Topic: Hourly limits on comment votes

Posted under Site Bug Reports & Feature Requests

I seriously don't see the benefit of limiting votes on comments. Not only does this not apply to posts, if you browse content for just a few minutes and drop some votes on comments you immediately run into the hourly limit. For comments and posts, limits make sense, but limiting interaction with existing content, especially when it's already much more sparse, just doesn't open up to me as useful in any way.

Does anyone know why this is the case? I just can't wrap my head around it.

Spam prevention, helps prevent making bots to upvote thousands of comments near instantaneously
Moderating comment votes is not easy, I'd even go so far as to say it is one of the hardest things to moderate and thus the most undermoderated (when I was staff I was handling basically 90% of vote tickets, and the only one going out of my way to look for bad votes)
The limits could definitely be raised but removing them is just asking for trouble

The limits could definitely be raised but removing them is just asking for trouble

How much could we raise it exactly? My suggestion is to double the limit for higher level users (privileged and above) if there isn’t one already. Do you agree?

whatismyname1234 said:
How much could we raise it exactly? My suggestion is to double the limit for higher level users (privileged and above) if there isn’t one already. Do you agree?

Privileged users bypass many limits already:

  • Editing artists
  • Editing posts
  • Editing wikis
  • Editing pool posts
  • Editing notes
  • Creating comments
  • Creating blips
  • Voting on comments
  • Voting on posts
  • Creating tickets

The ones they don't bypass:

  • Creating pools (Janitor)
  • Editing pools (Janitor)
  • Creating forum posts (None)
  • Dmail minute (None)
  • Dmail (None)
  • Dmail day (None)
  • Flagging posts (Approver)
  • Creating aliases/implications (Janitor)
  • Voting on forum posts (Janitor)

donovan_dmc said:
Privileged users bypass many limits

Seems like they have a lot of privileges. How about users whose account is at least 30 days old and has not received a single ban in those 30 days?

whatismyname1234 said:
Seems like they have a lot of privileges. How about users whose account is at least 30 days old and has not received a single ban in those 30 days?

bans are irrelevant, and the only limits tied to account age prevent you from doing those things at all (most are 3 or 7 days)

donovan_dmc said:
bans are irrelevant, and the only limits tied to account age prevent you from doing those things at all (most are 3 or 7 days)

How about a captcha test? Since it’s mostly a bot problem, I propose that whenever a user wants to vote more than the hourly limit, they have to take that test. But let’s make it temporary (maybe 12 hours) so they have to take the test again after it expires.

whatismyname1234 said:
How about a captcha test? Since it’s mostly a bot problem, I propose that whenever a user wants to vote more than the hourly limit, they have to take that test. But let’s make it temporary (maybe 12 hours) so they have to take the test again after it expires.

That would completely break api usage and third party applications
Captchas also are not hard to solve, at most you're keeping out script kiddies that don't know what they're doing

donovan_dmc said:
That would completely break api usage and third party applications
Captchas also are not hard to solve, at most you're keeping out script kiddies that don't know what they're doing

At this point I've run out of ideas, what’s your (or anyone really) suggestion for raising the limit?

whatismyname1234 said:
At this point I've run out of ideas, what’s your (or anyone really) suggestion for raising the limit?

don't?

honestly, regardless of account age and regardless of pretty much anything else, we really can't trust any random member-level users to not get themselves pwned. we don't need to make it easier for bad actors to pull off another raid like the one from last year on December first.

dfn-451 said:
don't?

honestly, regardless of account age and regardless of pretty much anything else, we really can't trust any random member-level users to not get themselves pwned. we don't need to make it easier for bad actors to pull off another raid like the one from last year on December first.

Yeah exactly, the limits are harsh but they're in place for a reason
decade old accounts get hacked pretty often, likely since they haven't been touched in 5+ years and have weak passwords
I'd argue the older an account is the more likely it is to be hacked, barring user error and password1234

Donovan_DMC

donovan_dmc said:
Privileged users bypass many limits already:

  • Editing artists
  • Editing posts
  • Editing wikis
  • Editing pool posts
  • Editing notes
  • Creating comments
  • Creating blips
  • Voting on comments
  • Voting on posts
  • Creating tickets

The ones they don't bypass:

  • Creating pools (Janitor)
  • Editing pools (Janitor)
  • Creating forum posts (None)
  • Dmail minute (None)
  • Dmail (None)
  • Dmail day (None)
  • Flagging posts (Approver)
  • Creating aliases/implications (Janitor)
  • Voting on forum posts (Janitor)

Do Janitors also bypass the create BUR limit?

Personally, as a forumite, I've somehow never hit the voting on forum posts limit, creating AIBUR limit, and creating forum post limit

Pool creation/edit limits hit hard but you can always borrow a friend

dfn-451 said:
don't?

honestly, regardless of account age and regardless of pretty much anything else, we really can't trust any random member-level users to not get themselves pwned. we don't need to make it easier for bad actors to pull off another raid like the one from last year on December first.

Hmmm, so whether to make someone priv+ is based on passing a certain threshold of (how much extra contribution they could make before they get hacked)/((likelihood they will get hacked)*(how much extra damage they could do)), though the denominator will be evaluated as constant

snpthecat said:
Pool creation/edit limits hit hard but you can always borrow a friend

Getting someone to bypass limits on your behalf is explicitly against the rules

While yes, you're unlikely to get hit for that situation specifically, encouraging that behavior is a bad idea

snpthecat said:
Do Janitors also bypass the create BUR limit?

There is no BUR limit

snpthecat said:
Personally, as a forumite, I've somehow never hit the voting on forum posts limit, creating AIBUR limit, and creating forum post limit

The limits are high, 15 forum posts an hour (same as comments), 15 aliases or implications an hour (combined), and 50 forum votes an hour


donovan_dmc said:
Getting someone to bypass limits on your behalf is explicitly against the rules

Nope!

3.2 Circumventing Site Restrictions or Suspensions
Do not use alternate accounts to circumvent any site restrictions.
This includes, but is not limited to: bans, upload limits, time-based action limits, and so on.

Do not use alternate accounts to abuse the voting system or manipulate public opinion.

Do not have others act on your behalf while currently under a suspension or a ban.
Do not delete and re-create an account to get rid of previous records.

snpthecat said:
Nope!

Yes? I was literally a moderator, I think I should know better how the rules are applied than any normal user
People have been punished and banned for this

It isn't common and most cases would be overlooked, but it absolutely has happened

donovan_dmc said:
Yes? I was literally a moderator, I think I should know better how the rules are applied than any normal user
People have been punished and banned for this

It isn't common and most cases would be overlooked, but it absolutely has happened

I was more so talking about the pool create and edit limit which I see no evidence of people getting dinged for exceeding it

Also does that mean that if someone says
"Hey I used up all my upload limit on uploading this comic, can someone help upload the rest?" will get you a record if a moderator is extremely strict about it?

Also I'm curious about what cases the records you're talking about are given for. Comments? Uploads? Edits?

Also would the records be invalid if they talked through email rather than publicly?

Ugh I fucking hate garden variety ban evaders and their ilk. Makes it harder to find rarer forms of rule 3.2 violations


whatismyname1234 said:
Seems like they have a lot of privileges. How about users whose account is at least 30 days old and has not received a single ban in those 30 days?

Cue all the dormant bot accounts just waiting to abuse their power.
There is a reason why attaining Privileged status requires a lot of contributions.

whatismyname1234 said:
How about a captcha test? Since it’s mostly a bot problem, I propose that whenever a user wants to vote more than the hourly limit, they have to take that test. But let’s make it temporary (maybe 12 hours) so they have to take the test again after it expires.

So basically a malicious party can successfully solve a captcha and get granted unlimited votes for 12 hours?
Even if you make it so that they need to solve a captcha after X number of votes/hours, you should be able to easily see how this can be abused.

whatismyname1234 said:
At this point I've run out of ideas, what’s your (or anyone really) suggestion for raising the limit?

Work hard and attain Privileged status.

donovan_dmc said:
Spam prevention, helps prevent making bots to upvote thousands of comments near instantaneously

This limit is pretty arbitrary at best and useless at worst. It targets behavior exhibited by the average user more than the bots. Bot spam is usually mass comment posting, automatic account creation or flooding votes/favorites/pools at very high speed. Users hit the limit regularly because they often read multiple comments at once and participate in community moderation through voting. Limiting harmless actions punishes normal engagement while not actually stopping the actions bots exploit.

Since users often browse in sessions, it takes maybe a couple minutes to hit that limit while browsing comments (constantly happens to me when tagging posts and glancing through the comments) which leads to frustration and reduced community moderation and user participation. Even worse, botnets can just use multiple accounts and stay under the threshold. It is comically easy to write a program that sends 10 votes an hour, only the users have to deal with this "solution".

A blanket limit like this is not a bot-detection tool. Effective bot prevention focuses on behavioral anomalies, patterns that humans don't reproduce and high-frequency actions instead of these low-impact ones. Rate-limiting user votes just isn't an effective method for aiding in bot abuse.

A much more sensible plan would be to detect very rapid actions (like more than 1 vote per second), never clicking, scrolling or using the keyboard like bots usually don't and high actions per minute across multiple types of action. It would make sense to apply restrictions like we have on accounts deemed suspicious through the aforementioned behavioral anomalies or rule violations, not the vast majority of site's user base.

Bot detection is also not a new problem. Solutions already exist and I recommend taking a gander in GitHub's bot-detection topic which offers open-source solutions in a lot of languages.

The current system is ineffective at preventing spam and actively degrades user experience.

Donovan DMC

Former Staff

averagebuttlover said:
This limit is pretty arbitrary at best and useless at worst. It targets behavior exhibited by the average user more than the bots. Bot spam is usually mass comment posting, automatic account creation or flooding votes/favorites/pools at very high speed. Users hit the limit regularly because they often read multiple comments at once and participate in community moderation through voting. Limiting harmless actions punishes normal engagement while not actually stopping the actions bots exploit.

Since users often browse in sessions, it takes maybe a couple minutes to hit that limit while browsing comments (constantly happens to me when tagging posts and glancing through the comments) which leads to frustration and reduced community moderation and user participation. Even worse, botnets can just use multiple accounts and stay under the threshold. It is comically easy to write a program that sends 10 votes an hour, only the users have to deal with this "solution".

A blanket limit like this is not a bot-detection tool. Effective bot prevention focuses on behavioral anomalies, patterns that humans don't reproduce and high-frequency actions instead of these low-impact ones. Rate-limiting user votes just isn't an effective method for aiding in bot abuse.

A much more sensible plan would be to detect very rapid actions (like more than 1 vote per second), never clicking, scrolling or using the keyboard like bots usually don't and high actions per minute across multiple types of action. It would make sense to apply restrictions like we have on accounts deemed suspicious through the aforementioned behavioral anomalies or rule violations, not the vast majority of site's user base.

Bot detection is also not a new problem. Solutions already exist and I recommend taking a gander in GitHub's bot-detection topic which offers open-source solutions in a lot of languages.

The current system is ineffective at preventing spam and actively degrades user experience.

I never said it was a bot detection tool nor did I say it would entirely prevent anything being botted

Also I absolutely reject the idea of the site collecting data about clicks, keyboard usage, scrolling, etc because we all know where that leads (not to mention that related requests would end up on adblock lists within days, and wouldn't apply to api usage)

You're also limited to 2 requests per second and 60 update requests per minute, there are more thresholds

I'd also like to note in the literal second post of this topic:

donovan_dmc said:
The limits could definitely be raised but removing them is just asking for trouble

I am not against raising the limits, in fact I think many should be raised
They've been set for a site that existed a decade ago and should be modernized for expected usage patterns
I'm against removing them entirely

Aacafah

Moderator

averagebuttlover said:
This limit is pretty arbitrary at best and useless at worst.

That's big talk from someone who has no idea why they were added in the first place.

We place hourly limits on all site actions because we've been the subject of DDOS attempts through seemingly benign mechanisms before, & we're not leaving it to chance. A relatively small group of sockpuppets could easily spread out enough requests to overcome our rate limit, & without a more conclusive upper bound they could absolutely succeed in overwhelming the site. Comment votes create a new entry in the DB, update the comment in question, & update both the comment & comment vote indices; under normal use, this isn't a problem, but at large volumes or in conjunction with reams of heavier requests, it's far from negligible. Unless you've profiled the code & have more conclusive evidence than "I think it's not that big of a deal", we're not removing the limit.

donovan_dmc said:
I never said it was a bot detection tool

donovan_dmc said:
Spam prevention, helps prevent making bots to upvote thousands of comments near instantaneously

Saying that it is spam prevention and specifying bots being the target implies that we are talking about something meant to deal with bots specifically. It doesn't change the fact that the limits do negatively impact user experience.

aacafah said:
That's big talk from someone who has no idea why they were added in the first place.

As for why the limits were added, the general reasoning is understandable. My concern is that the solution feels like a temporary measure rather than a long-term, robust approach. Larger platforms (e.g., YouTube) face far more sophisticated spam and botting issues, yet they avoid blanket rate limits on regular user actions because those measures create more friction than benefit. That’s not comparing apples to apples, but it demonstrates that alternatives do exist.

aacafah said:
Unless you've profiled the code & have more conclusive evidence than "I think it's not that big of a deal", we're not removing the limit.

I'm not saying that the limit has to be removed, but it does have to be increased quite a bit. And as a regular user, I don’t have the responsibility to audit the system. That’s something the development team is better positioned to evaluate. A deeper review might reveal whether the current setting is still appropriate or if it can be refined. I do not have the time or personal investment in the matter to sift through the source code to do profiling and everything, I'm just voicing my opinion based on user experience and my related line of work.

averagebuttlover said:
As for why the limits were added, the general reasoning is understandable. My concern is that the solution feels like a temporary measure rather than a long-term, robust approach. Larger platforms (e.g., YouTube) face far more sophisticated spam and botting issues, yet they avoid blanket rate limits on regular user actions because those measures create more friction than benefit. That’s not comparing apples to apples, but it demonstrates that alternatives do exist.

first of all, we're not YouTube, literally the largest content-sharing website on the internet, we're a relatively tiny art archive with one (1) paid employee.

second of all, YouTube is, like, mega dogshit at actually dealing with any of the even somewhat nuanced attacks, I mean, every comment section over the course of maybe 9 months had at least three each of: stolen comment posted by a user with that one picture of a cat sitting on cushions that was AI image-to-image'd from porn as their avatar, generic comment with a random image of a naked woman, those accounts with the clipart of a cop and near identical usernames that talk about raping children. meanwhile every other ad is AI generated footage of impossible products or mobile games ads that are extremely suggestive, sometimes to the point of using edited footage stolen from literal porn games. all while random channels are getting terminated for literally no reason.

dfn-451 said:
first of all, we're not YouTube

As I said, it is not an apples to apples comparison.

dfn-451 said:
YouTube is, like, mega dogshit at actually dealing with any of the even somewhat nuanced attacks, I mean, every comment section over the course of maybe 9 months had at least three each of: stolen comment posted by a user with that one picture of a cat sitting on cushions that was AI image-to-image'd from porn as their avatar, generic comment with a random image of a naked woman, those accounts with the clipart of a cop and near identical usernames that talk about raping children

Another major difference here is that we're talking about up and downvoting comments, not posting comments or other content. YouTube, while not perfect at it, is very good at handling botted views, likes and dislikes and has as a result caused a lot more anti-botting projects to crop up.

My point is that the current solution is too disruptive to users and should be eased up on or replaced if possible. Also, the restrictions on posting comments on this site are more loose than comment voting, which I find absurd.
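Added example, not part of the thread and not the site's own code: a small simulation of the layered limits discussed above, showing why short-window limits alone leave no hourly upper bound on writes from a group of accounts, and why a client that paces itself slowly is never rejected by either kind of limit. The thresholds (2 requests per second, 60 update requests per minute, 50 forum votes an hour) are the figures quoted in the thread; the sliding-window implementation, the class and function names, and the 20 simulated accounts are assumptions.

```python
from collections import defaultdict, deque

# Thresholds quoted in the thread as (limit, window_seconds). How the site
# implements them is not shown there; sliding windows are an assumption.
PER_SECOND = (2, 1)              # "2 requests per second"
PER_MINUTE = (60, 60)            # "60 update requests per minute"
HOURLY_FORUM_VOTES = (50, 3600)  # "50 forum votes an hour"


class SlidingWindow:
    """Allow at most `limit` accepted events per `window` seconds per account."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.events = defaultdict(deque)

    def has_room(self, account, now):
        q = self.events[account]
        while q and q[0] <= now - self.window:  # drop events that aged out
            q.popleft()
        return len(q) < self.limit

    def record(self, account, now):
        self.events[account].append(now)


class LayeredLimiter:
    """Accept a request only if every tier has room; rejects are not counted."""

    def __init__(self, tiers):
        self.tiers = [SlidingWindow(limit, window) for limit, window in tiers]

    def attempt(self, account, now):
        if not all(t.has_room(account, now) for t in self.tiers):
            return False
        for t in self.tiers:
            t.record(account, now)
        return True


def accepted_writes(tiers, accounts, interval, duration=3600):
    """Simulate `accounts` clients, each sending one request every `interval`
    seconds for `duration` seconds, and return how many writes get through."""
    limiter = LayeredLimiter(tiers)
    accepted = 0
    for now in range(0, duration, interval):
        for account in range(accounts):
            accepted += limiter.attempt(account, now)
    return accepted


if __name__ == "__main__":
    short_only = [PER_SECOND, PER_MINUTE]
    with_hourly = short_only + [HOURLY_FORUM_VOTES]
    # 20 constructed accounts, each pacing itself at one request per second.
    print("short windows only:", accepted_writes(short_only, 20, 1))
    print("with hourly cap:   ", accepted_writes(with_hourly, 20, 1))
    # One account pacing itself at 10 requests an hour is never rejected.
    print("slow client:       ", accepted_writes(with_hourly, 1, 360))
```

The hourly tier turns the per-account ceiling into a fixed number that operators can multiply by the number of accounts they are willing to tolerate; it does not identify which accounts are automated, which is the distinction both sides of the thread are arguing about.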

Original page: https://e621.net/forum_topics/60309