Pligg Spammers And Using Google to Find Pligg V1.0.0 Sites

Pligg Security Vulnerability
Last week we decided to run a live install of Pligg v1.0.0 RC5 as a test to see if the usual spammers would come to visit it, lo and behold we were not disappointed with around ten spam registrations per day and over 100 spam submissions to date. We enabled the few so called spam prevention features available to Pligg including Email Validation, Recaptcha and Submit Antispam Addon, none of these methods were effective against the spammers though and after only one week the site became spam ridden.

Pligg has been a spam magnet for as long as it has been in existence with each new version doing little to nothing thats effective to combat the problem. Every website on the Internet today that is based on the Pligg platform has trouble with spam and spam is the leading contributor to owners closing down their Pligg sites when spam completely over shadows genuine submitted content.

Readers that were expecting Pligg v1.0.0 to address these issues and actually provide the features necessary for managing users and spam effectively will be greatly disappointed.

What Pligg v1.0.0 Can Actually Do With Spam

The features listed below is what pligg can actually do to help stop spammers accessing your website, most in fact simply cause the spammer a little hassle and nothing else, most spammers will put up with these measures for a backlink.

Email Validation
Users are required to validate their email address on registration, no real deterrent as we seen.

Recaptcha
Places a combination of words that must be typed and verified by the user before it allows registration, again no real deterrent.

Submit Antispam Addon
Create user authorizations to submit certain number of new stories based on quality of recent user submissions. In other words a new user can only submit one story in any 24 hour period to your site, not a solution but a damage limitation control measure. What we found though was multiple accounts from the same IP being registered to bypass this module features. Also the fact you need to limit the content submitted to your site is less than social and will indeed harm your user experience.

KillSpam User
Killspam deletes all a users submissions and comments along with adding -killspam to the end of their email and changing their password to well “password”? This is intebded to stop that particular username logging into your site again, it doesn’t ban by IP so they tend to always simply register again.

What Pligg v1.0.0 Can Not Do With Spam

Delete Users From The Database
There is no way within the pligg sytem to completely delete the user from your database, all users and profiles will remain in your site forever and show in the to users section etc. Killspam users are the same and cannot ever be deleted from the database.

Ban User By IP
Plig g provides no way to ban users by IP address which can prove to be the most effective way to deter spammers that originate from the same IP’s all the time. Pligg claim to have a blacklist module and another module that allows you to ban by IP, both of these rely on you messing about with FTP files and provide no way of simply clicking a button in a users profile titled “Ban By IP” like most other systems.

Askimet
Truth of the matter is this module never worked and looks like it never will even although it’s still distributed with the pligg core it’s useless, no spam is caught and there is no way to set any options, all in all they would be better simply providing a bunch of blank files in it’s place as they carry out the same function.

First Submission Approval
Unlike Social Web CMS Pligg provides no way to manually approve a members first submission to the site, this method cuts out spam almost completely and has been a fantastic success within the Social Web CMS system. After submission approval users can submit articles as normal to the site.

In actual fact the only thing to change with v1.0.0 of pligg relating to spam is the way spammers will find your site, with v9.9.5 a google search for “powered by Pligg” was the favoured way to find Pligg sites to spam. With v1.0.0 of Pligg the google search string that seems to be preferred by spammers has changed to “* Published News * Upcoming News * Submit a New Story * Groups * Create a Group“.

Don’t take our word for it setup a Pligg v1.0.0 site today and watch the spam flood in.

If you enjoyed this post, make sure you subscribe to my RSS feed!

Article Details

#

Author: on May 25th, 2009

Category: Pligg

Tags: , ,

  1. Geoserv says:

    The only way to combat spam with Pligg is to add reCaptcha to the submission process. Spammers will register, then use bots for the submissions, thats why the reCaptcha on registration is useless.

    But bots can’t can’t by the reCaptcha on submission, therefore no spam.

    I have been using the reCaptcha on step1 of the submission process and I get maybe 1 spam submission every 3 weeks or so.

    This module was not released by Pligg nor adopted into their core files for the recent release, no surprise.

  2. bbrian0176 says:

    I had that mod working but it was affecting the EVB option that comes with pligg!

    Seems it’s a catch 22!

    I’m now running live with social web cms so pligg mods are no longer usable I think…

  3. 布里斯班 says:

    Spammers always find way to do it.

  4. Another idea is to only let god/admins posts stories and only allow users to vote and comment without links.

  5. dUNNo says:

    @Geoserv – Nope, v4 of APD now includes manual re-captcha form or use of decapther.com service 🙂