Catalog Spam

This blog from the Instructure Product Team is no longer considered current. While the resource still provides value to the product development timeline, it is available only as a historical reference.

jfenton
Instructure Alumni

Some Catalog users have noticed a sharp increase in fake accounts being created over the last few weeks. We're adding two new features to Catalog to help mitigate the issue.

 

First, you'll notice in your beta environment that we've added reCAPTCHA to the registration process. This will block bots from being able to create Catalog accounts, as well as deter groups of humans from creating fake users. By default this will be turned on for all accounts in production on the 18th. However, we know some institutions have customized the registration flow. If you would prefer not to have reCAPTCHA added to your registration page, please let your CSM know before the 18th. While the reCAPTCHA setting isn't user accessible, we can also easily enable or disable it at any point in the future for institutions who would like a change. 

 

Second, we're adding the option for institutions to use and manage a list of allowed or blocked domains for new user registration. For example, if an institution were seeing fake accounts being created from the domain fakeusers.net, they could add that domain to their blocked list. Or, if an institution only wanted users to be able to create new accounts using their institution's domain, they could add that domain to their allowed list.

 

These lists will be configurable in the UI under the Catalog info tab. Sub accounts will have the option of inheriting the setting from the parent account or managing their own list. Only one list can be active at a time per Catalog, and an allowed or blocked list does not need to be used. Look for this to hit beta later today or tomorrow. The plan is also to push this to Production on the 18th. 
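One way the allowed/blocked list and sub-account inheritance described above could be evaluated at registration time, as an added example that is not Catalog's own code. The `CatalogAccount` model, the mode names, and exact-match comparison on the domain after the last `@` are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class CatalogAccount:  # hypothetical model, not Catalog's real schema
    name: str
    parent: Optional["CatalogAccount"] = None
    # A single mode field means only one list can be active per Catalog.
    mode: str = "inherit"  # "inherit" | "none" | "allow" | "block"
    domains: frozenset = frozenset()

    def effective_policy(self):
        """Walk up the account tree until an account manages its own list."""
        node = self
        while node.mode == "inherit" and node.parent is not None:
            node = node.parent
        if node.mode == "inherit":  # top-level account with nothing to inherit
            return "none", frozenset()
        return node.mode, frozenset(d.lower() for d in node.domains)

def email_domain(address):
    """Return the lowercased domain after the last '@', or None if malformed."""
    address = address.strip()
    local, sep, domain = address.rpartition("@")
    domain = domain.lower().rstrip(".")
    if not sep or not local or not domain or any(c.isspace() for c in address):
        return None
    return domain

def registration_allowed(account, address):
    """Exact-match the address's domain against the effective list (assumption)."""
    domain = email_domain(address)
    if domain is None:
        return False  # reject addresses that cannot be parsed
    mode, domains = account.effective_policy()
    if mode == "allow":
        return domain in domains
    if mode == "block":
        return domain not in domains
    return True  # no list in use

# Constructed sample accounts; fakeusers.net is the domain used in the post.
ROOT = CatalogAccount("root", mode="block", domains=frozenset({"fakeusers.net"}))
SUB_INHERITS = CatalogAccount("continuing-ed", parent=ROOT)
SUB_OWN_LIST = CatalogAccount("staff-training", parent=ROOT, mode="allow",
                              domains=frozenset({"institution.example"}))
```

Comparing the parsed domain exactly, rather than searching the address for a listed string, keeps an address such as `institution.example@fakeusers.net` from passing an allowed list.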

 

We know these changes are coming rapidly and appreciate any feedback. 

 

 

Edit 4/15/20

We were hoping to have the allowed and blocked lists ready to go out along with the reCAPTCHA work, but it's going to take us a bit longer to get it wrapped up. Only reCAPTCHA will go to production on the 18th. We'll see how much this mitigates the creation of fake accounts and evaluate if we need to release the registration restriction lists early or if it can go out with the normal release. If we do decide to release it early I'll update this post. 


15 Comments
jsowalsk
Community Champion

Thanks, @jfenton, for this. Where can we see an example of the allow/block list?

JustinBrooksby
Community Participant

Thanks Jon this will be super helpful to us and many others

jfenton
Instructure Alumni

Sure. Here are a couple of our mockups. The final version may be slightly different.

jsowalsk
Community Champion

Thanks!

jsowalsk
Community Champion

Hi @jfenton, I still do not see this in Beta Catalog. Where should I be looking?

sbarry2
Community Participant

I noticed the reCAPTCHA has been added. Thank you. Just some quick feedback. I have noticed that the accounts, for our institution, are usually created on a Saturday, shortly after midnight. So we got a batch this past Saturday, 4/18, but they may have been created before the reCAPTCHA was added. I will monitor this weekend for activity.

I do believe the whitelist will alleviate this. All of the accounts we get are the same domain. 

Thank you again.

jsowalsk
Community Champion

Has there been any progress made on the block list?

erinhmcmillan
Instructure Alumni

Hi, Jessica,

Our team is working to get into beta this week! Release notes will be available soon.

Erin

jsowalsk
Community Champion

Great, thank you.

lftapper
Community Participant

Has anyone seen any improvement with the implementation of the reCAPTCHA? I've been noticing lots of @gmail.com spam registrations, so blocking and allowing domains won't really work for us.

kevinhitt
Community Participant

Hey Lindsey, 

For reference, my team hasn't seen any spam registrations since reCAPTCHA was implemented - although we have only ever gotten a handful over the past year and a half since adopting Catalog. 

I am curious to ask - how do you and your team determine they are spam registrations? Are they registering for free courses or paid courses? 

Thank you,
Kevin Hitt 

jsowalsk
Community Champion

Have you tried using the whitelist to allow for only a certain demographic to enroll in the course? Check the Release Notes: Catalog.

lftapper
Community Participant

Hi Kevin,

Thanks for your reply! We have found them in the past creating ePortfolios in Canvas, so sometimes they will get caught under "ePortfolio Moderation" and post a bunch of advertisements and junk. It turns out a lot of these that I found are much older, from when we used to have Canvas self-registration enabled (and had requested Support remove them for us, but they are still in there), so it looks like this is my bad - I can't confirm now that they came from Catalog. The accounts I had found initially were coincidentally timed to when we launched Catalog, but I can't blame it now :)

Thanks again!

Lindsey

lftapper
Community Participant

Hi Jessica,

Thank you! I will definitely look into that. I am not consistently seeing any specific email domain from the spam users but it might be helpful in the future! It looks like something was enabled on the Canvas side (even though I disabled it a few months ago) which might have caused this, so I think it's my fault this time!

-Lindsey

jsowalsk
Community Champion

No problem. The only other way they could get in is by creating an ePortfolio like you previously mentioned.