Textpattern CMS support forum

#13 2018-01-26 11:27:49

gaekwad
Server grease monkey
From: People's Republic of Cornwall
Registered: 2005-11-19
Posts: 4,137
GitHub

Re: Silent comment spam

tkan wrote #308868:

Now, the comment spam is not triggering an email notification leading me to the assumption that the spammers 1) have access to my DB, 2) have access to my txp-installation or 3) use some injection technique.

Has anyone had similar experiences?

Yes, me. I had a Gmail account as the destination for comment alerts, and Gmail was tagging the email alerts as spam, and I never saw them. I added a rule to not mark them as spam (based on the title), and problem solved.

Edit: I still have that rule – my rule checks the subject for ] comment received: and never marks as spam. Done.

Last edited by gaekwad (2018-01-26 11:31:53)

Offline

#14 2018-01-26 11:29:52

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,273
Website GitHub

Re: Silent comment spam

etc wrote #308900:

I haven’t delved into comments processing, but I would write a script that … Hope it’s not that easy :-)

It is that easy.

But the point is, you still have to post twice. You can’t bypass it (“injection”) or post once unless you’re supremely lucky to create a nonce that matches one from another user. And if you don’t include a comment_message_input box you don’t get a nonce created anyway so that’s a pre-requisite to your script. And once the nonce is used, it gets flagged and can’t be reused, then deleted when the next comment comes in after 10 minutes, so you can’t keep using the same value either way.

You could certainly post a fake md5 value first time, but it still won’t match one in the DB so it’ll just get rejected and you’ll be given a new one in the response.

I think the system works. Yes it’s scriptable if you double-post, but in order for the comment to be posted at all, it has to go through the process of creating a nonce, and then notifying the user on submission.

Another long shot: the spam comment is triggering the comment email, but the OP’s mail system is detecting it’s spam and filtering it out :-)

EDIT: Pete got there first with my last sentence.

Last edited by Bloke (2018-01-26 11:30:33)


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp

Offline
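
The nonce lifecycle described in the post above, as an added example that is not part of the original thread and not Textpattern's own code: a simplified Python model in which the class, method and field names are assumptions, and only the behaviour (nonce issued with the form, rejected if unknown, single use, 10-minute expiry) comes from the post.

```python
import secrets
import time

NONCE_TTL = 600  # seconds: the "10 minutes" mentioned in the thread

class CommentGate:
    """Simplified model of the preview-then-submit nonce check (assumed names)."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.nonces = {}          # nonce -> {"issued": timestamp, "used": bool}
        self.comments = []        # stored comments
        self.notifications = []   # one alert per stored comment

    def _issue(self):
        nonce = secrets.token_hex(16)  # 32 hex chars, same shape as an md5 value
        self.nonces[nonce] = {"issued": self.clock(), "used": False}
        return nonce

    def preview(self, has_message_input=True):
        # Without a comment_message_input box no nonce is created at all.
        return self._issue() if has_message_input else None

    def submit(self, nonce, message):
        # Housekeeping on each incoming comment: drop nonces older than the TTL.
        cutoff = self.clock() - NONCE_TTL
        self.nonces = {n: r for n, r in self.nonces.items() if r["issued"] >= cutoff}
        rec = self.nonces.get(nonce)
        if rec is None or rec["used"]:
            # Unknown, expired or already-used value: reject and hand out a new one.
            return {"accepted": False, "nonce": self._issue()}
        rec["used"] = True  # flagged so it cannot be replayed
        self.comments.append(message)
        self.notifications.append("comment received: " + message)
        return {"accepted": True, "nonce": None}

def demo():
    now = [1000.0]  # constructed clock so expiry can be shown without waiting
    gate = CommentGate(clock=lambda: now[0])
    first = gate.submit("0" * 32, "hello")           # made-up value, not in the store
    second = gate.submit(first["nonce"], "hello")    # second post with issued nonce
    replay = gate.submit(first["nonce"], "hello")    # same nonce again
    stale = gate.preview()
    now[0] += NONCE_TTL + 1
    late = gate.submit(stale, "late")                # nonce older than 10 minutes
    return {"forged": first["accepted"], "second": second["accepted"],
            "replay": replay["accepted"], "expired": late["accepted"],
            "no_input": gate.preview(has_message_input=False),
            "stored": len(gate.comments), "notified": len(gate.notifications)}
```

In this model the comment is stored and its alert generated in the same step, so `stored` and `notified` always match; a stored comment with no alert would then point at the mail path rather than at the nonce check.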

#15 2018-01-26 11:48:02

tkan
New Member
Registered: 2018-01-25
Posts: 5

Re: Silent comment spam

Bloke and gaekwad had my heart pumping for a bit, thinking I caused all of this commotion for not checking my spam folder, but … there’s nothing in there – so truly silent for me.

Thanks for all the input, gave me a lot more insight into how the commenting works. In case there’s no freakish email f*up and the messages somehow disappear from my email server, I hope to shed some light on the matter by logging the POST requests. (I’m on a geeky managed hosting plan, so I have to ask the admins a pretty please first)

Only thing from looking at my current logs: there is no one trying to brute force nonces with the comments.

EDIT: And to add even more mystery, I found a notification email from a post which had a couple of silent spam comments. So, that one time, I was notified while no notification came upon receiving the other spam. This is quite puzzling.

Last edited by tkan (2018-01-26 11:51:50)

Offline

#16 2018-01-26 12:10:11

jakob
Admin
From: Germany
Registered: 2005-01-20
Posts: 4,599
Website

Re: Silent comment spam

Could perhaps the notification mail sending routine be choking on something?


TXP Builders – finely-crafted code, design and txp

Offline

#17 2018-01-26 12:11:53

gaekwad
Server grease monkey
From: People's Republic of Cornwall
Registered: 2005-11-19
Posts: 4,137
GitHub

Re: Silent comment spam

jakob wrote #308922:

Could perhaps the notification mail sending routine be choking on something?

Actually, that’s a good point – hosting company or destination email hosting might have outgoing/incoming spam detection of some sort that’s grabbing it.

Offline

#18 2018-01-26 13:27:01

phiw13
Plugin Author
From: Japan
Registered: 2004-02-27
Posts: 3,081
Website

Re: Silent comment spam

gaekwad wrote #308923:

Actually, that’s a good point – hosting company or destination email hosting might have outgoing/incoming spam detection of some sort that’s grabbing it.

Indeed, I was going to raise the same point. If the OP is using the email service provided by his hosting service, check that the messages are whitelisted in their anti-spam settings, and it is probably helpful to verify that TXP preferences > Admin > SMTP envelope sender address is set (correctly).


Where is that emoji for a solar powered submarine when you need it ?
Sand space – admin theme for Textpattern

Offline

#19 2018-01-26 14:09:18

gaekwad
Server grease monkey
From: People's Republic of Cornwall
Registered: 2005-11-19
Posts: 4,137
GitHub

Re: Silent comment spam

phiw13 wrote #308925:

Indeed, I was going to raise the same point. If the OP is using the email service provided by his hosting service, check that the messages are whitelisted in their anti-spam settings, and it is probably helpful to verify that TXP preferences > Admin > SMTP envelope sender address is set (correctly).

…and SPF & DKIM include the web host IP.

(I am reminded that external SMTP server transport in Textpattern would be super.)

Offline

#20 2018-01-26 14:19:23

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,273
Website GitHub

Re: Silent comment spam

gaekwad wrote #308926:

(I am reminded that external SMTP server transport in Textpattern would be super.)

I consider myself reminded. Didn’t we have an Issue to explore this somewhere? Can’t find it…


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp

Offline

#21 2018-01-26 14:22:15

gaekwad
Server grease monkey
From: People's Republic of Cornwall
Registered: 2005-11-19
Posts: 4,137
GitHub

Re: Silent comment spam

Bloke wrote #308927:

I consider myself reminded. Didn’t we have an Issue to explore this somewhere? Can’t find it…

Five minutes, Turkish.

Offline

#22 2018-01-26 14:26:00

gaekwad
Server grease monkey
From: People's Republic of Cornwall
Registered: 2005-11-19
Posts: 4,137
GitHub

Re: Silent comment spam

Bloke wrote #308927:

I consider myself reminded. Didn’t we have an Issue to explore this somewhere? Can’t find it…

github.com/textpattern/textpattern/issues/1133

Last edited by gaekwad (2018-01-26 14:26:10)

Offline

#23 2018-01-26 14:38:28

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,273
Website GitHub

Re: Silent comment spam

Much obliged, Sir. Even though it was two minutes five minutes ago.

Added a comment, as I found the thread where we talked about it before.


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp

Offline

#24 2018-01-26 15:01:33

jakob
Admin
From: Germany
Registered: 2005-01-20
Posts: 4,599
Website

Re: Silent comment spam

I was thinking (perhaps naively) of something simpler, like something illegal in the comment / commenter’s address that causes the sending of the email to abort but not the database entry of the comment.


TXP Builders – finely-crafted code, design and txp

Offline
