[F] 10,000 PMs problem [C-Ryan Gordon]
#1
I just had a member last night send 10,000 PMs to my members. I woke up to see that. Now...I know officially this isn't a bug but imho it's a priority to stop spammers especially if they can write a script and have 10,000 PMs sent in minutes. This is a grave cause for concern. They could have flooded my server with 1,000,000 PMs and probably crashed the site, server or database.

I have max recipients set to just 1 for the registered group.

I will probably do a custom fix for now to prevent this, but please, MyBB, look into this. I exported the data from my logs. There is some really disturbing stuff if it can be repeated.

Sample logs:

59.93.176.72 - - [12/Nov/2008:04:46:37 -0500] "POST /private.php HTTP/1.1" 302 203 "http://www.hackforums.net/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3"
59.93.176.72 - - [12/Nov/2008:04:46:37 -0500] "POST /private.php HTTP/1.1" 302 203 "http://www.hackforums.net/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3"
59.93.176.72 - - [12/Nov/2008:04:46:38 -0500] "POST /private.php HTTP/1.1" 302 203 "http://www.hackforums.net/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3"
59.93.176.72 - - [12/Nov/2008:04:46:38 -0500] "POST /private.php HTTP/1.1" 302 203 "http://www.hackforums.net/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3"

They appear to be using a Firefox plugin that automates the process for them. Hard to really tell for sure, but that's how it looks to me. If the flood-control setting "postfloodsecs" can be applied to PMs...I think that's the best solution.

Thank you.
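The log lines above are the kind of evidence an admin has to work from: repeated POSTs to private.php from one address, seconds apart. The script below is an added example (not code from the thread or from MyBB) that parses Apache combined-format lines and flags any client address that posts to /private.php more than a threshold number of times inside a sliding time window. The sample lines are constructed for the example and use documentation addresses; the window and threshold values are assumptions to tune for a real board.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in Apache combined log format (not the thread's real log).
# 203.0.113.5 fires five PM submissions in two seconds; 198.51.100.9 is a normal user.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Nov/2008:04:46:37 -0500] "POST /private.php HTTP/1.1" 302 203 "http://forum.example/" "Mozilla/5.0"
203.0.113.5 - - [12/Nov/2008:04:46:37 -0500] "POST /private.php HTTP/1.1" 302 203 "http://forum.example/" "Mozilla/5.0"
203.0.113.5 - - [12/Nov/2008:04:46:38 -0500] "POST /private.php HTTP/1.1" 302 203 "http://forum.example/" "Mozilla/5.0"
198.51.100.9 - - [12/Nov/2008:04:46:38 -0500] "GET /index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Nov/2008:04:46:38 -0500] "POST /private.php HTTP/1.1" 302 203 "http://forum.example/" "Mozilla/5.0"
203.0.113.5 - - [12/Nov/2008:04:46:39 -0500] "POST /private.php HTTP/1.1" 302 203 "http://forum.example/" "Mozilla/5.0"
198.51.100.9 - - [12/Nov/2008:04:47:10 -0500] "POST /private.php HTTP/1.1" 302 203 "http://forum.example/" "Mozilla/5.0"
"""

# Apache "combined" format: ip ident user [time] "method path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec.pop("ts"), "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect_pm_bursts(lines, window_secs=60, threshold=5, path="/private.php"):
    """Return {ip: peak_count} for every address whose POSTs to `path`
    reached `threshold` within any `window_secs`-wide window.

    Lines are assumed to be in chronological order, as an access log normally is.
    """
    windows = defaultdict(deque)  # ip -> timestamps of recent matching POSTs
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != path:
            continue
        t = rec["time"].timestamp()
        q = windows[rec["ip"]]
        q.append(t)
        # Drop events that have fallen out of the sliding window.
        while q and t - q[0] > window_secs:
            q.popleft()
        if len(q) >= threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged


if __name__ == "__main__":
    for ip, peak in detect_pm_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {peak} PM submissions inside one 60s window")
```

Running it over a real access log (`detect_pm_bursts(open("access.log"))`) gives a quick list of addresses worth checking against the private-message table before deciding on a ban or a cleanup.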
#2
If this wasn't caused by a non-MyBB plugin/modification and is reproducible, I'm happy to put in place the postfloodsecs setting as a temporary fix, and a better one can be made for 1.6.
#3
If you mean a non-MyBB modification as a plugin I have running on the site, then no...that wasn't the cause. They simply set some script to just keep on sending PMs. I have the group set for only 1 recipient and that's what they did...one at a time, using their script to send send send. The only thing I run that is affecting PMs is a minimum post count to send them.

I can PM you that code which is very minimal...

I am working on a temp fix because I am sure these spammers will be back if I don't plug this. I assume any fix you do would involve editing the datahandler pm.php file and adding similar code to what's in post.php.

Tell me what you need Ryan but I am sure you are aware this is possible since PMs do not have any type of flood control.
#4
OK, find in inc/datahandlers/pm.php

// Verify all PM assets.
$this->verify_subject();

and add before it

// Drafts are not delivered, so only real sends are subject to the flood check.
if(!$pm['savedraft'])
{
	$this->verify_pm_flooding();
}

Add this somewhere in the class:

/**
 * Verify that the user is not flooding the system.
 * Temporary fix until a better one can be made for 1.6
 *
 * @return boolean True
 */
function verify_pm_flooding()
{
	global $mybb, $db;

	$pm = &$this->data;

	// Check if post flooding is enabled within MyBB, that the sender is a real user
	// (fromid 0 is used for system messages) and that no admin override is in effect.
	if($mybb->settings['postfloodcheck'] == 1 && $pm['fromid'] != 0 && $this->admin_override == false)
	{
		// Fetch the dateline of the sender's most recent PM.
		$query = $db->simple_select("privatemessages", "dateline", "fromid='".intval($pm['fromid'])."'", array('order_by' => 'dateline', 'order_dir' => 'desc', 'limit' => 1));
		// intval() turns the NULL of a user who has never sent a PM into 0, so the check below passes for them.
		$lastpm = intval($db->fetch_field($query, "dateline"));

		// Reject if the last PM falls inside the flood window, unless the sender is a moderator.
		if(TIME_NOW-$lastpm <= $mybb->settings['postfloodsecs'] && !is_moderator("", "", $pm['fromid']))
		{
			// Oops, user has been flooding - throw back error message.
			$time_to_wait = ($mybb->settings['postfloodsecs'] - (TIME_NOW-$lastpm)) + 1;
			if($time_to_wait == 1)
			{
				$this->set_error("pm_flooding_one_second");
			}
			else
			{
				$this->set_error("pm_flooding", array($time_to_wait));
			}
			return false;
		}
	}
	// All is well that ends well - return true.
	return true;
}

In inc/languages/datahandler_pm.lang.php add these language strings:

$l['pmdata_pm_flooding'] = 'You are trying to send a message too quickly after sending a previous message. Please wait {1} more seconds.';
$l['pmdata_pm_flooding_one_second'] = 'You are trying to send a message too quickly after sending a previous message. Please wait 1 more second.';


All admins/super mods/mods can bypass this restriction with my temp. fix.
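To see what the check above actually buys you against a script that submits one PM after another, here is an added example (not MyBB code and not part of the thread) that models the same rule in memory: a sender is rejected while the time since their last accepted message is at most postfloodsecs, moderators and the uid-0 system sender bypass it, and the reported wait time is computed exactly as in the PHP. The class and function names are assumptions for the example; the simulation shows how many of 10,000 one-per-second attempts get through with a 10 second flood window.

```python
class PmFloodGuard:
    """In-memory model of a per-sender PM flood check (hypothetical, mirrors the thread's rule)."""

    def __init__(self, floodsecs, moderators=()):
        self.floodsecs = floodsecs          # the board's postfloodsecs setting
        self.moderators = set(moderators)   # user ids that bypass the check
        self.last_pm = {}                   # sender id -> dateline of last accepted PM

    def check(self, sender_id, now):
        """Return (allowed, seconds_to_wait) and record the send if it is allowed.

        `now` is an integer timestamp, like MyBB's TIME_NOW.
        """
        last = self.last_pm.get(sender_id)
        # Sender 0 is the system, moderators are exempt, and a first-ever PM has no previous dateline.
        exempt = sender_id == 0 or sender_id in self.moderators or last is None
        if not exempt and now - last <= self.floodsecs:
            # Same arithmetic as the PHP fix: remaining window plus one second.
            return False, (self.floodsecs - (now - last)) + 1
        self.last_pm[sender_id] = now
        return True, 0


def error_message(seconds_to_wait):
    """Pick the singular or plural language string, as the datahandler does."""
    if seconds_to_wait == 1:
        return "You are trying to send a message too quickly after sending a previous message. Please wait 1 more second."
    return ("You are trying to send a message too quickly after sending a previous message. "
            f"Please wait {seconds_to_wait} more seconds.")


def simulate_burst(guard, sender_id, attempts, interval):
    """Fire `attempts` sends `interval` seconds apart and return how many were accepted."""
    accepted = 0
    for i in range(attempts):
        allowed, _ = guard.check(sender_id, i * interval)
        accepted += int(allowed)
    return accepted


if __name__ == "__main__":
    guard = PmFloodGuard(floodsecs=10)
    print("accepted from a 10,000-message one-per-second burst:", simulate_burst(guard, 7, 10000, 1))
    ok, wait = PmFloodGuard(10).check(5, 100)
    print(ok, wait)                      # first PM is always accepted
```

The number that comes out of the simulation (910 of 10,000, because a send is accepted only when more than floodsecs seconds have passed, so every 11th second) is the real effect of the patch: the attacker's throughput drops by roughly two orders of magnitude, but the check is per sender, so a spammer with several registered accounts still has to be caught by the log-side detection or by a cap on how many PMs a new member may send per day.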
#5
Awesome, thanks. I sort of made a quick similar plugin but I prefer your changes.

Will they make it into 1.4.4? Curious as I want to know on update if I have to redo these changes.
#6
Yeah, it will be in 1.4.4. In 1.6, it will have its own setting.
#7
Thank you for your bug report.

This bug has been fixed in our internal code repository. Please note that the problem will not be fixed here until these forums are updated.

With regards,
MyBB Group