strider72 / spam-karma

A flexible and modular anti-spam plugin for WordPress
GNU General Public License v2.0

Flaw in the Snowball Effect allows spammers to bypass other checks #18

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
I'm running Spam Karma 2.3 rc4 on WordPress 2.9.2 and I just recently 
received a spam message which, despite having a bad Javascript payload and 
a Flash Gordon problem, had a karma of 48.67.

After examining the problem, I discovered that it was using a URL of 
http://myblog.com/?randomHexadecimalGibberish to trick the snowball plugin 
into overriding the rest of the plugins with an injection of 60 karma.

I'm not familiar with the internals of Spam Karma, but here are the two 
possibilities that came to mind:
- add a check that makes "self-link" karma conditional on the commenter 
being logged in
- modify SK so karma for logged-in and non-logged-in users is tracked 
separately.

The temporary workaround I'll be trying is setting the snowball plugin to 
weak. If that fails, I'll just have to disable it.

Original issue reported on code.google.com by stephan....@gmail.com on 23 Feb 2010 at 11:23

GoogleCodeExporter commented 9 years ago
I think a fix for this might be that a bad URL should give negative karma, but 
a "good" URL should do nothing.  No positive karma for non-bad URLs.

Original comment by stephen....@gmail.com on 28 May 2011 at 6:25
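The bypass described in the report and the two fixes proposed in this thread, modelled as an added PHP example that is not Spam Karma's own code; the function names, the blocklist check and the karma values are assumptions for illustration.

```php
<?php
// Added illustration, not Spam Karma's own code: a simplified model of how a
// "self-link" bonus can be abused, and the fixes proposed in this issue.
// All function names and karma values below are assumptions for the example.

const SELF_LINK_BONUS = 60;      // the bonus the reporter observed
const BAD_URL_PENALTY = -20;     // assumed penalty for a URL on a blocklist

// Returns true when $url points at this blog's own host.
function is_self_link(string $url, string $blog_host): bool {
    $host = parse_url($url, PHP_URL_HOST);
    return $host !== null && $host !== false && strcasecmp($host, $blog_host) === 0;
}

// Assumed blocklist check; a real implementation would consult SK's filters.
function is_bad_url(string $url): bool {
    return (bool) preg_match('#\bspam-domain\.example\b#i', $url);
}

// Behaviour described in the report: any same-host URL earns the bonus,
// whoever posted it, so a URL like http://myblog.com/?<random hex> is enough
// to outweigh the negative scores from the other checks.
function snowball_karma_vulnerable(string $url, string $blog_host): int {
    return is_self_link($url, $blog_host) ? SELF_LINK_BONUS : 0;
}

// Hardened behaviour combining both suggestions in the thread:
//  * a bad URL still costs karma,
//  * a merely non-bad URL earns nothing,
//  * the self-link bonus is only granted to a logged-in commenter.
function snowball_karma_fixed(string $url, string $blog_host, bool $logged_in): int {
    if (is_bad_url($url)) {
        return BAD_URL_PENALTY;
    }
    if ($logged_in && is_self_link($url, $blog_host)) {
        return SELF_LINK_BONUS;
    }
    return 0;
}

// Constructed inputs modelled on the report.
$bypass = 'http://myblog.com/?3f9a1c0b7e';   // anonymous commenter's self-link
var_dump(snowball_karma_vulnerable($bypass, 'myblog.com'));
var_dump(snowball_karma_fixed($bypass, 'myblog.com', false));
var_dump(snowball_karma_fixed($bypass, 'myblog.com', true));
```

Running the three calls shows the same URL scoring the full bonus under the original logic, nothing for an anonymous commenter under the fixed logic, and the bonus only once the commenter is logged in.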