#1057 Support to flag/disable suspicious accounts

Reporter Ge0rG
Owner Nobody
Stars ★★★ (5)
  • Priority-Medium
  • Type-Enhancement
  • Status-Started
  1. Ge0rG on

    There should be a way to mark/flag accounts as suspicious / spammy, without outright deleting them. I'm looking for a feature where I can automatically restrict an account that has performed shady activities like registering and not logging in for a month, sending masses of messages etc.pp. Deleting an account removes all the associated meta-data and makes recovery impossible in the case of erroneous flagging. It would be great to be able to "tag" an account, and that tag would be automatically applied to all sessions of that account on login, restricting it. A specific implementation could restrict all flagged accounts to only contact a single support JID and reject any other form of communication. A generic implementation could leverage mod_firewall to limit what the account's sessions are allowed to do, and provide different tags that can be applied.

  2. Zash on

    I imagined these "tags" as named timestamps, like mod_firewalls MARK ORIGIN, but persistently attached to accounts instead of sessions. These would be added on events such as account creation, login etc (like mod_lastlog), manually via eg an adhoc-command and a mod_firewall action. This should allow things like restricting new accounts until explicit admin approval, or time passed, and explicit account flagging. I'm not sure if MattJ had something different in mind.

    • tags Status-Accepted
  3. Ge0rG on

    I had imagined them as a mere list of strings, but I can see merit in having a string->timestamp relationship as well. "Time passed after account creation" is actually a metric that has been there before and is actively circumvented by spammers, by creating a bulk of accounts and using them only a month later.

  4. Zash on

    An attempt at this done in https://hg.prosody.im/prosody-modules/rev/165d2877eeac Actions: MARK USER=label UNMARK USER=label Condition: USER MARKED: label (optional timespec) Works like MARK ORIGIN & friends but is persistent and shared between all sessions of the same user. Loading and storing is done on resource bind and unbind and is cached as long as the user has at least one session online. The code for that is disabled by default unless `firewall_experimental_user_marks` is set to true.

    • tags Status-Started
  5. ge0rg on

    It would be a great thing to integrate those marks with mod_register_dnsbl_* as well :)

  6. MattJ on

    ge0rg: Have you used the code Zash committed? Any feedback?

  7. ge0rg on

    Integrated it into my mod_firewall based spambot detector now. Looks good, doesn't seem to crash. The caching feels a bit cumbersome (ensure that all sessions are offline, delete state), would be great to have some hacky(?) way to change it at runtime.

New comment

Not published. Used for spam prevention and optional update notifications.