Reset Password · YAF.NET Support Forum

Welcome Guest! To enable all features please Login or Register

Posted by: mika_soukhov - Wednesday, 17 October 2012 22:42:13
Is the any settings to turn on antispam feature for email or pm messages? How really simple bot can send to all users on a forum message. Just enumerate the number on url http://forum.yetanotherforum.net/yaf_pmessage.aspx?u=XXX where XXX=1...10000 or http://forum.yetanotherforum.net/yaf_im_email.aspx?u=XXX (btw, already disabled that feature and my suggestion to do that by default)

Posted by: mika_soukhov - Wednesday, 31 October 2012 13:38:16
So YAF can't protect from spam, right?

Posted by: squirrel - Thursday, 1 November 2012 05:02:17
[quote=mika_soukhov;56588]Is the any settings to turn on antispam feature for email or pm messages? How really simple bot can send to all users on a forum message. Just enumerate the number on url http://forum.yetanotherforum.net/yaf_pmessage.aspx?u=XXX where XXX=1...10000 or http://forum.yetanotherforum.net/yaf_im_email.aspx?u=XXX (btw, already disabled that feature and my suggestion to do that by default)[/quote] I tried both methods you describe against this forum and I get "Access Denied - You tried to access a page that is forbidden" - that means that the method you describe does not allow 'spamming' in the manner you explained. The closest thing I got was by being 'logged in' to these forums and using a user ID against the yaf_pmessage.aspx - but again - that user had to be logged in to do it - and in all reality, that's not a security hole... So if you are having issue here, you need to restrict your 'Is Start' role to not being able to send PMs until you verify the account. That's why most forum softwares allow option of new users not having ability to send PMs or emails until they've hit a certain post count -- spammers will get blocked within their first 10 posts on a forum (if not less) - so the possibility of users configured that way being able to spam the yaf_pmessage.aspx file would only be if you allow 'untrusted' members ability to send PMs or Emails...

Posted by: squirrel - Thursday, 1 November 2012 05:02:17

[quote=mika_soukhov;56588]Is the any settings to turn on antispam feature for email or pm messages? How really simple bot can send to all users on a forum message. Just enumerate the number on url http://forum.yetanotherforum.net/yaf_pmessage.aspx?u=XXX where XXX=1...10000 or http://forum.yetanotherforum.net/yaf_im_email.aspx?u=XXX (btw, already disabled that feature and my suggestion to do that by default)[/quote] I tried both methods you describe against this forum and I get "Access Denied - You tried to access a page that is forbidden" - that means that the method you describe does not allow 'spamming' in the manner you explained. The closest thing I got was by being 'logged in' to these forums and using a user ID against the yaf_pmessage.aspx - but again - that user had to be logged in to do it - and in all reality, that's not a security hole... So if you are having issue here, you need to restrict your 'Is Start' role to not being able to send PMs until you verify the account. That's why most forum softwares allow option of new users not having ability to send PMs or emails until they've hit a certain post count -- spammers will get blocked within their first 10 posts on a forum (if not less) - so the possibility of users configured that way being able to spam the yaf_pmessage.aspx file would only be if you allow 'untrusted' members ability to send PMs or Emails...

Posted by: mika_soukhov - Friday, 2 November 2012 21:25:06
[quote=squirrel;56735] That's why most forum softwares allow option of new users not having ability to send PMs or emails until they've hit a certain post count -- spammers will get blocked within their first 10 posts on a forum (if not less) - so the possibility of users configured that way being able to spam the yaf_pmessage.aspx file would only be if you allow 'untrusted' members ability to send PMs or Emails...[/quote] Well, I think would be more user friendly to create PM sending frequency (for exam allow to send 1 message per 10 min). Or 10 msg per day to different users. Manually approving absolutely can not prevent from spammers. If a forum has a few thousand users the spammer can make provide a fake activity as a usual user. Аfter he obtain an approval, he will make a spam in a short time.

Posted by: mika_soukhov - Friday, 2 November 2012 21:25:06

[quote=squirrel;56735] That's why most forum softwares allow option of new users not having ability to send PMs or emails until they've hit a certain post count -- spammers will get blocked within their first 10 posts on a forum (if not less) - so the possibility of users configured that way being able to spam the yaf_pmessage.aspx file would only be if you allow 'untrusted' members ability to send PMs or Emails...[/quote] Well, I think would be more user friendly to create PM sending frequency (for exam allow to send 1 message per 10 min). Or 10 msg per day to different users. Manually approving absolutely can not prevent from spammers. If a forum has a few thousand users the spammer can make provide a fake activity as a usual user. Аfter he obtain an approval, he will make a spam in a short time.

Posted by: Thantis - Sunday, 4 November 2012 15:43:42
I am pretty sure yaf already limits pm by roles.

Posted by: mika_soukhov - Monday, 5 November 2012 10:06:06
[quote=Thantis;56750]I am pretty sure yaf already limits pm by roles.[/quote] I'm afraid but not. Yaf limits total count (which is looks like absolutely useless), but spam protection requires frequency.

Posted by: mika_soukhov - Friday, 9 November 2012 10:09:02
[quote=mika_soukhov;56752][quote=Thantis;56750]I am pretty sure yaf already limits pm by roles.[/quote] I'm afraid but not. Yaf limits total count (which is looks like absolutely useless), but spam protection requires frequency.[/quote] Another one bug. I disabled PM feature on my board, and it disabled everything - history, contacts, sending.

Important Information: