Geeklog Forums
Email security problem
I am getting spam.
And come to find out, other people on my site are also.
I started playing with it.
And the IP is from my server.
Can you all do something? (This is long but will eliminate all spam from the GL email system.)
1. Put a place in the Config file for a dummy/auto reply email.
2. Put in the Config file a place to change the name of an email.
2A. Example: "E-mail from mysite"
3. With users not logged in, they can still put their name and email.
But how it is sent to the user will be different.
3A. The email addy and name is the Dummy Email and the name is
E-mail from my site
3B. The Subject and body can be changed by the person emailing.
3C. Also it will get the IP of the user sending the E-mail.
3D. Then make the email sent to the user look something like this.
    From name: E-mail from my site
    From E-mail: Dummy Email
    Subject: whatever they put.
    Body of email: This email was sent from (name of site) by someone not logged in. They submitted the name (what they put in the from box) and they put a reply Email: (Their email addy they submitted)
    Their IP is: (Put the IP of the sender here). If this is SPAM, contact an Administrator from (Site name here). Their Website is at (The URL not in HTML). Here is their message to you: (Body text)
4. For people logged in.
4a. It won't ask who it's from or their email.
4b. Subject and body box the same.
4c. The person getting the email will see:
    From name: E-mail from my site
    From E-mail: Dummy Email
    Subject: whatever they put.
    Body of email: This email was sent from (name of site) by someone logged in with the user name: (put in the user name).
    Their contact information is (Put the URL to their profile)
    Their IP is: (Put the submitter's IP addy here)
    If this is SPAM, contact an Administrator from (Site name here). Their Website is at (The URL not in HTML). Here is their message to you:
    (Body text)
This way it will stop spam.
And we can configure our email at home to only take email from the name and Email of the site.
That will be GREAT for Admins with high traffic sites.
To me, this is a huge security hole in GL.
It's real easy, and easy to do it massively with free stuff, to spam GL.
Let me show you.
Download a free browser called Slim Browser. (Mind you, I use this.)
This browser can open many predefined pages and has a nifty auto filler built in.
Not hard at all to tie together.
And they can even make it happen when they open the browser so they can do it with 1 click.
With a day of taking the time of just verifying
addys like so.
http://www.your site.com/profiles.php?uid=2
http://www.your site.com/profiles.php?uid=3
http://www.your site.com/profiles.php?uid=4
and putting them in the browser and pasting in the auto filler.
from: sexy
Body: come to my site cuz the site you're going to allows spammers like me!
Also in the Config.
Put a place to turn off emails from people not logged in for Admins.
And a separate one for users.
That way, even if we may be forced to still deal with it for problems. Like someone can't log in.
The other users don't.
I know they can in their prefs.
But when you're getting spam site wide like me.
I need to have a way to stop it for them.
And keep it open for me, the admin.
Please, this will help a lot of problems for me.
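The message layout proposed in the post above, as an added PHP example (not Geeklog code and not written by the poster): the From header is always the site's own address, the visitor's address appears only in Reply-To and the body, and the sender's IP is recorded. The function names, the $site keys and all sample values are assumptions for illustration; in a web request the IP would come from $_SERVER['REMOTE_ADDR'].

```php
<?php
// Added illustration: build_site_mail() and the $site keys are hypothetical,
// not Geeklog code. All sample values are constructed.

function one_line(string $s): string
{
    // Header values must stay on a single line: collapse control characters.
    return trim(preg_replace('/[\x00-\x1F\x7F]+/', ' ', $s));
}

function build_site_mail(array $site, array $form, string $ip, ?array $user): array
{
    if ($user !== null) {
        // Logged in: identity comes from the session, not from the form.
        $who = "by someone logged in with the user name: {$user['name']}.\n"
             . "Their contact information is {$user['profile_url']}";
        $replyTo = null;
    } else {
        $email = filter_var($form['email'], FILTER_VALIDATE_EMAIL);
        if ($email === false) {
            throw new InvalidArgumentException('invalid reply address');
        }
        $who = 'by someone not logged in. They submitted the name '
             . one_line($form['name']) . "\nand the reply email: $email";
        $replyTo = $email;
    }
    // From is always the site's own address; visitors never control it.
    $headers = ['From' => sprintf('"%s" <%s>', $site['from_name'], $site['from_email'])];
    if ($replyTo !== null) {
        $headers['Reply-To'] = $replyTo;
    }
    $body = "This email was sent from {$site['name']} $who\n"
          . "Their IP is: $ip\n"
          . "If this is SPAM, contact an administrator of {$site['name']} at {$site['url']}\n"
          . "Here is their message to you:\n\n" . $form['body'];

    return ['subject' => one_line($form['subject']), 'headers' => $headers, 'body' => $body];
}

// Constructed anonymous submission; the subject contains a stray line break.
$site = ['name' => 'Example Site', 'url' => 'https://site.example',
         'from_name' => 'E-mail from my site', 'from_email' => 'noreply@site.example'];
$form = ['name' => 'Visitor', 'email' => 'visitor@mail.example',
         'subject' => "hello\r\nthere", 'body' => 'Message text'];
$mail = build_site_mail($site, $form, '203.0.113.7', null);
echo $mail['headers']['From'], "\n", $mail['subject'], "\n\n", $mail['body'], "\n";
```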
Status: offline
Dirk
Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
I have to admit that I understood less than half of your post ...
Anyway, if you see your users getting spammed via the "send email" or "send story to a friend" forms, why not disable anonymous access for them?
    $_CONF['emailuserloginrequired'] = 1;
    $_CONF['emailstoryloginrequired'] = 1;
You can even disable the "send story to a friend" option entirely:
    $_CONF['hideemailicon'] = 0; // If 1, hide "email story" option
Furthermore, both email options use the speed limit, so you may want to increase that to make it less attractive to spam that way:
    $_CONF['speedlimit'] = 45; // in seconds
(note that this speed limit also applies for story, link, and event submissions - I guess we should really have a separate email speed limit)
HTH
bye, Dirk
Status: offline
Mikez
Forum User
Regular Poster
Registered: 06/17/05
Posts: 87
What I put will fix a lot of problems.
At least for me.
Read it slowly. lol
I tried to be as detailed as possible.
The reason I don't just turn off anonymous access is because it disables it for the Admins.
And also I don't like the idea of people losing features because of spammers.
I'd rather stop the spammer without stopping the real user.
The setup I put will do a few things to help stop it.
1. I use 1 Email account to get email from the site.
But I have to leave it open to anyone sending me email, because you can change the "from" name and email address.
2. If they're using the site.
How do we ban them?
We have no information, like their IP.
The only way I was able to stop someone was because they were doing it so much. I found them in my web stats from my server.
They were hitting my site more than me.
And that's hard to do for someone that never logged in. lol
I don't know why the time limit is not deterring them.
Will it stop it if it's at exactly the same time?
The example I just showed you will do it all at the same time.
Bring up and submit all pages at the same time.
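A separate e-mail speed limit of the kind raised in this thread, as an added PHP sketch (not Geeklog code): it counts e-mail form submissions per client IP inside a time window, so forms submitted in the same second are each counted, and it keeps a tally of refused IPs that an admin could use for bans. The class name, the limit of 1 per 45 seconds and the sample submissions are assumptions for illustration.

```php
<?php
// Added illustration: EmailSpeedLimit is hypothetical, not a Geeklog class.
// An in-memory array stands in for a database table.
final class EmailSpeedLimit
{
    private int $max;
    private int $window;
    private array $accepted = [];   // ip => list of accepted timestamps
    private array $rejected = [];   // ip => number of refused submissions

    public function __construct(int $maxPerWindow, int $windowSeconds)
    {
        $this->max = $maxPerWindow;
        $this->window = $windowSeconds;
    }

    // Records the submission and returns true if the IP is under its limit.
    // With a real table, count and insert must run in one transaction so
    // that requests arriving together cannot all pass the check.
    public function allow(string $ip, int $now): bool
    {
        $recent = array_values(array_filter(
            $this->accepted[$ip] ?? [],
            fn (int $t): bool => $t > $now - $this->window
        ));
        if (count($recent) >= $this->max) {
            $this->accepted[$ip] = $recent;
            $this->rejected[$ip] = ($this->rejected[$ip] ?? 0) + 1;
            return false;
        }
        $recent[] = $now;
        $this->accepted[$ip] = $recent;
        return true;
    }

    // IPs with refused submissions, busiest first: candidates for a ban.
    public function offenders(): array
    {
        arsort($this->rejected);
        return $this->rejected;
    }
}

// Constructed submissions: [ip, time]. Three forms are sent in the same second.
$limit = new EmailSpeedLimit(1, 45);
$tries = [['203.0.113.7', 1000], ['203.0.113.7', 1000], ['203.0.113.7', 1000],
          ['198.51.100.4', 1000], ['203.0.113.7', 1046]];
foreach ($tries as [$ip, $t]) {
    printf("%-13s t=%d %s\n", $ip, $t, $limit->allow($ip, $t) ? 'sent' : 'refused');
}
print_r($limit->offenders());
```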