Skip to:

User / messaging exploit? Causing spam

  • Seobrien


    I have a user on the site that isn’t registered or otherwise exist. They somehow created a profile page, though blank, and sent spam to all the other users. To be clear, they exist on the site, I can pull up their profile page, but they don’t exist in the admin and list of users. There is no one to delete, mark as spam, etc.

    Known exploit or bug? Anything that can be done?

Viewing 12 replies - 26 through 37 (of 37 total)

  • Jeff Sayre


    @Harry (a.k.a. stripedsquirrel)

    I think a very good start is that you can only message your friends. Thought that this would be already ths case, that is why I wondered how we could get spammed?

    See this discussion:

    Basically, the autocomplete message recipient list only autofills from your friends list. However, anyone can message any other individual via the “Send Message” button on user’s profile screen. All that is needed for a user to send a PM is that they have a member account and that they are logged in to the system.

    On a related note, my Privacy Component does have an option to filter out the “Send Message” button, making it only visible to those you choose.



    received this 4hrs ago from babyzin, a day after hakam’s, and i do look quite ok:

    My dear

    how are you,

    i hope that all is ok, as is my pleasure to contact you after viewing your profile at ( which really interest me in having communication with you if you will have the desire with me ,

    here is my email as i will be waiting to hear from you,

    yours linda



    @DJ PAul & Jeff.

    DJ Paul: Agree that a user should be able to choose whether he wants PM from strangers or only from friends.

    Jeff, not sure if this is what you mean, but does the Privacy Component allow you to define this setting as just described? Do you have any update about whether your work might be added to core or if it is considered a plugin?

    You know you’ve made it when… LOL :)

    I would highly recommend against closing off the private messaging system or even allowing it as an option. Being able to message someone you are not friends with is a HUGE use case in my opinion. Crucial even. I wouldn’t give users the option to set it to friends only. Or at least… I would like the site admin to have the ability to disable that option.

    Personally… I despise CAPTHCA. Don’t pass your problems off on your users. Like websites that say “Best viewed in” or “Set your screen size to”… etc. Any solution must be invisible to users. I’ve heard of people using javascript events (mouse click for instance) as an alternative. Sounds good to me. Here’s something I found with a quick Google search.

    Alternately… you could use a simple math question… like as in example. LOL

    Jeff Sayre



    Yes, my Privacy Component works just as I described. It is an advanced beta available for testing. See this thread for more details:


    I wouldn’t give users the option to set it to friends only. Or at least… I would like the site admin to have the ability to disable that option.

    In my Privacy Component, the site admin can choose to disable this feature.

    But, to get back on topic, I agree that the best solution is the one that requires the brunt of the filtering to be accomplished through invisible, behind-the-scenes techniques. Requiring users to prove that they are members and not bots should not be the first line of defense. I think it is okay, even necessary for registration purposes. But that is a one time occurrence. After that, the system should do more of the policing.

    Concerning your second link above, perhaps we could create a new CAPTCHA that could harness the collective intelligence of site members to solve the Unified Field theory.

    closing pm system have to be like anyother privacy… i think we have a great coder here who started something like that somewhere, i don’t remember his name or the tool….

    /me is low brainer.



    global to all users

    global to all blogs

    per user switch on/off

    @Jeff. I don’t know… anyone who could solve the Unified Field Theory is not quite human in my books. LOL :P We could call it CAPTCGA (Completely Automated Public Turing test to tell Computers and Geeks Apart)

    Please, please, please – we don’t really need to see these spam message contents are they are pretty much identical, and we certainly don’t need email address or URLs posted as they help the spammers’ cause.

    What we need, is a spam bin. I has an ideas. Let me mock it up.



    Why not just restrict emails so they can only be sent to one user at a time? Non-bot PM spammers probably won’t want to bother having to spam step by step.

    Any code for this in the meantime?

    I’ve given up trying to add gmail-style folder tagging to the messages system in BP at the moment via a plugin; there’s not enough hooks to filter some queries. Might hack the core and do a patch



    Spam bin for –: nancybaby

Viewing 12 replies - 26 through 37 (of 37 total)
  • The topic ‘User / messaging exploit? Causing spam’ is closed to new replies.
Skip to toolbar