User / messaging exploit? Causing spam
I have a user on the site that isn’t registered or otherwise exist. They somehow created a profile page, though blank, and sent spam to all the other users. To be clear, they exist on the site, I can pull up their profile page, but they don’t exist in the admin and list of users. There is no one to delete, mark as spam, etc.
Known exploit or bug? Anything that can be done?
Sounds like someone exploited a WordPress vulnerability on your site.
Are you using the latest version of WPMU / BuddyPress?
If so, did you upgrade?
You might want to read these posts:
this is an easy hacking technique, i’ve done that 3 times yesterday when trying to create users/blogs…
you can delete these users by going in the _signups table… the problem is that WordPress is not taking into consideration the registrations that are not completed, they store them in the signups table and they can not be reached when you check for users… so when a user create an account with a blog, the whole process is created but not verified… you can then visit the site without being logged in and without a trace.
WP 3.0 is different in that technique… but i suppose we could find a tweak right now.
nexia – please submit a ticket on trac.mu.wordpress.org so the problem is at least highlighted.
I’m on 2.8.6 and 1.1.2
Thanks both, reading the wordpress posts and your thoughts Nexia, I’m sure the cause is general security and not versioning
nexia: That’s not the way the system works, if you find a bug you need to report it. Mentioning it on the forums isn’t going to highlight it to the developers.
i know Andy, i mistyped my comment, it was not toward your own request, but globally…
Is there not a way for users to mark spammers and draw them to the admins attention as such?
The user hakam00 in this website is a desperate spammer … how many desperate lonely geeks does “Tina” think “she” will scam on this site?
Presumably “Tina” comes from Romania or Nigeria?
My Name is Tina I was impressed when i saw your profile buddypress.org and i will like you to email me back to my inbox so that i can send you my picture for you to know who i am.i believe we can establish a long lasting relationship with you.
In addition,i will like you to reply me through my
private e mail box for more introduction
Thanks,waiting to hear from you soonest.
Please write to my inbox so that i can send you my picture.”
actually as private messages were not in WordPress, there is no akismet filter on its content, compared to posts and comments… maybe someone can add this to the posting actions ?!… it’s just 2 lines of code.
I’m aware of the hakam00 thing. If akismet looked at BP private messages to see if they were spam, we’d also need to build in an area for people to go and ‘unspam’ the messages.
I got the same dummy message 2 hours ago. Marked as spam? Good
Opened up the same message myself a few minutes ago. Thanks.
I actually responded to her email. Was I not supposed to? She seemed so nice.
if you have no wife and no problem with the police, you’re safe Jeff…
Haha! Yes, I told my wife about it and she said go ahead.
Seriously though, it is amazing that this is the first spam exploit that has hit our PM system. I get so many of these pathetic attempts via email each day that I was surprised this morning when I checked my email and saw that one had been sent via the BP PMing system.
I don’t think it’s spam as she clearly picked only the handsome guys.
Still waiting for her picture though…
I suppose I should take it as a good sign that my site got hit with the spam first?
@Seobrien, can you confirm that you were looking at the site users and not the blog users?
It’s a common mistake to think that users don’t exist because at first you naturally check “settings->users” instead of “site admin->users”. The first is only showing you users on the blog you’re looking at, the second will show you users on your site.
I can’t think of a circumstance where a user could somehow function through-out the site without a user account. Even if there’s a misalignment of data between BP and WP, if there’s no WP account, they can’t login. Also, they cannot login simply with an incomplete registration in WPMU (wp_signups), since the login page checks only the (wp_users) table.
@nexia, if you are duplicate this phantom registration method on any WPMU or BP installation, I’d love for you to PM me the steps so we can help patch the issue.
Word. Patch it!
I’ve been having sign up spams (arguably a different issue) on my BP install, and just shut all signups down until I could figure out what to do about it.
Scouring the WordPress MU forums has made me realize three things:
1. Spamming is a huge problem for WordPress MU users
2. I’m betting that BuddyPress will/might have even larger problems due to the very nature of the beast (it’s all about users, right? Which is where the bots/spammers gravitate)
3. There are no sure-fire methods for preventing spammers
…well, there’s a fourth, too…
4. Many of the old hats on the WordPress MU forums are getting tired of explaining how to defend against so-called “splog” signup bots and spammers.
Just some observations, as BP just received its first official spammer. (Yes, I got the email too, and saw the small twitter firestorm this morning over it.)
Spam is generally only a problem if you have blog registrations on, spammers only care about creating and spamming on blogs. I think some work will be done on this, but it’s not going to be on the BuddyPress side.
Hi Andy, I think you are incorrect there. Spammers like to send spam. I am sure you get some in your email?
What is easier to get into a nice big community (without having to create a blog) and easily (?) send spam PM to all members of the community? You don’t even have to infect computers, as you can use the internal messaging system and you know most users will get the message as an email as well.
Hey, it saves them from email harvesting or buying ‘5 billion email addreses’ dbases as the community has already done this.
So, no, apparently (and this example that started this topic has proven this), it is possible on BuddyPress and it serves the spammers purpose, so disabling blog registration will not stop this. You can disable blog and user registration, but it might be hard to start a community that way..
Rather than complaining that the sky is falling, how would you propose we resolve this issue? A captcha on the Messages screen (or at least making sure hooks are in to allow a plugin dev to add this)? Messages sent only to friends?
Hi DJ Paul.
as far as I can see, nobody is complaining that the sky is falling, that would be a quite silly thing to do. Well I guess technically it is, but at least the earth is stopping it from doing so
Just pointing out an inaccuracy in thinking, I am sure that this is allowed without immediately posting PHP to fix it?
Back on topic; the question should also be: how could this spammer get access to all the usernames automatically? Of course everybody is listed, but somehow the were harvested and added to the pm list.
- Anyway, I think a very good start is that you can only message your friends. Thought that this would be already ths case, that is why I wondered how we could get spammed?
- Additionally: a maximum of PM’s per user per x amount of time (seems that 1/minute should be enough, + 50 per day. of course this should be optional and configurable with error notification (site options or plugin?)
- Maybe a maximum mailbox size, which included sent messages. So that at least spammers have to clean out their sent box before being able to send new messages.
- Also a maximum of adressees per PM, else the other 2 are useless
- maybe a minimum age of user (meaning time since registration), before he can send out PM at all?
Of course, any of these can be worked around, but at least it might slow spam down, at least from strangers..
– Anyway, I think a very good start is that you can only message your friends. Thought that this would be already ths case, that is why I wondered how we could get spammed?
In my case, I need to be able to receive messages from anyone. Such a thing needs to be a per-person decision/setting.
- The topic ‘User / messaging exploit? Causing spam’ is closed to new replies.