Back to Blog

Blocking 99% of Spam for a 4,500+ Member Discord Server

case-studymoderation
Paillat

Paillat

Founder

siBluesky siGithub

Creator of NiceBots.

A French-speaking Discord community of over 4,500 members had been dealing with recurring waves of spam from compromised and bot accounts - crypto scam pitches, fake get-rich-quick schemes, Discord invites to NSFW scam servers, and a more recent wave of image spam designed to exploit Discord’s auto-embed behavior. Their moderation team had an established workflow and clear standards, and needed a solution that would integrate with that rather than replace it.

The Spam Problem

Several types of spam dominated. The most common was text-based: accounts posting variations of the same scam template across multiple channels - typically offering to teach people to earn $100k in a week in exchange for 10% of profits, with a Telegram handle or phone number to contact. A related variant dropped Discord invite links to NSFW scam servers, which was particularly disruptive in a community that isn’t adult-only.

Moderation report for a text-based crypto scam - account posting identical Telegram scam links across 3 channels, 48h timeout

The second type was subtler and harder to catch with conventional tools. Accounts would post sequences of image URLs with no text at all. Because Discord auto-embeds any image link regardless of where it’s hosted, these would render directly in the channel: fake screenshots of celebrities on X/Twitter promoting crypto casinos, complete with fabricated follower counts and pinned posts. No keywords to catch, no suspicious external domain to blocklist.

Moderation report for image URL spam - account posting CDN image links across 4 channels, 24h timeout

The third variant used direct file uploads. Rather than linking to an image, accounts would attach the scam images directly to their message - the same fake celebrity endorsements, now bypassing any link-based detection entirely.

Moderation report for attachment spam - account posting fake celebrity crypto endorsement images across 3 channels, 48h timeout

The content across all three variants was often the same: fabricated endorsements from public figures directing users to crypto gambling sites, paired with fake withdrawal confirmation screens to add credibility.

Detection Architecture

The system doesn’t rely on a single detection method. It combines behavioral signals at the account and message level, evaluated in real time against a Redis cache.

Behavioral heuristics are the core of the system. Rather than asking “does this message look like spam?”, the system primarily asks “does this pattern of activity look like spam?” The key signals include:

  • Message velocity and channel spread: the number of messages sent relative to how many distinct channels they appear in. Five messages across four channels is treated as more suspicious than six messages across two - a spammer targeting as many channels as possible leaves a different footprint than an active user staying in one conversation.
  • Prior interaction: whether the account has meaningfully participated in the server before. Accounts posting high-velocity content with no prior engagement are weighted more heavily.
  • Link behavior: whether links in a message resolve to an image, which is exactly the mechanism image URL spam exploits.
  • Attachment signals: the number and size of file attachments in a message.

When a combination of these signals crosses a threshold, the account is automatically timed out and a moderation report is generated. Crucially, because detection is primarily behavioral rather than content-based, the system doesn’t need to match message text or recognize image content - it catches the pattern of activity regardless of what the message actually contains.

Redis backs the rate tracking and fingerprint cache, keeping detection latency low enough to act before a spam wave propagates across channels.

Moderator-Defined Rules

The heuristic engine is dynamic. Moderators can define their own pattern rules using a simplified regex-based syntax, letting them encode knowledge about their specific community - recurring scam formats, known bad actors, content patterns that only make sense in their context. The system improves over time without requiring code changes, and moderators stay in control of what gets flagged.

Discord Automod Integration

The server already used Discord’s native Automod system. Rather than run in parallel and create a fragmented audit trail, our bot integrates directly with Automod: when Automod takes an action, the bot generates a moderation report for it in exactly the same format as reports from our own detections. Every moderation action - whether triggered by Automod, our heuristics, or a moderator-defined rule - appears in the log channel in a consistent, reviewable format that matches what staff have always used.

Results

Within 48 hours of deployment, spam incidents dropped by over 99%. The moderation team’s workflow remained intact - the logs looked the same, the review process worked the same, and staff could verify or override any automated action without adapting to a new system.

NiceBots builds custom Discord tooling. Reach out at hello@nicebots.xyz or join our Discord.