georgelew
Gold Membership
Ventrian Master
Posts:488
 |
| 6/05/2009 6:20 AM |
|
Hi Scott,
One of my portal has users able to send message to few hundreds of message 'inviting' people.
However, I use another account to sign in and tested many different way and still can't figure it out how did he do that.
I suspect is that, in the "Send To User:" field, it is possible to send to user using some regex?
I haven't had the time to test it out..being busy blocking attackers....
Thanks. |
|
Thanks,
George
Looking for Invite Friends Module? |
|
|
Scott McCulloch
Administrators
Ventrian Master
Posts:17204
|
| 6/05/2009 6:34 AM |
|
| Do you have it open to send to groups? Are you using the latest? |
|
Scott McCulloch
Site Administrator |
|
|
Scott McCulloch
Administrators
Ventrian Master
Posts:17204
|
| 6/05/2009 6:47 AM |
|
| I do have some integration with smart thinker groups, are you using it? |
|
Scott McCulloch
Site Administrator |
|
|
georgelew
Gold Membership
Ventrian Master
Posts:488
|
| 6/05/2009 6:55 AM |
|
I am using the latest, the message is sent from the PM, the smart think modules only able to send to friend only. The spammer have not join and group or event.
I really can't think of a way that he can send few hundred of emails within 3 minutes. |
|
Thanks,
George
Looking for Invite Friends Module? |
|
|
georgelew
Gold Membership
Ventrian Master
Posts:488
|
| 6/05/2009 6:58 AM |
|
I'm sure all setting is limited. I created a member account is test it on all ST modules already. Now I have no choice but to disallow any message being sent.
PM cannot send to group, Smart thinker modules only able to send message to group member and friend. |
|
Thanks,
George
Looking for Invite Friends Module? |
|
|
Scott McCulloch
Administrators
Ventrian Master
Posts:17204
|
| 6/05/2009 7:03 AM |
|
| The only way I can really think that it might be sending is through the smart thinker integration, but if that's locked down, i'm not sure. |
|
Scott McCulloch
Site Administrator |
|
|
georgelew
Gold Membership
Ventrian Master
Posts:488
|
| 6/05/2009 7:09 AM |
|
At first I also think it is the Group Module but member only able to invite friends. And he has no friend so it is impossible to send that much of messages.
Another possible is he change the user ID in the url:
/Private-Message/pmType/Compose/sendto/2.aspx
But then even he copy and paste the email content, it is impossible to send hundreds email in 3 minutes. |
|
Thanks,
George
Looking for Invite Friends Module? |
|
|
georgelew
Gold Membership
Ventrian Master
Posts:488
|
| 6/05/2009 7:11 AM |
|
No matter what other module link to Private Message, user still will be redirected to PM module and need manually click send....so I think it is the PM module. |
|
Thanks,
George
Looking for Invite Friends Module? |
|
|
Scott McCulloch
Administrators
Ventrian Master
Posts:17204
|
| 6/05/2009 7:12 AM |
|
Posted By georgelew on 6/05/2009 7:11 AM
No matter what other module link to Private Message, user still will be redirected to PM module and need manually click send....so I think it is the PM module.
No, this is not correct, there is special integration for smart thinker to send to multiple people at once.
Everything else is 1 item at a time. |
|
Scott McCulloch
Site Administrator |
|
|
Scott McCulloch
Administrators
Ventrian Master
Posts:17204
|
| 6/05/2009 7:13 AM |
|
Posted By georgelew on 6/05/2009 7:09 AM
At first I also think it is the Group Module but member only able to invite friends. And he has no friend so it is impossible to send that much of messages.
Another possible is he change the user ID in the url:
/Private-Message/pmType/Compose/sendto/2.aspx
But then even he copy and paste the email content, it is impossible to send hundreds email in 3 minutes.
Yes, you can change the url, but you still need to paste in the content and press send.
|
|
Scott McCulloch
Site Administrator |
|
|
georgelew
Gold Membership
Ventrian Master
Posts:488
|
| 6/05/2009 7:25 AM |
|
Posted By Scott McCulloch on 6/05/2009 7:12 AM
Posted By georgelew on 6/05/2009 7:11 AM
No matter what other module link to Private Message, user still will be redirected to PM module and need manually click send....so I think it is the PM module.
No, this is not correct, there is special integration for smart thinker to send to multiple people at once.
Everything else is 1 item at a time.
For ST Modules, there are few options to Invite Members but that has nothing to do with PM module.
The only PM integration I can find to send to multiple peple is the Group Message:
Private-Message/pmtype/Compose/SessionLoad/1.aspx and the send to group there shown group name that cannot be edited. So I think not that one.
I'll try my best to look for the leak...thanks.
|
|
Thanks,
George
Looking for Invite Friends Module? |
|
|
georgelew
Gold Membership
Ventrian Master
Posts:488
|
| 6/16/2009 7:50 PM |
|
Hi Scott,
I believe there is an issue on this module. This is the 3rd time our website being used by spammer to sent spam message.
I'm sure it is not sent using the functions from Smart-thinker module.
Is it possible to add in Send Message limit or a captcha for this module?
Thanks.
George. |
|
Thanks,
George
Looking for Invite Friends Module? |
|
|
Scott McCulloch
Administrators
Ventrian Master
Posts:17204
|
| 6/16/2009 9:15 PM |
|
If I put a send message limit that in might break where you legitamitely try to send to that many people.
I'm not an expert on smart-thinker, but I added the integration based on Rodney's feedback to allow the send to smart-thinker group functionality.
I can add a config option which disables it - this might solve it for you. |
|
Scott McCulloch
Site Administrator |
|
|
georgelew
Gold Membership
Ventrian Master
Posts:488
|
| 6/17/2009 12:23 AM |
|
From the spammer sent email box, email sent was from A-Z (username)
I guess maybe he came out with a way to send it automatically.
I suspect it is the userID in the url make him able to do that. Could it be replaced by the username?
Smart-thinker only can send message to group members which will not send to all members in the portal. |
|
Thanks,
George
Looking for Invite Friends Module? |
|
|
Scott McCulloch
Administrators
Ventrian Master
Posts:17204
|
| 6/17/2009 7:36 AM |
|
Yes, you can send by username in the url, you still have to fill in the message and subject.
I thought you were saying the guy is spamming via a group message? If he is doing 1 person at a time - anyone can go through the site and spam if they have permissions to send a message.. most message systems might allow this.
If they are using an automated script, captcha might be the only way to block. You should probably look at the message date times to determine if they are manually doing it or an automated script. |
|
Scott McCulloch
Site Administrator |
|
|
georgelew
Gold Membership
Ventrian Master
Posts:488
|
| 6/17/2009 7:26 PM |
|
I just did a test yesterday.
I temporary block all the function in ST modules and the spam still came in. I'm pretty sure he is using PM module only.
I believe he is using automated script as every times he create another account to spam, he send from A again and he did it very fast, impossible to do it manually. few Hundreds of it in 3 minutes....
It would great if there a captcha for it.
|
|
Thanks,
George
Looking for Invite Friends Module? |
|
|
Scott McCulloch
Administrators
Ventrian Master
Posts:17204
|
| 6/18/2009 8:49 PM |
|
| I've put in the downloads an updated build with captcha support. Let me know if it works out. It's disabled by default. |
|
Scott McCulloch
Site Administrator |
|
|
Scott McCulloch
Administrators
Ventrian Master
Posts:17204
|
| 6/19/2009 7:34 AM |
|
| Just made the announcement too. |
|
Scott McCulloch
Site Administrator |
|
|
georgelew
Gold Membership
Ventrian Master
Posts:488
|
| 6/20/2009 4:05 AM |
|
Great! I've installed it and will keep an eye on my mail server from now.
Thank you. I really appreciate this quick fix. |
|
Thanks,
George
Looking for Invite Friends Module? |
|
|