• I have been using Jalenack’s wordspew plugin for quite some time… Till a few days back I had kept it only for registered users. But I opened it for the public and within a day it got spammed to its limit. I closed it again. But a problem has arisen. Even though it’s closed now, i.e., only for registered users, the spammers who had commented while it was open can still comment. I have tried emptying the SQL table from phpmyadmin but no use. And I have also installed the bad behaviour plugin. But still the shoutbox is getting spammed…

    plz suggest

Viewing 2 replies - 1 through 2 (of 2 total)
  • Thread Starter raasm007

    (@raasm007)

    plz… I need help!!!

    Here is the problem with that plugin. Correct me if I am wrong, as I am unwilling to create an account just to double-check this:

    The form used to send info to the shoutbox is only viewable if you are logged in.

    Correct? (No need to answer, I’m looking at the plugin source, I already see that I am correct)

    That’s all well and fine, however that doesn’t protect “the guts”, how it works.

    In other words, just because I cannot see the form on the page, doesn’t mean I cannot send an http_post to it. If I know the variables to use, it’s quite easy.

    http_post is very basic, and can even be done remotely.

    There are a couple of things that can be done. For starters, I would take a look at your server logs, and see if the http_posts are being done remotely, as is often the case. If so, you can deter some of it by forcing the referer to come from your domain.

    If the referring hit is coming from your domain, then it’s a little more tricky but you can fix that as well.

    Essentially though, it ought to be up to the plugin writer to address this. It’s a well-known shortcoming of anything using http_post.
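The log check suggested in the reply above, as an added example that is not part of the original thread or of the plugin: it counts POSTs to the shoutbox handler per client and sorts them by whether the Referer is missing, off-site, or from your own domain. It assumes the Apache/nginx combined log format; `SITE_HOST`, the `HANDLER` path and the sample log lines are constructed placeholders.

```python
import re
from collections import Counter
from urllib.parse import urlparse

SITE_HOST = "example.com"  # assumption: your own domain
# Hypothetical handler path; take the real one from the plugin or your logs.
HANDLER = "/wp-content/plugins/shoutbox-example/post.php"

# Combined Log Format: ip ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def classify_referer(referer):
    """Return 'missing', 'same-site' or 'off-site' for a Referer value."""
    if referer in ("", "-"):
        return "missing"
    host = (urlparse(referer).hostname or "").lower()
    # Compare the parsed hostname, not a substring, so that
    # example.com.example.net is not mistaken for example.com.
    if host == SITE_HOST or host.endswith("." + SITE_HOST):
        return "same-site"
    return "off-site"

def triage(lines):
    """Count POSTs to the handler per (client IP, referer class)."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0] != HANDLER:
            continue
        counts[(m["ip"], classify_referer(m["referer"]))] += 1
    return counts

T = '[12/Mar/2008:10:01:02 +0000]'  # constructed timestamp
P = '"POST ' + HANDLER + ' HTTP/1.1" 200 312'
SAMPLE_LOG = [  # constructed log lines using documentation IP ranges
    f'203.0.113.7 - - {T} {P} "-" "Mozilla/4.0"',
    f'203.0.113.7 - - {T} {P} "-" "Mozilla/4.0"',
    f'203.0.113.7 - - {T} {P} "http://spam.example.net/x" "Mozilla/4.0"',
    f'198.51.100.20 - - {T} {P} "http://example.com/blog/" "Mozilla/5.0"',
    f'198.51.100.99 - - {T} {P} "http://example.com.example.net/" "Mozilla/5.0"',
    f'192.0.2.15 - - {T} "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for (ip, kind), n in triage(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {ip:15s}  {kind}")
```

The Referer header is supplied by the client, so a "same-site" count only shows what the request claimed, which is why the reply treats a referer rule as a deterrent rather than a fix.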

  • The topic ‘Wordspew shoutbox getting spammed even though it is only for reg members’ is closed to new replies.