Geeklog Forums

In the last few days, I've been receiving some weird "spam" email via the "Contact" link on my site, which allows visitors to email me via "profiles.php?uid=2". The mail is weird, strange subject lines and messages like "I love this site", not trying to sell me anything, but obviously bot-driven. I don't know what they're trying to do, but it makes me nervous.

I don't think it's a "hole" in Geeklog, because I wanted anonymous users to be able to contact me, even if it means an occasional "spam". I don't think bots are going to abuse it to flood me with email, since there's not much point in that. But I decided to double-check and make sure it's not going to let them spam other users, and now I'm confused.

I thought I had it set up so that anonymous users could only email me, and users had to logon to email other users. But when I looked at my config file, I saw:

$_CONF['profileloginrequired'] = 1;
$_CONF['emailuserloginrequired'] = 0;

So it looks like somebody would have to logon to view a user's profile, which contains the "email to user" link. But if somebody (or somebot) calls "profiles.php?uid=n" directly, it might work.

That scared me. So I set emailuserloginrequired =1. Now anonymous users can not email anybody, even me.

In profiles.php, within the contactemail function, I see
if (empty ($_USER['username']) &&
(($_CONF['loginrequired'] == 1) || ($_CONF['emailuserloginrequired'] == 1))
&& ($uid != 2)) {
return COM_refresh ($_CONF['site_url'] . '/index.php';

That looks like it should do what I wanted: forbid email to any user except uid 2 if emailuserloginrequired is 1. But it looks like setting it to 1 blocks email to everbody including uid 2, and setting it to 0 allows anonymous bots to spam any registered user. Am I missing something?

I think this bug report discusses the same thing.

bye, Dirk

I don't think that bug report describes what I was talking about, so I guess I didn't explain my problem very clearly. And I don't know if my problem is really a "bug", or just Geeklog's normal function not doing what I want.

The bug report seems to describe a situation where site owners want anonymous users to be able to send email to registered users, but not display their profiles, and set

_CONF['profileloginrequired'] = 1 - user profile only for logged in users
_CONF['emailuserloginrequired'] = 0 - anonymous user can post comments directly to story author

and then _CONF['profileloginrequired'] = 1 prevents anonymous users from being able to display the contact form, so they can't email users even if _CONF['emailuserloginrequired'] = 0.

My problem is that I don't want anonymous users to be able to display profiles, and I also don't want them to be able to email other users. So presumably I should set both switches to 1. But I DO want anonymous users to be able to email me, and only me (uid =2).

There seems to be logic in function contactemail to allow that:

// check for correct $_CONF permission
if (empty ($_USER['username']) &&
(($_CONF['loginrequired'] == 1) || ($_CONF['emailuserloginrequired'] == 1))
&& ($uid != 2)) {
return COM_refresh ($_CONF['site_url'] . '/index.php';
}

but it wasn't working. Then I looked a little farther down and found contactform had:

if (empty ($_USER['username']) &&
(($_CONF['loginrequired'] == 1) || ($_CONF['emailuserloginrequired'] == 1))) {


I added && ($uid != 2)) to the check in contactform, and now I think it's working the way I want.

And I'm still getting those silly little spams, so maybe I need to upgrade to 1.4.1 and use captcha for that function. I'm still not sure what the spams are trying to do, since they don't contain any "sales" talk. Maybe they're trying to send me spam with the sales BS in images that are getting thrown away before I get the message.