A Playbook

Spam at scale,
solved in layers.

A working checklist of tactics that big, free, public communities (100k+ members) actually use to keep the bots out without killing the open-door feel. Work through it, check off what applies, ignore what doesn't.

Progress

0 / 0

01Probation & member restrictions

Spammers want to act fast — links, DMs, and posts within minutes of joining, because their accounts get banned just as fast. Delay matters more than detection.

Posting delay for new members

New members can read but not post for the first 24–72 hours. Native on Discord (verification levels), configurable via roles on Circle and Mighty Networks. On Skool, approximate this by setting categories to require admin approval and granting a "trusted" role after X days.

Eager first-time members lose their highest-motivation moment. Some never come back after the delay.

High impact Discord native Skool workaround

DM restrictions until activity threshold

The most damaging spam isn't public posts — it's bots DMing every member with crypto, OF, or coaching pitches. Gate DMs by role on Discord, Circle, or Mighty. Many large Skool communities just disable member-to-member DMs entirely and route intros through a public space.

Disabling DMs kills peer-to-peer connection, which is half the reason people join communities in the first place.

High impact Skool: disable entirely

Comment-before-post requirement

Require new members to leave 3–5 comments before they can create their own post. Kills drive-by spam posts cleanly, and as a bonus, forces real members to read the community before contributing.

Expert newcomers with genuinely valuable first posts get forced into low-effort comments to "earn" the right to share.

Engagement bonus

02Auto-moderation on first posts

A new member's first post is the highest-risk post they will ever make. Filter that one hard.

Link blocking on first post

Any post from a member with fewer than X posts that contains a URL goes to a moderation queue instead of publishing. Discord AutoMod does this natively. On Skool, build it with Zapier or Make watching the new-post webhook, checking author post count via API, then flagging or deleting.

A moderation queue is only useful if a mod actually reviews it. Backlogged queues silently kill real members' good posts.

High impact Discord native Skool via Make

Keyword blocklist

Standard spam terms: telegram, whatsapp +1, "DM me for", investment opportunity, crypto wallet addresses, common OF redirect domains. Auto-hide or auto-delete on match. Maintain the list — spammers rotate phrases.

False positives in topical communities — a fintech group can't ban "investment," a travel group can't ban "WhatsApp." Tune carefully.

Maintain monthly

Pattern detection (caps, numbers, shortened URLs)

All-caps posts, phone numbers, shortened URLs (bit.ly, tinyurl, t.co outside Twitter context) get flagged. Most platform automods handle this; on Skool you build it.

Spammers adapt fast — spelling out "dot com" or using Unicode lookalikes routes around naive pattern matching within a week.

Platform automod

Image-only posts flagged

A common spam pattern is a first post with just an image (containing a phone number or Telegram handle baked in) and no text body. Auto-flag any first post that has an image and no body text.

Visual-first communities (design, art, fashion, food) live on image-only posts. This filter is wrong for them by default.

03Signup-stage friction

The cheapest spam to stop is the spam that never signs up. Add cost at the door.

Application question that requires specific context

Not "why do you want to join" — bots answer that with GPT now. Instead: "What's a tool you've used in the last week that you'd recommend?" or "Paste a link to something you've made or written." Bots fail these or produce obviously generic answers a human can spot in 5 seconds.

Reviewing answers doesn't scale. At a few hundred signups a day, even 5 seconds each becomes a part-time job.

Highest leverage

Phone / SMS verification at signup

Massively raises the cost of spawning fake accounts. Available on Circle and some others; not on Skool. Tradeoff: a real conversion hit on signups (10–30% drop is normal). Big public communities have to decide if they'd rather have 100k members with 15% spam or 70k members with 1% spam.

Privacy-conscious members refuse to hand over a phone number to join a free community, and SMS APIs (Twilio, etc.) add real per-signup cost.

High impact Conversion cost

Block disposable email domains

Block known throwaway providers (mailinator, guerrillamail, tempmail, etc.) at signup. Easy win, no friction for real users. Maintained lists are on GitHub.

Sophisticated spammers use fresh Gmail or custom domains — this only catches the lazy bottom tier.

Easy win

04Rate limits & trust tiers

Earn-as-you-go permissions. New members do less; trusted members do more.

Rate limits on posts and comments

Cap new members at 2 posts per day and 10 comments per day for their first week. Stops the "join, dump 40 spam posts, get banned" pattern cold.

Enthusiastic new members hit the cap fast, get a "you can't post" error, and assume the community is broken. UX matters here.

Trust scoring with tiered roles

Members earn a "trusted" role after milestones — 30 days plus 10 posts plus 5 received likes, or whatever fits. Trusted members can post links, DM freely, post images. Untrusted members can't. This is essentially how Reddit's karma works and how most well-run Discord servers operate.

Gamifies engagement in ways that reward volume over quality — people farm posts and likes to unlock privileges.

High impact

05Moderation operations

The deterrent isn't the rule, it's the speed of enforcement.

Visible report button + fast mod response

Sounds obvious, but the deterrent effect of spam being removed within an hour is huge. Spammers test communities: if their first post survives 24 hours, they come back with 50 accounts. If it's gone in 30 minutes, they leave.

Report buttons get weaponized in heated communities — members report each other over disagreements, drowning mods in noise.

Mod coverage across time zones

For 100k+ communities, you need coverage. Spam waves often hit at 3 a.m. local time on purpose. Either a global mod team or automod that doesn't sleep.

Volunteer mod teams burn out fast and bring their own politics. Paid mods are a real line item most free communities can't justify.

Ban evasion detection

When you ban someone, flag their IP, email pattern, and device fingerprint (where supported) so the same person rejoining gets auto-blocked. Discord and Circle are stronger here; Skool tooling is limited.

IP bans catch shared networks (offices, coffee shops, dorms). Real members get locked out for someone else's behavior.

Honeypot channels or posts

An obviously-bait pinned post ("Drop your Telegram here for free signals") auto-bans anyone who replies. Surprisingly effective against low-effort bots.

Confused new members occasionally reply sincerely, then get banned with no warning. Bad first impression if it misfires.

Niche but fun

The counter-argument

Maybe the spam problem at 100k+ free is structurally unsolvable.

Many community operators who have scaled past 100k members say the better play is a $1–9/month entry fee. Even $1 kills 99% of spam, because spammers don't have the cards or Stripe accounts to scale across thousands of fake signups. Sam Ovens built Skool's whole pricing model around this insight. Worth raising in your reply if you want to push back gently on the "free at 100k" premise.

Take it with you

Want your own copy?

Your checkmarks save to this browser only. Download the file, open it locally, and check things off as you work through your own community setup. No tracking, no account, just a single HTML file.

↓ Download HTML