[chrishajer]

Has anyone seen profile spam like this? In the past couple days, I have been getting a different sort of spam registration. Instead of cramming just one link in their occupation and interests fields, they are cramming 4, 5 or 6 links in there. When you view their profile page, the links all appear there. If you go to edit their profile page (which is where I go to delete the user) you can’t see the links displayed in those fields, but the links do appear in the source of the page. Take a look here:

http://www.chrishajer.com/bbpress/profile.txt

This is the source of the user’s profile page (caution, porn links in there.)

http://www.chrishajer.com/bbpress/profile.png

That is the profile view showing the data they crammed into the occupation and interests fields.

http://www.chrishajer.com/bbpress/profile-edit.png

That is the view you get when you click the [Edit] tab link. The only data shown in the occupation and interests fields is “My lovely sites:”, but if you view the source, it’s all there.

When registering a new user, the max length is 140 and the display length is 30 for the occupation and interests fields. When viewing the profile, the field lengths are the same. But here are 577 characters in this spammer’s occupation and interests fields, but when viewing that page, all you see is “My lovely sites:”.

It’s trivial to get around a form’s field length restriction with something like the Web Developer Toolbar, or maybe they’re doing it in a different way. I have an integrated install so the value is held in the wp_usermeta table, and the field is defined as longtext, which is a LOT of characters.

Has anyone else seen this, and does anyone think there should be some validation done on the data that’s input to ensure that it’s less than 140 characters before inserting it into the database?

This was Firefox 2.0.0.14 on Windows XP SP2, running bbPress 1.0-alpha from around March 2007, PHP 5.2.5, MySQL 4.0.27, Apache 1.3.34.

Thanks for reading.

[howtogeek]

Same thing has been happening to me left and right. I’ve added in my own keyword-based spam filter, but it doesn’t catch everything.

I think there should be a heck of a lot more protection built in against spamming… there’s simply no reason to allow a URL in any field other than website.

I’ve been getting a really irritating spam lately, nothing but random characters, like 8-10 in each field.

[dampfire123]

Oh yeh?

[Sam Bauers]

Are those URLs actually turning into links on the profile page? That is not how trunk or the 0.9 branch behaves now. We don’t strip tags, we just turn them into entities instead. Is there possibly some plugin that is filtering your profile field text and turning those URLs into links?

[chrishajer]

Hi Sam.

They are actually links on the profile page (in the screenshot they are green and clickable.) I didn’t actually click any of them to be 100% certain, and I don’t have any now that I can check to be sure.

I have very few plugins installed, none for the profile I don’t think. Here is a screenshot of my plugin page.

http://www.chrishajer.com/bbpress/plugins.png

If one comes through again, I will make sure the links are clickable. It actually looks like they did some tricks escaping the quotes (backslash and space.) If none come through, I will try to recreate it, and if I can, I will try it with the 0.9.0.2 release.