Skip to:
Content
Pages
Categories
Search
Top
Bottom

Best way to limit friend requests to avoid spam

  • Avatar of tifire
    tifire
    Participant

    @tifire

    One new member of our site sent friend requests to almost all other members. Even though he may not be a spammer, this did get me nervous. A spammer could just do the same and send friend requests to hundreds of members and ruin the site quickly.

    To avoid spam, I would like to limit the number of friend requests a member can send per hour. I have a couple of questions and hope someone can help:
    1) what’s the best way to get the number of friend requests a member has already sent in given period. Is there a buddypress function to return the number of friend request, or shall I do a WP database query?
    2) After getting the number, the next step is to check if this is bigger than the maxium. The function friends_action_add_friend() seems to be the one that decides if a friend request can be sent, but I didn’t find any action there. Can someone tell me if friends_action_add_friend() is the correct function to look at?

    I would like to do the same to limit the number of updates, comments posted or groups created per hour. I hope similar method can be used.

    Thanks a lot.

Viewing 25 replies - 1 through 25 (of 31 total)
  • Avatar of tim_marston
    tim_marston
    Participant

    @tim_marston

    I would love to know the answer to this one as well?

    Avatar of @ubernaut
    Ben Hansen
    Participant

    @ubernaut

    sounds like an interesting feature suggestion have you looked at trac to see if anyone else has already requested it?

    Avatar of tim_marston
    tim_marston
    Participant

    @tim_marston

    What is trac?

    Avatar of @ubernaut
    Ben Hansen
    Participant

    @ubernaut

    thats where bugs feature suggestions and the like are kept track of:

    http://buddypress.trac.wordpress.org/

    Avatar of Asynaptic
    Asynaptic
    Participant

    @synaptic

    This is a great idea and frankly I’m surprised that it has not been included already. And not just for friend requests but for pretty much all activity on the site: comments, forum posts, etc.

    As long as you limit the frequency to what is ‘human’ you are making spammers’ lives very difficult. The issue is to not make legitimate users upset by setting it too low. But that can be tweaked easily to perfection.

    Avatar of @ubernaut
    Ben Hansen
    Participant

    @ubernaut

    i think bbpress supports throttling i swear i read or heard that somewhere.

    Avatar of Asynaptic
    Asynaptic
    Participant

    @synaptic

    yes it is right in the codex: http://codex.bbpress.org/forum-settings/

    but I don’t think BP has it

    Avatar of danbpfr
    danbpfr
    Participant

    @chouf1

    Avatar of P
    P
    Participant

    @patricksaad

    @Chouf1, that’s my blog you’re linking to. I am not sure if they added Throttling to the new Buddypress version. I opened a ticket months ago, the milestone has been set to: version 1.7 to Future Release http://buddypress.trac.wordpress.org/ticket/3732. This is a bit frustrating since Throttling makes for great spam control.

    @tifire Go to /bp-friends/bp-friends-functions.php in your Buddypress installation and change the friends_add_friend function to the following:

    function friends_add_friend( $initiator_userid, $friend_userid, $force_accept = false ) {
    	global $bp;
    
    	$friendship = new BP_Friends_Friendship;
    
    	if ( (int) $friendship->is_confirmed )
    		return true;
    
    	$friendship->initiator_user_id = $initiator_userid;
    	$friendship->friend_user_id    = $friend_userid;
    	$friendship->is_confirmed      = 0;
    	$friendship->is_limited        = 0;
    	$friendship->date_created      = bp_core_current_time();
    	
    	/**
    	 * BuddyPress Friend Request Throttling
    	 *
    	 * Set a throttle period for user friendship requests
    	 *
    	 * @author Patrick Saad
    	*/
    	
    	global $wpdb;
    	$qry = "SELECT date_created FROM wp_bp_friends where initiator_user_id = '".$initiator_userid."' order by date_created desc limit 1";
        $user_friend_requests = $wpdb->get_results( $qry );
    	
    	if ($user_friend_requests)
    	{
    		$latest_user_request = strtotime($user_friend_requests[0]->date_created, time());
    		$time_since_latest_request = time() - $latest_user_request;
    		
    		// that's 2 minutes
    		$throttle_period = 60 * 2;
    		
    		// if the last request was over 5 minutes ago, allow it
    		
    		if ($time_since_latest_request < $throttle_period)
    			return false;
    	}
    	// End of BuddyPress Friend Request Throttling //
    
    	if ( $force_accept )
    		$friendship->is_confirmed = 1;
    
    	if ( $friendship->save() ) {
    
    		if ( !$force_accept ) {
    			// Add the on screen notification
    			bp_core_add_notification( $friendship->initiator_user_id, $friendship->friend_user_id, $bp->friends->id, 'friendship_request' );
    
    			// Send the email notification
    			friends_notification_new_request( $friendship->id, $friendship->initiator_user_id, $friendship->friend_user_id );
    
    			do_action( 'friends_friendship_requested', $friendship->id, $friendship->initiator_user_id, $friendship->friend_user_id );
    		} else {
    			// Update friend totals
    			friends_update_friend_totals( $friendship->initiator_user_id, $friendship->friend_user_id, 'add' );
    
    			do_action( 'friends_friendship_accepted', $friendship->id, $friendship->initiator_user_id, $friendship->friend_user_id );
    		}
    
    		return true;
    	}
    
    	return false;
    }

    This will prevent a user from sending a friendship request to someone if their recent friendship request date was less than, say 2 minutes (change the $throttle_period variable to modify this time)

    Just gave this a fresh test, works in Buddypress 1.7.2. This same concept can be applied to comments, groups, etc, you just have to find the functions and play around.

    Avatar of danbpfr
    danbpfr
    Participant

    @chouf1

    @patricksaad,
    apologize if i mentionned your blog, but it was the only place i found speaking about this problem.
    FYI, “throttling” is used in BP 1.7.2, but a minima. Should be extanded much more. I guess it’s preferably you open an ehancement ticket on the Trac.
    And thank you for sharing your code. ;-)

    buddypress 1.7.2\bp-core\bp-core-moderation.php (6 hits)
    Line 24: * @uses current_user_can() To check if the current user can throttle
    Line 25: * @uses bp_get_option() To get the throttle time
    Line 32: if ( !$throttle_time = bp_get_option( ‘_bp_throttle_time’ ) )
    Line 32: if ( !$throttle_time = bp_get_option( ‘_bp_throttle_time’ ) )
    Line 40: if ( isset( $last_posted ) && ( time() < ( $last_posted + $throttle_time ) ) && !current_user_can( ‘throttle’ ) )
    Line 40: if ( isset( $last_posted ) && ( time() < ( $last_posted + $throttle_time ) ) && !current_user_can( ‘throttle’ ) )
    buddypress 1.7.2\bp-forums\bbpress\bb-admin\admin-ajax.php (6 hits)
    Line 160: if ( $throttle_time = bb_get_option( ‘throttle_time’ ) )
    Line 160: if ( $throttle_time = bb_get_option( ‘throttle_time’ ) )
    Line 161: if ( isset($bb_current_user->data->last_posted) && time() < $bb_current_user->data->last_posted + $throttle_time && !bb_current_user_can(‘throttle’) )
    Line 161: if ( isset($bb_current_user->data->last_posted) && time() < $bb_current_user->data->last_posted + $throttle_time && !bb_current_user_can(‘throttle’) )
    Line 162: $error = new WP_Error( ‘throttle-limit’, sprintf( __(‘Slow down! You can only post every %d seconds.’), $throttle_time );
    Line 162: $error = new WP_Error( ‘throttle-limit’, sprintf( __(‘Slow down! You can only post every %d seconds.’), $throttle_time );
    buddypress 1.7.2\bp-forums\bbpress\bb-admin\includes\functions.bb-admin.php (4 hits)
    Line 408: $user_meta['throttle'] = $_POST['throttle'];
    Line 408: $user_meta['throttle'] = $_POST['throttle'];
    Line 531: $user_meta['throttle'] = $edit_user->throttle;
    Line 531: $user_meta['throttle'] = $edit_user->throttle;
    buddypress 1.7.2\bp-forums\bbpress\bb-admin\options-writing.php (3 hits)
    Line 43: ‘throttle_time’ => array(
    Line 44: ‘title’ => __( ‘Throttle time’ ),
    Line 47: ‘note’ => __( ‘Users must wait this many seconds between posts. By default, moderators, administrators and keymasters are not throttled.’ )

    Avatar of Asynaptic
    Asynaptic
    Participant

    @synaptic

    @chouf1 I believe patrick’s comment on that ticket is relevant:

    “The function bp_core_check_for_flood in bbp-core-moderation.php is not hooked to anything. No flood control on activity page.”

    @patricksaad could you pls submit a patch to trac?

    Avatar of P
    P
    Participant

    @patricksaad

    @synaptic Will do asap, hopefully we’ll at least have Activity flooding control for Buddypress 1.8

    Avatar of Asynaptic
    Asynaptic
    Participant

    @synaptic

    @patricksaad Thank you! Can it also be added for comments? friend requests, activity, etc. we know bbpress has it so everything else other than forum posts (via bbpress) would be helpful to have throttling

    Avatar of OC2PS
    OC2PS
    Participant

    @sooskriszta

    Sending friend requests to folks you don’t know is an issue that all social networks, be they Facebook, Orkut, MySpace, Hi5, or even LinkedIn, have to contend with.

    That said, I wouldn’t call it the bane of social networking. What really does a purported “spammer” gain by sending friend requests? Annoyance for certain people that they have received a friend request? Unlikely – the text is preset…the spammer cant even include his/her fake links. Also, most folks are now pretty adept at ignoring such messages. And even if somebody accepts the friend request, what does the spammer gain? What does a “friendship” accomplish?

    Comments (WP), forums (bbP) and activity feeds do really really need spam protection. I’m not so sure about the necessity for friend requests.

    That being said, how do the big boys manage friend requests?
    1. LinkedIn: You can only friend people who are 2 degrees away from you OR whose email address you know. Plus, recipients can mark it as spam.
    2. Facebook: Members can control whether they want to receive friend requests at all. Plus recipients can mark requests as spam. Finally, temporary & permanent bans – based on proportion of requests marked as spam.

    Throttling is neat, cool and easily done – perhaps like bbP, site admin can define the throttling parameters for BP friend requests throttling.

    Much more importantly, an Akismet-like solution for activity spam would be nice. I would look for a 2 stage process on the manual “mark as spam” side of things:
    1. Member marks another member’s activity as spam (this is really a flag that puts the activity in a basket for admin to see)
    2. Admin looks through the basket and marks either as spam (in which case Akismet is notified) or not spam.

    Avatar of @ubernaut
    Ben Hansen
    Participant

    @ubernaut

    Well activity is already protected by akismet integration. Regarding the friend requests, one thing you can do now (and i have been forced to) to fight spam is only allow private messages to friends in that case the spammer gains the ability to send spam messages to these friends.

    Avatar of OC2PS
    OC2PS
    Participant

    @sooskriszta

    Well activity is already protected by akismet integration.

    Except that there is no good way for members to flag activity.

    Avatar of @ubernaut
    Ben Hansen
    Participant

    @ubernaut

    giving members the ability to flag things as spam through akismet seems like a very sticky wicket to me probably something which would be better addressed as plugin. i for one would not want to give that ability to any user. i can barely get my staff to do that correctly under wordpress.

    Avatar of OC2PS
    OC2PS
    Participant

    @sooskriszta

    Nope, flagging by members shouldnt be reported to Akismet directly. As mentioned above, it’s a two step process. Site/Group admin can’t be everywhere, so users should be able to flag items for their review. Site/Group admins should be the ones whose flags ultimately get reported to Akismet.

    Avatar of @ubernaut
    Ben Hansen
    Participant

    @ubernaut

    seems like major overhaul to the way aksimet works now but as i said before anything we can do to make spammers lives more difficult i’m basically for it.

    Avatar of OC2PS
    OC2PS
    Participant

    @sooskriszta

    Doesn’t require any change in Akismet.

    Akismet plugin will need a little change – it will need to tie reporting to role.

    BuddyPress will need to incorporate the functionality of members/users flagging activity, the way users can report messages in software like phpBB.

    Avatar of bp-help
    bp-help
    Participant

    @bphelp

    There is a new premium plugin out by BuddyDev called BuddyPress Limit Frienship check it out here:

    http://buddydev.com/plugins/bp-limit-friendship/

    This should help you folks out @tim_marston @ubernaut @sooskriszta . Another great job @sbrajesh !

    Avatar of @ubernaut
    Ben Hansen
    Participant

    @ubernaut

    neato!

    Avatar of OC2PS
    OC2PS
    Participant

    @sooskriszta

    Thanks @bphelp

    The plugin seems like a terrible idea. I mean some particular installation somewhere in the BuddyPress world might need it, but I don’t like the idea of limiting BP’s functionality (potentially thwarting the value of the online community) for everyone to try and stop a few bad apples. What number will you limit the friends to so that spammers are blocked and the community is valuable? 5, 10, 50, 100, 500?

    Your original idea of throttling friend requests was far neater and remains superior to this plugin’s concept.

    Avatar of Brajesh Singh
    Brajesh Singh
    Participant

    @sbrajesh

    @bphelp thanks Ben for the heads up.
    @sooskriszta
    You are right about the use case. It is not suitable for spammers protection and neither suitable for normal sites.

    I built it specifically for membership based sites where they wanted to limit the no. of friends and charge for increasing the limit(I had got that specific requirement from a client and they implemented it with s2 members plugin in their case).

    As far as Friendship request throttling is concerned, I am about to release a plugin today which does allows site admins to limit the no. of requests sent per minute(or you can set say 30 requests per 60 mins, that flexibility lies with the site admins).

    Avatar of P
    P
    Participant

    @patricksaad

    @sooskriszta I agree that the plugin is a terrible idea. Throttling is one thing (telling the user “hey slow down a bit”) but setting an absolute limit for the number of friendships goes against the concept of a community.

    Going back to the ORIGINAL point of this topic, I said I will add throttling to the activity page and the friendship requests, but I ran into small trouble and thought maybe some of you people can help out. I opened another topic http://buddypress.org/support/topic/add-custom-setting-to-buddypress-settings/, I appreciate it if you can check it out and help out. @synaptic @sooskriszta

Viewing 25 replies - 1 through 25 (of 31 total)

You must be logged in to reply to this topic.