BuddyPress.org

Spam is generally only a problem if you have blog registrations on, spammers only care about creating and spamming on blogs. I think some work will be done on this, but it’s not going to be on the BuddyPress side.

Word. Patch it!

I’ve been having sign up spams (arguably a different issue) on my BP install, and just shut all signups down until I could figure out what to do about it.

Scouring the WordPress MU forums has made me realize three things:

1. Spamming is a huge problem for WordPress MU users

2. I’m betting that BuddyPress will/might have even larger problems due to the very nature of the beast (it’s all about users, right? Which is where the bots/spammers gravitate)

3. There are no sure-fire methods for preventing spammers

…well, there’s a fourth, too…

4. Many of the old hats on the WordPress MU forums are getting tired of explaining how to defend against so-called “splog” signup bots and spammers.

Just some observations, as BP just received its first official spammer. (Yes, I got the email too, and saw the small twitter firestorm this morning over it.)

@Seobrien, can you confirm that you were looking at the site users and not the blog users?

It’s a common mistake to think that users don’t exist because at first you naturally check “settings->users” instead of “site admin->users”. The first is only showing you users on the blog you’re looking at, the second will show you users on your site.

I can’t think of a circumstance where a user could somehow function through-out the site without a user account. Even if there’s a misalignment of data between BP and WP, if there’s no WP account, they can’t login. Also, they cannot login simply with an incomplete registration in WPMU (wp_signups), since the login page checks only the (wp_users) table.

@nexia, if you are duplicate this phantom registration method on any WPMU or BP installation, I’d love for you to PM me the steps so we can help patch the issue.

I’ve spammed the user – please don’t re-post the messages in the forums since that sort of aids their cause.

I am sure Linda is a very pretty girl

edit: These errors fixed as of rev 2174. I’ll stop spamming you now Andy

edit again: There’s still no “My Blogs” adminbar item though.

Oohh.. Time to spam F5 on the trac methinks

I posted this elsewhere but it now belongs as part of this discussion: When using Buddypress, should /wp-signup.php result in an blank page or the registration form (or redirect to /register)? If the issue described here exists, how do you get the proper default buddypress behavior?

see: http://ttacconnect.org/wp-signup.php

I could delete /wp-signup to remove the errors but I’d like to understand how bp and wpmu is designed to work (are there any consequences for deleting wp-signup.php?).

I know BuddyPress is using /register.php and not /wp-signup.php. But when /wp-signup.php is hit (typically by spam bots) a PHP Warning is generated. No white space outside of php closing tags in header.php. I’m not too concerned about that as I figure if it’s working as it should (no registration form), then the php warning will take care of itself (and not be generated). So what needs to change to get /wp-signup.php to result in a blank page?

PHP Warning: Cannot modify header information – headers already sent by (output started at xxxx/bp-sn-parent/header.php:3) in xxxx/wp-includes/pluggable.php on line 865

See no Warning and no Registration Form (blank page). Is this the proper default buddypress/wpmu behavior?

http://nourishnetwork.com/wp-signup.php

Here /wp-signup.php was deleted and results in a page not found:

http://memomu.com/wp-signup.php

wpmu 2.8.6 with active plugins on main bp site:

bp 1.1.3, bp-groupblog, auto group join, Group Forum Subscripton, bad behavior

I don’t think it’s spam as she clearly picked only the handsome guys.

Still waiting for her picture though…

@nexia

Haha! Yes, I told my wife about it and she said go ahead.

Seriously though, it is amazing that this is the first spam exploit that has hit our PM system. I get so many of these pathetic attempts via email each day that I was surprised this morning when I checked my email and saw that one had been sent via the BP PMing system.

if you have no wife and no problem with the police, you’re safe Jeff…

I actually responded to her email. Was I not supposed to? She seemed so nice.

Opened up the same message myself a few minutes ago. Thanks.

I got the same dummy message 2 hours ago. Marked as spam? Good

User has been marked as spam.

I’m aware of the hakam00 thing. If akismet looked at BP private messages to see if they were spam, we’d also need to build in an area for people to go and ‘unspam’ the messages.

actually as private messages were not in WordPress, there is no akismet filter on its content, compared to posts and comments… maybe someone can add this to the posting actions ?!… it’s just 2 lines of code.

Is there not a way for users to mark spammers and draw them to the admins attention as such?

The user hakam00 in this website is a desperate spammer … how many desperate lonely geeks does “Tina” think “she” will scam on this site?

Presumably “Tina” comes from Romania or Nigeria?

See below:

Subject: Hello.

“Hello.

My Name is Tina I was impressed when i saw your profile buddypress.org and i will like you to email me back to my inbox so that i can send you my picture for you to know who i am.i believe we can establish a long lasting relationship with you.

In addition,i will like you to reply me through my

private e mail box for more introduction

Thanks,waiting to hear from you soonest.

Tina.

Please write to my inbox so that i can send you my picture.”

i know Andy, i mistyped my comment, it was not toward your own request, but globally…

Signup questions and codes are a good supplement to the other methods but are also ultimately fallible. In the same way that Captcha is rendered ineffective by human relay attack, so to are questions; it will just take time for spammers to catch on.

It seems to me that the way forward is to incrementally roll out new defences, only presenting new defences when the old ones have been broken. As soon as lots of sites use a defence, that defence will probably soon be doomed to failure: spammers will only take the time to develop new exploits when a particular method of defence becomes popular. I believe this is the only reason why the hidden fields method currently works: its not sufficiently popular to bother coding an exploit for it (even though such a task would take about five minutes).

nexia: That’s not the way the system works, if you find a bug you need to report it. Mentioning it on the forums isn’t going to highlight it to the developers.

@Andy.. never ask ” me ” to submit a ticket, please… that’s just a way to avoid people to submit their bugs when they are not usually involved in development… you already have my report… …

and yes @Seobrien, this is general behavior inside WPMU.

nexia – please submit a ticket on trac.mu.wordpress.org so the problem is at least highlighted.