There have been a few cases of CleanTalk causing problems for legitimate users of the site - two users have reported their legitimate posts being outright blocked (in one case this was due to a VPN, the other one has no explanation whatsoever), and we've also had a few cases where posts were flagged for moderator approval despite having no need to be (I'm a bit less concerned about that last part - I consider that to be a tolerable side effect, it's the outright blocking that concerns me).
I raised a few potential solutions on the staff board, and am now bringing them into public discussion.
Option 1 - Keep as-is, accept it will cause problems sometimes
Self-explanatory. I really don't like this option - aside from the fact that it's going to frustrate users who have done nothing wrong, another concern is that new users may be attempting to sign up, running into problems, and we never know because they never reach out to us, so they just give up and don't join.
Option 2 - Use CleanTalk with altered settings / customizations
The main ideas here are (a) disable the filter that stops suspected spambots from even accessing the site (even to read it), and (b) only apply the spam check to posts from new users (with the "what counts as a new user" being a to-be-discussed point). I was a bit hesitant about this due to the amount of work that would be involved, but it actually looks like the plugin has at least rudimentary features to help with this. The problem with this approach is that it still doesn't really help much with users who don't even manage to register (if they do manage to register and attempt to post but their posts get outright blocked, I'll at least see them in the CleanTalk admin panel - but with blocked registration attempts it's literally impossible to distinguish spam attempts from legitimate ones, especially at a quick glance).
Option 3 - Mod/admin approval of all registrations and posts from new users
The idea for this one is - get rid of CleanTalk, and rely on human approval for new users. Admin approval would be needed for new registrations, and mod or admin approval would be needed for their first few posts. The biggest problem here is how to handle a case of "spambot makes account, never posts, just spams via PM" (while also being mindful that there are several legitimate users who don't ever post publicly, but do communicate with other users via PM). Maybe this isn't a big enough concern to worry about right now - I haven't received any reports of PM spam so far.
Option 4 - Revert to old setup, deal with spam as it happens
And the last option is simply to go back to minimal anti-spam measures (just security questions etc - not much point in CAPTCHA these days, it's trivial for AI to defeat it), and accept that spam attacks will happen once in a while, and that they're annoying but not really the end of the world - users here should be savvy enough to identify and disregard them, so the issue is yeah, really just that they're annoying.
I was initially favoring option #3, but after seeing that the CleanTalk plugin already has some features that might help get a good enough setup of option #2, I'm leaning more towards that. Discussion of this matter on the Staff Board, where other staff did respond, was also leaning towards preferring option 2. As an interim measure I've already implemented option #2 part (a) (disabling the filter that blocks the site entirely for suspected spambots) and will see what difference that makes, if any.
And for any legitimate users trying to sign up who are encountering issues - please, reach out to us. You can contact us on the Lemmings Forums Discord (https://discord.gg/aNvQ8b3hfW), or on the #lix IRC channel on QuakeNet.
On further investigation, applying option #2 seems very simple indeed - so I've gone ahead and done that for now.
At this point in time, if I've understood the options and configured everything correctly, spam checking should now apply to registrations, as well as posts from users who have not yet made 5 approved posts. Once you've hit 5 posts, your posts should just go through without being checked (as it's probably a safe assumption - and we can change the settings if this turns out wrong - that if your first 5 posts either were approved by CleanTalk, or flagged but then approved by a moderator, you're probably not a spambot).