2008-11-12, 11:57 PM
I just had a member last night send 10,000 PMs to my members. I woke up to see that. Now... I know officially this isn't a bug, but IMHO it's a priority to stop spammers, especially if they can write a script and have 10,000 PMs sent in minutes. This is a grave cause for concern. They could have flooded my server with 1,000,000 PMs and probably crashed the site, server or database.
I have max recipients set to just 1 for the registered group.
I will probably do a custom fix for now to prevent this, but please, MyBB, look into this. I exported the data from my logs. There is some really disturbing stuff if it can be repeated.
Sample logs:
Quote:
59.93.176.72 - - [12/Nov/2008:04:46:37 -0500] "POST /private.php HTTP/1.1" 302 203 "http://www.hackforums.net/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3"
59.93.176.72 - - [12/Nov/2008:04:46:37 -0500] "POST /private.php HTTP/1.1" 302 203 "http://www.hackforums.net/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3"
59.93.176.72 - - [12/Nov/2008:04:46:38 -0500] "POST /private.php HTTP/1.1" 302 203 "http://www.hackforums.net/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3"
59.93.176.72 - - [12/Nov/2008:04:46:38 -0500] "POST /private.php HTTP/1.1" 302 203 "http://www.hackforums.net/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3"
Appears to probably be using a Firefox plugin that would automate the process for them. Hard to really tell for sure, but that's how it looks to me. If the flood-control setting "postfloodsecs" can be applied to PMs... I think that's the best solution.
Thank you.
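
The following is an added example, not part of the original post and not MyBB code: it scans Apache combined-format access log lines like the ones quoted above and reports clients whose POSTs to /private.php exceed a rate threshold. The function names, the thresholds (3 POSTs per 10 seconds) and the 192.0.2.10 rows are assumptions, and the input is assumed to be in chronological order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache combined log format: client IP, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def parse(line):
    """Return (ip, timestamp, method, path without query) or None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?", 1)[0]

def find_pm_floods(lines, path="/private.php", max_posts=3, window_secs=10):
    """Map each offending IP to its peak POST count within one sliding window.

    Thresholds are assumed values; lines must be in chronological order.
    """
    window = timedelta(seconds=window_secs)
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peaks = {}
    for line in lines:
        rec = parse(line)
        if rec is None or rec[2] != "POST" or rec[3] != path:
            continue
        ip, ts = rec[0], rec[1]
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:     # drop entries older than the window
            q.popleft()
        if len(q) > max_posts:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks

def _line(ip, hms, method="POST"):
    # Builds a constructed log line in the same format as the excerpt above.
    return (f'{ip} - - [12/Nov/2008:{hms} -0500] '
            f'"{method} /private.php HTTP/1.1" 302 203 "-" "-"')

# Constructed sample: the 59.93.176.72 POSTs reuse the timestamps from the
# quoted excerpt; the 192.0.2.10 rows are an invented slow, normal sender.
SAMPLE = [_line("192.0.2.10", "04:40:00"), _line("192.0.2.10", "04:45:00"),
          _line("59.93.176.72", "04:46:36", "GET"),
          _line("59.93.176.72", "04:46:37"), _line("59.93.176.72", "04:46:37"),
          _line("59.93.176.72", "04:46:38"), _line("59.93.176.72", "04:46:38")]

if __name__ == "__main__":
    print(find_pm_floods(SAMPLE))
```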