Forums / General / how avoid tip a friend abuse?
Andre Felipe Machado
Tuesday 12 September 2006 4:20:52 am
Hello, I am trying to avoid "tip a friend" abuse. some spammers use this feature to send msg with their own spam comments.Installed the antispam captcha extension, but where is the tip a friend template?
Thanks.Andre Felipe
--- A Debian user never dies. Issues a last command: shutdown -h now http://www.techforce.com.br
Per-Espen Kindblad
Tuesday 12 September 2006 4:48:22 am
xx/design/standard/templates/content/tipafriend.tpl and code:xx/kernel/content/tipafriend.php
Tuesday 12 September 2006 10:58:10 am
Many thanks for your hint.
Now I am still having the same problems to enable Antispam captcha as at the comments at http://ez.no/community/contribs/datatypes/antispamAnyone got this extension working?
I have to disable the tip a friend feature of my site, because a spammer is trying to exploit it. I would like to re enable it with captcha (or another antispammer measure).
Regards.Andre Felipe
Thursday 14 September 2006 1:32:33 pm
Hello, The spammer managed to access the tip a friend kernel module directly and exploit it. I had to remove the file. The exploit ceased, as far as the logs show. Before, he/she tried many forms of the site, even the registration.I guess the tip a friend kernel module should be improved to avoid this kind of abuse.
Many thanks for the hints. Regards.Andre Felipe
Claudia Kosny
Thursday 14 September 2006 2:21:19 pm
Hello
Do you have any idea what the spammer might have done (maybe a log of the post data or so)?
Claudia
Friday 15 September 2006 4:57:28 am
Hello, please, see http://ez.no/bugs/view/9016 I will backup the site logs for forensics. I already have at home pc, some of the bounced msg. Regards.Andre Felipe
Georg Franz
Friday 15 September 2006 5:18:27 am
Hi,
I had the same problem, reported in http://ez.no/community/bugs/spammer_is_abusing_the_tipafriend_function
There is a tip how you can disable the the tip a friend function in site.ini.append
Best wishes,Georg.
Best wishes, Georg. -- http://www.schicksal.com Horoskop website which uses eZ Publish since 2004
Softriva .com
Friday 22 September 2006 12:50:48 am
Anybody from eZ System say something about this problem. I really don't want to disable this function (Tip a Friend). I need it for a client site.
Friday 22 September 2006 1:31:05 am
Hi there
Here are some of my ideas about of what might be useful to deter spammers like this. Unfortunately I am not to good with preventing exploits like this so I would like to have some input on whether implementing this would help at all or not.
- Log all IP addresses of people trying to send a form for the last 5 minutes or so. If someone sends more than 2 or 3 messages in this period, display a nice apologetic error message. - Add a javascript to the form which contains a unique variable that is set by EZ and maybe stored in the session. The Javascript executes onblur for the one of the required inputboxes and writes the value of this variable into a hidden formfield which is then posted together with the other stuff.EZ checks whether this variable was posted and is the same as in the session and deletes the corresponding session variable every time. Problem: The form will not work without javascript (which I think is ok for tipafriend but might be a problem for other, more important forms). - Add a captcha. This will cause problems with accessibility for vision impaired people.- A bit more restrictive: Limit tipafriend to registered users only.
Greetings from Luxembourg