By Manos Gryparis on Monday, 23 March 2015
Posted in General
EasyBlog is the only module that has spam issues.

1) I get spammed by Polish users all the time. Somehow, they manage to log in and post. Maybe there is a hole in the EasyBlog system? Please check this out!

I have version 3.9.19775

2) If I choose to "Update" to the latest version, is this issue going to be fixed? I am a bit worried about the previous blog entries being lost because I have hundreds of them.

Thank you.
Hello Manos,

It's not really a security hole but I am just guessing that you need to configure your ACL in EasyBlog to only allow trusted Joomla user groups permissions to post and publish posts on the site.
Monday, 23 March 2015 22:08

How do I configure the Access Control List?

I have no idea. Please give me exact instructions on where to go in Admin panel, what to click etc.
Tuesday, 24 March 2015 01:55

Hello Manos,

I am sorry for the delay of this reply.

You can find the configuration from your Joomla backend > EasyBlog > ACL > registered > set the write/publish blog to "No". Refer to the screenshot here: http://screen.stackideas.com/2015-03-24_1307.png

As my colleague mentioned above, you can assign your trusted bloggers to another access group level and enable them to write/publish the blog.
Tuesday, 24 March 2015 13:09

Ok got it. That won't do because I want all registered users to blog instantly.
The problem is that bots don't post in either JomSocial, or Kunena forum. They only post on Easyblog! So there is a script or something that allows them to do.

How can I add a captcha verification for every blog post?
Friday, 03 April 2015 07:19

Hello Manos,

That won't do because I want all registered users to blog instantly.


If that is the case, all of your users, regardless of where they are from, can post and publish blog posts as long as they are able to register on your site. So it's really not a security loophole whatsoever. Unfortunately, at this moment we do not have captcha verification for every blog post with the current system.

The best possible way is for you to configure the ACL level of EasyBlog, or to restrict user sign-up on your site and manually approve the user for each registration.
Friday, 03 April 2015 12:14

Ok how can I manually approve blogs? Also, do I get a notification email when someone blogs?

And finally, in which version are you planning to add captcha?

Thank you.
Friday, 03 April 2015 18:24

Hello Manos,

You can manually approve the blogs from your backend > easyblog > pending: http://screen.stackideas.com/2015-04-03_2040.png. The administrator will get an email notification for each blog entry submitted by the bloggers, and you can directly approve or reject the blog post via email.

Regarding your captcha inquiry, currently we do not have any plans to integrate reCAPTCHA in EasyBlog.
Friday, 03 April 2015 20:43

Hi,
I have the same problem, Polish spammers can log in without being approved and blog. I am afraid I do not understand how "to configure the ACL level of easyblog or restricted the user to sign up into your site and manually approve the user for each registration. " I want every registered user to be able to blog. Through Easyblog - so it seems - they can register without notification and approval and post their spam - I do not receive any notification of their registration but one when they post their spamblog.
On the ACL page I can configure that all registered users can post but not save this configuration (no save button) - something wrong with my installation (latest Easyblog version)? As long as it is possible to blog unauthorised on my site without a built-in captcha, I do need the opportunity to check whether it is a real blog or just spam before it gets published.
Thursday, 09 April 2015 22:48

Sorry, the image should appear attached to my posting, but I deleted it since there was a real email of one of my users on it which I removed. It seems it needs a new posting to upload the image again
Thursday, 09 April 2015 22:56

Hello Dirk,

May I know if you are using the Community Builder component to control the registration of new users on your site? If yes, perhaps you can consult the CB developer regarding the user registration issue on your site, as they know their components best.

By the way, if you are using native Joomla registration, you can change the registration behavior from your backend > global configuration > user manager: http://screen.stackideas.com/2015-04-10_1123.png

Hope this helps.
Friday, 10 April 2015 11:23

Ezrul Fazwan wrote:
You can find the configuration from your joomla backend > easyblog > ACL > registered > set the write/publish blog to "No". Refer screenshot here, http://screen.stackideas.com/2015-03-24_1307.png

As my colleague mentioned above, you can assigned your trusted blogger to another access group level and enable them to write/publish the blog.


Please take a look at the attached screenshot - looks very much different from yours. And no save button, so the whole page does nothing. Any idea how to get rid of these spammers? Thank you very much
best wishes
Dirk
Saturday, 11 April 2015 15:45

Hello Dirk,

I am really sorry for the delay of this reply as it is a weekend for us here. You need to click on the group and only then you'll be able to set the ACL rules for the group
Saturday, 11 April 2015 15:48

Ezrul Fazwan wrote:
May I know are you using Community Builder component to control the registration of the new user onto your site? If yes perhaps you can consult with CB developer regarding on the user registration issue on your site as they know best about their components.


Yes, I do use CB to log in. I found that in Easyblog's backend the normal Joomla login was chosen and thought that may be it. Fixed it and tonight a new spamblog was posted:(
I am going to ask in the CB forum, but still believe the problem is with Easyblog since no other component has been used to post spam (no forum, comments, guestbook entries).
Anyway thanks for replying. Hopefully I can solve the problem it's very annoying.
Best wishes
Dirk
Saturday, 11 April 2015 15:49

Hello Dirk,

Take a look at my reply above, you need to only allow trusted users to post blog posts by configuring ACL in the group. You need to read from the start of this thread as we have advised the thread starter about this initially
Saturday, 11 April 2015 15:53

Mark wrote:
I am really sorry for the delay of this reply as it is a weekend for us here.


No problem, here too:)

You need to click on the group and only then you'll be able to set the ACL rules for the group

I am afraid that changes nothing. There is no chance to save this configuration, nor does it save automatically. The only possibility is to click "home", then return and see that still no option is marked:(
Saturday, 11 April 2015 16:01

Mark wrote:
Take a look at my reply above, you need to only allow trusted users to post blog posts by configuring ACL in the group. You need to read from the start of this thread as we have advised the thread starter about this initially


Sorry for my stupidity, but I read from the first posting here and still do not get it. How do I allow only trusted users to post?
Saturday, 11 April 2015 16:24

Hello Dirk,

I am really sorry for the delay of this reply as it is a weekend for us here. For instance, take this scenario, if you have userA and userB and you want to only allow userB to publish blog posts on your site. In the Joomla users' manager, assign userB into the "Author" group.

Then, proceed to the ACL section at the back end of EasyBlog, click on the "Author" group and give them permissions to write and publish post. Disable these permissions on the rest of the groups.

If you want me to configure this for you, please provide us with the back end access and let me know which is the trusted group
Sunday, 12 April 2015 15:31

Hi Mark,
Thanks for helping!
Meanwhile I asked in the CB forum and they suggested some modifications in the Joomla configuration. I hope this will fix the problem, time will tell. Anyway thanks again for being patient and supportive.
Best wishes
Dirk
Monday, 13 April 2015 14:32

Hello Dirk,

Not a problem at all. Hope your issue will be resolved soon. Thanks for the heads up
Monday, 13 April 2015 15:51

Ok, right now, because you don't want to put Captcha, I was forced to create a category named "Bloggers" in User Levels, and told my users to ask for permission by sending me email.

When are you going to offer an OPTIONAL field so that we can add CAPTCHA. I will PAY for it as a donation! I can't afford so many hours per day to moderate blogs, or moderate people in the bloggers list, just to avoid stupid spambots from all over the world, because you don't want to add such a simple feature!

And also, tell me how should I know when someone posts a blog that waits for moderation! I don't see any notification for this.
Sunday, 19 April 2015 20:15

Hello Manos,

Putting a captcha will not solve your issues. Spammers these days are mostly generated by real humans behind computers. How would you avoid that then?
Monday, 20 April 2015 00:17

1)90% of bots are NOT humans. I own this website since 2005 and I know very well how Joomla works in these cases. If you put a Captcha we will avoid most of them.

2)Until you do so, at least tell me how to block a whole country using Plugin "Domain restriction"
http://extensions.joomla.org/extension/domainrestriction
When I configure it through Plugin Manager, I have put .pl and *.pl to block Poland. But it doesn't work. At least this can do the job for 19/20 of spammers. Because 19/20 are from the same company from Poland and 1/10 was a random Gmail account!

3)If I put in ACL:
Write Entry: No
Publish Entry: No
...for registered users, then they can't even create a new blog! When they click to create a new blog they are redirected to their Dashboard! So they can't even post something so that I can moderate it!

How are new registered users supposed to know that they have to ask access for Blogs? Does this sound logical to you? For a website of 34.000 registered users like mine that doesn't get spammed like most of your clients, it doesn't sound logical at all!

Less than half of them will care to send email and ask me for access. Most of them will think that the site is corrupted and they will leave! So fix a captcha there which will take you less than 1-3 hours, which will be entirely OPTIONAL for Admins and let us work.

EasyBlog is the only module today that allows that particular Polish spammer to login and post! Which means that there is probably a hole in the module, with which they registered and post instantly using spambots. There is no other hole like this in either Kunena or JomSocial.
Monday, 20 April 2015 03:33

Hello Manos,

I am sorry for the delay of this reply.

1)90% of bots are NOT humans. I own this website since 2005 and I know very well how Joomla works in these cases. If you put a Captcha we will avoid most of them.

I agree with you, but in most cases the real work is done by humans themselves. However, we will take this into consideration and see whether there is actually a loophole in our EasyBlog component. By the way, EasyBlog does not handle the registration algorithm of users on your Joomla site, as it is entirely controlled by Joomla.

2)Until you do so, at least tell me how to block a whole country using Plugin "Domain restriction"
http://extensions.joomla.org/extension/domainrestriction
When I configure it through Plugin Manager, I have put .pl and *.pl to block Poland. But it doesn't work. At least this can do the job for 19/20 of spammers. Because 19/20 are from the same company from Poland and 1/10 was a random Gmail account!

To be honest, we have no idea how the plugin works, as it is not developed by us. Perhaps you can get in touch with the Domain Restriction developer for your inquiry.


3)If I put in ACL: Write Entry: No and Publish Entry: No for registered users, then they can't even create a new blog! When they click to create a new blog they are redirected to their Dashboard! So they can't even post something so that I can moderate it!

The best possible way is for you to set Write entry to Yes and Publish entry to No, so that you can filter the blogs posted by your users and identify whether they are appropriate for your site or not. You can filter the blog posts from your backend > easyblog > pending.

By the way, thanks for the great feedback that you gave. We will see if we can improve the security features of the EasyBlog component in a future release. Thank you and have a nice day.
Tuesday, 21 April 2015 10:48

If I set Write entry to Yes and Publish entry to No, how am I supposed to get notified on when to Accept a blog entry?

The only place I see for notifications is inside the Administration panel! Is this practical? Do I have to remember to login every day there and check if there are new blogs?

I have 34.000 members, how am I supposed to know how many of my users have sent Blog entries?

Please reply asap because there is the contest of the month running. I need to get notified via email!

Thank you.

ps. Apply the CAPTCHA asap. The fact that most of the Admins are not spammed doesn't mean that there is not a problem. Did you ever have a site with 100.000 unique monthly visitors, placed in 60.000+ position in Alexa? Guess what, that's me, and I have 1 spam blog every 24 hours. I can't work like this!
Saturday, 25 April 2015 21:21

I already have a security question in registration which is in greek language! And the answer is also in greek!
How they are supposed to know the answer?? Bots wouldn't find it.

That is why I insist to put Captcha on EasyBlog!
Sunday, 26 April 2015 21:32

Hello Manos,

Noted, we'll consider this.
Monday, 27 April 2015 01:16

You still didn't reply one question:
How Am I supposed to get notified via email when someone posts a blog for Pending?

Shall I remember to refresh the page in the Admin page? That's simply infeasible! I have 4 jobs, and only the 1 of those is retaining my site with daily articles, reviews, handling the marketing, organizing events, moderating, video editing, replying to 100 emails per day etc.

How am I supposed to remember to refresh the "Pending" page in the Backend?

This is a dead end! Either put the Captcha, or send a notification via email when someone posts a blog!

Rejected blogs
I've rejected ONLY ONE blog post in Backend, which was spam, and suddenly the system rejected all 12 pending blog posts!

Where are they? I hope that they are not vanished!
I need details on how to recover them!

ps. I have also installed this as 3/4 spam bots have .pl emails.
http://extensions.joomla.org/extension/user-mail-restriction
But I need a solution for the remaining 1/4. I can donate it, I don't care. I have been drawn to work and I can't go on devoting time to such stupid spam issues, neither me, nor you.

So implement the Captcha, optional through Backend, and tell me how it costs.
This is serious beta testing to a website of 34.000 users, not to small websites.
Tuesday, 05 May 2015 06:36

Hello Manos,

I am sorry for the delay of this reply.

You still didn't reply one question:
How Am I supposed to get notified via email when someone posts a blog for Pending?

By right the admin should get notified via email if there is any new blog post that is under moderation, as you can see from the screenshot here: http://screen.stackideas.com/2015-05-05_1608.png. Perhaps you have disabled the "notify admin on a new blog post" setting from backend > easyblog > settings > notification? If everything checks out and the problem still persists, perhaps you can provide us with your Joomla backend and FTP access so we can help you with the issue directly.

I've rejected ONLY ONE blog post in Backend, which was spam, and suddenly the system rejected all 12 pending blog posts!

It seems like it was a bug on our end. Can you download the attachment below, place it inside your /administrator/components/com_easyblog/views/pending/tmpl folder and see how it goes?
Unfortunately, it is not possible to retrieve the rejected posts. You can only check the record of the rejected posts in your database's #__easyblog_post_rejected table.
Tuesday, 05 May 2015 18:07

1) Notify
By right the admin should get notified via email if there any new blog post that is under moderation as you can see from the screenshot here, http://screen.stackideas.com/2015-05-05_1608.png . 

"Notify admin on new entries" is Yes but I never got any emails.

About the rejected post, I was lucky that this user re-posted his article after getting a "Rejected" email.

But I can't find the folder you mentioned to put the attachment:
http://tinypic.com/view.php?pic=350rwg4&s=8#.VU_bs_mqpBc

"/administrator/components/com_easyblog/views/pending/tmpl"

No "pending" folder.

2)
New issue: How is it possible that my main Admin account is spammed?
http://oi59.tinypic.com/20tqah5.jpg
No new user registrations! Just spam! Did I prove you now that these Polish guys are exploiting your module? Not only you need a Captcha, but you need a solution here! It's impossible that my Admin account posts Polish blogs!
Monday, 11 May 2015 06:30

Hello Manos,

"Notify admin on new entries" is Yes but I never got any emails.

Perhaps you can provide us with your joomla backend and FTP access so we can test the issue directly on your site as I am not able to replicate the issue in my local instance. Please advise.

I can't find the folder you mentioned to put the attachment:
http://tinypic.com/view.php?pic=350rwg4&s=8#.VU_bs_mqpBc

"/administrator/components/com_easyblog/views/pending/tmpl"

No "pending" folder.

From the screenshot, you actually went to the site folder, not the administrator folder: /administrator/components/com_easyblog/views/pending/tmpl. Hope this helps.

New issue: How is it possible that my main Admin account is spammed?
http://oi59.tinypic.com/20tqah5.jpg
No new user registrations! Just spam! Did I prove you now that these Polish guys are exploiting your module? Not only you need a Captcha, but you need a solution here! It's impossible that my Admin account posts Polish blogs!

If you allow me to check directly on your site, maybe I can figure out how the issue happened. Please advise.
Monday, 11 May 2015 11:41

Hello I can't find ". /administrator/components/com_easyblog/views/pending/tmpl. "

Also I can't contact you. Please add me on Skype : hardcoregr@yahoo.com

Thank you.
Wednesday, 13 May 2015 18:27

Hello Manos,

I would love to have you on Skype, but unfortunately we do not provide any support on Skype. It would be best if we proceed via our ticketing system instead.

By the way, you can refer to my video link here regarding the file path location: http://screen.stackideas.com/2015-05-13_1857.swf

Hope this helps.
Wednesday, 13 May 2015 19:11

Manos Gryparis wrote:

EasyBlog is the only module that has spam issues.

1) I get spammed by Polish users all the time. Somehow, they manage to log in and post. Maybe there is a hole in the EasyBlog system? Please check this out!

I have version 3.9.19775

2) If I choose to "Update" to the latest version, is this issue going to be fixed? I am a bit worried about the previous blog entries being lost because I have hundreds of them.

Thank you.
Manos Gryparis wrote:

If I set Write entry to Yes and Publish entry to No, how am I supposed to get notified on when to Accept a blog entry?

The only place I see for notifications is inside the Administration panel! Is this practical? Do I have to remember to login every day there and check if there are new blogs?

I have 34.000 members, how am I supposed to know how many of my users have sent Blog entries?

Please reply asap because there is the contest of the month running. I need to get notified via email!

Thank you.

ps. Apply the CAPTCHA asap. The fact that most of the Admins are not spammed doesn't mean that there is not a problem. Did you ever have a site with 100.000 unique monthly visitors, placed in 60.000+ position in Alexa? Guess what, that's me, and I have 1 spam blog every 24 hours. I can't work like this!


I agree... I too am getting spammed by Polish users. There needs to be a quick way to stop this. Very sad.

Bruce
Friday, 15 May 2015 21:17

Hi Bruce Williams,

Perhaps you can try this: whoever publishes a blog post, the post will be under moderation, so those blog posts must be approved by an admin and only then published on your site. Hope this helps.
Friday, 15 May 2015 23:33

Once again Rejecting a Blog post automatically Rejects all of them!

I had 7 Blogs, the 1 was spam, the other 6 were normal. I lost 6 blog post entries unless my users decide to re-post them!

Is this solved in version 5? I am surprised that you don't test your component in large websites like mine. These are VERY serious issues, ALL connected with each other.

1)Polish users spam.
2)Can't get email for notification to blogs.
3)Rejecting a blog post rejects all of them!

I really can't work like this. I am beta testing like I already do all these years.

Are all these solved in RC5 or not?
Thursday, 11 June 2015 20:55

Hi Manos Gryparis,

I'm really sorry for the delay of this reply and for the inconvenience.

It seems like you haven't replaced the file; my colleague attached the fix file in a previous reply.

That file should fix this issue.

By the way, can I have your Joomla backend and FTP access so that we can directly check on your site regarding the following issues?
1)Polish users spam.
2)Can't get email for notification to blogs.
3)Rejecting a blog post rejects all of them!

Looking forward to your response.
Sunday, 14 June 2015 23:50

Reading through this I didn't see it mentioned, so I thought I'd ask... Are you hiding any publishing URLs via CSS (display:none)?

If spam posts are being generated without new user registration, what user ID are the blog posts under? Existing "Registered" user, or higher ACL level?

Is everyone having this problem on J!2.5 or does it also happen in J!3.x?

I wonder if there's an easy way to hack into the template some meta info that gets posted into the blog what URL was used when the post was generated; it could give a clue where the hole is at.
Monday, 15 June 2015 11:40

Send me an email to manos [at] gameworld.gr because I can't find the tickets link and I can't find how to contact you via PM!
Even the Forum/Profile system here is hard to learn.
Monday, 15 June 2015 22:40

There is no PM system. The only private communication is with SI via crm.stackideas.com.
Monday, 15 June 2015 23:43

Hi Manos Gryparis,

Sorry for the late reply to this.

Yes, you can send your site access to our helpdesk via crm.stackideas.com as David suggested.

By the way, I already sent an email to your email address.

Looking forward to your response.
Tuesday, 16 June 2015 16:14

Hi Manos Gryparis,

I'm really sorry that I missed your email.

I have already applied the fix in this file ( JoomlaFolder\administrator\components\com_easyblog\views\pending\tmpl\default.php ) that my colleague provided in the reply above. Can you give it a try now? It should work fine now; it will not automatically reject all the posts at one time.

By the way, I already checked your site. It seems like you didn't enable this email notification to be sent to your custom email (check my screenshot: http://screen.stackideas.com/2015-06-19_1049.png), and I also suspect you didn't set up a cronjob on your site, so it will not automatically process the emails sent to your users. Right now you have only configured "Send emails on page load", which means the system only processes and sends the emails when a user loads your Easyblog page; if no user visits your Easyblog page, it will not be triggered.

If you can provide us with your cPanel access, we can help you configure this cronjob on your site.

Also, I have already disabled this "Publish entry" option for you from your backend > Easyblog > ACL > Registered user (check my screenshot: http://screen.stackideas.com/2015-06-19_1052.png)

Keep us updated then.
Friday, 19 June 2015 10:53

Ok it seems that it works for the following:

1)Polish users spam: Not tested yet, but I had some spam blog posts from random .com domains. I will try to change the security question in my website and let you know. It's a greek security question and they will have no hope.
2)Can't get email for notification to blogs. -> Fixed. Now email arrives.
3)Rejecting a blog post rejects all of them! -> Also fixed.

Thanks for helping. I will update you if the Polish users spam is fixed.

Also add those fixes to your next update patch! Many users still have those issues! This will save time. For all of us!

Thank you!
Friday, 19 June 2015 11:08

Hi Manos Gryparis,

Yes, we will include this fix in next release version.

By the way, I have already helped you fix these issues; it should be working now for the submit for review and location.

But I noticed you already changed back ACL > registered user > publish entry - yes?

You should set it to NO to prevent the "Polish users spam" from happening.

Keep us updated if you find any issues.
Friday, 19 June 2015 12:03

Hi, I also confirm that as of today I received traffic and blog submissions by Polish spambots. I am running version 3.4.3 and EasyBlog version 3.9.24862. I had to delete the spammy blog entries and also enforce the explicit approbation from an administrator for all blog entries, as suggested on this thread. Our blog is not very big, so it's not a big deal, but I can understand users that have EasyBlog with thousands of users and bloggers. Hope to see a fix soon.
Tuesday, 14 July 2015 07:37

Hi Gregorio Aristizabal,

Sorry for the late reply to this.

If your site allows registered users to create new blogs, you have to disable their `publish entry` permission from your backend > Easyblog > ACL > registered user group > publish entry - NO. When a registered user submits a new blog on your site, that post will be under moderation, so your site admin or moderator will receive the email notification, and you can approve/reject the post from the email or from backend > Easyblog > pending.

In other words, you can prevent the blog spam from being published on your site. Hope this helps.

By the way, I would personally prefer that you start a new thread instead if you have other question for this.
Tuesday, 14 July 2015 10:57

The situation has gone out of hand!

We have 40 spam accounts being registered per day! Each account posts 1-2 blog posts pending for moderation.
Our account system has a security question, which is bypassed through Easyblog.

Even if we moderate the blogs, we have to:
A)Click to ban each user through the User Manager.
B)Check and Reject the Spam blog posts.

This takes several hours each day which means loss of work!
When are you going to fix this bug and the hole in the code? We've been waiting for months. Is there a fix in the newest version? Have you tested that the fix actually works?

I am asking because I use version 3.9.19775
If this issue is fixed in the newest version and you have tested that it works, only then I will upgrade. Also, how can I upgrade? By just installing the extension at the top of the old one?

Thanks.
Wednesday, 11 November 2015 08:53

I can't edit my previous post. When I click the Edit button it says "Unable to load Composer".

Even if we moderate the blogs, we have to:
A)Click to ban each user through the User Manager.
B)Check and Reject the Spam blog posts.
C)Get our mail inbox spammed every day by 40 emails that say that "A new blog post was posted". After a few days we have hundreds of emails caused by spammers. Because we need to get notified for new blog posts, whether they are valid or not!
Wednesday, 11 November 2015 08:55

Hey Manos,

I am sorry for the delay of this reply,

May I know what `New User Account Activation` setting you have set in your Joomla? (check my attached screenshot 1)

And can you temporarily turn off the following few options through which users can register on your site? That way we can isolate how the spam users register on your site.
#1. Go to backend > Easyblog > settings > workflow > subscriptions > Allow registrations during subscription - NO
#2. Go to backend > Easyblog > settings > comments > General > Allow registrations during commenting - NO

*Attached Screenshot 2 and 3.

After you turn off these settings, check again and see whether new spammers are still registering on your site.
Wednesday, 11 November 2015 16:52

Attached screenshot 2 and 3.
Wednesday, 11 November 2015 16:53

#1. Was already "No".
#2. It was set to "Yes" and now I've set it to "No".

Everything is set as you wish now.

I will inform you about potential spammers within 2-3 days.

If number 2 was the issue we should have known it for one year now and most important you have to set these as default so that no one has issues.

My site has huge traffic and is a permanent target for spammers, so you have to focus in the long-term for everyone.
Saturday, 14 November 2015 06:36

Hi Manos,

I am really sorry for the delay of this reply.

Yes, we have already set option 2 to "No" for every fresh installation of EasyBlog 5 to prevent this issue from happening in the future. However, it is not possible to change this value if you are upgrading from EasyBlog 3.9 to EasyBlog 5, since it would mess up the ACL settings from EasyBlog 3.9.

Hope you understand and keep us updated.
Monday, 16 November 2015 13:32

Still the same thing.

Nothing changed.

This is the daily spam. This happens EVERY day!
Saturday, 21 November 2015 02:30

And these are my settings.
Your component causes us big trouble! There is definitely a port in the system which is vulnerable and allows registration + blog posting. You better find out the issue as soon as possible!

It's been 6 months since we started experiencing this issue and the spam is growing up fast during the last month!

http://oi64.tinypic.com/2uq24hc.jpg
http://oi63.tinypic.com/2lbizch.jpg
http://oi67.tinypic.com/35hi6ah.jpg
http://oi67.tinypic.com/208vcc8.jpg
http://oi67.tinypic.com/2i8tyz4.jpg
·
Saturday, 21 November 2015 02:37
·
Hey there,

I am really sorry for the delay of this reply as it is a weekend for us here.

The reason why you are getting a lot of pending review posts is that you allow new users to register on your site without admin approval, so new users are able to submit a lot of spam posts on your site.

Can you temporarily block all the spammer user accounts on your site and set `New User Account Activation` to `Administrator` from the backend user manager option page? (screenshot : http://screencast.com/t/9vS6RxfA8aBv )

Then re-check and see whether you are still getting a lot of spam pending posts.

If you are still getting a lot of spam pending posts after today, can you give the `Wong` user account Superadmin privileges so that I can log in to your Joomla backend and take a look at this?
·
Saturday, 21 November 2015 15:19
·
"The reason why you getting a lot of pending review post is because you allow new user register in your site without admin approval, "

Seriously?
- I have used Joomla for 6 years and I have always accepted new users when they register, just because this happens on 99% of websites in the world! People will leave a website if they can't register with validation.
- ALL of my components, modules and plugins never had any issues with spam! Only yours has issues! Why don't we have users posting in Kunena Forum or in their Jomsocial profile? Let me tell you why. Because EasyBlog is VULNERABLE. So forward this to your developers or hire new developers to fix it.
- I have 37.000 registered users in 10 years! This means 3.700 registered users per year so 10 new users per day. I have news to write, reviews to write, videos to edit for our youtube channel (we upload one per day), and 100 emails to answer. Why should I moderate new registrations? Why should I spend more time because your component has a vulnerable port?

I didn't exchange 20 emails with you just for you to tell me to approve new users manually! I could have done this by myself in the first place without wasting so many months of time!
·
Saturday, 21 November 2015 22:47
·
Hey there,

I am really sorry for the delay of this reply. I believe I didn't explain very well in my previous reply, which caused this misunderstanding.

The main point of my previous reply was to find out whether the users who submit posts on your site are real people or a robot system controlling this.

Hmm, it seems you did not accept the idea I suggested in my previous reply, so I am not yet able to verify whether a real person or a robot system is submitting spam posts on your site.

Can you try downloading my attached file, replacing JoomlaFolder\components\com_easyblog\themes\dashboard\system\dashboard.write.php with it, and see how it goes? (Note: remember to back up your original file.)
·
Monday, 23 November 2015 15:20
·
I've put the file there. Same thing. More spam posts!

Let me make clear that my website has a security question to which only Greeks know the answer! So we never had spam accounts registering and commenting in news items and Kunena forum. The only spam posts are posted on EasyBlog! So this means that there is a vulnerable port in your component which has to be fixed.

I am expecting what your next point is. Just look at the starting date of this thread.
·
Wednesday, 25 November 2015 19:28
·
Hi Manos Gryparis,

I am sorry for the delay of this reply.

Currently in EasyBlog there are 4 possible ways of adding blog posts.

1. Via the EasyBlog frontend under the dashboard page,
2. EasyBlog remote email republishing,
3. Feed importer, and
4. Using an XMLRPC client such as Windows Live Writer.

I believe your site did not use methods 2 and 3. Method 4 is enabled by default, and method 1 is where a user logs in to your site and writes a new blog post.

So what I am about to do on your site is disable the xmlrpc feature in EasyBlog so that we can isolate where the spamming is coming from. To do this, can you tell me the directory path to your Joomla installation? You can edit your original post and provide us the directory path in the 'site details' section. Also, please provide us your Joomla backend admin access as well, as the previous account that you provided no longer works for me.

If disabling xmlrpc in EasyBlog still doesn't help, I will consider adding the captcha to your EasyBlog.
Please advise.

Hope this helps and have a nice day!
Sam
·
Thursday, 26 November 2015 15:57
·
Hello
For some time (almost one year) our website has been facing the same issue - 1 to 5 new spam or bot users daily. Most of them have a Polish email address.
We are using JomSocial for handling user registrations. Registered and activated (via activation mail) users can post blogs.
I tried 2 plugins to prevent registration from specified domains but it seems that users are completely bypassing the Joomla and JomSocial registration system.

What's even more curious, non activated users are able to post EasyBlog posts.
And all their blogs are dated with year 2013.


Also, last visit date for spam users is always "Never"

It seems that spammers are using EasyBlog to register and post blogs.
They NEVER post comments via Komento.

Regards
Krx
·
Friday, 27 November 2015 10:31
·
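The indicators Krx reports (posts from non-activated accounts, a last visit of "Never", post dates that do not fit the account) can be checked directly against the database. The audit below is an added example, not part of the thread and not EasyBlog or Joomla code: it runs on constructed sample rows, the `users` columns are modelled on Joomla's user table, and the `posts` table is a hypothetical stand-in for the blog post table.

```python
import sqlite3
from datetime import datetime

NEVER = "0000-00-00 00:00:00"  # assumed marker for "never logged in"
FMT = "%Y-%m-%d %H:%M:%S"

def build_sample_db():
    """In-memory database with constructed rows (not data from the thread)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, block INTEGER,
                            activation TEXT, registerDate TEXT, lastvisitDate TEXT);
        -- hypothetical stand-in for the blog post table
        CREATE TABLE posts (id INTEGER PRIMARY KEY, created_by INTEGER,
                            title TEXT, created TEXT);
    """)
    conn.executemany("INSERT INTO users VALUES (?,?,?,?,?,?)", [
        (1, "alice", 0, "", "2012-05-01 09:00:00", "2015-11-20 18:30:00"),
        (2, "spam_a", 1, "f3a9c0token", "2015-11-26 03:12:00", NEVER),
        (3, "bob", 0, "", "2015-11-01 10:00:00", NEVER),
    ])
    conn.executemany("INSERT INTO posts VALUES (?,?,?,?)", [
        (10, 1, "Review of the week", "2015-11-21 12:00:00"),
        (11, 2, "cheap loans", "2013-03-02 00:00:00"),
        (12, 3, "hello", "2015-11-27 08:00:00"),
    ])
    return conn

def audit_posts(conn):
    """Return {post_id: [reasons]} for posts whose author state is inconsistent."""
    rows = conn.execute("""
        SELECT p.id, p.created, u.block, u.activation, u.registerDate, u.lastvisitDate
        FROM posts p JOIN users u ON u.id = p.created_by ORDER BY p.id
    """)
    findings = {}
    for post_id, created, block, activation, registered, last_visit in rows:
        reasons = []
        if last_visit in (None, "", NEVER):
            reasons.append("author-never-logged-in")
        if activation not in (None, "", "0"):  # a pending activation token remains
            reasons.append("author-not-activated")
        if block:
            reasons.append("author-blocked")
        if datetime.strptime(created, FMT) < datetime.strptime(registered, FMT):
            reasons.append("post-predates-registration")
        if reasons:
            findings[post_id] = reasons
    return findings

if __name__ == "__main__":
    for post_id, reasons in audit_posts(build_sample_db()).items():
        print(post_id, ", ".join(reasons))
```

A post flagged `author-never-logged-in` suggests it did not arrive through the frontend dashboard, which is a reason to review the other posting methods Sam lists (remote email, feed importer, XML-RPC) alongside the registration settings.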
Hi Krx,

Thanks for sharing this with us. Currently there are two ways for a guest to register with EasyBlog:

1. You enable 'Allow Registration When Posting Comments' in your EasyBlog comment settings, and
2. you enable the 'Registration During Subscription' option in your EasyBlog subscription settings.

Is one of the above settings enabled in your EasyBlog?

Also, 'What's even more curious, non activated users are able to post EasyBlog posts. ' is not supposed to happen. Users need to be logged in to your site in order to create blog posts. Are you using the latest EasyBlog 5.0.x? Did you allow all your users from the 'registered' Joomla group to create blog posts? Anyway, I've added extra checking in EasyBlog so that any user who is not activated will not be able to create blog posts. This fix will be added to the next release of EasyBlog 5.0.

Thanks again for your feedback on this matter.
Have a nice day!
Sam
·
Friday, 27 November 2015 15:25
·
I have added the Joomla installation path.

Also I have added my Skype email. It has been 9 months and still no issue fix!

The spam situation has gone right OUT OF CONTROL! 80% of my emails are spam blog posts, so notifications as well! Because if I didn't get notifications I couldn't remember refreshing the app every day to see the real blog posts.

I don't care but this has set to be AAA priority and you should test it by yourself!
·
Sunday, 29 November 2015 10:53
·
Manos Gryparis wrote:
Let me clear that my website has a security question in which only greeks know the answer!


I didn't come across one. It was very easy for me to register and post.
·
Sunday, 29 November 2015 14:07
·
Interesting. If I use the EasyBlog register link it provides this URL:
http://www.gameworld.gr/login?view=registration



I assume you were wanting this URL:
http://www.gameworld.gr/community/register



Two solutions:

  • Remove the login box in the EasyBlog Bar
  • Remove the EasyBlog Bar altogether for non-logged in users.


By the way, Google Translate works pretty well in bypassing your question. Another option would be something dynamic. Captcha, as you recommended. You could have a two-part question. A captcha and a "click on the correct picture" random question.
·
Sunday, 29 November 2015 14:19
·
Hi David,

Thanks for heads up on this one.

Interesting. If I use the EasyBlog register link it provides this URL:
http://www.gameworld.gr/login?view=registration


The reason you are seeing this is that EasyBlog does not handle the user registration process. What EasyBlog does is simply provide a link that takes the user to your Joomla user registration page.
Sam
·
Monday, 30 November 2015 18:07
·
Hi Manos Gryparis,

I have added the Joomla installation path.

Also I have added my Skype email. It has been 9 months and still no issue fix!

The spam situation has gone right OUT OF CONTROL! 80% of my emails are spam blog posts, so notifications as well! Because if I didn't get notifications I couldn't remember refreshing the app every day to see the real blog posts.

I don't care but this has set to be AAA priority and you should test it by yourself!


Thanks. I will be adding the captcha to your EasyBlog and once I am done, I will update you again. Also, we do not provide support via Skype. The forum is the only support channel we use for now.

Thanks.
Sam
·
Monday, 30 November 2015 18:12
·
Hi Manos Gryparis,

When I attempt to login to your Joomla backend admin with the account you provided, I get the following error message:

"You do not have access to the administrator section of this site."

Can you give admin access to the user account that you've provided us so that I can check your EasyBlog settings before I add the captcha to your site?

Please advise.
Sam
·
Monday, 30 November 2015 18:31
·
Hello,

Sorry for that.
Now you have access with the username and password provided.

I'll wait for your feedback. Also my Skype is hardcoregr [ατ] yahoo.com

Thank you.

ps. As David Montoya said:
A)Replace the EasyBlog login box with site's default login box (in my case it's JomSocial)

B)As he said, this registration link should be inactive because it doesn't have a Security Question!
http://www.gameworld.gr/login?view=registration

The only registration link available should be this:
http://www.gameworld.gr/community/register


So make both changes in order to be sure, and implement both in the next Easyblog version!

Thank you.
·
Tuesday, 01 December 2015 10:41
·
Hi Manos Gryparis,

I've added the captcha to the write blog page of your EasyBlog. Below are the files I've modified.

JOOMLA/components/com_easyblog/themes/dashboard/system/dashboard.write.php
JOOMLA/components/com_easyblog/controllers/dashboard.php
JOOMLA/components/com_easyblog/views/dashboard/view.html.php

I've tested the captcha and it is working correctly at your site. Please see http://screencast.com/t/zXb63GTJoq


ps. As David Montoya said:
A)Replace the EasyBlog login box with site's default login box (in my case it's JomSocial)

B)As he said, this registration link should be inactive because it doesn't have a Security Question!
http://www.gameworld.gr/login?view=registration

The only registration link available should be this:
http://www.gameworld.gr/community/register


You can configure your EasyBlog to link the 'registration' link to JomSocial. You can find this setting in the EasyBlog backend under settings -> workflow -> general -> users -> login provider. I've configured it for you to use JomSocial instead of Joomla.

So make both changes in order to be sure, and implement both in the next Easyblog version!


This is a customisation that I did to your site. Currently we do not have a plan to implement captcha in EasyBlog 5.0.x, as this should be controlled under ACL for your Joomla user groups.

Also, please understand that your license for the EasyBlog subscription has already expired, and if you require further support from us on your EasyBlog, please consider renewing your EasyBlog subscription.

Thank you and have a nice day!
Sam
·
Tuesday, 01 December 2015 13:24
·
Sam wrote:
Currently we do not have the plan to implement captcha into EasyBlog 5.0.x as this should be control under ACL for your Joomla user groups.
!


Hello
My 5 cents:

- I think that captcha should be activated by default for the first X* posts?
I see this on many forums and it's a reasonable "hassle" for newcomers, which will go away for ppl who stick around.

- Also a new option could (Imho should) be involved:
If the user is new (0 blog posts), for their first X* posts:
- do not send new blog notification to subscribers for whole website
- do not auto publish
- notify admin
- if admin approves it, send notification(s) and publish blog

*X is set in config area

I think that above would improve blog administration a lot. Option to manually set regged users to special user group which is able to post is just hassle for admins, and needs someone 24/7 for monitoring. Also regged users don't want to wait a lot to be approved to do something. We are happy if someone (regular) registers at all. There is so many other websites and blogging platforms around, so users are bored to do anything.

What do you think?

Regards
Krx
·
Tuesday, 01 December 2015 16:35
·
Hi Krx,

- I think that captcha should be activated by default for the first X* posts?
I see this on many forums and it's a reasonable "hassle" for newcomers, which will go away for ppl who stick around.


For a forum, yes, I do agree with you that we need the captcha to avoid spam posts. But for a blogging system, it is kind of a 'turn off' when the author has to key in the captcha every time he/she updates the blog content. But again, it depends on how you open up the blogging ability to your site users.

I've talked to the team and maybe we can include an option to use captcha or not when writing a blog, and we will see if we can implement this in EasyBlog 5.1, since we want to revamp the blog writing area.

Anyway, thanks again for your feedback and your suggestion.
Sam
·
Tuesday, 01 December 2015 16:50
·
But for a blogging system, it kinda 'turn off' where author have to key in the captcha everytime the author update his/her blog content.


Hello

I agree that captcha would be a hassle for regular blog users.
I'm saying that captcha could be activated for, let's say, the first 3 posts only. After that it's not shown any more. An appropriate message would be there: "Sorry for captcha, but it will go away after 3 posts" or something.
Every blogger would understand this.

Regards
Krx
·
Tuesday, 01 December 2015 17:03
·
Finally, after 9 months. Let's see if the spammers' issue will be solved.

"This is a customisation that I did to your site. Currently we do not have the plan to implement captcha into EasyBlog 5.0.x as this should be control under ACL for your Joomla user groups."

By default, the registration system should point to Joomla, JomSocial, whatever. There is no point in having your own registration system, when everyone can register via Yahoo emails (that's what they do in my case, no SMS validation!) and spam whole sites! You haven't experienced this issue for 9 months because you don't have a portal with 38.000 registered users which is one of the best targets for spammers!


About license I have a partnership with Stackideas, send me an email for more info, I can't send you PM.

Thank you.
·
Tuesday, 01 December 2015 20:35
·
Krx wrote:

But for a blogging system, it kinda 'turn off' where author have to key in the captcha everytime the author update his/her blog content.


Hello

I agree that captcha would be a hassle for regular blog users.
I'm saying that captcha could be activated for, let's say, the first 3 posts only. After that it's not shown any more. An appropriate message would be there: "Sorry for captcha, but it will go away after 3 posts" or something.
Every blogger would understand this.

Regards


We are planning to add this probably in 5.1 when we revamp the composer. The new composer seems to draw quite a bit of negative feedback especially with the usability. With the revamped composer, it will be much easier to insert a captcha

Manos Gryparis wrote:

Finally, after 9 months. Let's see if the spammers' issue will be solved.

"This is a customisation that I did to your site. Currently we do not have the plan to implement captcha into EasyBlog 5.0.x as this should be control under ACL for your Joomla user groups."

By default, the registration system should point to Joomla, JomSocial, whatever. There is no point in having your own registration system, when everyone can register via Yahoo emails (that's what they do in my case, no SMS validation!) and spam whole sites! You haven't experienced this issue for 9 months because you don't have a portal with 38.000 registered users which is one of the best targets for spammers!


About license I have a partnership with Stackideas, send me an email for more info, I can't send you PM.

Thank you.


The license that you have obtained is for a link share but I don't seem to see any links on your site which points back to us.
·
Tuesday, 01 December 2015 20:52
·
Manos Gryparis wrote:
By default, the registration system should point to Joomla, JomSocial, whatever.


Wasn't the issue that it pointed to Joomla's registration by default? While it is SI's job to patch security holes, it's yours to ensure your site is configured properly. I'm honestly surprised that in 9 months you hadn't tried breaking your own site like I did. Do you not have an offline development platform to test before deployment? If you're making edits to a live website you're gambling with a fix-on-fail situation like this.
·
Tuesday, 01 December 2015 22:39
·
Hi David,

Thanks for the heads up on this one
Sam
·
Wednesday, 02 December 2015 17:40
·
Hi
I'm still curious how is this possible?
In Capture1.jpg post year is always 2013
In Capture2.jpg Last Visit Date is always Never

- Registration handler is JomSocial (All required JomSocial fields are filled by spammers)
- I installed redirect script to bypass default Joomla registration urls and to point em to JomSocial
- I installed plugin to block pl domains, but it seems that it doesn't work with Jomsocial, it handles only Joomla registration
- EasyBlog login box is hidden
Krx
·
Thursday, 10 December 2015 16:33
·
Spammers are getting smarter each day and I think you need to check your redirection scripts. There could be a possibility that they are doing a direct "POST" request to com_users or com_community to create the account.

Try EasySocial
·
Saturday, 12 December 2015 00:59
·
Mark wrote:
Try EasySocial


This is not funny!

I'm asking, how is it possible that they are able to create EasyBlog post without being logged as Joomla user?
Also, how come that year for created blog is always 2013?
Krx
·
Saturday, 12 December 2015 01:05
·
I believe they are actually using a "script" to automate blog postings. Hm, it is not possible for them to create / publish a blog post without being logged into the site.

If you look at the author column, they are actually created by real users on your site and they probably scripted the entire login process without being really logged in. Imagine a crawler but for spam purposes.
·
Saturday, 12 December 2015 01:08
·
If you were supposed to have fixed the problem then why did this user register today?
·
Thursday, 17 December 2015 23:06
·
If you allow any registered users to post on your site, then anyone that registers on your site will be able to post a blog post. If you only want to allow trusted users, then do not allow "Registered Users" group to post a blog post on your site.

Captcha is only a prevention and it does not 100% block spammers from posting blog post unless you configure your ACL
·
Thursday, 17 December 2015 23:14
·