
 

On Tue, Feb 28, 2017 at 03:34 pm, Shal Farley wrote:

What is it the restricted group mods don't like?

That is, it is perilous to suggest mitigation ideas when I don't know 
what it is they don't like having to "deal with".

Is it the pending member notification? Maybe that can be deferred until 
the person confirms. Or maybe notification of an unconfirmed pending 
member is a separate notification checkbox.

Is it the mere presence of these NC members in their Members list? I 
don't see much hope for that without breaking the ability for mods to 
help legit but NC members get confirmed. Maybe a "confirmed only" view 
of the list in addition to Moderators, Pending, Bouncing and Banned?




Taffman <webmaster@...>
 

What would be really neat (but maybe only useful to my community?) is the ability to define sign up questions. If these fields had the ability to have REGEX validation behind them then you could weed out the undesirables by validating the sign up questions that way. It worked for me on one of the CRM sites I manage, just a thought.


David P. Dillard
 

Would it help to require a statement of why applicants want to join which could not be filled out by a machine properly, then you could glance at this box to see if it was a legitimate subscriber for any that make it through and quickly delete those that are not legitimate.




Sincerely,
David Dillard
Temple University
(215) 204 - 4584
jwne@...

On Fri, 31 Mar 2017, Dave wrote:

As the owner / moderator of 3 groups I can appreciate Helen's frustration with the bogus membership
requests.  It's obvious from the email addresses that these are generated by phishing robots.  Culling
these bogus membership requests should not be the responsibility of individual group owners and
moderators.  There are some very good tools available to deny global membership to robots.  The best I
have seen requires a confirmation by visual recognition feedback, i.e. select all of the boxes which
have a cat photo, or all of the boxes with a number, etc.  Wrong selection and the requester is toast.
The 14 day aging on the pending list is ludicrous.  Helen' list would grow to nearly 2000 if she waited
for the system to handle the list. I am experiencing different levels of phishing requests on the 3
groups and it appears to be related to the group name.  If it smacks of opportunity the group is
attacked!  My group named "nbems" receives less than 10% of the bogus requests experienced by
"linuxham".  The group "larg" is seldom targeted. Please get this fixed!! David On 03/31/2017 04:12 AM,
Helen wrote:
We are getting swamped witth these. We've gone from 7-15 pending members a day to 50-100. The problem, Shal, is firstly the sheer volume (trying to fiind the person to approve in a list of five
pages) but mainIy it's that we no longer know who is legitimate, so the people who are legitimate are no longer getting the help they need to join the group. We used to leave members pending for 3-5 days a
nd send reminders to them but if we leave them for five days I could end up with 250 pending members or
more. Even though I no longer give them so long to respond, we regularly have three pages worth of so-
called pending members. I just rejected 115 or so this morning. It's pretty obvious with some of them (I kind of guessed with donotreplyATairbnb.com), and when I had a
host of them from one particular Russian company domain (weird that all the staff suddenly had sick ca
ts), but I can't tell with all the gmail and yahoo addresses. Ideally I'd like groups.io to somehow filter the baddies (this never used to happen, but I do have a jo
in option on my website, I don't know if that's a factor) but I know that's easier said than done. At the moment I'd prefer the NC members not to show (they never did with yahoo!groups) but since I then wo
uldn't know about the legitimate NC members, maybe the system could send the confirmation e-mail to the
m every day. I'm open to other suggestions. Thanks.
Helen
On Tue, Feb 28, 2017 at 03:34 pm, Shal Farley wrote:
What is it the restricted group mods don't like?
That is, it is perilous to suggest mitigation ideas when I don't know what it is they don't like having to "deal with".
Is it the pending member notification? Maybe that can be deferred until the person confirms. Or maybe notification of an unconfirmed pending member is a separate notification checkbox.
Is it the mere presence of these NC members in their Members list? I don't see much hope for that without breaking the ability for mods to help legit but NC members get confirmed. Maybe a "confirmed only" view of the list in addition to Moderators, Pending, Bouncing and Banned?


Carol Good
 

Would it help to require a statement of why applicants want to join which
could not be filled out by a machine properly, then you could glance at
this box to see if it was a legitimate subscriber for any that make it
through and quickly delete those that are not legitimate.
So far we haven't had any spam signups to our recently moved group. Back in the early days we took the decision to ask applicants to reply giving a name/nickname, age and location before membership was approved. We don't have a large membership, nor do we expect more than a couple of signups a month (if we're lucky!) but spam signups won't respond to a request for details. We had a long period with this issue at yahoogroups (when we were busier with signups) and it was easy to weed out the spammers.

Carol


 

Thank you. I have always had a questionnaire before you can join any of my groups. Unfortunately it doesn't really help in this situation. One of my groups is completely untouched by this problem, the other is overwhelmed.

The lack of response to the questionnaire does not mean the applicant is a spammer. Spammers never fill out the questionnaire, but quite a few legitimate applicants don't either (even before the spam addresses appeared, I rejected more than I accepted, though everyone gets a second chance to join when I reject them). This is my problem, it is hard to spot and help those people in the midst of the spammers. Many of the suspected spammers have ordinary looking e-mail addresses, so I have no way of knowing who is who.

If there is no other way forward, I think I would prefer not to even see any pending members unless they have moved on from NC.

Helen


 

If this is a box on groups.io, I think it's an interesting idea, and even nicer if I don't see the applications to join unless it's completed properly. I just hope it isn't too much for some people though. I loathe captchas myself, and I do have some blind members and don't want to make life harder for them (though I know most of the time they can use an aural captcha instead).

Thank you.

Helen (moderated here. Bizarre)


 

Mark,

Helen wrote:

The problem, Shal, is firstly the sheer volume (trying to fiind the
person to approve in a list of five pages) but mainIy it's that we no
longer know who is legitimate, so the people who are legitimate are
no longer getting the help they need to join the group.
Perhaps it would help if the Pending Approval list could be sorted or filtered by NC status. Of course, that still doesn't help find the "legit" applicants who happen to still be NC.

Helen,

Ideally I'd like groups.io to somehow filter the baddies ... but I
know that's easier said than done.
Right. I don't know if there's any systematic way Mark can weed these out based on information he has that we don't.

... (this never used to happen, but I do have a join option on my
website, I don't know if that's a factor)...
I would guess these are caused by messages sent to the group's +subscribe address, not by access to the "Apply For Membership" (or Join) button on the group's home page. Can you confirm or falsify that based on Activity Log entries?

For email subscription I'm assuming Mark already has some filtering on this based on source authentication (SPF & DKIM) - elsewise I think we'd all have long since been buried by the spambots. So these requests are likely coming from compromised email accounts; or like the airbnb example "backscatter" from attempted use of the group's +subscribe address to access another service.

Shal
https://groups.io/g/Group_Help
https://groups.io/g/GroupManagersForum