Jump to content

Message Spam


jay5r

Recommended Posts

Posted

I'm having a considerable problem with spammers using IP.Board's message system to spam with links I'm concerned lead to malware. I've disabled most URLs site-wide. And I've put a message before all new URLs saying "[think before following links]", but they continue to try to get my members to go to URLs. (Even putting "virus free!" after the URL, like anyone would believe that.)

On top of everything when you mark someone as a spammer I'm pretty sure the messages they've sent don't get disabled. I know when I actually delete their account their messages continue to exist in the `core_message_posts` table in MySQL (with the `msg_author_id` set to 0).

It just feels like IP.Board's message system is an enormous security hole. Here are things I think would help…

  1. Don't allow new members to post links anywhere on the site – messages, forum posts, etc.
  2. New members who try to send messages with URLs in them should have their messenger system turned off (or set to receive only). They should have to ask an admin to turn it back on. Clearly, a warning message would be needed telling them not to include URLs, so "good" members don't get tripped up accidentally.
  3. Any emails that go out notifying the recipient of the message should not contain the body of the message if it's sent from a new user. Otherwise the harmful link remains in their inbox after it's deleted in IP.Board.
  4. New users should be required to go through reCAPTCHA when they submit any type of content (messages, forum posts, etc.)

How "new users" are defined is up for debate. I use the community rating system and think that some threshold of points would be a decent definition of "new user", but there should also be a time limit – must have been a member for a month or two, or whatever. However, the system would need to be hardened so spammers with multiple accounts don't use their older accounts to give their new accounts ratings. And anyone who gives ratings to spammers should lose that amount of rating when the person they rate is marked as a spammer (which means ratings need to be able to go negative).

Basically I'd encourage you guys to get much much tougher on people who use IP.Board to spam and hack.

Posted

Hi,

There are several features available in the suite already to mitigate spam. Did you: 

- Enable IPS Spam Service? 

- Enabling Captcha?

- Enable Q&A challenge questions? 

- Enable email validation? 

- Define a new member group that prohibits personal messaging? 

 

Posted
17 hours ago, Joel R said:

Hi,

There are several features available in the suite already to mitigate spam. Did you: 

- Enable IPS Spam Service?

- Enabling Captcha?

- Enable Q&A challenge questions? 

- Enable email validation? 

- Define a new member group that prohibits personal messaging?

The only one of those I hadn't already done is defining a new member group. I'm unable to create new groups. When I click "Create New Group" I get the error:

TypeError: Argument 1 passed to IPS\membermap\extensions\core\ContentRouter\_MemberMarkers::__construct() must be an instance of IPS\Member or null, instance of IPS\Member\Group given, called in /web/sites/somedirectory/somedomain/public_html/system/Application/Application.php on line 858

I've had problems editing or creating groups for a while now. Never tried to fix it because it wasn't urgent – it doesn't seem to break anything other than creating and editing groups (which I haven't needed to do).

But having done nearly everything on the list, it's just not enough.

Posted
11 minutes ago, jay5r said:

The only one of those I hadn't already done is defining a new member group. I'm unable to create new groups. When I click "Create New Group" I get the error:

TypeError: Argument 1 passed to IPS\membermap\extensions\core\ContentRouter\_MemberMarkers::__construct() must be an instance of IPS\Member or null, instance of IPS\Member\Group given, called in /web/sites/somedirectory/somedomain/public_html/system/Application/Application.php on line 858

I've had problems editing or creating groups for a while now. Never tried to fix it because it wasn't urgent – it doesn't seem to break anything other than creating and editing groups (which I haven't needed to do).

But having done nearly everything on the list, it's just not enough.

That’s a bug in the membermaps 3rd party app 

Posted

Yes that's definitely a problem with that 3rd party app.

Re the spamming issue though, forums thrive on sharing links, I would definitely check and disable the less visible guest permissions for the Messages app via AdminCP > Applications > System > Messages > Guests

I've found in the past good its worthwhile to review guest permissions every few months as they can and do occasionally change after updates, weird.

Posted
19 hours ago, Martin A. said:

Which I fixed May 26, 2017...

@jay5r: Ever considered keeping your apps up to date?

AFAIK, I never received any type of notification saying there was an update available. I'm religious about doing updates promptly when Invision informs me an update is needed. When a Wordpress plug-in needs updating, you know about it. But it's crickets with IP.Board.

Bottom line I didn't really need member map, so I'll just keep it disabled. If people miss it and complain I'll think about putting it back.

Posted
20 hours ago, The Old Man said:

Re the spamming issue though, forums thrive on sharing links, I would definitely check and disable the less visible guest permissions for the Messages app via AdminCP > Applications > System > Messages > Guests

I've found in the past good its worthwhile to review guest permissions every few months as they can and do occasionally change after updates, weird.

I'm talking about registered members causing problems with the message system, not guests. But I did just check the permissions and guests can access the Messages module, but I'm not quite sure what that means since when I go to the site as a guest I can't seem to access or see anything related to messaging.

Posted

Guests cannot send messages in the messenger, regardless of the module permission.

Your best option is to not allow newly registered users to use the messenger, until they have proven themselves not a spammer. To do that, you disallow the regular member group from accessing the messenger, make a new group with all the same privileges who can access the messenger, then use the group promotion feature to automatically move users from the first group to the second either after a period of time (like a month after registering) or after so many approved posts.

Posted
3 hours ago, bfarber said:

Your best option is to not allow newly registered users to use the messenger, until they have proven themselves not a spammer. To do that, you disallow the regular member group from accessing the messenger, make a new group with all the same privileges who can access the messenger, then use the group promotion feature to automatically move users from the first group to the second either after a period of time (like a month after registering) or after so many approved posts.

I've set up additional groups (one for new users, one for trusted users). Hopefully that will do the trick.

One question though… When you set up criteria for promotion (or demotion), the criteria you list are all have to be met, correct? In other words it's Criteria 1 AND Criteria 2 AND Criteria 3, not Criteria 1 OR Criteria 2 OR Criteria 3, correct?

Which means if they have to meet multiple criteria to get promoted then you can do that all in one criteria set, but if meeting any of a few different criteria can get them demoted to a lower group, then that needs to happen each in a separate criteria set. Right?

Posted
7 hours ago, jay5r said:

AFAIK, I never received any type of notification saying there was an update available. I'm religious about doing updates promptly when Invision informs me an update is needed. When a Wordpress plug-in needs updating, you know about it. But it's crickets with IP.Board.

Bottom line I didn't really need member map, so I'll just keep it disabled. If people miss it and complain I'll think about putting it back.

The update checker for Member Map have been active since v3.1.5, and you should have had a badge next to the application in the list of installed apps in your ACP. Apart from following the file in the marketplace that's the only kind of notification you'll get.

Posted
19 hours ago, jay5r said:

I've set up additional groups (one for new users, one for trusted users). Hopefully that will do the trick.

One question though… When you set up criteria for promotion (or demotion), the criteria you list are all have to be met, correct? In other words it's Criteria 1 AND Criteria 2 AND Criteria 3, not Criteria 1 OR Criteria 2 OR Criteria 3, correct?

Which means if they have to meet multiple criteria to get promoted then you can do that all in one criteria set, but if meeting any of a few different criteria can get them demoted to a lower group, then that needs to happen each in a separate criteria set. Right?

Yes, group promotion rules require ALL criteria to be met.

Posted

So I implemented the whole New User scheme and there are issues…

According to my members "Conversations allowed to start per day" is misstated. It's actually "Messages allowed to send per day" which is a completely different concept. If you're trying to stop a spammer you need "Conversations allowed to start per day" not "Messages allowed to send per day". AND it makes no sense to include messages to the admin/moderation team in the caps (which they are, apparently). New members should be able to respond to any message they were sent, and send messages to the admin/moderation team. It's just they shouldn't be able to initiate more than X new conversation threads per day.

So basically controls to stop spammers using the message system create problems with the good users. In order to keep the good members I'm going to have to loosen the restrictions to the point where spammers can cause a bigger problem.

Posted

The IPS Suite is lacking the desired functionality to prevent spammers to post spam links, if you want to allow ALL users to use the messenger to a certain degree.

As a first recommendation, I'm using the following app (Restricted Messenger) to set accurate permissions / restrict messaging for each member group separately.

F.e.

  • new users group -> may only message to staff groups (admins/mods), NOT to other groups (so there is no danger, that new user could message to other user groups except for stuff)
  • users with 5 content count group -> may message to staff groups AND "top users" group (but NOT to new users)
  • top users -> are allowed to message to all groups, but limited by the IPS restrictions (top users are well known users, that have a high content count AND don't want to risk to get banned due to sending spam ads / spam links)
  • staff -> are able to message to all groups, almost no limitations

 

 

In my dreams, a perfect solution idea for restricting messages/message contents for new users AND users in higher user groups could be:

  1. use the regular IPS group promotion tool with higher permissions for higher user groups
  2. implement Restricted Messenger by @A Zayed
  3. maybe convince @TheJackal84 to implement a "pay points per message/conversation" option in the "Member Shop" app (so users have to pay for each message/receiver combination, users that dont own enough points, cant send messages, so messaging will be restricted by the content creation ability of the sender, and if there are many contents created, a sender wont risk to get his account banned by messaging annoying spam links to others). But this function isn't here yet.
  4. maybe convince @Adriano Faria to extend his app "Enhanced Links Moderation", so it might be used to restrict the messenger, too. But this function isn't here yet

 

Also have a look at this app by @Makoto ->

My recommendation: Ask the app authors for additional functionality in their apps

OR

post in the "IPS customer feedback" forum area, as this is the right area to let IPS know about missing logic and missing features in their software.

Good luck!

Posted
On 11/6/2019 at 11:35 AM, Cyboman said:

post in the "IPS customer feedback" forum area, as this is the right area to let IPS know about missing logic and missing features in their software.

This thread was originally posted in the feedback forum. IPS (presumably) moved it here. But yes, I agree – it doesn't seem to be a server management/optimization issue. Clearly IPS needs to make some improvements.

Today I added yet another level of groups. I had defined "New Member" too broadly and too many people were getting restricted, and hence frustrated, by it. So now I have two levels of reduced privilege – "New" and "Junior". I'm hoping that will be enough to keep my good members happy when they haven't quite met the threshold for full membership.

Archived

This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...