Skip to:
Content
Pages
Categories
Search
Top
Bottom

Best way to limit friend requests to avoid spam

  • @tifire

    Participant

    One new member of our site sent friend requests to almost all other members. Even though he may not be a spammer, this did get me nervous. A spammer could just do the same and send friend requests to hundreds of members and ruin the site quickly.

    To avoid spam, I would like to limit the number of friend requests a member can send per hour. I have a couple of questions and hope someone can help:
    1) what’s the best way to get the number of friend requests a member has already sent in given period. Is there a buddypress function to return the number of friend request, or shall I do a WP database query?
    2) After getting the number, the next step is to check if this is bigger than the maxium. The function friends_action_add_friend() seems to be the one that decides if a friend request can be sent, but I didn’t find any action there. Can someone tell me if friends_action_add_friend() is the correct function to look at?

    I would like to do the same to limit the number of updates, comments posted or groups created per hour. I hope similar method can be used.

    Thanks a lot.

Viewing 25 replies - 1 through 25 (of 31 total)
  • @tim_marston

    Participant

    I would love to know the answer to this one as well?

    @ubernaut

    Participant

    sounds like an interesting feature suggestion have you looked at trac to see if anyone else has already requested it?

    @tim_marston

    Participant

    What is trac?

    @ubernaut

    Participant

    thats where bugs feature suggestions and the like are kept track of:

    https://buddypress.trac.wordpress.org/

    @synaptic

    Participant

    This is a great idea and frankly I’m surprised that it has not been included already. And not just for friend requests but for pretty much all activity on the site: comments, forum posts, etc.

    As long as you limit the frequency to what is ‘human’ you are making spammers’ lives very difficult. The issue is to not make legitimate users upset by setting it too low. But that can be tweaked easily to perfection.

    @ubernaut

    Participant

    i think bbpress supports throttling i swear i read or heard that somewhere.

    @synaptic

    Participant

    yes it is right in the codex: https://codex.bbpress.org/forum-settings/

    but I don’t think BP has it

    @chouf1

    Participant

    @patricksaad

    Participant

    @Chouf1, that’s my blog you’re linking to. I am not sure if they added Throttling to the new Buddypress version. I opened a ticket months ago, the milestone has been set to: version 1.7 to Future Release https://buddypress.trac.wordpress.org/ticket/3732. This is a bit frustrating since Throttling makes for great spam control.


    @tifire
    Go to /bp-friends/bp-friends-functions.php in your Buddypress installation and change the friends_add_friend function to the following:

    function friends_add_friend( $initiator_userid, $friend_userid, $force_accept = false ) {
    	global $bp;
    
    	$friendship = new BP_Friends_Friendship;
    
    	if ( (int) $friendship->is_confirmed )
    		return true;
    
    	$friendship->initiator_user_id = $initiator_userid;
    	$friendship->friend_user_id    = $friend_userid;
    	$friendship->is_confirmed      = 0;
    	$friendship->is_limited        = 0;
    	$friendship->date_created      = bp_core_current_time();
    	
    	/**
    	 * BuddyPress Friend Request Throttling
    	 *
    	 * Set a throttle period for user friendship requests
    	 *
    	 * @author Patrick Saad
    	*/
    	
    	global $wpdb;
    	$qry = "SELECT date_created FROM wp_bp_friends where initiator_user_id = '".$initiator_userid."' order by date_created desc limit 1";
        $user_friend_requests = $wpdb->get_results( $qry );
    	
    	if ($user_friend_requests)
    	{
    		$latest_user_request = strtotime($user_friend_requests[0]->date_created, time());
    		$time_since_latest_request = time() - $latest_user_request;
    		
    		// that's 2 minutes
    		$throttle_period = 60 * 2;
    		
    		// if the last request was over 5 minutes ago, allow it
    		
    		if ($time_since_latest_request < $throttle_period)
    			return false;
    	}
    	// End of BuddyPress Friend Request Throttling //
    
    	if ( $force_accept )
    		$friendship->is_confirmed = 1;
    
    	if ( $friendship->save() ) {
    
    		if ( !$force_accept ) {
    			// Add the on screen notification
    			bp_core_add_notification( $friendship->initiator_user_id, $friendship->friend_user_id, $bp->friends->id, 'friendship_request' );
    
    			// Send the email notification
    			friends_notification_new_request( $friendship->id, $friendship->initiator_user_id, $friendship->friend_user_id );
    
    			do_action( 'friends_friendship_requested', $friendship->id, $friendship->initiator_user_id, $friendship->friend_user_id );
    		} else {
    			// Update friend totals
    			friends_update_friend_totals( $friendship->initiator_user_id, $friendship->friend_user_id, 'add' );
    
    			do_action( 'friends_friendship_accepted', $friendship->id, $friendship->initiator_user_id, $friendship->friend_user_id );
    		}
    
    		return true;
    	}
    
    	return false;
    }

    This will prevent a user from sending a friendship request to someone if their recent friendship request date was less than, say 2 minutes (change the $throttle_period variable to modify this time)

    Just gave this a fresh test, works in Buddypress 1.7.2. This same concept can be applied to comments, groups, etc, you just have to find the functions and play around.

    @chouf1

    Participant

    @patricksaad,
    apologize if i mentionned your blog, but it was the only place i found speaking about this problem.
    FYI, “throttling” is used in BP 1.7.2, but a minima. Should be extanded much more. I guess it’s preferably you open an ehancement ticket on the Trac.
    And thank you for sharing your code. 😉

    buddypress 1.7.2\bp-core\bp-core-moderation.php (6 hits)
    Line 24: * @uses current_user_can() To check if the current user can throttle
    Line 25: * @uses bp_get_option() To get the throttle time
    Line 32: if ( !$throttle_time = bp_get_option( ‘_bp_throttle_time’ ) )
    Line 32: if ( !$throttle_time = bp_get_option( ‘_bp_throttle_time’ ) )
    Line 40: if ( isset( $last_posted ) && ( time() < ( $last_posted + $throttle_time ) ) && !current_user_can( ‘throttle’ ) )
    Line 40: if ( isset( $last_posted ) && ( time() < ( $last_posted + $throttle_time ) ) && !current_user_can( ‘throttle’ ) )
    buddypress 1.7.2\bp-forums\bbpress\bb-admin\admin-ajax.php (6 hits)
    Line 160: if ( $throttle_time = bb_get_option( ‘throttle_time’ ) )
    Line 160: if ( $throttle_time = bb_get_option( ‘throttle_time’ ) )
    Line 161: if ( isset($bb_current_user->data->last_posted) && time() < $bb_current_user->data->last_posted + $throttle_time && !bb_current_user_can(‘throttle’) )
    Line 161: if ( isset($bb_current_user->data->last_posted) && time() < $bb_current_user->data->last_posted + $throttle_time && !bb_current_user_can(‘throttle’) )
    Line 162: $error = new WP_Error( ‘throttle-limit’, sprintf( __(‘Slow down! You can only post every %d seconds.’), $throttle_time );
    Line 162: $error = new WP_Error( ‘throttle-limit’, sprintf( __(‘Slow down! You can only post every %d seconds.’), $throttle_time );
    buddypress 1.7.2\bp-forums\bbpress\bb-admin\includes\functions.bb-admin.php (4 hits)
    Line 408: $user_meta[‘throttle’] = $_POST[‘throttle’];
    Line 408: $user_meta[‘throttle’] = $_POST[‘throttle’];
    Line 531: $user_meta[‘throttle’] = $edit_user->throttle;
    Line 531: $user_meta[‘throttle’] = $edit_user->throttle;
    buddypress 1.7.2\bp-forums\bbpress\bb-admin\options-writing.php (3 hits)
    Line 43: ‘throttle_time’ => array(
    Line 44: ‘title’ => __( ‘Throttle time’ ),
    Line 47: ‘note’ => __( ‘Users must wait this many seconds between posts. By default, moderators, administrators and keymasters are not throttled.’ )

    @synaptic

    Participant

    @chouf1 I believe patrick’s comment on that ticket is relevant:

    “The function bp_core_check_for_flood in bbp-core-moderation.php is not hooked to anything. No flood control on activity page.”


    @patricksaad
    could you pls submit a patch to trac?

    @patricksaad

    Participant

    @synaptic Will do asap, hopefully we’ll at least have Activity flooding control for Buddypress 1.8

    @synaptic

    Participant

    @patricksaad Thank you! Can it also be added for comments? friend requests, activity, etc. we know bbpress has it so everything else other than forum posts (via bbpress) would be helpful to have throttling

    @sooskriszta

    Participant

    Sending friend requests to folks you don’t know is an issue that all social networks, be they Facebook, Orkut, MySpace, Hi5, or even LinkedIn, have to contend with.

    That said, I wouldn’t call it the bane of social networking. What really does a purported “spammer” gain by sending friend requests? Annoyance for certain people that they have received a friend request? Unlikely – the text is preset…the spammer cant even include his/her fake links. Also, most folks are now pretty adept at ignoring such messages. And even if somebody accepts the friend request, what does the spammer gain? What does a “friendship” accomplish?

    Comments (WP), forums (bbP) and activity feeds do really really need spam protection. I’m not so sure about the necessity for friend requests.

    That being said, how do the big boys manage friend requests?
    1. LinkedIn: You can only friend people who are 2 degrees away from you OR whose email address you know. Plus, recipients can mark it as spam.
    2. Facebook: Members can control whether they want to receive friend requests at all. Plus recipients can mark requests as spam. Finally, temporary & permanent bans – based on proportion of requests marked as spam.

    Throttling is neat, cool and easily done – perhaps like bbP, site admin can define the throttling parameters for BP friend requests throttling.

    Much more importantly, an Akismet-like solution for activity spam would be nice. I would look for a 2 stage process on the manual “mark as spam” side of things:
    1. Member marks another member’s activity as spam (this is really a flag that puts the activity in a basket for admin to see)
    2. Admin looks through the basket and marks either as spam (in which case Akismet is notified) or not spam.

    @ubernaut

    Participant

    Well activity is already protected by akismet integration. Regarding the friend requests, one thing you can do now (and i have been forced to) to fight spam is only allow private messages to friends in that case the spammer gains the ability to send spam messages to these friends.

    @sooskriszta

    Participant

    Well activity is already protected by akismet integration.

    Except that there is no good way for members to flag activity.

    @ubernaut

    Participant

    giving members the ability to flag things as spam through akismet seems like a very sticky wicket to me probably something which would be better addressed as plugin. i for one would not want to give that ability to any user. i can barely get my staff to do that correctly under wordpress.

    @sooskriszta

    Participant

    Nope, flagging by members shouldnt be reported to Akismet directly. As mentioned above, it’s a two step process. Site/Group admin can’t be everywhere, so users should be able to flag items for their review. Site/Group admins should be the ones whose flags ultimately get reported to Akismet.

    @ubernaut

    Participant

    seems like major overhaul to the way aksimet works now but as i said before anything we can do to make spammers lives more difficult i’m basically for it.

    @sooskriszta

    Participant

    Doesn’t require any change in Akismet.

    Akismet plugin will need a little change – it will need to tie reporting to role.

    BuddyPress will need to incorporate the functionality of members/users flagging activity, the way users can report messages in software like phpBB.

    @bphelp

    Participant

    There is a new premium plugin out by BuddyDev called BuddyPress Limit Frienship check it out here:

    BuddyPress Limit Friendship


    This should help you folks out @tim_marston @ubernaut @sooskriszta . Another great job @sbrajesh !

    @ubernaut

    Participant

    neato!

    @sooskriszta

    Participant

    Thanks @bphelp

    The plugin seems like a terrible idea. I mean some particular installation somewhere in the BuddyPress world might need it, but I don’t like the idea of limiting BP’s functionality (potentially thwarting the value of the online community) for everyone to try and stop a few bad apples. What number will you limit the friends to so that spammers are blocked and the community is valuable? 5, 10, 50, 100, 500?

    Your original idea of throttling friend requests was far neater and remains superior to this plugin’s concept.

    @sbrajesh

    Participant

    @bphelp thanks Ben for the heads up.

    @sooskriszta

    You are right about the use case. It is not suitable for spammers protection and neither suitable for normal sites.

    I built it specifically for membership based sites where they wanted to limit the no. of friends and charge for increasing the limit(I had got that specific requirement from a client and they implemented it with s2 members plugin in their case).

    As far as Friendship request throttling is concerned, I am about to release a plugin today which does allows site admins to limit the no. of requests sent per minute(or you can set say 30 requests per 60 mins, that flexibility lies with the site admins).

    @patricksaad

    Participant

    @sooskriszta I agree that the plugin is a terrible idea. Throttling is one thing (telling the user “hey slow down a bit”) but setting an absolute limit for the number of friendships goes against the concept of a community.

    Going back to the ORIGINAL point of this topic, I said I will add throttling to the activity page and the friendship requests, but I ran into small trouble and thought maybe some of you people can help out. I opened another topic https://buddypress.org/support/topic/add-custom-setting-to-buddypress-settings/, I appreciate it if you can check it out and help out. @synaptic @sooskriszta

Viewing 25 replies - 1 through 25 (of 31 total)
  • The topic ‘Best way to limit friend requests to avoid spam’ is closed to new replies.
Skip to toolbar