As designed Contact Us form allows guests to flood

X

Xon

Well-known member
The Contact Us form uses the standard XenForo flood check.

Except this flood check doesn't work for guest users, which allows guests to spam the contact us form without respecting any flood check, while users do need to obey the flood check.

A quick look shows this is because XenForo uses the user_id as the primary key in the xf_flood_check table rather than something which would support a userid or an ip for guests.
 
The flood check is indeed designed for registered users. For guests, in general, we use a captcha for rate limiting. As such, I would call this expected/as designed.

The only place I can think of where we do IP-based rate limiting is with logins, and that can potentially just enable a captcha, if you desire. There is a possibility of a false positive with IP rate limiting--mostly due to NAT though also misconfigurations with reverse proxies--so it would be possible to break guest functionality unexpected with IP limiting.
 

Similar threads

Ozzy47
[OzzModz] Contact Us Form Redirect to Conversation
Replies
0
Views
432
Ozzy47
Ozzy47
R
  • Question Question
XF 2.1 Frustrating email problems - New account confirmation and Contact form
Replies
6
Views
619
Black Tiger
Black Tiger
smozgur
Contact Us form - SPAM management
Replies
2
Views
1K
Kirby
K
A
Contact Us Spam
2
Replies
26
Views
2K
ENF
ENF
A
  • Question Question
Contact Us Form Spam
Replies
13
Views
2K
Alfuzzy
A
Top Bottom