Fixed profile post comment not inside recent activity

Adam Howard

Well-known member
Cliffs: 200+ profile post spammed, but no way of knowing it because it did not show up in recent activity. I'd call this a bug (or spam exploit / vulnerability ). Because there is virtually no way to monitor the activity on people's profiles.

edit: Profile comments (I still count those as post)


Details:

So we had a spammer slowly crawl over 200 profile. They couldn't post any links because I have an add-on preventing newbie without X amount of post from posting links (http://xenforo.com/community/resources/sonnb-stop-spam-here.1086/) and thank God for that, because after posting on over 200 profiles I'd still call that successful & can only image how much worst it could have been.

This was a human spammer. Since they made comment in relation to other people. I can only image what a bot would have done.

So I started asking myself, how did I not notice him crawling all over the site, posting on people's profiles. The answer is that the recent activity does not seem to count profile post. And so it seems to be a free range way of basically having at it.
 
Last edited:
Profile Post Comments aren't in recent activity
Profile Post Comments won't be found with the search
Profile Post Comments can't be reported
Profile Post Comments can't be edited
Profile Post Comments can't be soft deleted

I wouldn't even call them halfbaked:P
 
I just found out one of my competitors had been slowly spamming my site. He was posting links like such

m y s i t e D O T c o m

Anyone know sql command to remove all profile post and comments?
 
the same problem happens also with the IMO stupid implemention of the RM reviews & review comments... (just replace "Profile Post Comments" with "Resource Manager Review & Resource Manager Review Comments") in
Profile Post Comments won't be found with the search
Profile Post Comments can't be reported
Profile Post Comments can't be edited
Profile Post Comments can't be soft deleted
 
NO.

I'm not happy that this got pushed back to a "future fix". Because as it stands right now, I could spam the living hell out of XenForo.com or any other XenForo type site and you'd be clueless of me doing it unless someone finally reported it.

THIS NEEDS TO BE ADDRESSED.
 
I've never seen it used for spam. Presumably XenForo hasn't either.

Personally I would have put money on this one being "As Designed".

They obviously consider it a potential but not active risk.

Best thing to do is not scream, shout and stamp your feet like a child. I'm sure it won't make much of a difference to the decision as it stands.
 
NO.

I'm not happy that this got pushed back to a "future fix". Because as it stands right now, I could spam the living hell out of XenForo.com or any other XenForo type site and you'd be clueless of me doing it unless someone finally reported it.

THIS NEEDS TO BE ADDRESSED.
Bumping a bug report in this manner is not necessary.
Demanding that it "NEEDS TO BE ADDRESSED" isn't going to make any difference and is frankly not for you to make that claim.

The developers will deal with it as and when they see fit.
 
I've never seen it used for spam. Presumably XenForo hasn't either.

Personally I would have put money on this one being "As Designed".

They obviously consider it a potential but not active risk.

Best thing to do is not scream, shout and stamp your feet like a child. I'm sure it won't make much of a difference to the decision as it stands.
I've been hit by this type of attack 4x now on my site. Each time with over a few hundred replies. One attacker managed to do this on EVERY members profile (all 700 members).

And frankly, yes, I am upset that this got into the "future fix" because it seems like things "future fixes" remind me of vBulletin in that they sit here forever. I love XenForo, but I really do not want this to become a "thing".

You are right and I am sorry, if my tone is high strung on this. I've said my peace.
 
Now that you mentioned it, it struck me as pretty odd for profile post comments to be unreportable.

An addon to "upgrade" profile posts comments to profile posts quality should be pretty easy, but it might be better to just upgrade profile posts comments to profile posts (so you can have n-depth comments).

EDIT: @Adam Howard, I tested the current system, and it seems like profile post comments are also subject to global post timers, so if you have that on and it is set to a reasonable time, it should discourage the human from abusing.

Otherwise, you can't report the comment - that's it. Note that the spam cleaner also automatically deals with profile post comments but it seems like there's no option checking whether you want this behaviour or not, maybe @Mike or @Kier can look into it.
 
Last edited:
Back
Top Bottom