This Strip is Not Safe For Work!

registering is on hold until I clean up

Can you check the IPs? Would be good knowing where these attacks are coming from! This is the same guy who's been spamming PanelJam and Drooodle Also, to prevent this in the future, I'd suggest putting a cooldown on messages cause this guy has been posting like a hundred comments within a second. I'd imagine putting a limit to only being able to post 1 comment within a second, and not being allowed to post more than 50 comments within an hour. It could be bypassed by making more accounts, but it would definitely slow down attacks like this.

Maybe consider that friends-only feed or being able to block a user from your own personal feed! If that was in place someone like this would be trivial for any user to never see.

unless I can make a limit on making accounts I doubt it can be stopped I try to add some ip check but with that can be easily worked around even if we figure it out anyway security stuff just suddenly took priority for now I whacked the spamming accounts and registering will be disabled for a while (if anyone needs to re-register you can email me; lost password and login still should work as usual)

`Peyo` Don't forget this one: https://pchutney.com/user/72

If someone wasn't actively looking for comments, that attack actually wouldn't have been visible to users unless they were viewing those specific threads or checking the feed. So you're just a couple measures away from shutting out vandalism from the view of the average user who is willing to put measures to use themselves.

`Peyo` Also an option needs to exist to limit comments on friend games only to friends. While the current ability to flick out offending panels and comments is good, if someone uses a script to spam hundreds of comments at a time it will render those options useless, and flood the game owner's message box to a terminal level.

sure thing, for now I added some indication on who got dealt with there are plenty of measures .. problem is that so many of them can get dodged easily e.g. if I need emails to register you can just make a temp email in a second I could set it so only trusted users can post or draw but then you can still just make like 10000 accounts or something (or if there is a captcha 10-100 by hand) I'm still doing research on this

`TeeEffDee` that should be actually implemented (comment limit on friend games) unless someone can comment on this strip: [https://pchutney.com/strip/450](https://pchutney.com/strip/450)

`Peyo` Oh I didn't know that was implemented, wonderful! I thought comments were open and had to be removed on a comment by comment basis. I think concentrating on stopping people from making extraneous accounts is a good thing of course, but, if you can put in tools so that effectively someone using the average entry-level account simply can't be seen by a user who doesn't want to see them, that's getting ahead of it. If you can do that primarily, then it makes the stopping of extraneous accounts an important, but not immediate, issue. For example I noticed the vandal was doing @ to another user in a burst of the messages. Does that mean that user will have to manually look at and delete hundreds of messages, or else choose to delete all messages? That could be an issue possibly.

Love the Tombstone you gave the spam account `Peyo` 😆 Was this just a test run of a spam bot you implemented, or this was some idiot who found his way here?

`TeeEffDee` I may have been one of them, woke up to 1456 mentions by Spamton 😅 But thankfully, Peyo hooked us up with a ‘Clear All’ function for messages 😁🙏

in theory you can just clear all messages and be done with it .. but I'll clean them from the DB just in case

`Painovoima` I'm afraid it was the real deal (seems to be too lazy to draw anymore and just spams the talk in PJ too .. maybe it's a different new troll this time?)

`Painovoima` It was you but I didn't want to mention it unless it was okay with you! Apparently it is.

ok the messages should be clean now but `Painovoima` let me know if there are any anomalies

`Peyo` What I was thinking of is they'd end up in the message archive, thus somewhat defeating the usefulness of a message archive. Also there may be cases where people want to save messages, and having someone able to come in and load it up with spam wouldn't be that great.

The idea you mentioned about Trusted Users is neat, may be on to something. This way newcomers can still join, with limited accounts that only allow - 1 Panel a day, - Commenting to a single ‘Mod Account’ you would have access to, can’t comment to public/trusted user feeds, - if prove to be legitimate user, only through you could they be granted a trusted account (full feature) Maybe even have a feature to allow only 5 new accounts a day for the site, helping it stay open to newcomers, but maintaining a level of exclusiveness to legitimate users, Not my field of expertise though, just spitballing ideas 😁👍

I am curious though, how this user found PChutney. Unless they scrolled through 20+ pages in the PJ Threads and happened across the post you made about the site, they must have known what to look for. Perhaps they were guided here by someone on the inside?

They knew about the site already I believe https://pchutney.com/user/62 is the same person, so they've had a link to this place for a while

that's a good question maybe they found it through google? anyway I also cleaned out the topics (there were about 1000 empty strips made) the only victim was the consistent ID numbering

`TeeEffDee` of course, no worries TFD! I don’t mind! 😁 `Peyo` Will do! So far nothing to report; I will be vigilant, thanks for your quick response to handling this asshole, my friend 🫡

`Barococopper` unless he decides to spam with that one too I'll leave it alone (he cannot make any new ones after all)

I say, verification should consist of a new user doing a 4 panel comic on their own and submitting it for approval, and until it get approved they don't get access. You don't want someone who can't swing 4 panels on here anyway. They'd be a liability! They might walk into a door frame and hurt themselves.

`Barococopper` ah, I see, damn, was hoping they would not find it, ha ha. Would be cool to delete threads from PJ.

`TeeEffDee` yes that is a good idea.. I thought of maybe I could make playpen strips and topics and new users could only use those.. of course that still leaves us with the problem of how many accounts one can make so far twitter and other similar sites solves this by tying it to a phone number (which is kind of iffy imho) I'm still researching options on this one

`TeeEffDee` Capital idea, TFD! The 4 Panel Portfolio for approval! 😁

maybe we could use PJ as proving grounds? and then they could just drop me an email if they want an account? .. nevermind just brainstorming

I say if someone is going to submit a decent 4 panel strip for every account they make, let 'em make as many as they want, I love looking at strips! Also the more someone draws and writes the more identifiers there are for spotting them. So what you want to do is get people posting as much info such as handwriting and graphic style that makes them as easy to spot as possible. I get what you're saying tho, you don't want people making loads of accounts. I think having to do some actual work of a quality that would get you accepted would solve a lot of it, too. These freakshows don't even have the work ethic it takes to spam the old fashioned way and have to be script kiddies, so they're pretty creativity-averse.

Yeah I don't see the number of accounts being an issue if they're forced to draw a 4 panel comic per account to get them approved. Make them work for it!

`Peyo` I like that idea as well, already a few PJ artists who would love this site that could be invited, so already sort of a proving ground. It’s like if you show promise and find joy in drawing to the best of your best, the watchful eyes of PChutney will swoop in and whisk you away to a paradise among drawing website; Panel Chutney! 😁

`Peyo` I like the idea of using PJ as a proving ground too!

I think having the initiation on the site itself makes more sense, as it doesn't rely on PanelJam staying usable, and also... There's nothing stopping from anyone making an account in someone else's name, which would be very easily exploited under that sort of a system,

`Barococopper` Good point, yeah, perhaps best if PJ serves more of a place to seek out artists who wish for a better drawing experience, then invite them to be initiated here on this site. So even if they proven on PJ they good, would still have to pass the test of a 4 Panel approval here? Lots of great ideas here, curious to see what Peyo implements! Also, `Peyo` , are there not security plugins usable on PChutney that would assist in making your life easier, automating some way. Only if you find it’s a lot to handle of course, you aren’t giving that impression in anyway though 💪🍅 You may already be using some though, I only speak from limited self taught experience with Wordpress websites; none of which are professionally optimized by the way 😅

I guess if PJ goes down I could set up a second chutney that is open for everyone and that could be used for proving grounds? in theory the site is set up in such a way that this should be possible: having two or more sites on the same domain -- but I have not tested it yet (also don't take this one too seriously -- it's more of a possibility than a real solution)

Hey, now that’s another great idea 😁👌 A ‘Premium Panel Chutney’ for those truly dedicated, and then ‘Panel Chutney Proving Grounds’ for new member examination. Criteria would be simple too I’d imagine: - Likes to draw, best of their ability - won’t derail - won’t spam Don’t think that’s asking much 😅

Just to clarify, I didn't mean I think people should be SENT to Panel Jam as a trial I meant we should keep an eye on Panel Jam and invite people from there who would be a good fit. I'm pretty sure sending someone to Panel Jam would qualify as a war crime for about 10 different reasons.

ok here is the current plan: - new users will be set automatically untrusted until I manually set them to be trusted - untrusted users will only be allowed to post in a friends strip or topic (and cannot make new ones) .. and the friend will have to be a trusted user (and I plan later to slowly add limits on how much an untrusted user can post - instead of a daily limit I'm thinking of a maximum total strips/topics/comments that can be made etc. ) - limit which emails we accept (based on the emails you guys use there are about 4 providers on my list) - limit to one account per email - new users will need to login with their email first time (similar to.. or with the password recovery system.. I'm still not sure about this part) it's not perfect (far from it) but it's better than keeping registering closed indefinitely (and if it goes wrong we can always turtle in again like now)

`Peyo` I think you're doing a great job so I want to say that up front so I don't come across as constantly just nitpicking, but one thing I would caution is make sure that system doesn't give new members (let's say for the sake of argument vandals who are trying to get an "in" in order to vandalize) a motivation to bombard existing users with notices, beg, or bully them to validate them with a friend acceptance. One of the big problems, and you can see this on PanelJam's forum where there have been a lot of discussions between vandals and normal users, is that a lot of people love the idea of vandals turning around and becoming good users or dropping the routine, and they'll constantly give in, giving multiple chances to hope to make that happen. It's a very naive approach. There are a lot of people out there who have no motivation beyond just whipping it out and pissing on everyone. If that seems nasty, I am actually CENSORING myself from what I really mean. But as long as those people get charitable treatment they're going to just piss an endless stream on any given situation, and will not quit. I've seen this a lot. People will isolate others behind the scenes and bully them into being on their side, and will do everything they can to try and get into a position where they can cut loose with another bladder full of piss right on the whole proceedings, and during this, they're thinking forward to the NEXT time they're going to do it. There is no end. Like in the mind of these people there is no "when I stop vandalizing" it's only looking for the next opportunity. So if you're serious about blocking out vandals the approach has to be to give the ordinary user the tools to clamp off that stream of piss. I fully understand wanting to stop them from a site standpoint, but working backwards to that from giving the individual the ability to shield themselves from the endless rain of piss these people produce is a must.

hmm.. yes that is a good point.. ok how about this one: new users will have a very hard limit on how many strips/comments they can make (like. max 3 new strips, max 1 topic, max 10 comments, max 10 panels -- and won't be able to pass or mention other users -- and these won't be daily limits but an overall total limit per untrusted user) (maybe here could be another limit: only allow them to draw panels in their own strips?) and they won't know about these limits until reaching them I would still have to set them to be trusted manually and of course they can always get untrusted again if they just tried to fool us so with this approach having friends or not won't matter (and the friends only mode will be just an extra layer on top of this for the hopefully few suspicious ones that still get in somehow) I highly doubt it would fully eliminate spamming but might slow it down to manageable speed and as in the previous plan the registering would be tied to email on a max 1 user per email basis (won't fully eliminate the problem either but at least it would make it harder to make more users)

`Peyo` That sounds great! Keeping new users sandboxed and having it where you personally checked them out and approved them would pretty much settle it. Vandals thrive on exploitable automatic systems, so anything with hard limits and a need for personal approval from a site owner shuts down almost all vandalous efforts. It would also stop them from playing nice to get one account approved so they can use that approved account to approve other accounts of theirs. Like I said, one thing that was impressive about the setup here is that when the spammer attacked yesterday, unless you were LOOKING for it you wouldn't necessarily even see it. That's good! I think anything else that adds more stumbling blocks for vandals will only make it better.

in the end we got lucky that it was only spamming and it was easy to clean up -- it served as a sort of light stress-test on how much damage the site can take (stats: the sql database went up from 1mb to 16mb) it's kind of sad how much the net is in the dark ages -- I mean if someone really wanted to destroy this site for some reason they could just DDOS us .. like bomb us with more connections than the servers can handle (and that would probably take out the hosting service as well) anyway I'm about halfway done with the updates and will probably add them sometime next week: then we can open registering and let the next troll in.. 😅

ok I added the new system .. by default all of you who have registered so far should be trusted users (let me know if there are any anomalies) new registered users are now non-trusted by default they have a limit on: - how many strips they can make - can only post in their own strips - cannot make forum topics - cannot like strips - their strips have comment limits - cannot pass strips - you cant pass them strips - and also mentions don't work for them they need to be set to be trusted by me manually but I imagine legit folks will usually be set as trusted quickly these limitations are really only to trap spambots and people with bad intentions .. and now place your bets: how long until we get a new troll who finds a workaround?