@nexia
Haha! Yes, I told my wife about it and she said go ahead.
Seriously though, it is amazing that this is the first spam exploit that has hit our PM system. I get so many of these pathetic attempts via email each day that I was surprised this morning when I checked my email and saw that one had been sent via the BP PMing system.
if you have no wife and no problem with the police, you’re safe Jeff…
I actually responded to her email. Was I not supposed to? She seemed so nice.
Opened up the same message myself a few minutes ago. Thanks.
I got the same dummy message 2 hours ago. Marked as spam? Good
User has been marked as spam.
This is my third Post here within 24 hours and I feel I am spamming the forums already – so sorry about this!
I want to add a class to the member links in the activity stream so I can direct the output to an ajax layer rather than reloading the page.
I am making progress in changing existing classes of links to my own (unfortunately the member link does not have any class so I will have to fiddle around with my preg_replace a bit further)..
This Code:
<?php
// Filter BuddyPress activity content; priority 1 runs before other filters.
add_filter( 'bp_get_activity_content', 'add_ajax_class', 1 );
function add_ajax_class( $content ) {
    // Replace every existing class attribute with the AjaxDivBox_Link class.
    // The replacement string must use a different quote from the one enclosing it.
    $content = preg_replace( '/class="([^"]*)"/i', 'class="AjaxDivBox_Link"', $content );
    return $content;
}
?>
is what does it for me in the bp-customs.php in the mu-plugins directory however the code changes the link on the FULL site and not only in the activity content.. Is there something I overlooked??
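One way to handle both kinds of link the post describes (links that already carry a class and the member link that has none) is to match only anchor tags and branch on whether a class attribute is present. This is an added example, not the poster's code: the filter name bp_get_activity_content comes from the post above, while the function names and the "AjaxDivBox_Link" class are assumptions. Named callbacks are used because PHP 5.2, current when this thread was written, has no closures.

```php
<?php
// Added example, not the poster's code. Adds a CSS class to every <a> tag in
// BuddyPress activity content, whether or not the tag already has a class
// attribute. Assumed names: ajaxbox_* functions and the class AjaxDivBox_Link.

add_filter( 'bp_get_activity_content', 'ajaxbox_add_link_class', 1 );

function ajaxbox_add_link_class( $content ) {
    // Match only anchor tags; the original regex touched every class attribute
    // in the content, not just the ones on links.
    return preg_replace_callback( '/<a\b([^>]*)>/i', 'ajaxbox_link_callback', $content );
}

function ajaxbox_link_callback( $m ) {
    $attrs = $m[1];               // everything between "<a" and ">"
    $class = 'AjaxDivBox_Link';

    // Look for an existing class attribute quoted with " or '.
    if ( preg_match( '/(?<![\w-])class\s*=\s*(["\'])(.*?)\1/i', $attrs, $c ) ) {
        $classes = array_filter( preg_split( '/\s+/', trim( $c[2] ) ), 'strlen' );
        if ( ! in_array( $class, $classes ) ) {
            $classes[] = $class;  // append; keep the theme's own classes intact
        }
        $attrs = str_replace( $c[0], 'class="' . implode( ' ', $classes ) . '"', $attrs );
    } else {
        // No class attribute at all (the member link case): add one.
        $attrs .= ' class="' . $class . '"';
    }
    return '<a' . $attrs . '>';
}

// Quick check outside WordPress (constructed input): both links end up with the class.
// echo ajaxbox_add_link_class( '<a href="/members/x">x</a> posted in <a class="y" href="/g">g</a>' );
?>
```

Because the callback only rewrites anchor tags inside the string the filter receives, it cannot touch markup elsewhere on the page; if links outside the activity stream are still changing, the filter is being applied to more than activity content and the hook it is attached to is the place to look.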
I’m aware of the hakam00 thing. If akismet looked at BP private messages to see if they were spam, we’d also need to build in an area for people to go and ‘unspam’ the messages.
actually as private messages were not in WordPress, there is no akismet filter on its content, compared to posts and comments… maybe someone can add this to the posting actions ?!… it’s just 2 lines of code.
Is there not a way for users to mark spammers and draw them to the admins' attention as such?
The user hakam00 in this website is a desperate spammer … how many desperate lonely geeks does “Tina” think “she” will scam on this site?
Presumably “Tina” comes from Romania or Nigeria?
See below:
Subject: Hello.
“Hello.
My Name is Tina I was impressed when i saw your profile buddypress.org and i will like you to email me back to my inbox so that i can send you my picture for you to know who i am.i believe we can establish a long lasting relationship with you.
In addition,i will like you to reply me through my
private e mail box for more introduction
Thanks,waiting to hear from you soonest.
Tina.
Please write to my inbox so that i can send you my picture.”
i know Andy, i mistyped my comment, it was not toward your own request, but globally…
Signup questions and codes are a good supplement to the other methods but are also ultimately fallible. In the same way that Captcha is rendered ineffective by human relay attack, so too are questions; it will just take time for spammers to catch on.
It seems to me that the way forward is to incrementally roll out new defences, only presenting new defences when the old ones have been broken. As soon as lots of sites use a defence, that defence will probably soon be doomed to failure: spammers will only take the time to develop new exploits when a particular method of defence becomes popular. I believe this is the only reason why the hidden fields method currently works: it's not sufficiently popular to bother coding an exploit for it (even though such a task would take about five minutes).
nexia: That’s not the way the system works, if you find a bug you need to report it. Mentioning it on the forums isn’t going to highlight it to the developers.
@Andy.. never ask ” me ” to submit a ticket, please… that’s just a way of stopping people from submitting their bugs when they are not usually involved in development… you already have my report… …
and yes @Seobrien, this is general behavior inside WPMU.
I’m on 2.8.6 and 1.1.2
Thanks both, reading the wordpress posts and your thoughts Nexia, I’m sure the cause is general security and not versioning
nexia – please submit a ticket on trac.mu.wordpress.org so the problem is at least highlighted.
this is an easy hacking technique, I’ve done that 3 times yesterday when trying to create users/blogs…
you can delete these users by going in the _signups table… the problem is that WordPress is not taking into consideration the registrations that are not completed, they store them in the signups table and they cannot be reached when you check for users… so when a user creates an account with a blog, the whole process is created but not verified… you can then visit the site without being logged in and without a trace.
WP 3.0 is different in that technique… but i suppose we could find a tweak right now.
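Since the wp-admin users list does not show rows from the signups table, an admin who wants to review or clear out registrations that were never activated has to query that table directly. The following is an added example for that cleanup, not code from the thread; it assumes WordPress MU's $wpdb->signups table name and its columns user_login, user_email, registered, active and activation_key, and that it is run from a plugin file inside WPMU.

```php
<?php
// Added example, not from the thread. Lists and optionally deletes signups
// that were never activated. Assumptions: $wpdb->signups is the WPMU signups
// table with the columns used below; is_site_admin() is WPMU's super-admin check.

function list_stale_signups( $older_than_days = 2 ) {
    global $wpdb;
    // registered is a DATETIME; active = 0 means the activation link was never used
    return $wpdb->get_results( $wpdb->prepare(
        "SELECT user_login, user_email, registered, activation_key
           FROM $wpdb->signups
          WHERE active = 0
            AND registered < DATE_SUB(NOW(), INTERVAL %d DAY)
          ORDER BY registered ASC",
        $older_than_days
    ) );
}

function delete_stale_signups( $older_than_days = 2 ) {
    global $wpdb;
    // Returns the number of rows removed, or false on error.
    return $wpdb->query( $wpdb->prepare(
        "DELETE FROM $wpdb->signups
          WHERE active = 0
            AND registered < DATE_SUB(NOW(), INTERVAL %d DAY)",
        $older_than_days
    ) );
}

// Usage from an admin-only context: review the rows before deleting anything.
if ( is_site_admin() ) {
    foreach ( list_stale_signups( 7 ) as $row ) {
        printf( "%s <%s> registered %s\n", $row->user_login, $row->user_email, $row->registered );
    }
}
?>
```

Keep the age threshold generous: a legitimate user who has not yet clicked the activation link loses the reserved login and e-mail when the row is deleted and has to register again.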
Sounds like someone exploited a WordPress vulnerability on your site.
Are you using the latest version of WPMU / BuddyPress?
If so, did you upgrade?
You might want to read these posts:
https://wordpress.org/development/2009/09/keep-wordpress-secure/
https://codex.wordpress.org/FAQ_My_site_was_hacked
I have a user on the site that isn’t registered or doesn’t otherwise exist. They somehow created a profile page, though blank, and sent spam to all the other users. To be clear, they exist on the site, I can pull up their profile page, but they don’t exist in the admin and list of users. There is no one to delete, mark as spam, etc.
Known exploit or bug? Anything that can be done?
stwc’s summary of methods does seem to stop a lot of spam, but I’ve still been having some. I tried SI Captcha (https://wordpress.org/extend/plugins/si-captcha-for-wordpress) but that seemed completely ineffective.
My latest weapon in the war has been to modify Invisible Defender (https://wordpress.org/extend/plugins/invisible-defender) firstly to make it work with the buddypress registration page and secondly obfuscate its hidden fields by giving them random names and values:
http://bcbc.co.uk/mu/blog/2009/12/11/wordpress-registration-spam/
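The obfuscation described above, hidden fields whose names and values differ on every page load, can be done without storing anything server-side by deriving them from a per-request token with an HMAC keyed on a site secret. The code below is an added example and is not the Invisible Defender plugin's code or the poster's modification; it assumes the SECRET_KEY constant from wp-config.php and assumes that BuddyPress fires the bp_before_registration_submit_buttons action inside the registration form and that WPMU applies the wpmu_validate_user_signup filter to an array carrying a WP_Error under 'errors'.

```php
<?php
// Added example, not the plugin's code. Two hidden fields with per-request
// names: a trap that must come back empty and a check that must come back
// unchanged. Names and value are an HMAC of a token, so a bot cannot learn
// them from one page load and reuse them. Assumed: SECRET_KEY and the two
// hook names below.

function hp_fields( $token ) {
    $h = hash_hmac( 'sha256', $token, SECRET_KEY );
    return array(
        'trap'  => 'f_' . substr( $h, 0, 10 ),    // must come back empty
        'check' => 'f_' . substr( $h, 10, 10 ),   // must come back unchanged
        'value' => substr( $h, 20, 16 ),
    );
}

// Emit the fields. The token carries a timestamp for expiry; it need not be
// secret, because the field names depend on SECRET_KEY, which the client lacks.
function hp_render() {
    $token = time() . '.' . mt_rand();
    $f = hp_fields( $token );
    echo '<input type="hidden" name="hp_token" value="' . htmlspecialchars( $token ) . '" />'
       . '<div style="display:none"><input type="text" name="' . $f['trap'] . '" value="" /></div>'
       . '<input type="hidden" name="' . $f['check'] . '" value="' . $f['value'] . '" />';
}
add_action( 'bp_before_registration_submit_buttons', 'hp_render' );

// True only when the trap is present and empty, the check value matches, and
// the token is less than $max_age seconds old.
function hp_passed( $post, $max_age = 3600 ) {
    if ( empty( $post['hp_token'] ) ) {
        return false;
    }
    $parts = explode( '.', $post['hp_token'] );
    if ( count( $parts ) != 2 || ! ctype_digit( $parts[0] ) || ! ctype_digit( $parts[1] ) ) {
        return false;
    }
    if ( time() - (int) $parts[0] > $max_age ) {
        return false;
    }
    $f = hp_fields( $post['hp_token'] );
    return isset( $post[ $f['trap'] ] )  && $post[ $f['trap'] ] === ''
        && isset( $post[ $f['check'] ] ) && $post[ $f['check'] ] === $f['value'];
}

// Reject the signup when the honeypot check fails.
function hp_validate_signup( $result ) {
    if ( ! hp_passed( $_POST ) ) {
        $result['errors']->add( 'honeypot', 'Registration could not be processed.' );
    }
    return $result;
}
add_filter( 'wpmu_validate_user_signup', 'hp_validate_signup' );
?>
```

The trap catches bots that fill every field they see; the check catches bots that strip fields they do not recognise. Both are defeated by a bot that renders the page and submits the form as a browser would, which is the limit the post two messages up describes: each such defence holds only until it is popular enough to be worth coding around.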
I think I ended up commenting out the email notification before first activation on a live site. I then added it back. If I remember correctly you also have your activity stream somewhat spammed so that might be another thing to look at
PHP Warning is generated when /wp-signup.php is accessed (mostly by spam bots). No white space outside of php closing tags in header.php. Should /wp-signup.php result in a blank page or the registration form (or redirect to /register)? I could delete /wp-signup to remove the errors but I’d like to understand how bp is designed to work. Is it a config file issue? What is the fix? Thanks!
PHP Warning: Cannot modify header information - headers already sent by (output started at xxxx/bp-sn-parent/header.php:3) in xxxx/wp-includes/pluggable.php on line 865
See PHP warning and display of Registration Form:
http://ttacconnect.org/wp-signup.php
http://memomu.com/wp-signup.php
See no Warning and no Registration Form (blank page). I believe is the proper default behavior:
http://nourishnetwork.com/wp-signup.php
http://morgansjourney.org/wp-signup.php
http://poetrypress.org/wp-signup.php
wpmu 2.8.6 with active plugins on main bp site:
bp 1.1.3, bp-groupblog, auto group join, Group Forum Subscription, bad behavior, google analytics
@Andy Peatling
Ah…sorry to spam you somewhat but I was also wondering if there were any plans to enable easy “quoting” within the forums with this theme/BP version (or a future theme/etc). We’ve finally convinced ourselves that flat forums are good but I think we’re definitely going to have to get some sort of quoting mechanism working.
edit:
I’ve just seen this post: http://testbp.org/groups/buddypress-testers-614548248//forum/topic/forum-or-wire-with-comments/
Hopefully I’ll be able to get that sorted as a plugin sometime soon.
I’ve determined that the warning is generated when /wp-signup.php is accessed (mostly by spam bots). Can’t find white spaces anywhere. Is /wp-signup.php supposed to redirect to /register or to a blank page?
My site and the other listed both display the Registration Form and the PHP Warning: Cannot Modify Headers:
http://ttacconnect.org/wp-signup.php
http://memomu.com/wp-signup.php
These sites result in a blank to semi-blank page:
http://startupweekend.org/wp-signup.php
http://nourishnetwork.com/wp-signup.php
http://morgansjourney.org/wp-signup.php
http://poetrypress.org/wp-signup.php
Should /wp-signup.php result in a blank page or the registration form? Will a resulting blank page eliminate the ‘Cannot Modify Headers’ Warnings in error_log? What is the fix? Thanks!