Composr Tutorial: Dealing with annoying users
Written by Chris Graham
Composr provides a number of ways to deal with annoying users or users who do not adhere to your site policies (for a good discussion of site policies see the Legal and social responsibilities tutorial). Some of these tools actively enforce your policy, some of them allow you to 'moderate' to maintain your own policy, and some of them provide punishment for users that abuse policy (such that they may be removed from causing further harm, or made an example of such that other users do not 'follow suit').
Active filters (word filter and field filter)
There is a simple word filter which will allow you to prevent a list of words from appearing on your site, unless the user that posts them has the privilege to bypass the word filter. Access the word filter from:
Admin Zone > Security > Word filter.
The word filter makes no attempt to try and detect when users try to 'cheat it', as this would be a futile struggle: if users abuse the filter, then they almost certainly know that they are doing so, and thus are setting themselves up for punishment.
In addition to the word filter there is a more sophisticated filtering system: the form field filter system.
Validation
Composr, by default, will not allow most forms of non-trusted content to appear live on the website without validation by the staff. When a user that is not in a trusted usergroup posts content, then they will have no choice but to have it posted as not validated, and a notification will be dispatched to the staff. The staff can then choose what to do with the content (as part of their "moderation" duties).
There is a module where staff can see all content which is not validated (in case the notification was missed or disabled):
Admin Zone > Audit > Not validated resources
By default, the forum, the chatrooms, and Wiki+, are the main exceptions where validation is not required. This is because these are community orientated areas of the website, where instant posting is desirable.
Naturally, privileged users may edit and delete any content on the system; by default, these privileged users are those in the staff usergroups. It is possible to configure Composr so that users may edit/delete their own content though, or even all content if you like.
It's a common practice to use rank to automatically grant additional access, such as bypassing validation. Rank is discussed in the Tools for subsites and subcommunities tutorial.
Content privacy
Members may specify the privacy settings for content they post, if the content_privacy addon is installed. For example, they may post an image and set it so only their friends may view it.
Warnings / Punishments
There are a number of ways to punish members who do not follow site policy (such as trolls), including:
- Charging points from the member
- Banning them in various ways described under "Banning"
- Moving them to a restricted usergroup (there's an inbuilt "Probation" feature to move them automatically into probation usergroup for a limited period of time)
- 'Verbally' (unofficially) warning them, via a Private Topic or other means of private communication
- Giving them a formal warning via the warn form (read on)
As all these methods work on members, but only banning by IP address works for guests, you may wish to consider making it a requirement for all users to join in order to participate on the website. In other words, you may wish to remove privileges for guests to make submissions. Guests by default do not have the privilege to submit content in Composr sites.
All the various punishment tools are brought together for convenience on one screen named "Warn member" (Conversr only).
This screen can be accessed from either:
- members' post ("Warn" button) (recommended method when punishing a member for a forum post they made; you will have more punitive options)
- or, from any member-profile screen ("Warn member" or "Deal with as spammer" under Audit)
Warnings Form
The warnings form consists of the following options that can be utilised to easily deal with problematic members or spammers:
- Warning Type: A "Formal Warning" counts towards the member's total number of warnings, whereas an "Off-the-book Warning" does not. Furthermore, off-the-book warnings are not listed to the member on their profile (but if you issue punitive actions, those might still show up while they are active).
- Punitive Actions
  - Ban the member's IP address: Bans the last-known IP address of the member so they (and others) can no longer access the website from that IP. The ban is performed on the .htaccess file so they cannot even access the website anymore. Note that if you ban the IP address but not the member, they can still log in from another IP address / device.
  - Ban member: This prevents the member from being able to log in to their account anymore, but they can still use the site as a guest. Additionally, other visitors can no longer view their profile. Note that it is still possible for a member to register a new account (e.g. from a different IP address and using a different username).
  - Change usergroup to: Change the primary usergroup to which this member belongs (such as to de-rank them).
  - Extend probation: Start a probation period, or extend an existing one, by this many days. The member will only have the permissions assigned to the "Probation" usergroup regardless of any other usergroup they are in until probation expires.
- Delete content
  - A list of recently posted content by the member will appear in this section. You can choose which content to delete. This is handy for quickly mass-deleting spam content posted by a member.
- Charge or Reverse Points
  - A list of point transactions involving this member within the last 7 days (50 maximum) will appear. You can choose which ones to reverse. You do not have to reverse ones for which you are deleting the associated content; they will be reversed automatically. Reversed points will also be subtracted from the member's life-time points.
  - Charge points: Take points away from the member. It is permissible to charge more points than they have in their balance; this will put their balance in negative points. Charges will add an anonymous record in the points ledger. Charged points will subtract from the member's life-time points (unlike debiting points from their points profile) because it is considered a punishment to their rank. However, they will not automatically be reassigned the correct usergroup if they lost a rank. You should reassign their usergroup manually via the 'Change usergroup' punitive action.
- Explanatory Text
  - You can load a previously-saved explanatory reason and message by clicking the "Load an explanation/message" link.
  - Reason: A brief categorical reason for the warning (use what is most relevant). This is used in the logs and in statistics (for filtering and categorising by reason; useful for transparency reports). Some default reasons are provided in the dropdown via the EXPLANATORY_TEXT_DEFAULT_LIST language string (though you can also specify your own):
    - Child Exploitation: Any violations involving minors especially but not limited to grooming or distribution of sexual material of minors
    - Extremism / Terrorism: Promoting extreme and dangerous ideologies / conspiracies; making violent plots; intimidating the community at large or inducing panic
    - Fraud / Scams: Any violations involving the theft / abuse or attempted theft / abuse of money or points
    - Harassment / Bullying: Repeatedly bothering certain members; manipulation; intimidating specific members; making others feel unsafe or unwelcome; blackmail
    - Harmful Substances: Sale or promotion of harmful drugs or substances (this could also include prescription drugs or controlled substances depending on where you sit regarding that for your site)
    - Hate Speech / Prejudice: Inciting violence or harm; targeting others based on a protected class
    - Impersonation: Pretending to be another member or staff
    - Intellectual Property: Any violations involving the infringement or plagiarism of copyright, trademark, intellectual property, content, or the like. This also includes sharing cracks / cheats / patches / serial codes for games or software.
    - Misinformation / Disinformation: Knowingly spreading false or manipulated / misleading information without clearly indicating such (e.g. satire or parody)
    - Privacy: Any violations involving the privacy of others, such as exposing the personal information of others publicly or re-posting content belonging to someone else in a more public area of the site
    - Security / Site Integrity: Any violations involving the security / integrity of the site such as hack attempts, abusing site features, spreading dangerous files, or disrupting the performance of the site or server
    - Sexual Content: The unwanted sharing of any sexual content or nudity, or the sharing of such in a non-restricted section of the site
    - Spam: Posting any unwanted, low-quality, or irrelevant content (e.g. advertisements, copypasta, flooding the forums, posting in the wrong places of the site)
    - Toxic Behaviour: Any general behaviour not classified by other categories considered to be toxic in nature and upsetting the community (e.g. trolling, being obnoxious / obscene, excessive profanity)
    - Violence / Gore: Any content or behaviour which is violent / aggressive in nature or containing / glorifying bodily harm
    - Other Illegal Violation: Any violations not covered in the other categories which violate local laws
    - Other Non-illegal Violation: Any violations not covered in the other categories which do not violate local laws but are still unwanted in nature for the site
  - Message: You have the ability to write a Private Topic message to be sent to the member for their warning. You could include details about what punitive actions you are taking, reminders to re-read the rules / next steps to take, repercussions for future violations, and so on. You may not want to include punitive actions in this field if you tick (check) the Include punitive actions in message tickbox (checkbox).
  - Save explanatory details: If you want to save what you wrote in the "Reason" and "Message" fields for later use, you can provide a name here. The next time you want to use it, click the "Load an explanation/message" link at the top of the "Explanatory Text" section to pre-populate a saved reason and message. If you have Include punitive actions in message ticked (checked), the auto-generated punitive actions are not included in the saved message.
  - Include punitive actions in message: Auto-generate information about what punitive actions you are taking for the Private Topic sent to the member. This is beneficial so you do not have to write them yourself in the message. But it also allows you to better manage saved reasons / messages; you can re-use a saved reason / message without having to edit it for the punitive actions you are taking now.
A note about Private Topics sent for warnings: A private topic will not get sent to the member for their warning if nothing is written in the "Message" field and "Include punitive actions in message" is unticked (unchecked). Also, if "Message" is blank but "Include punitive actions in message" is ticked (checked), a private topic will get sent, but it will only contain the punitive actions taken.
All punitive actions are defined in hooks under hooks/systems/cns_warnings. You can develop additional punitive actions for the warnings system (e.g. through non-bundled addons) by making new hooks. See the "ban_ip" hook for a basic example. In each hook are the following methods:
- get_details: return null to disable the hook or an array of details, such as 'order' to define the field order on the warnings form.
- generate_text: generate past-tense text to explain the punitive action taken (used in the warnings history)
- get_form_fields: renders / attaches form fields, intro paragraph text, and/or hidden fields on the warning form for this punitive action
- actualise_punitive_action: actualises / applies the punitive action on the member. This gets called for every hook when the warning is submitted, so you should check if an action should actually get applied via POST parameters from the form. You must add a record into the f_warnings_punitive table for each punitive action applied, and you should also call log_it or cns_mod_log_it. The warnings module does not do these automatically as some hooks may apply more than one punitive action (e.g. deleting multiple forum posts). The logs will be associated with the warning ID.
- undo_punitive_action (optional): reverses a punitive action when a staff member clicks "Undo" on the warning history for the action. If the method is not defined, then no undo action will be allowed for this hook. You do not need to do anything with f_warnings_punitive here; the warnings module will take care of that. However, you should log_it or cns_mod_log_it the reversal. The log will be associated with the warning ID. Note that if actualise_punitive_action applies more than one action, then each action will have their own individual undo capability, so undo_punitive_action should not undo more than one action at a time.
- get_stepper (optional): defines an array of maps to be displayed on the member's 'Standing' profile tab including for the stepper at the top. Each map in the array contains the following:
  - order: Integer defining the order of steppers and information (lower is to the left on the stepper, further up for information). If multiple hooks or items define the same order, it is assumed they use and control the same stepper and thus will be merged.
  - label: The short label for the stepper item
  - explanation: A tooltip explaining when the stepper is highlighted / active
  - icon: A path to an icon to use on the stepper
  - active: Whether the stepper item is highlighted
  - active_color: A class in stepper.css to define the colours of the stepper when highlighted
  - info: An array of maps indicating items to display under the stepper for further explanation / information (e.g. explaining the active punitive actions, where they apply, and when they expire). Each map contains icon (a path to an icon) and text (the Tempcode to use for the list item). Should be left an empty array to not add any items to the list.
Probation
The probation feature is designed to work via the warnings system. You could manually put a member into the probation usergroup, but it's not advisable because any secondary usergroups they are in may lead to extra undesirable privileges. Furthermore, manually adding them to the probation usergroup will not show up on their 'Standing' tab. The recommended method is to set the time until which they finish probation, either via editing their account or using the warn form.
If you use the warnings system to put a user in probation, Composr automatically returns their only usergroup as Probation, disregarding other settings until their probation expires. Their usergroups will continue to display as normal, but from a permission point of view, they'll only be in the Probation usergroup.
Banning
There are many methods for banning a Composr user:
- Banning a member via editing their member account. This is perhaps the most useful method of banning and shows them an error when they next log in telling them they've been banned. It also prevents others from being able to see their profile anymore which is especially useful if they spammed stuff on their profile. Note that there is no way to prevent a user re-joining with a new username; members can still re-join with a different IP, username, and/or e-mail address.
- Banning an IP address, or IP address range. Banning IP addresses is useful to totally remove a user's ability to access the site; unfortunately, users can very easily switch IP addresses so it is not a perfect tool. More information about IP addresses is given in the Using IP addresses to trace users tutorial.
- 'Banning' a member via changing their usergroup to one with virtually no privileges. This is useful if you want to reduce access in a highly customised fashion. It is highly recommended to use the probation mechanism for this.
- Banning member submission. This is useful if you only want to ban a member from making submissions, and not the whole site; it is done from the Action Logs module (accessed from Admin Zone > Audit > Action logs). This feature is also useful if you are not using Conversr, and want to ban a member in Composr, but not in the forum.
Advanced banning
Some sites may experience very persistent and difficult spammers. Composr is good for automatically penalising/blocking bots. Composr has great tools for dealing with regular spammy users. However, human users in poorer countries may earn a living by repeatedly going through large numbers of sites (perhaps on a spreadsheet), manually registering and posting spam under fresh accounts (including fresh e-mail addresses and fresh IP addresses) each time. As the e-mail addresses of such users are throw-away, it can be impossible to contact them to even let them be aware that you are deleting their spam and their efforts are worthless. Spammers can use different IP addresses to post by using proxies (which may be hacked servers), or simply by forcing a new IP address to be pulled from their ISP.
Composr has 2 advanced banning features to deal with this:
- Automatic banning – ban users who post certain strings, in a definable way (before the spam even can go through)
- Reasoned bans – show special messages to banned users
Reasoned bans may often be used to scare a spammer that you have researched but otherwise cannot contact. You can provide customised responses to them to let them know you are treating their spam seriously.
Configure reasoned bans in XML from Admin Zone > Setup > Configuration > Configure advanced banning – or by hand-editing data_custom/xml_config/advanced_banning.xml based on the default data/xml_config/advanced_banning.xml.
Here's an example based on some actual spam that was affecting the composr.app forums:
Code (XML)
<advancedBans>
    <!-- Quotes inside an attribute value must be written as &quot; or the file is not well-formed XML -->
    <automaticRule trigger="https://americanmadepro.com/" pages="topics" types="_new_topic" action_member_ban="true" action_reasoned_ban="pakistani_spammer" action_ip_ban="false" />
    <reasonedBan codename="pakistani_spammer" http_status="451" title="Violation of The Prevention of Electronic Crimes Act, 2016" image_url="uploads/website_specific/spam/logo.png" message="Your account has been found in violation of [url=&quot;Islamic Republic of Pakistan - Ordinance LXXII&quot;]uploads/website_specific/spam/law.pdf[/url]. Your account is therefore banned, pending possible legal action for the entity behind {IP_ADDRESS}." />
</advancedBans>
Here we are automatically banning users posting a link to a certain website; upon review we found the spammers were mostly posting from Pakistan, and the website was hosted in Pakistan. We do not IP-ban them because we want them to actually see the ban message. The ban message lets the spammer know they are in violation of Pakistani law, with a link to the copy of the law we hosted, the logo of the Pakistani government to make it look official, and their IP address. A "blocked for legal reasons" HTTP status is used.
There is also a redirect_url parameter for reasonedBan that we are not using, that will redirect the banned member to a URL of your choice.
This system may seem extreme, but sometimes extreme measures are needed to deal with the most persistent of spammers. It could also be used to deal with people posting far-right/far-left/Islamist material that is designed to radicalise people into violent revolution – by banning such people and redirecting those people to a deradicalisation programme.
Note that reasoned bans will not work when banning someone by IP address. The software intentionally bails out early with a generic error message when someone tries accessing the site from a banned IP address. This means the reasoned ban system never gets loaded when that happens.
Automatic bans are similar to the security alerts (hack-attacks). The difference is hack-attacks are general hacker/spammer signals Composr is hard-coded to be able to detect, are individually logged as incidents, and cumulate towards IP bans – while automatic bans are custom defined by the webmaster for clear specific threats, resulting in immediate configurable banning.
The advanced banning configuration also has <hackattack> rules, which are documented in the Security tutorial.
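The following lint for an advanced_banning.xml file is an added example, not code from Composr. It checks the three things the text above implies can go wrong: the file is not well-formed (for instance unescaped quotes inside message), a rule names a reasoned ban that is not defined, or a rule combines an IP ban with a reasoned ban whose message would then never be shown. Element and attribute names are taken from the example on this page; the sample documents are constructed, and treating a missing action_ip_ban as "false" is an assumption.

```python
import xml.etree.ElementTree as ET


def lint_advanced_banning(xml_text):
    """Return a list of human-readable problems found in the configuration."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # Typical cause: raw double quotes inside an attribute such as message="..."
        return [f"not well-formed XML: {exc}"]

    problems = []

    # Collect every reasoned ban codename, flagging missing or repeated ones.
    codenames = set()
    for ban in root.iter("reasonedBan"):
        name = ban.get("codename", "")
        if not name:
            problems.append("reasonedBan without a codename")
        elif name in codenames:
            problems.append(f"duplicate reasonedBan codename '{name}'")
        codenames.add(name)

    for rule in root.iter("automaticRule"):
        trigger = rule.get("trigger", "")
        reasoned = rule.get("action_reasoned_ban", "")
        # Assumption: an absent action_ip_ban attribute means no IP ban.
        ip_ban = rule.get("action_ip_ban", "false") == "true"

        if reasoned and reasoned not in codenames:
            problems.append(
                f"rule '{trigger}' references undefined reasonedBan '{reasoned}'"
            )
        elif reasoned and ip_ban:
            # A banned IP gets the generic error before reasoned bans are loaded.
            problems.append(
                f"rule '{trigger}' sets action_ip_ban with reasonedBan "
                f"'{reasoned}', so the reasoned message is never shown"
            )
    return problems


# Constructed sample: valid, with the Comcode quotes escaped as &quot;
GOOD = """<advancedBans>
  <automaticRule trigger="https://spam.example/" pages="topics" types="_new_topic"
    action_member_ban="true" action_reasoned_ban="link_spammer" action_ip_ban="false" />
  <reasonedBan codename="link_spammer" http_status="451" title="Banned"
    message="See [url=&quot;Site policy&quot;]uploads/policy.pdf[/url]." />
</advancedBans>"""

# Constructed sample: the same message with raw quotes, which breaks parsing.
UNESCAPED = """<advancedBans>
  <reasonedBan codename="link_spammer" http_status="451" title="Banned"
    message="See [url="Site policy"]uploads/policy.pdf[/url]." />
</advancedBans>"""

# Constructed sample: one rule IP-bans and expects a message, one names a missing ban.
BAD = """<advancedBans>
  <automaticRule trigger="https://spam.example/" pages="topics" types="_new_topic"
    action_member_ban="true" action_reasoned_ban="link_spammer" action_ip_ban="true" />
  <automaticRule trigger="buy cheap pills" pages="topics" types="_new_topic"
    action_member_ban="true" action_reasoned_ban="pill_spammer" action_ip_ban="false" />
  <reasonedBan codename="link_spammer" http_status="451" title="Banned"
    message="Spam links are not allowed." />
</advancedBans>"""

if __name__ == "__main__":
    for label, doc in (("GOOD", GOOD), ("UNESCAPED", UNESCAPED), ("BAD", BAD)):
        print(label, lint_advanced_banning(doc) or "ok")
```

Run it against data_custom/xml_config/advanced_banning.xml after hand-editing and before relying on a new rule.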
The Standing Tab
Every member will see a 'Standing' tab on their profile when viewing their own profile. Staff with the privilege to assume any member can also see this tab on any/all member profiles.
The 'Standing' tab is an overview of the member's current account standing in regards to the warnings system. At the top, a stepper indicates either their overall standing or types of active punitive actions against them. An explanation of their standing, including specifics of active punitive actions, is listed under the stepper. Finally, a list of formal warnings against the member is displayed in a table at the bottom. Staff will also see a link where they can view, edit, and audit all warnings (including off-the-book ones) against the member.
The Action Log (audit trails)
The action log will allow you to trace what actions have been performed on the site; and where given, the reasons for doing them. This log gives a combined view of submission, administration, and moderation actions, and provides integration with the tracing and IP banning modules, as well as submitter banning of its own.
This module shows the recent actions performed by you and your staff. Virtually every action that is done by your staff is logged here, which at the time of writing is around 300 actions.
- Username is the name of the member who performed this action
- IP Address is the IP address of the member who performed this action.
- Date and Time is the date and time when the action occurred. You may click this date to view further details on the submission as well as do (un)banning related to it.
- Action is the name of the action they performed.
- First Parameter is one of the parameters of that action – which will differ from action to action.
- Second Parameter is one of the parameters of that action – which will differ from action to action.
There are also 'sort by' and 'show per page' options at the bottom of this module to help you refine which recent actions you see.
Access the action log from:
Admin Zone > Audit > Action logs (audit trail)
Filtering by parameters
In order to search by First/Second parameter you'll need to know what they are for whatever action you are searching. There is no documentation on what they mean, but you can ascertain it by browsing past actions of the type you want to search. They are often IDs and human-readable titles.
Notifications
Staff may set up a notification so they know whenever anything is added to the action log. This will not be sent out for entries that only relate to private data accesses, however (as those are potentially very high-traffic).
Post history
If you are using Conversr, then you may make use of the 'post history' feature. This feature was designed for the situation where a member has edit and delete permission over their own posts, and abuses it to hide evidence of their own misdeeds. For staff, a 'history' button is provided by any edited post, and a 'history' button by any topic with post-deletion history. The interface under these buttons allows:
- viewing of old versions
- restoration of what was deleted
- the ability for staff to eternally erase posts from the history record.
See also
- Using IP addresses to trace users
- Legal and social responsibilities
- Coordination between staff and staff/members
- Composr member system
- Basic forum moderation
- The form field filter system
- Anti-spam settings