Question about using the Recommend feature and spamming

#81679 (In Topic #16791)

Community saint

It's just one of those crazy ideas that passes between my 2 ears occasionally. Could someone use the Recommend feature to create a spam mailing? I noticed it says "Instead of manually specifying details, you can upload a CSV file of contacts. These can be exported from most e-mail software and social networking websites. We have instructions available."

So could someone compose a spam message with this feature and use it to mail out spam? And would it then have some affiliation with your website?


Art and Imagination
of David L Friend

http://davidlfriend.com

  My Art Gallery
powered by ocPortal
#81685

It's a good point.

It has a CAPTCHA for Guests so it's not that bad. But you've prompted me to tune this a bit.

I'm going to say that Guests can't do the CSV feature, and they can only target one destination e-mail at a time.

Therefore, to do a mass-mailing they would actually need to sign up, or to continually break new CAPTCHAs (one per e-mail).

I don't think any spammer is going to sign up, through a CAPTCHA, and log in, just to use a mass mailer somewhere else on the site. Especially when it's really poor quality spam because it is all framed inside a recommendation e-mail that is clearly identified as such.

If they did go to that kind of effort, there's not much protection, because they could always find ways to get mails out to people, even if it is just flooding repeat requests to the recommend form (okay, theoretically we could throttle that too). I just don't think any spammer would; they wouldn't gain from it, so it's just the inevitable possibility of vandalism at that point, and you can't protect against that at the end of the day because there are undefendable forms of it.


Become a fan of ocPortal on Facebook or add me as a friend. Add me on on Twitter.
Was I helpful?
  • If not, please let us know how we can do better (please try and propose any bigger ideas in such a way that they are fundable and scalable).
  • If so, please let others know about ocPortal whenever you see the opportunity.
  • If my reply is too Vulcan or expressed too much in business-strategy terms, and not particularly personal, I apologise. As a company & project maintainer, time is very limited to me, so usually when I write a reply I try and make it generic advice to all readers. I'm also naturally a joined-up thinker, so I always express my thoughts in combined business and technical terms. I recognise not everyone likes that, don't let my Vulcan-thinking stop you enjoying ocPortal on fun personal projects.
  • If my response can inspire a community tutorial, that's a great way of giving back to the project as a user.
#81692

Community saint

Sounds like a good solution to me. Spammers are all about volume and this removed that possibility.

Bob
#81696

Community saint

Chris Graham said:
> I don't think any spammer is going to sign up, through a CAPTCHA, and log in, just to use a mass mailer somewhere else on the site.

If you'd made that statement about 2 months ago I would have agreed with you 100%, but alas I got hit by a particularly stubborn spammer about then, so I now only agree with you 99% :( .

This spammer created two accounts, used one to make a few friends, and used another to spam most of my members one at a time (some of them up to 3 times) using the "E-mail member" feature.

Thinking out loud, but what do people think about:

1) Configurable hard limit, with staff notified when triggered, for the number of e-mails that could be sent through the Recommend feature.

2) Configurable warning threshold, with staff notified when triggered, when any given user (including guests) sends too many e-mails via the Recommend + E-mail member features in a 24-hour period.

Do you have a Samsung Galaxy S / Galaxy S II ? If so, why not check out my ScreenFree FM Radio .
#81698

Community saint

Temp-

Option 1 seems like it could be problematic for really busy sites that might have big swings in the number of times the Recommend feature is used day-to-day.

I like option two. I think I would prefer that the limits be tied to usergroups so that long-time members in good standing are not held to the same threshold as a Guest. I think another improvement would be for the site operator to be able to specify the interval, as I think that 24 hours could be too long for some sites.

Bob
#81699

Community saint

BobS said:
> Option 1 seems like it could be problematic for really busy sites that might have big swings in the number of times the Recommend feature is used day-to-day.

As it will only be available to members, it can be a limit per member. That was more what I was thinking anyway.

> I like option two. I think I would prefer that the limits be tied to usergroups so that long-time members in good standing are not held to the same threshold as a Guest.

I was thinking that the guests would be cumulative, say 5 guests would share a 50 threshold, while one member would have the 50 threshold all to themselves, so regular members would have an advantage over guests.

This is where busy sites can get tricky. If a site has 10,000 users, a per-member limit might be 100, which would probably be plenty, but sharing 100 amongst all guests may not be enough. So maybe guests don't share and guest becomes per IP address. We end up back at your concern about good standing having a higher threshold than guests, but would you really want/expect a good-standing member to send out more than 100?

Remember that this is not about assigning privileges, but rather preventing potential abuse.

> I think another improvement would be for the site operator to be able to specify the interval, as I think that 24 hours could be too long for some sites.

I thought about that, but 24 hours I think reduces pressure on staff by allowing them to just check in daily for abuse rather than potentially multiple times per day or on an odd schedule.

Do you have a Samsung Galaxy S / Galaxy S II ? If so, why not check out my ScreenFree FM Radio .
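The limiting scheme the two posts above converge on (a per-member quota, guests keyed by IP address rather than one shared pool, guests restricted to one recipient per send, a warning threshold that notifies staff and a hard limit that refuses the send, all over a configurable interval) as an added stand-alone sketch; this is not ocPortal code and the numeric defaults, the `notify_staff` callback and the hypothetical `RecommendLimiter` class are assumptions made here.

```python
from collections import defaultdict, deque


class RecommendLimiter:
    """Sliding-window send limiter for a recommend / e-mail-member form.

    Members are limited per account; guests per IP address, one recipient at
    a time.  Crossing warn_at notifies staff once per window; exceeding
    hard_limit refuses the send and notifies staff.  Defaults are hypothetical.
    """

    def __init__(self, window_seconds=24 * 3600, warn_at=20, hard_limit=100,
                 notify_staff=None):
        self.window = window_seconds
        self.warn_at = warn_at
        self.hard_limit = hard_limit
        self.notify_staff = notify_staff or (lambda msg: None)
        self.sends = defaultdict(deque)   # key -> timestamps of recent sends
        self.warned = set()               # keys already reported this window

    @staticmethod
    def key_for(member_id, client_ip):
        # Logged-in members get their own quota; guests are keyed by IP.
        return ("member", member_id) if member_id is not None else ("guest", client_ip)

    def _prune(self, key, now):
        q = self.sends[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        if not q:
            self.warned.discard(key)      # window elapsed: allow a fresh warning
        return q

    def try_send(self, member_id, client_ip, recipients, now):
        """Record the sends and return True, or return False if refused."""
        if member_id is None and recipients != 1:
            return False                  # guests: one destination per request
        key = self.key_for(member_id, client_ip)
        q = self._prune(key, now)
        if len(q) + recipients > self.hard_limit:
            self.notify_staff(f"hard limit for {key}: {len(q)} sent, {recipients} refused")
            return False
        q.extend([now] * recipients)
        if len(q) >= self.warn_at and key not in self.warned:
            self.warned.add(key)
            self.notify_staff(f"warning threshold for {key}: {len(q)} sends in window")
        return True
```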
#81715

Reading this with interest.

It's of note that in v8 the admin mail logging module has become official and linked from the menus (previously it was hidden but is there). You can check that to get a feel for what emails the system sends out.


#81990

Community saint

Good points, as usual, temp. You are right that a member in good standing is not likely to be sending out hordes of invites.

I do think that for busy sites, Guests would need to be tracked by IP rather than just a common pool.

I have mixed feelings about the timeframe, but you are probably right that 24 hours makes things more manageable for admins.

Bob


#81992

Community saint

Some months ago I had several hacks that tried to use the recommend feature as a spam mailer. After I set a server block on some countries and removed the recommend option, it was done.


http://digiflash.nl Photo community  (dutch)
#82026

Community saint

Harry-S said:
> Some months ago I had several hacks that tried to use the recommend feature as a spam mailer. After I set a server block on some countries and removed the recommend option, it was done.

That's a good reactive response, and hopefully we'll get some good features to help minimise the impact of those initial attacks as a result of these discussions.

Do you have a Samsung Galaxy S / Galaxy S II ? If so, why not check out my ScreenFree FM Radio .