Lack of interest Throttle reactions for registered members

[Jawsh]

A user has set up a bot on my website which is currently liking every profile post ever made simply by spamming this request:

[06/Apr/2021:17:04:44 +0000] "POST /profile-posts/214749/react HTTP/1.1" 303 0 "/profile-posts/145466/react?reaction_id=1" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36"

Then profile post ID + 1 and resubmitting. This is allowed to occur as fast as your webserver and database allow it to. The end result is a flood of notifications. If you had a profile set up with links to commercial services (i.e. spam) this would be a great way to deliver your URL to every user on the site.

I'm not sure if this applies to other reactions, but profile posts are likely the most ideal target as they rarely get deleted and are almost always available to registered users without any special permissions.

 

[Chris D]

This isn't something we're progressing in terms of a bug report though the concept of rate limiting reactions might be worth considering, though it will take a reasonable amount of effort to do so, so this will be something we consider in the future.

Flood checking reactions (like we do with posts) may have little effect versus a system that prevents more than X reactions in Y time as this will generally target actual abusers rather than normal users just trying to react to content.

Worth noting that once you have identified the user, it is of course trivial to discipline them and delete the reactions (and the alerts they generated) from the edit user page in the Admin CP.