
Flaw in the Snowball Effect allows spammers to bypass other checks #18

Open
GoogleCodeExporter opened this issue Mar 14, 2015 · 1 comment

Comments

@GoogleCodeExporter

I'm running Spam Karma 2.3 rc4 on WordPress 2.9.2 and I just recently 
received a spam message which, despite having a bad JavaScript payload and 
a Flash Gordon problem, had a karma of 48.67.

After examining the problem, I discovered that it was using a URL of 
http://myblog.com/?randomHexadecimalGibberish to trick the snowball plugin 
into overriding the rest of the plugins with an injection of 60 karma.

I'm not familiar with the internals of Spam Karma, but here are the two 
possibilities that came to mind:
- add a check that makes "self-link" karma conditional on the commenter 
being logged in
- modify SK so karma for logged-in and non-logged-in users is tracked 
separately.

The temporary workaround I'll be trying is setting the snowball plugin to 
weak. If that fails, I'll just have to disable it.

Original issue reported on code.google.com by [email protected] on 23 Feb 2010 at 11:23

@GoogleCodeExporter
Author

I think a fix for this might be that a bad URL should give negative karma, but 
a "good" URL should do nothing.  No positive karma for non-bad URLs.

Original comment by [email protected] on 28 May 2011 at 6:25
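The scoring interaction described in the report, together with the two fixes proposed in the thread (the reporter's "self-link karma only for logged-in commenters" and the later "bad URL gives negative karma, a non-bad URL gives nothing"), as an added Python model. This is example code written for this page, not Spam Karma's own code: the check names, the blog host `myblog.com`, the spam threshold and every weight are assumptions, with the +60 taken from the report and the two penalties chosen so the toy total reproduces the reported 48.67. The sample comments are constructed.

```python
"""Toy model of additive comment-karma scoring: one large positive signal
(the Snowball "self-link" bonus) outweighs every negative check, and two
ways to close the hole. Added example; not Spam Karma code. All weights,
thresholds and names below are assumptions for illustration."""
from dataclasses import dataclass
from urllib.parse import urlparse

BLOG_HOST = "myblog.com"             # assumed: the blog's own domain, as in the report

# Assumed weights. The +60 is the "injection of 60 karma" from the report; the two
# penalties are chosen so the toy total reproduces the reported 48.67.
SELF_LINK_KARMA = 60.0
JS_PAYLOAD_PENALTY = -8.0
FLASH_GORDON_PENALTY = -3.33
BAD_URL_PENALTY = -20.0
FLASH_GORDON_SECONDS = 5.0           # assumed: faster than this is not a human
SPAM_THRESHOLD = 0.0                 # assumed: karma below this is treated as spam
KNOWN_BAD_HOSTS = {"pills.example"}  # constructed blocklist for the example


@dataclass
class Comment:
    author_url: str
    body: str
    logged_in: bool = False
    seconds_to_submit: float = 30.0


def check_js_payload(c: Comment) -> float:
    """Negative karma for a script tag in the comment body."""
    return JS_PAYLOAD_PENALTY if "<script" in c.body.lower() else 0.0


def check_flash_gordon(c: Comment) -> float:
    """Negative karma when the form came back faster than a person could type."""
    return FLASH_GORDON_PENALTY if c.seconds_to_submit < FLASH_GORDON_SECONDS else 0.0


def is_self_link(url: str) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return host == BLOG_HOST or host.endswith("." + BLOG_HOST)


def snowball_original(c: Comment) -> float:
    """The flawed rule: any URL on the blog's own host earns the full bonus,
    so http://myblog.com/?<random hex> is rewarded like a trusted regular."""
    return SELF_LINK_KARMA if is_self_link(c.author_url) else 0.0


def snowball_login_gated(c: Comment) -> float:
    """Reporter's first suggestion: the self-link bonus only for logged-in users."""
    return SELF_LINK_KARMA if c.logged_in and is_self_link(c.author_url) else 0.0


def url_negative_only(c: Comment) -> float:
    """Commenter's suggestion: a bad URL costs karma, a non-bad URL earns nothing."""
    host = (urlparse(c.author_url).hostname or "").lower()
    return BAD_URL_PENALTY if host in KNOWN_BAD_HOSTS else 0.0


BASE_CHECKS = [check_js_payload, check_flash_gordon]
VARIANTS = {
    "original": BASE_CHECKS + [snowball_original],
    "login_gated": BASE_CHECKS + [snowball_login_gated],
    "negative_only": BASE_CHECKS + [url_negative_only],
}


def karma(c: Comment, checks) -> float:
    return round(sum(check(c) for check in checks), 2)


def score_all(c: Comment) -> dict:
    """Karma for one comment under each Snowball variant, rounded to two decimals."""
    return {name: karma(c, checks) for name, checks in VARIANTS.items()}


def is_spam(c: Comment, variant: str) -> bool:
    return score_all(c)[variant] < SPAM_THRESHOLD


# Constructed inputs: the spam from the report (bad JS, submitted too fast,
# self-link with a random hex query) and a logged-in regular linking to the blog.
SPAM = Comment("http://myblog.com/?a3f9c2e17b", "cheap pills <script>...</script>",
               seconds_to_submit=0.4)
REGULAR = Comment("http://myblog.com/about/", "Nice post, thanks.", logged_in=True)

if __name__ == "__main__":
    for name, c in (("spam", SPAM), ("regular", REGULAR)):
        print(name, score_all(c), "spam under original:", is_spam(c, "original"))
```

Under the original rule the constructed spam scores 48.67 and is accepted even though both negative checks fired; under either fix it drops to -11.33 and is rejected, while the logged-in regular keeps a non-negative score in every variant. The difference between the two fixes is what a legitimate self-link is worth: the login gate keeps the bonus for authenticated regulars, the negative-only rule removes it entirely, so that no URL the spammer can type produces positive karma. Setting the plugin to "weak", the workaround mentioned in the report, only scales the bonus down and leaves the manufactured positive signal in place.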
