feedback on new user role progression

We might have swapped "not a spammer" issues with real spam issues. This gets aggravated by the fact that we still get multiple reports (ie issues) for the same node of spam. I have regularly up to five dupes. That is a lot of clicks for basically nothing of value.
I would like to see how often new users are confirmed via the button. I have to do it quite often while checking the comment approval queue (is there anybody else checking this btw?) in cases where users are clearly legit but none of the responders to forum post were willing to use the button.
I suspect the overall UX for new users has gotten better but "our" experience has gotten sizably worse.

I haven't seen any flooding spam for quite some time. Isn't that also attributed to this change or was that an entirely different change?

I'm curious to see how others feel about it.

I feel like it's been a good start. In particular the granting of confirmed role by other community members. However, we did not yet implement all the originally planned changes to roles and permissions, due to other initiatives being a little higher on the priority list. I will be reviewing the plans vs current situation in the next few days and create issues for leftover tasks.

For example, authenticated users can still create new case studies, doc pages, etc. We planned to move those permissions up to confirmed user, but wanted to have confirm user button in place first to make obtaining the role easier.

imo its been highly detrimental with very little ROI.

I would not agree with that. Most of the problems discussed in this issue are in fact not related to user role progression changes.

The forums have been inundated with tons of spam and very very low value/meaningless posts.

The only change in user role progression which could be blamed for this is opening up forum post creation to email unverified users. This was mentioned before and every time I went through a bunch of recent spam posts to check how many of their authors were email unverified. I only saw one spam post by such a user, out of maybe 30 or 40 I looked through.

If there were a lot of examples of spam by email unverified users, we could reconsider this permission. But so far I didn't see them.

Authenticated users were able to create forum posts before, they are able to do it now still. So user role progression didn't bring new spam here.

Then today I stumbled across an important documentation page completely wiped out by an unconfirmed user.

Again, authenticated users were able to do this before as well. We can however move this permission up to confirmed users. I'll use a separate issue to discuss this.

Not to mention the enormous uptick in spam tickets in the webmaster's issue queue.

Again, not sure this relates to user role progression per se. We do need better tools to report and block spam (e.g. to avoid duplicate reports of the same spam node).

to see very little legitimate posts by unconfirmed users

This might be hard to see both for 'email unverified' and 'authenticated but not confirmed yet', because once the user verified email or got the role, you can't see on the post if it was created *before* that happened or after.

I would be curious to see query results on how many posts 'email unverified' users create (and for not they only thing they can create is forum topic and comment), however we'd need a scheduled job of sorts to run the query. We'll look into this.

I would like to see how often new users are confirmed via the button.

I was trying to get statistics on this, but unfortunately right now no log entry is saved anywhere when the role is awarded via the button (or not via the button for that matter). We are planning to switch to Universal Analytics on Drupal.org soon, and that will allow us to create custom event to track usage of the button.

I haven't seen any flooding spam for quite some time. Isn't that also attributed to this change or was that an entirely different change?

I would say most likely we can attribute this to Mollom being installed. In particular, it does a good job protecting user registration form.

Yeah, those meaningless posts are difficult. I always wonder if they are people with not-so-good English and nothing to say that are trying to contribute, or if they are setting up accounts in preparation to spam with them.

I think that there are two major things that would cut a large amount of spam (especially the Chinese flood we're seeing yesterday and today):

1) No signatures until they are community user. This already has an open issue (https://www.drupal.org/node/2452511), but it's had no movement.

2) No links in posts until they have achieved some goal (maybe a confirmed user). On another forum I'm a member of, it's 15 posts.

There should be some automatic way to make a person pass from a role to another one, basing on the user's activity, but there should be an automatic way of removing a role with more permissions, if necessary. Of course, there should not be easy to trick the system to make it give a role.

This gets aggravated by the fact that we still get multiple reports (ie issues) for the same node of spam.

I started to build a system for drupal.org to deal with this last year, but the contribution process for drupal.org is just too much of a hassle, so I stopped doing development for drupal.org. So as of recent, in order to try to stop multiple reports on the same post/comment, I've started adding a comment that the node/comment has been reported. This way other users can see its already been reported before reporting themselves. I notice a few others have followed suit (Yelvington in particular).

This Chinese spam flood we've got going on right now is beyond even that though - it would take hours just to report it all.

@Jaypan I noticed that and it helps me a lot. Thx!
Glad to see that @tvn has the reporting problem on her radar.

Well, our current system obviously has a major hole in it that's been exposed by these Chinese spam threads about unviersities. This is about the worst spam flooding I've ever seen on DO in my time here. We are about three days in, and they just don't stop. There are some gaps in between mods being around as well, so sometimes they are there for many, many hours before they are dealt with.

As it's coming up on the weekend here, I only expect it to get worse, as regular spam that is reported on a weekend usually takes until Monday or Tuesday (JST) to get cleared out (no mods clearing spam on the weekends usually). By that time this coming week, we will likely have thousands of these Chinese spam posts on the site.

An update on this: we are keeping an eye on what are the roles of the spammers who are part of the massive attack happening now. The day before yesterday I myself checked about 60 spammers and only 5 of them were email unverified. B_man will give us updated stats tomorrow.

Also #2452511: Allow signatures only to users with 'community' role was fixed and deployed on Drupal.org some time ago.

Re screenshot in #7 - I agree those posts are meaningless, however, they have nothing to do with the role progression per se. You can see 'confirm' button on those comments, which means all those users verified their emails. We don't display that button until users verify emails. So those users are exactly the same authenticated users we had before any changes to the role progression. They could spam before the same way the can now, we didn't suddenly make it possible for them.

Got the latest stats (below) on blocked users. It seems only in the last few days they figured how to abuse email unverified role. We are going to temporarily take away the permission to create forum posts from this role over at #2594165: Remove permission to create forum posts from email unverified users.

mysql> SELECT substr(from_unixtime(u.created), 1, 10) AS created_on, count(DISTINCT u.uid) AS total, sum(r.name = 'email unverified') AS email_unverified, sum(r.rid IS NULL) AS 'authenticated' FROM users u LEFT JOIN users_roles ur ON ur.uid = u.uid LEFT JOIN role r ON r.rid = ur.rid WHERE u.status = 0 GROUP BY created_on DESC LIMIT 50;
+------------+-------+------------------+---------------+
| created_on | total | email_unverified | authenticated |
+------------+-------+------------------+---------------+
| 2015-10-15 | 52 | 19 | 33 |
| 2015-10-14 | 39 | 11 | 27 |
| 2015-10-13 | 127 | 77 | 50 |
| 2015-10-12 | 381 | 249 | 132 |
| 2015-10-11 | 14 | 1 | 13 |
| 2015-10-10 | 169 | 104 | 65 |
| 2015-10-09 | 284 | 128 | 156 |
| 2015-10-08 | 209 | 17 | 191 |
| 2015-10-07 | 111 | 2 | 109 |
| 2015-10-06 | 34 | 2 | 32 |
| 2015-10-05 | 35 | 1 | 34 |
| 2015-10-04 | 7 | NULL | 7 |
| 2015-10-03 | 28 | NULL | 28 |
| 2015-10-02 | 18 | 1 | 17 |
| 2015-10-01 | 34 | 2 | 32 |
| 2015-09-30 | 33 | 1 | 32 |
| 2015-09-29 | 20 | NULL | 20 |
| 2015-09-28 | 18 | NULL | 18 |
| 2015-09-27 | 5 | NULL | 5 |
| 2015-09-26 | 14 | NULL | 14 |
| 2015-09-25 | 14 | NULL | 14 |
| 2015-09-24 | 18 | 1 | 17 |
| 2015-09-23 | 20 | 3 | 17 |
| 2015-09-22 | 19 | 1 | 17 |
| 2015-09-21 | 14 | NULL | 14 |
| 2015-09-20 | 3 | NULL | 3 |
| 2015-09-19 | 24 | 1 | 23 |
| 2015-09-18 | 21 | 1 | 20 |
| 2015-09-17 | 17 | NULL | 17 |
| 2015-09-16 | 28 | NULL | 28 |
| 2015-09-15 | 19 | 1 | 17 |
| 2015-09-14 | 23 | 1 | 22 |
| 2015-09-13 | 7 | NULL | 7 |
| 2015-09-12 | 21 | NULL | 21 |
| 2015-09-11 | 22 | 0 | 21 |
| 2015-09-10 | 20 | NULL | 20 |
| 2015-09-09 | 29 | NULL | 29 |
| 2015-09-08 | 14 | NULL | 14 |
| 2015-09-07 | 18 | NULL | 18 |
| 2015-09-06 | 5 | NULL | 5 |
| 2015-09-05 | 17 | 1 | 16 |
| 2015-09-04 | 18 | NULL | 18 |
| 2015-09-03 | 25 | 1 | 24 |
| 2015-09-02 | 21 | 1 | 20 |
| 2015-09-01 | 20 | NULL | 20 |
| 2015-08-31 | 18 | NULL | 18 |
| 2015-08-30 | 11 | NULL | 11 |
| 2015-08-29 | 14 | NULL | 14 |
| 2015-08-28 | 15 | NULL | 15 |
| 2015-08-27 | 11 | 1 | 10 |
+------------+-------+------------------+---------------+

Also, after my comment yesterday I realized that email unverified don't have permission to comment at all, so they couldn't create comments in #7.

Going to close this issue as most of feedback is addressed.