Monday, October 12, 2009

Spam, spam, spam, fitness, and spam?

As I was casually perusing this nomic’s fine list of recently registered players, I found myself quite intrigued by the number of new players who all had full, often strange names, each with a startling lack of posts and an email containing some iteration of the word “fitness”. I also noted a common use of the last names “Hudgens”, “Brown”, “Waller”, and “Simmons”. Seeking some other connection between these entities, I examined the IP addresses for each. While not identical, I found each strikingly similar to the others’. As a confirmation of my misgivings, I soon discovered that each profile contained an inordinate number of links to sites completely unrelated to our own. Recalling how our wiki was once used as spam for links to similar sites, I began to realize the improper intentions these entities had. It thus has become my intention to delete all such accounts. Any player with misgivings about this action should post as such in the next 24 hours, else I will proceed in the fashion which I have just alluded to.

EDIT: I believe that I have ascertained the weakness in our site which has allowed this spam—the correct code for one image captcha will work for ANY captcha. I have tested this without creating a new account; please do not create a new account by testing this—we do not need the spam.
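The flaw described in the EDIT, where the answer to one captcha image is accepted for any captcha, is a classic failure to bind the submitted answer to the specific challenge that was issued and to consume that challenge on use. The following is an added example (not the site's code and not ExpressionEngine's captcha implementation) that models both the weak check and a hardened one; the `CaptchaStore` class, the session and challenge identifiers, and the `replay_signups` simulation are all constructed for illustration.

```python
import hmac
import secrets
import time


class CaptchaStore:
    """Constructed in-memory stand-in for the database table in which a CMS
    keeps outstanding captcha challenges (hypothetical; not a real CMS API)."""

    def __init__(self, ttl_seconds=300, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock
        # challenge_id -> (answer, session_id, issued_at)
        self.challenges = {}

    def issue(self, session_id, answer=None):
        """Create one challenge bound to one visitor session. Returns the opaque
        challenge id (sent to the browser as the image name or a hidden field)
        and the answer, which in production only the rendered image reveals."""
        challenge_id = secrets.token_hex(16)
        answer = answer if answer is not None else secrets.token_hex(4)
        self.challenges[challenge_id] = (answer, session_id, self.clock())
        return challenge_id, answer

    def verify_vulnerable(self, submitted):
        """Weak check modelled on the behaviour the post reports: the answer is
        accepted if it matches ANY outstanding challenge, and nothing is ever
        consumed, so one image solved by hand unlocks unlimited sign-ups."""
        return any(answer == submitted for answer, _, _ in self.challenges.values())

    def verify(self, session_id, challenge_id, submitted):
        """Hardened check: look up the exact challenge shown to this session,
        consume it whether or not the answer is right (no retries against the
        same image), reject expired challenges, and compare in constant time."""
        entry = self.challenges.pop(challenge_id, None)
        if entry is None:
            return False
        answer, bound_session, issued_at = entry
        if bound_session != session_id:
            return False
        if self.clock() - issued_at > self.ttl:
            return False
        return hmac.compare_digest(answer.encode(), submitted.encode())


def replay_signups(store, hardened, attempts=5):
    """Simulate a spammer who solves one captcha by hand and then replays that
    answer across several registration attempts. Returns how many succeed."""
    solver_session = "sess-solver"
    solved_id, solved_answer = store.issue(solver_session)
    successes = 0
    for i in range(attempts):
        # Every registration form load issues a fresh challenge that the
        # spammer ignores; the one solved answer is submitted each time.
        session = solver_session if i == 0 else f"sess-sock-{i}"
        store.issue(session)
        if hardened:
            ok = store.verify(session, solved_id, solved_answer)
        else:
            ok = store.verify_vulnerable(solved_answer)
        successes += int(ok)
    return successes


if __name__ == "__main__":
    print("vulnerable:", replay_signups(CaptchaStore(), hardened=False), "of 5 sign-ups accepted")
    print("hardened:  ", replay_signups(CaptchaStore(), hardened=True), "of 5 sign-ups accepted")
```

With the weak verifier all five replayed sign-ups pass; with the hardened one only the first does, because the challenge is deleted on its first use and a later attempt from a different session, or after the TTL, is refused. When checking a live install, the equivalent test is the one the post describes: load the registration form twice, solve the second image, and submit that answer against the first form's challenge; a correct implementation rejects it.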

Ienpw III:

10-12-2009 06:30:08 UTC

10-12-2009 09:01:48 UTC

Good catch. I don’t know if we’re using ExpressionEngine’s default captcha or not - if we are, someone should raise this with EE. Either way, it looks like there are some alternative captcha extensions out there.

Can you actually delete accounts, by the way? I created a test account - Spamtest - to verify this bug, but I’m being told that I’m “not authorized” to delete user accounts.


10-12-2009 10:00:13 UTC



10-12-2009 12:09:13 UTC

75th trombone is the man that knows things. As this is a fresh install, we’re likely using the default captcha code.

As this is his install/server/etc., he should be informed.

Good catch, Wak


10-12-2009 23:29:33 UTC

@ Kev: No, apparently I cannot. I had never tried, since there was no need, so I had just assumed that we could.


10-13-2009 01:24:06 UTC

Wak: I think only the superadmins can, but I thought Kevan was one. Am now confused.


10-13-2009 13:01:44 UTC

I am not a superadmin.