Pligg spammers still a problem in v9.9.0

You probably thought Pligg was getting better at dealing with spam entries; well, you would be wrong. Pligg sites are a haven for spammers, and the developers haven't even attempted the simple task, in v9.9.0, of adding email verification to the registration process, which would have helped greatly. First there was the PycURL SQL injection spam, then there was India and SEO, and now the latest would seem to be Australian IPs spamming with bots and googlemail.com accounts.
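The email verification the post says is missing from v9.9.0 is, at its core, a link containing a token that only the site could have minted for that address. The following is an added example written for this post, not code from Pligg: a signed, expiring confirmation token using HMAC-SHA256. The secret, the one-day lifetime and the `/confirm.php` link shape are assumptions for illustration.

```python
import hmac
import hashlib
import time

# Constructed demo secret; a real deployment would load this from configuration, not source.
SECRET_KEY = b"constructed-demo-secret-not-for-production"
TOKEN_MAX_AGE = 24 * 60 * 60  # assumed policy: confirmation links expire after one day


def make_confirmation_token(email: str, issued_at: int, secret: bytes = SECRET_KEY) -> str:
    """Return 'issued_at.hexmac'; the MAC binds the normalised address to the issue time."""
    message = f"{email.strip().lower()}|{issued_at}".encode()
    mac = hmac.new(secret, message, hashlib.sha256).hexdigest()
    return f"{issued_at}.{mac}"


def verify_confirmation_token(email: str, token: str, now: int,
                              max_age: int = TOKEN_MAX_AGE,
                              secret: bytes = SECRET_KEY) -> bool:
    """True only if the token was minted for this address, is unmodified and has not expired."""
    issued_str, sep, _presented_mac = token.partition(".")
    if not sep or not issued_str.isdigit():
        return False  # malformed token
    issued_at = int(issued_str)
    if issued_at > now or now - issued_at > max_age:
        return False  # clock skew or expired link
    expected = make_confirmation_token(email, issued_at, secret)
    # Constant-time comparison so a forger learns nothing from response timing.
    return hmac.compare_digest(expected, token)


def main():
    email = "newuser@example.org"  # constructed sample address
    issued = int(time.time())
    token = make_confirmation_token(email, issued)
    print(f"link: /confirm.php?email={email}&token={token}")
    print("valid one minute later:", verify_confirmation_token(email, token, issued + 60))
    print("valid two days later:", verify_confirmation_token(email, token, issued + 2 * TOKEN_MAX_AGE))


if __name__ == "__main__":
    main()
```

The signature stops anyone from forging a confirmation link for an address they do not control, and the timestamp keeps old links from being replayed. It does not, on its own, stop a bot that genuinely owns the mailbox, which is the bypass the post suspects the gmail-account spammers are going for.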

We have had SQL vulnerabilities in the user.php file that caused focused attacks on pligg sites only, allowing bots to completely bypass the registration process and captcha and insert users and stories directly into the pligg database using PycURL. Odds are that Google featured prominently here, or one of the master lists at pligg.com or PliggSites.com, as a way to identify which sites were vulnerable to the SQL injection used to complete the attack.

An Akismet module to combat spam was released, but it has been reported as slowing down the story submission process by up to 50 seconds on step_3 of the submission. We tried the Akismet module that comes bundled with v9.9.0 of pligg for ourselves and it simply doesn't work: settings cannot be edited, spam is not detected or cannot be deleted, and so on. Even the module we applied a speed fix to and released still doesn't work correctly, although it does solve the submission slowdown.

One of the ways suggested over at the pligg forum is the use of a hack titled “Single step registration + Confirmation e-mail v0.1”; unfortunately this hack will only work with v9.8.2 of pligg and not the current v9.9.0 release. Like so many times before at pligg, the developers posted on the 15th January 2008 that a version for v9.9.0 of pligg would be released within a week; here we are over two months later, Ash has never replied again to the thread, and still an update has never been released. Not for the first time, I may add, this lets the pligg community down. We checked the Pligg Modules section of the forum, other threads, and the SVN that dollar5 had hinted at, to try and locate the update Ash mentioned, without any success.

This means your v9.9.0 site will still be vulnerable to PycURL attacks. Any attacker's emails will probably be blank@blank.com, and we have had word from several webmasters running v9.9.0 that this is still happening, and pretty frequently by the sounds of things.

Another type of spam we have been alerted to would seem to originate from Australia and be bot driven: users have been registering at pligg sites from AU IPs with googlemail.com or gmail.com accounts. The email addresses usually look similar to top.jewlery@googlemail.com, all having a “.” within the user-name part. A few weeks back Google's gmail.com captcha process was broken by hackers, allowing bots to register gmail.com email accounts automatically. It looks like the PycURL spammers are now also utilizing this hack to gain gmail accounts for spamming purposes.

Why would they do this? Well, it may just be to get round email confirmation by having the bot verify the email address automatically, although this hasn't been confirmed. Another factor is that it's very unlikely you will ever ban gmail.com or googlemail.com accounts from registering on your website, because they are used by 1000s of legitimate members. The spammers know this, hence they have started to use googlemail.com accounts.
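Taken together, the indicators described above (the blank@blank.com address on PycURL-inserted users, dotted googlemail.com/gmail.com local parts, and bursts of sign-ups from one IP) can be turned into a triage rule for new registrations rather than a blanket ban. The following is an added example written for this post, not code from Pligg, that scores constructed sample records; the sample data, the weights and the review threshold are assumptions. In keeping with the point that gmail addresses cannot simply be banned, a dotted local part on its own never reaches the threshold; it only counts when combined with a stronger signal such as a dot-variant of a mailbox that has already registered (Gmail ignores dots, so those are the same inbox).

```python
from collections import Counter

# Constructed sample registration records (not real data from the post): user, email, source IP.
SAMPLE_REGISTRATIONS = [
    {"user": "alice",       "email": "alice@example.org",         "ip": "203.0.113.10"},
    {"user": "bot1",        "email": "blank@blank.com",            "ip": "198.51.100.7"},
    {"user": "topjewlery",  "email": "top.jewlery@googlemail.com", "ip": "203.0.113.55"},
    {"user": "topjewlery2", "email": "t.o.p.jewlery@gmail.com",    "ip": "203.0.113.55"},
    {"user": "bob",         "email": "bob.smith@gmail.com",        "ip": "192.0.2.20"},
]

GOOGLE_DOMAINS = {"gmail.com", "googlemail.com"}
PLACEHOLDER_EMAILS = {"blank@blank.com"}  # the address the post reports on PycURL-inserted users
REVIEW_THRESHOLD = 2                      # assumed: score at or above this goes to manual review


def canonical_email(email):
    """Collapse Gmail dot-variants and the googlemail.com alias to one mailbox name."""
    local, _, domain = email.strip().lower().rpartition("@")
    if domain in GOOGLE_DOMAINS:
        return local.replace(".", "") + "@gmail.com"
    return local + "@" + domain


def score_registration(rec, seen_canonical, ip_counts):
    """Return (score, reasons) for one record; weights are assumed, dots alone score only 1."""
    email = rec["email"].strip().lower()
    local, _, domain = email.rpartition("@")
    score, reasons = 0, []
    if email in PLACEHOLDER_EMAILS:
        score += 3
        reasons.append("placeholder address used by PycURL spam")
    if domain in GOOGLE_DOMAINS and "." in local:
        score += 1
        reasons.append("dotted googlemail/gmail local part")
    if canonical_email(email) in seen_canonical:
        score += 2
        reasons.append("dot-variant of an already registered mailbox")
    if ip_counts[rec["ip"]] > 1:
        score += 1
        reasons.append("several registrations from the same IP")
    return score, reasons


def triage(records):
    """Map each username whose score reaches the threshold to its reasons, in registration order."""
    ip_counts = Counter(r["ip"] for r in records)
    seen = set()
    flagged = {}
    for r in records:
        score, reasons = score_registration(r, seen, ip_counts)
        seen.add(canonical_email(r["email"]))
        if score >= REVIEW_THRESHOLD:
            flagged[r["user"]] = reasons
    return flagged


if __name__ == "__main__":
    for user, reasons in triage(SAMPLE_REGISTRATIONS).items():
        print(user, "->", "; ".join(reasons))
```

Run against the sample, `bot1` is flagged on the placeholder address alone, the two `topjewlery` accounts are flagged because they share an IP and collapse to the same Gmail mailbox, and `bob` (one dotted address, one IP) is left alone.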

Hopefully the pligg developers will make improvements in the next version to combat this once and for all; we wouldn't hold out for that to happen though, as past releases have usually proven to be a disappointment, breaking more than they fix. The main thing letting pligg down at the moment is poor support for modules by the developers, and as far as we can tell not having a clear development path or project roadmap certainly doesn't help. The pligg community hears a lot of talk and sees very little action; even the developers taking a little time to upgrade existing MoDs to work with the latest release would at least be a start.


Article Details

Posted on March 28th, 2008

Category: Pligg

  1. Feydakin says:

    I was so excited when I installed pligg for the first time more than a year ago.. About 6 months ago I mothballed the whole project and haven’t looked at it since.. Yes, it’s open source.. Yes, it’s free.. And Yes, it doesn’t work unless you have some serious full time developers working for you to fix all the problems..

    Maybe I’ll tear it down and stick up a slashdot clone instead..

    Such potential, such waste..

  2. SEO Canada says:

    Rough, at least it's open source so it'll be fixed faster than if it was closed source. One more reason I'll stick with coding everything custom :)

  3. Daniel says:

    I have to agree with the fact that pligg provides very little to no support at all; the pligg forums are jam packed with members asking for help on some pretty serious bugs that never get answered.

    OpenSource is great as long as it has contributors and pligg simply does not have any, a project on the slide in my eyes; they need some serious management help, and as for selling the project for $150k, they would be grateful to receive $150 for the entire company today I would think.

    The pligg team looks to be like the keystone cops of open source after sifting through their forums lol

  4. pedrocharco says:

    I think your reply is harsh Daniel, as apparently pligg has one developer, Ashdigg, doing the bulk of the work on the project; what he has achieved so far is pretty good.

    I can’t disagree with your support gripe as their forums are pretty bad for support compared to Joomla, Drupal etc, but those two do have bigger communities. Pligg questions do have a tendency to go unanswered by developers for weeks and months however :(

  5. MattMan says:

    The pligg developers simply don’t give a damn about the community they have grown; questions go unanswered, bugs go un-fixed, and as Lincioln pointed out in the article they didn’t even integrate registration validation emails into v9.9.0 when the code was already available.

    These guys seem to work to their own schedule and pay no attention to what the community is reporting as problems. Their token efforts of Akismet spam simply don’t work, and poorly coded modules and templates that they have the audacity to call PRO lol yeah right.

    Personally I think the project should be taken up by another party who will have the time to place effort into it. I’m sick of hearing the overused excuse “we don’t have the time as we all have full time jobs” bullshit. The company must be making some money from selling products and services; what it comes down to though is the founding developer not believing in his product enough to bite the bullet and go full time. That’s why pligg will never be a major CMS system, and to enter it for the Crunchies this year was a complete joke; I think they came 120th out of 100 lol

  6. Pligg reader says:

    Your post about this at forums.pligg.com has been deleted! It is a shame. :-(

  7. Israel says:

    do you have a solution for this?
