Re: User / messaging exploit? Causing spam
@Harry (a.k.a. stripedsquirrel)
I think a very good start is that you can only message your friends. Thought that this would be already the case, that is why I wondered how we could get spammed?
See this discussion: https://buddypress.org/forums/topic/compose-message-send-to-username
Basically, the autocomplete message recipient list only autofills from your friends list. However, anyone can message any other individual via the “Send Message” button on a user’s profile screen. All that is needed for a user to send a PM is that they have a member account and that they are logged in to the system.
On a related note, my Privacy Component does have an option to filter out the “Send Message” button, making it only visible to those you choose.
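The reply above describes a restriction that exists only in the compose form's autocomplete, not in the code that actually sends the message. As an added example (not part of the original post, and not code from BuddyPress core or the Privacy Component), here is one way a site plugin could enforce friends-only messaging at send time. It assumes a BuddyPress version that fires the `messages_message_before_save` action with the message object, and an active Friends component; the function name `example_friends_only_recipients` and the administrator exemption are illustrative choices.

```php
<?php
/**
 * Added example: enforce "friends only" private messaging on the server,
 * so the rule holds regardless of which form or button started the message.
 * Hypothetical plugin code, not BuddyPress core.
 */
function example_friends_only_recipients( $message ) {
    // Nothing to enforce if the Friends component is not loaded.
    if ( ! function_exists( 'friends_check_friendship' ) ) {
        return;
    }

    $sender_id = (int) $message->sender_id;

    // Assumption for this example: site administrators may contact anyone.
    if ( user_can( $sender_id, 'manage_options' ) ) {
        return;
    }

    $allowed = array();
    foreach ( (array) $message->recipients as $recipient ) {
        $recipient_id = (int) $recipient->user_id;

        // Keep the recipient only if a confirmed friendship exists.
        if ( friends_check_friendship( $sender_id, $recipient_id ) ) {
            $allowed[] = $recipient;
        }
    }

    // Non-friends are dropped; an empty list leaves no one to deliver to.
    $message->recipients = $allowed;
}
add_action( 'messages_message_before_save', 'example_friends_only_recipients' );
```

Because this check runs for every message, it also applies to replies in existing threads; a site that wants to allow replies to non-friends would need to exempt them explicitly.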