
Conversation Bomb / Denial of Service / Spam Attack

Discussion in 'General XenForo Discussion and Feedback' started by Kent, Aug 2, 2011.

  1. Kent

    Kent Active Member

    Read this first: the problem occurred because a moderator invited several users to a conversation, and the users then proceeded to spam. Although this is a limited situation, it could be troublesome if a moderator did this on your board for any reason (legitimate or just being immature.)

    Okay, recently a few members of our community thought it'd be funny to make a giant conversation, invite everyone they can, spam like crazy posting pornography and various other things that are highly against our rules.

    That itself is just a bother, but it seems administrators cannot close/delete conversations. To make matters worse, every single reply to that conversation sent out an email to every participant and used up a ton of CPU with MySQL. The only choice I had was to ban a few key spammers and manually edit every reply until I could get in contact with the conversation starter and make him close it. There were about 100 participants and 150 replies, which caused the site to load rather slowly.

    To prevent the email spam, assuming you've set up a new board:
    Default Registration Values: "Receive email when a new conversation message is received" in admin.php?options/list/usersAndRegistration
    If your board is already set up, run this query to manually set all users to not receive emails on conversations:
    UPDATE `xf_database`.`xf_user_option`
    SET `email_on_conversation` = 0;
    Unfortunately that's just a quick-fix. If someone were intentionally trying to spam/DoS your board, they could enable it again on several accounts and continue spamming.

    I believe administrators should be able to close and delete others' conversations/replies, and read conversations they've not been invited to. Although that is a bit much to ask for, admins or at least the main admin should be allowed to do it via XenForo, rather than a plugin/coding something to read the database.
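
A way to spot the kind of conversation described in the post above before it saturates mail and MySQL, as an added example that is not part of the original post or of XenForo itself. Only `xf_user_option.email_on_conversation` comes from the thread; the tables `xf_conversation_master` and `xf_conversation_recipient`, their columns, and both thresholds are assumptions to check against your own XenForo schema.

```sql
-- Added example: rank recently active conversations by estimated e-mail fan-out.
-- Assumed schema (verify on your install): xf_conversation_master,
-- xf_conversation_recipient. xf_user_option.email_on_conversation is the
-- column named in the post above.
SELECT
    m.conversation_id,
    m.title,
    m.username                        AS starter,
    m.conversation_open,
    m.reply_count,
    COUNT(r.user_id)                  AS active_recipients,
    COUNT(o.user_id)                  AS recipients_emailed,
    -- every reply mails each opted-in participant once
    m.reply_count * COUNT(o.user_id)  AS est_emails_sent
FROM xf_conversation_master AS m
JOIN xf_conversation_recipient AS r
       ON r.conversation_id = m.conversation_id
      AND r.recipient_state = 'active'
LEFT JOIN xf_user_option AS o
       ON o.user_id = r.user_id
      AND o.email_on_conversation = 1
WHERE m.last_message_date > UNIX_TIMESTAMP() - 86400   -- constructed window: last 24 h
GROUP BY m.conversation_id, m.title, m.username,
         m.conversation_open, m.reply_count
HAVING COUNT(r.user_id) >= 20                          -- constructed threshold
ORDER BY est_emails_sent DESC;
```

Run on a schedule, a row with a high `est_emails_sent` and `conversation_open = 1` is the one to have its starter or a staff member close first.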
  2. Divvens

    Divvens Well-Known Member

    A report button on personal conversations would solve the problem. You can limit the max number of conversation recipients as well.
  3. Digital Doctor

    Digital Doctor Well-Known Member

    I'm not sure the members would like this.
    Why not limit the Conversation Participants to something reasonable, like 10.
  4. Kent

    Kent Active Member

    Report button does make sense, although if it went unreported or was a conversation between many accounts of the same person it'd go unnoticed unless they decided to add others.

    Limiting maximum conversation recipients does help, although ours was set to 5.
    The number of people involved caused it to boom, along with a request by the conversation starter to invite as many people as possible.

    Edit: perhaps this limit is hard set by the conversation starter? I'll test this in a bit.
  5. Digital Doctor

    Digital Doctor Well-Known Member

  6. Kent

    Kent Active Member

    Thanks for pointing that out, I just realised what happened.
    A moderator was the one who added several people, which means this is for the most part limited to bad configurations and staff.
  7. Divvens

    Divvens Well-Known Member

    Ah, well giving global moderators unlimited recipients is not a bad idea. But yeah selecting the right staff members is important.
