A severe influx of spam attempts using the recommend addon prompted me to disable it for guests

Hello,

It has come to my attention that a bunch of spammers have been trying to use the recommend site feature to send spam links to other people's emails. Often it will get blocked by Composr / trigger a hack attack.

To prevent this, you are now required to log in to your account to use the recommend feature. Furthermore, members on probation also cannot use the addon (which includes members who failed the antispam question on registration).

Thank you for your understanding in our attempts to cut back on spam.

Hi, I assume you mean they are changing the text of the email. Maybe making it so it cannot be altered (for Guests and Probation) would be a solution? I like this feature on my site so if it's open to abuse I might have to disable it myself, which would be a shame because it's quite useful.

Yes that's what I was hinting at… Guests and Probation would only be able to send the recommendation using the default message (which of course can be modified by using Translate / Rephrase Composr and finding the language string)

Ohhh wait a minute you're not talking about the issue I created, my bad.

For clarification: As a quick fix, the recommended addon will require login (on compo.sr). But I also created an issue tracker for v11. Create a new privilege that allows groups to send their own custom message. Denied by default for guests and probation.

If anyone else is having issues with spammers abusing the addon, just go into the permission tree editor and restrict view access to the recommend module for both guests and probation. That's the quick fix. In v11 I'm hoping to introduce the above new privilege.

Do note: Composr seems to be doing a pretty good job at triggering hack attacks when someone tries to send spam links via the addon. But it's of course not fool-proof. Someone could still bypass the spam system by not posting a link but rather just advertisement text (or even an obfuscated "link"). People have been trying to do that on the forums in the past before we significantly locked them down.

I don't know if there's any rate limiting on Recommends, can't recall seeing that option but that may also help?

There is an "invites per day" setting. I'll have to look and see if that applies to recommendations.

Edit: It is used by the addon but does not limit its use.