XF 2.2 Users can still submit new threads if already in the moderation queue, allowing to bypass spam-detection/cleaner limits


We configured "Maximum messages to check for spam" to 15, as with that amount of valid messages (i.e., not hanging in the approval queue) its highly unlikely that a user starts spamming, so the "Spam cleaner user criteria" setting was also set to 15 for similar reasons and because we hard-delete everything and want some basic safeguard against triggering it for very engaged users.

A spammer this weekend just continued to submit new posts until they went beyond those limits at which time their posts showed up directly, without being checked for spam anymore, and further, the spam cleaner button was disabled making it a lot of more work for the moderators online over the weekend (which have no admin access to change that setting) to clean up.

IMO this is a clear bug in the anti-spam architecture, posts pending approval must not count towards the total post counts, as that allows bad actors to disable the spam checker and or cleaner by, well, spamming.
posts pending approval must not count towards the total post counts
They don't.

We only increment the user's message_count for posts that have a valid message state which are contained within a thread that has a valid discussion state.

I have my maximum messages to check set to 5.


Everything I create is checked for spam and still moderated accordingly.

So this now really comes down to what spam detection measures you have in place. If the spammer is able to create a number of messages that aren't picked up by your spam measures, then they'll eventually meet the criteria for no longer checking any messages for spam.

So generally it's just going to be a case of figuring out which messages specifically passed your spam checks and whether or not they could have been detected as spammy through using different spam measures such as "spam phrases" or similar.
Top Bottom