Closed timwhite closed 4 years ago
The-Compiler
commented
5 years ago You could:
apikey in the config, so that it's required to post via the APIapikey, enable soft_api, and set blocked_words (if the spam wave I see is the same you see, block ※, №1). That way, the API is still open, but if the blocked word filter triggers, the apikey is required to override it.disable_api
timwhite
commented
5 years ago @The-Compiler I've been going through the logs, and all the requests are POSTs to /. Can the API be posted to at the root URL? I was under the impression at API requests should be to /api/create
Assuming these aren't API requests, I'm guessing that means that are probably solving the ReCaptcha's with people or bots?
Edit: For the short term, I've taken my pastebin down, as the volume of spam is too much for me to manage.
claudehohl
commented
4 years ago Welcome to the shiny world of PHP! Hell yeah, I can paste by simply omitting the "captcha=" post parameter. If it's not even there, it doesn't get checked.
Fixed. https://github.com/claudehohl/Stikked/commit/fe75336691a9aec57ca49ee85f35f557b021de31
I have a pastebin that is getting a high volume of spam, started in the last few days. I updated to the latest master branch of stikked yesterday, to make sure there wasn't some bug that was already fixed allowing ReCaptcha bypass.
I'm guessing, reading older bugs, that this is still the issue of the API allowing bypass of ReCaptcha.
The /spamadmin interface is also still broken, so that I have to resort to SQL to delete spam posts.
What can we do to reduce the spam?