who's online shows bots sending emails to another user...

Started by shadav, August 01, 2020, 02:01:43 PM


shadav

 :o a bit concerned with that one....

noticed that it says they are sending emails to another user in the who's online
as well as reporting a topic to moderator

both of which bots can not do
emails aren't even displayed (except on their profile, which bots and guests can not access)

2.0.17 heavily modified with custom theme based off of default curve

Arantor

Just because it's reporting them doing it doesn't mean it was successful. No record is added of error messages shown to these people (fixed in 2.1)

shadav

hm...ok....
it's still a bit strange
as bots do not have access to users emails or the report functions

guests do not either other than to send topic to friend, but they do have access to the report function

so how they even came across that is odd

I've removed the email code from everywhere but the profile template

but thank you for curbing my concern there

last thing I need is some bot scraping users' emails or using the site to spam members

and this dang bot in particular practically lives on my site

in the past 2 hours alone I've had 200 bot visits and it's all this one (except for maybe 20)

I've put a Crawl-Delay: 40 into my robots.txt trying to at least slow them down a bit, but doesn't seem to help

a10

Maybe robots.txt, but some trash bots do not respect it.
Try out this in htaccess, add or delete sites, keep the lot if many hits from cn.
Have used it for a long time, miracle cure against many plagues.

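RewriteEngine On
# Only act on requests that carry a query string (e.g. index.php?topic=...)
RewriteCond %{QUERY_STRING} .
# ...and whose User-Agent contains any of these tokens ([NC] = case-insensitive)
RewriteCond %{HTTP_USER_AGENT} Ahrefs|Baiduspider|bingbot|BLEXBot|Grapeshot|heritrix|Kinza|LieBaoFast|Linguee|Mb2345Browser|MegaIndex|MicroMessenger|MJ12bot|PiplBot|Riddler|Seekport|SemanticScholarBot|SemrushBot|serpstatbot|Siteimprove.com|trendictionbot|UCBrowser|MQQBrowser|Vagabondo|AspiegelBot|zh_CN|OPPO\sA33|zh-CN|YandexBot [NC]
# Answer 403 Forbidden and stop processing further rules
RewriteRule ^.* - [F,L]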
2.0.19, php 8.0.23, MariaDB 10.5.15. Mods: Contact Page, Like Posts, Responsive Curve, Search Focus Dropdown, Add Join Date to Post.
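
An added example (not part of a10's post or of SMF): a Python sketch that replays the two RewriteCond tests from the rule above against access-log lines, so you can see which requests it would answer with 403 before deploying it. The Apache combined log format, the helper names and the sample lines are assumptions constructed for illustration.

```python
import re

# User-Agent alternation copied verbatim from the RewriteCond in the post above.
UA_PATTERN = re.compile(
    r"Ahrefs|Baiduspider|bingbot|BLEXBot|Grapeshot|heritrix|Kinza|LieBaoFast|"
    r"Linguee|Mb2345Browser|MegaIndex|MicroMessenger|MJ12bot|PiplBot|Riddler|"
    r"Seekport|SemanticScholarBot|SemrushBot|serpstatbot|Siteimprove.com|"
    r"trendictionbot|UCBrowser|MQQBrowser|Vagabondo|AspiegelBot|zh_CN|"
    r"OPPO\sA33|zh-CN|YandexBot",
    re.IGNORECASE,  # equivalent of the [NC] flag
)

# Assumed log layout: "METHOD target PROTO" status bytes "referer" "user-agent"
LOG_LINE = re.compile(
    r'"[A-Z]+ (?P<target>\S+) [^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def would_block(target, user_agent):
    """Mirror the rule: both RewriteCond lines must match for [F] to apply."""
    _, _, query = target.partition("?")
    has_query = query != ""  # RewriteCond %{QUERY_STRING} .
    return has_query and UA_PATTERN.search(user_agent) is not None

def classify(log_lines):
    """Split parsed (target, user_agent) pairs into (blocked, allowed) lists."""
    blocked, allowed = [], []
    for line in log_lines:
        m = LOG_LINE.search(line)
        if m is None:
            continue  # not a combined-format line
        entry = (m["target"], m["ua"])
        (blocked if would_block(*entry) else allowed).append(entry)
    return blocked, allowed

def _line(target, ua):
    """Build one constructed log line (documentation IP, made-up request)."""
    return (f'203.0.113.7 - - [01/Aug/2020:14:05:11 +0000] '
            f'"GET {target} HTTP/1.1" 200 512 "-" "{ua}"')

# Constructed sample traffic, not taken from any real site.
SAMPLE = [
    _line("/index.php?topic=12.0", "Mozilla/5.0 (compatible; SemrushBot/6~bl)"),
    _line("/index.php", "Mozilla/5.0 (compatible; SemrushBot/6~bl)"),
    _line("/index.php?board=1.0", "mozilla/5.0 (compatible; mj12bot/v1.4.8)"),
    _line("/index.php?topic=12.0", "Mozilla/5.0 (Windows; U; zh-CN) Firefox/3.6"),
    _line("/index.php?topic=12.0", "ExampleCrawler/1.0"),
]

if __name__ == "__main__":
    blocked, allowed = classify(SAMPLE)
    print(len(blocked), "blocked;", len(allowed), "allowed")
```

The allowed SemrushBot line and the blocked zh-CN browser line show the rule's two edges: listed crawlers still reach URLs without a query string, and any client whose User-Agent carries a listed token is refused.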

digger

You have "Send this topic" enabled for spammers guests.

shadav

yeah I allow guests to use that but not bots, but maybe I'll remove that permission....lmfao who really uses the send to friend button anymore instead of using social network sharing buttons....

Arantor

Um, bots show up as guests as far as the system is generally concerned... and even if you tweaked the search engine settings appropriately (bad idea), they still have it indexed from before you did it and just try it anyway.

Even if it doesn't succeed, the attempt is still recorded.

Try it yourself: open an incognito browser, go to a topic that is private that a guest couldn't go to. See what the online kit then says - it says the user went there, because it only logs the attempt, not whether it was successful or not.

efk

Is that mod that displays bot name on Who's Online and can it be controlled who can see it (I mean administrator and maybe others with permission to see it and not everyone)?

shadav


a10

I see 2 different who's online results for guests\bots accessing links.

Directed to a login\reg page like
"You are not allowed to moderate this forum. Please login below or register an account"
"Only registered members are allowed to access this section. Please login below or register an account"
Who's online shows these as "Viewing the board index"

Or a detailed who's entry like
"Sending email to another member"
while guests\bots get:
"An Error Has Occurred! You are not allowed to access this section"

Kindred

yes, and that is based on the URL they are calling.

The Who's Online will show the URL that they have attempted to reach as the action.

period.

that's it.

If your permissions are correct, they won't SEE any data at that URL... but if it's called, that's what you see.

I'm not sure what's so confusing about this that the conversation is still going on.
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Arantor

This has been the case for 10 years, I made a mod to fix it 10 years ago and a variation of it made it into 2.1 to report that 'the user tried to go here but they see an error message while trying.'

(I may have been motivated by the then-lead developer telling me it was 'impossible' to do this. I did it in an afternoon. No I don't still have the mod, even if I did it would need updating.)

Kindred

of course it's POSSIBLE...   heck, I can think of the code logic off the top of my head (even if I couldn't necessarily WRITE the mod)

Personally, I don't think it's worth the time to implement (even if it was just an afternoon for you) - LOL

Arantor


Kindred

yup, I saw that part of the comment.... :)
I stand by my statement. :P
::) :-X

Arantor

How many times has this confused people over the years? Instead of having to explain it every time, make the software better!

shadav

yeah it was a bit confusing....I mean it makes sense I guess....kind of would have figured it'd say something more around the lines of attempted to or denied said action bla bla bla due to permissions....

but as long as they aren't actually doing it, it's all good  :P
I'm just leery of the "send email to user" bit was all....ug I hate spam, don't need some rogue bot collecting user info to spam them

:laugh: funnier part is stupid idiots that sell my info online or had a "breach"....yeah shadav isn't my legal name dumb###  :laugh: but sure go ahead and give shadav up to $2,000 credit card  :laugh:  8)

on that note, I can guarantee you that citibank sells people's information (it's the only place I listed someone as living at my address and now I get junk mail for them)

Kindred

Even when someone sends an email to another user from the forum, the target user's email is not exposed
