As designed Contact Us form allows guests to flood


Well-known member
The Contact Us form uses the standard XenForo flood check.

Except this flood check doesn't work for guest users, which allows guests to spam the contact us form without respecting any flood check, while users do need to obey the flood check.

A quick look shows this is because XenForo uses the user_id as the primary key in the xf_flood_check table rather than something which would support a userid or an ip for guests.


XenForo developer
Staff member
The flood check is indeed designed for registered users. For guests, in general, we use a captcha for rate limiting. As such, I would call this expected/as designed.

The only place I can think of where we do IP-based rate limiting is with logins, and that can potentially just enable a captcha, if you desire. There is a possibility of a false positive with IP rate limiting--mostly due to NAT though also misconfigurations with reverse proxies--so it would be possible to break guest functionality unexpected with IP limiting.