20

Today I was reminded of this again by a discussion on Meta Stack Overflow. The situation is as follows:

There is nowhere that a destroyed spam-flagged post will show up in the moderators' queue; it'll only show up in the lists of locked/deleted posts, etc.

(source)

Since we know this to be the case, that means that a post that gets destroyed by 6 spam or offensive flags in the vast majority of cases receives no further scrutiny, no further review and is left as deleted/locked.

But what happens if an innocent user is targeted by another malicious user who creates 6 accounts, and gains 15 rep on each so that they can flag?

Users that have multiple of their posts destroyed as abusive / spam face automatic IP blocks, and very quick question/answer bans. They also face -100 reputation every time it happens. That opens the floor to a terrifying (and near undetectable unless the victim contacts SE directly) abuse scenario:

  • Normal user draws the ire of one determined user or a group of friends
  • They decide to nuke a few of his new posts using spam flags
  • The victim is now IP banned from posting on their SE site
  • They also lost all of their reputation, so they can no longer post on meta (5 reputation privilege)

In this scenario, the only thing the victim can do is to notice that a few of his posts suddenly vanished (the reputation history does not show that deduction and the deleted posts are not listed anywhere) and use the "contact us" button and file a ticket. This requires the victim to have:

  • Working knowledge of how deletions work on here
  • Working knowledge of the -100 rep penalty and working knowledge that it doesn't show up in the reputation history
  • Awareness of the "contact us" option

In order to even know just what the hell happened to them that they're now suddenly banned and lost all of their reputation.

In the volume of (legitimately spam/abusive) posts that are destroyed daily on Stack, the victim would be the only person who could ever realistically find this out.

This is not just limited to intentionally malicious abuse. It could easily happen if someone misclassifies something as spam and others pile on. Hell, it could have happened already somewhere sometime and we never found out about it. Again, it would be on the victim to have working knowledge of the intricacies of the site and how to correct their situation.

Do we have any tools to prevent this form of abuse effectively? Should we?

8
  • 1
    I'm not saying this isn't an issue but I regularly look through recently deleted posts. The information is there so it's not undetectable (although that's probably skewed by me only having 10k tools on a smaller site).
    – Cai
    Commented Nov 23, 2016 at 11:07
  • 1
    @Cai Yes, but recently deleted posts only displays up to 1 hour. We need an expanded list of deleted posts (perhaps at least up to 24h), and probably a separate list of deleted posts via spam flags for >10k-ers to audit. Commented Nov 23, 2016 at 11:16
  • 1
    @SamuelLiew that isn't true (see here). A filter to see deleted posts via spam/offensive flags would of course be good though, yes.
    – Cai
    Commented Nov 23, 2016 at 11:19
  • 2
    Are you describing a hypothetical case or can you back this by a real example when requested?
    – rene
    Commented Nov 23, 2016 at 11:54
  • @rene I do not have an example on hand. This is a hypothetical case, although it really wouldn't surprise me if this had happened somewhere on SE before.
    – Magisch
    Commented Nov 23, 2016 at 11:56
  • You'd have to hope that a sock puppeteer would display similar actions in other situations, which are considerably simpler to spot.
    – Bathsheba
    Commented Nov 23, 2016 at 12:52
  • @Bathsheba It doesn't even necessarily have to be a sockpuppeteer. It could be a group of 6 colleagues / friends
    – Magisch
    Commented Nov 23, 2016 at 12:53
  • 2
    Mods should be notified that a user has posted spam, if for no other reason than to see if that user has more going on that needs action (more spam posts, invalid spam posts, patchy/flaky dry skin, avocados, etc)
    – user1228
    Commented Nov 23, 2016 at 14:32

2 Answers

21

This isn't a theoretical possibility, it has been attempted three times on Stack Overflow in my time there. In each case, it was caught as it was happening and severe penalties were handed out. Still, a handful of times over a few years on a site the size of Stack Overflow is a pretty rare occurrence.

We do have the ability to quickly review posts destroyed using spam or offensive flags via the deleted:1 locked:1 search option, which I often use to clean up after spammers and trolls. This gives us some visibility for community-flagged posts.

We can clear these flags after the fact in cases of abuse, invalidating the votes and penalties imposed by them, so it's not too late to correct this when caught afterward. Again, all such cases I've encountered were caught before enough flags allowed for auto-deletion.

Still, I really would like for community-deleted posts and comments to be shown to moderators in an easily reviewable fashion. I think the best approach would be an auto-flag on community-deleted spam or offensive posts, because that would put these right in front of us and not force us to remember to run a query or visit a dedicated link each day. It would also allow us to delete spam or troll accounts easily.

This kind of abuse can also happen around comments, and there we have had comments deleted by coordinated sock puppet rings that moderators didn't catch for months because of how these were silently removed. I still believe moderators should receive some kind of notification on community-deletion of comments flagged as "rude or abusive". Even after working with the new "too many rude comments" auto-flag, I'm still finding many cases where horribly offensive comments are being silently hidden from moderators, so I don't consider this to be fully solved.

20

It's not only the victim that can notice this, but anyone that saw the original post and noticed that it was deleted as spam/offensive.

There are differences between the malicious spam flags you describe and real ones that could be used to protect against this kind of abuse:

  • real spam flags tend to be cast against very new posts, not ones a year old or so
  • the user of the spam post almost always has only 1 rep and no positive participation

It might work to simply require moderator action on a spam flag instead of acting automatically if the target user has a significant amount of rep. Those cases should be very rare, and either false positives, or self-promotion cases that would benefit from moderator involvement anyway.

Offensive flags are a bit different. I don't think they cause IP-based measures, but I'm not entirely sure. But I think a strategy similar to the spam flag one could work, as several valid offensive flags against an established user would indicate a situation where moderators might want to be aware even if the post is automatically deleted to enact further consequences.

Alternatively, the flags could be applied automatically in every case just like now, but trigger community-cast flags to make the moderators aware and either confirm everything is okay, or deal with the situation.

5
  • 9
    +1 about the mod check for higher rep users - spam posts by higher-rep users are extremely rare, so they probably need more attention than most. Commented Nov 23, 2016 at 11:12
  • 2
    This is a great solution. In my over 2000 valid spam flags across the network, I've almost never seen users with rep >10 posting it.
    – Magisch
    Commented Nov 23, 2016 at 11:32
  • 2
    Abusive flags cause the same IP blocks as spam flags.
    – ArtOfCode
    Commented Nov 23, 2016 at 11:43
  • There's really no problem with all of the automatic actions that spam/offensive flags can have (it is an important tool to deal with spammers if there isn't a mod online, especially on smaller sites where it could be hours before a mod will come on). All you need is the follow up flag for the mod; they can undo all of the actions taken if the flags were really inappropriate (and that's not going to be the common case, even if it can happen on rare occasion).
    – Servy
    Commented Nov 23, 2016 at 15:05
  • A high-rep user getting a spam flag could also be a compromised account (and the person who cracked the account is posting spam). That's another case you probably want a mod to look at.
    – derobert
    Commented Nov 24, 2016 at 18:32
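
The review-routing idea from the answer above (keep the automatic deletion, but raise a moderator flag when a destroyed post does not look like typical spam), sketched as an added example that is not part of any answer or comment here and is not Stack Exchange's code. All thresholds, field names and sample events are assumptions constructed for illustration; only the 15-rep flagging minimum comes from the question.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

FLAG_REP = 15                  # rep needed to flag, as stated in the question
ESTABLISHED_REP = 10           # assumption: typical spam authors sit below this
OLD_POST = timedelta(days=30)  # assumption: typical spam is flagged well before this
NEAR_MINIMUM = 10              # assumption: margin above FLAG_REP for "barely able to flag"

@dataclass
class Destroyed:
    """One post destroyed by community spam/offensive flags (hypothetical record)."""
    post_id: int
    author_rep: int
    posted: datetime
    destroyed: datetime
    flagger_reps: list

def review_reasons(d):
    """Return the ways this deletion differs from typical spam handling."""
    reasons = []
    if d.author_rep > ESTABLISHED_REP:
        reasons.append("established-author")  # false positive or compromised account
    if d.destroyed - d.posted > OLD_POST:
        reasons.append("old-post")
    if d.flagger_reps and all(r < FLAG_REP + NEAR_MINIMUM for r in d.flagger_reps):
        reasons.append("flaggers-near-minimum-rep")
    return reasons

def follow_up_flags(events):
    """Leave the automatic deletion alone; map post_id -> reasons for a moderator flag."""
    return {d.post_id: r for d in events if (r := review_reasons(d))}

# Constructed sample events, not real data.
T = datetime(2016, 11, 23, 12, 0)
SAMPLE = [
    Destroyed(1, 1, T - timedelta(minutes=5), T, [2500, 310, 15000, 101, 640, 88]),
    Destroyed(2, 3400, T - timedelta(days=400), T, [15, 16, 15, 17, 15, 15]),
    Destroyed(3, 12000, T - timedelta(minutes=10), T, [900, 4200, 150, 7300, 260, 61]),
]

if __name__ == "__main__":
    for post_id, reasons in follow_up_flags(SAMPLE).items():
        print(post_id, ", ".join(reasons))
```

Post 1 matches the typical spam profile and raises nothing; posts 2 and 3 would each produce a follow-up flag for a moderator to confirm or reverse.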
