1 rossputin Oct 19, 2006 16:51
3 blueyed Oct 22, 2006 20:00
Try the Captcha Images plugin: http://manual.b2evolution.net/Plugins/Captcha_img
4 village_idiot Oct 22, 2006 20:36
I haven't tested it, blueyed, but are you confident that the form can't be called remotely (assuming the variables are known) via a simple http_post? A captcha wouldn't help in that case.
I suppose I could test and see; I already have a remote form submission page coded.
5 blueyed Oct 23, 2006 00:30
Whoo, of course, just like the regular comment form, it can be called by http_post. But that would also require submitting the valid captcha code. :)
6 village_idiot Oct 23, 2006 01:52
Mm, yeah, you're right, thx :P (brain fart, I should have known that)
7 greenman Mar 02, 2007 22:57
I've been receiving lots of these too, and what's worse is so has anyone who's left their email and commented.
This feature should be able to be turned off. In the meantime, I've just hacked it as follows. Look for the following code in inc/MODEL/comments/_comment.class.php:
function get_author_email()
{
    if( $this->get_author_User() )
    { // Author is a user
        return $this->author_User->get('email');
    }
    else
    {
        return $this->author_email;
    }
}
And change it to:
function get_author_email()
{
    if( $this->get_author_User() )
    { // Author is a user
        return $this->author_User->get('email');
    }
    else
    {
        //return $this->author_email;
        return $nadanothing;
    }
}
Clicking on the email icon next to a comment now brings up:
No recipient specified!
8 edb Mar 02, 2007 23:07
http://forums.b2evolution.net/viewtopic.php?t=9698 will run the message through the antispam table before it gets sent. http://forums.b2evolution.net/viewtopic.php?t=10980 will stop bots from using the message system in, effectively, the same way a captcha does.
9 chennai Mar 04, 2007 15:15
Is there a good way to block these using .htaccess? Here's what one looks like from the stats page:
[mydomain]/Blogs/index.php?disp=msgform&recipient_id=1&post_id=332&redirect_to=http://[mydomain]/Blogs/index.php?blog=2&page=1
Here's what they look like in the server log:
220.52.120.106 - - [04/Mar/2007:08:38:52 -0600] "GET /Blogs/index.php?disp=msgform&recipient_id=3&post_id=330&redirect_to=[mydomain]/Blogs/index.php?blog=2&page=1 HTTP/1.0" 200 26215 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
220.52.120.106 - - [04/Mar/2007:08:38:54 -0600] "POST /Blogs/htsrv/message_send.php HTTP/1.0" 200 378 "[mydomain]/Blogs/index.php?disp=msgform&recipient_id=3&post_id=330&redirect_to=[mydomain]/Blogs/index.php?blog=2&page=1" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
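The GET-then-POST pattern in the log lines above can be detected from the access log itself. The following is an added example, not part of the original post: it flags clients that POST to message_send.php within a few seconds of loading the message form, or without loading it at all. The sample lines are constructed (documentation IP addresses, example.org as the host), and the 5-second threshold is an assumption.

```python
import re
from datetime import datetime

# Constructed sample lines in Apache combined log format, modelled on the
# entries quoted in the post above (documentation IPs, host example.org).
SAMPLE_LOG = """\
203.0.113.5 - - [04/Mar/2007:08:38:52 -0600] "GET /Blogs/index.php?disp=msgform&recipient_id=3&post_id=330 HTTP/1.0" 200 26215 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.5 - - [04/Mar/2007:08:38:54 -0600] "POST /Blogs/htsrv/message_send.php HTTP/1.0" 200 378 "http://example.org/Blogs/index.php?disp=msgform&recipient_id=3&post_id=330" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.10 - - [04/Mar/2007:09:00:00 -0600] "GET /Blogs/index.php?disp=msgform&recipient_id=1&post_id=12 HTTP/1.1" 200 26215 "http://example.org/Blogs/" "Mozilla/5.0"
192.0.2.10 - - [04/Mar/2007:09:01:30 -0600] "POST /Blogs/htsrv/message_send.php HTTP/1.1" 200 378 "http://example.org/Blogs/index.php?disp=msgform" "Mozilla/5.0"
198.51.100.7 - - [04/Mar/2007:09:05:00 -0600] "POST /Blogs/htsrv/message_send.php HTTP/1.0" 200 378 "-" "-"
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def find_suspect_senders(log_text, max_seconds=5):
    """Map IP -> seconds between form view and POST (None if the form was never viewed)."""
    last_form_view = {}
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ip, method, url = m["ip"], m["method"], m["url"]
        if method == "GET" and "disp=msgform" in url:
            last_form_view[ip] = ts
        elif method == "POST" and url.endswith("/htsrv/message_send.php"):
            seen = last_form_view.get(ip)
            if seen is None:
                flagged[ip] = None  # direct POST, form never requested
            elif 0 <= (ts - seen).total_seconds() <= max_seconds:
                flagged[ip] = (ts - seen).total_seconds()
    return flagged

if __name__ == "__main__":
    for ip, delay in find_suspect_senders(SAMPLE_LOG).items():
        reason = "without loading the form" if delay is None else f"{delay:.0f}s after loading the form"
        print(f"{ip}: POST to message_send.php {reason}")
```

The flagged addresses can then feed whatever block list the server already uses; a human reader who takes 90 seconds to write a message is not flagged.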
10 rossputin Apr 07, 2007 23:43
hello all,
what's the best way to disable the messaging system so there are no more spam-bot emails coming from it?
thanks,
ross
11 personman Apr 08, 2007 05:48
Each user can decide if they want to receive messages. It's in User Settings.
12 storm_law Apr 08, 2007 15:57
Captcha has pretty much taken care of all of my Spam problems!
13 xangelusx Apr 10, 2007 19:07
Storm_Law wrote:
Captcha has pretty much taken care of all of my Spam problems!
Ditto!
14 laibcoms Apr 12, 2007 13:52
Add Am_Extra_Comments to your protection lists ;) very useful.
15 skyescrapz Apr 28, 2007 19:35
I am having trouble with this now. I am running version 1.6. Is there a way to fix this with a hack or something besides Captcha or the TuringTest (I tried to install that plugin and got errors, so I'm guessing it doesn't work with 1.6)... Or do I need to install the latest B2E version and use Captcha or TuringTest?
My web host thinks the problem is this: http://forums.b2evolution.net/viewtopic.php?t=9734&highlight=comment+notifications and that people are getting notifications. However, they all started on the same day, they are all on VERY old comments, and the emails they get say that they are from the messaging system on my blog. I don't think I have notification enabled (if it's even something version 1.6 offers) as I have commented on another computer as a visitor and there is no notification pop-up box.
Any help would be very much appreciated. I'm a bit out of my league with this one.
16 personman Apr 28, 2007 19:40
How can that thread describe your problem? It's just a feature request. I recommend upgrading to the current version.
17 skyescrapz Apr 28, 2007 19:47
personman wrote:
How can that thread describe your problem? It's just a feature request. I recommend upgrading to the current version.
I think she thought that feature was causing the problem. I'm not sure. I thought the problem was more along the lines of what this thread is about, which is why I posted it here. Thanks.
18 edb Apr 29, 2007 06:36
You really REALLY need to upgrade. 1.6 was dead on arrival. Upgrade to 1.9.3 (extremely stable by the way) and enjoy the benefits of either captcha or turingtest to cure these problems.
http://www.rossputin.com/blog/index.php/a?disp=msgform&recipient_id=3&post_id=1350&redirect_to=http%3A%2F%2Frossputin.com%2Fblog%2F%3Fblog%3D2%26amp%3Bpage%3D1
That thing?
If you don't want to receive spam via that contact form, then you need to do some work. Here are a couple of suggestions:
1. Do you restrict commenting to registered users only? If so, do the same for that form. Only display the link if they're logged in, ONLY let them access the form itself if they're logged in.
2. Only allow referers that come from your domain to access the form itself, etc.
3. Have mod_security available? Use it to check POST payloads.
Nearly ALL contact forms of that type are wide open for spam. You're inviting mail after all -- and without any sort of checks and balances, well, you're going to get mail, and some of it might be unwelcome.
It is possible to secure contact forms, but it takes a little work.