One of my users just group messaged 100 other user with a spam offer

So, as written in the title, one of my users just group messaged 100 other user with a spam offer.

Is there a way to limit the number of users that can be added to a private conversation?

That is the limit, 100, even lower for new users. Check your site settings to make it more strict.

(Also 100 does seem high as a default for this, @techapj can you change this to 30 as I think that is a safer default anyways.)

Just to be sure, is this the setting you’re reffering to?

image.png1020×142 12 KB

Was it a group PM? So this spam account got to trust level 2 somehow? How old is the account?

Hmm yeah maybe it wasn’t regular public mentions. We should still cap how many recipients can be in a group PM, in addition to the stricter public mention limit.

I’ve put my DM to lvl 1 instead of lvl 2. He posted a couple of times, and when he got to lvl 1 he started sending direct messages to other users.

It was not automated spam. Just a user trying to promote unwanted product through my platform

Trust level 1 is not a safe setting to allow group PMs.

Regardless I support a lower cap on public mentions and group PM recipients.

@techapj can you check, I don’t see a site setting for max PM recipients, other than max notifications which is 100. If we are missing a limit setting here we need one.

Okay, I just created a PR to add new setting max_allowed_message_recipients with default value of 30. Some highlights:

• A (non-staff) user can send a message to maximum 30 recipients by default.
• If user adds a group as message recipient and if that group has more than 30 members, then this setting will come into action and an error will be generated.
• This setting will not come into action if a message was sent to a group via email.

I don’t think this is a goal here; if the group owner allows a group to be message-able then that is how it is. What we mainly want to prevent with this setting is actually entering 50+ recipients manually.

Okay, I removed the check on group message recipients. Now only user recipients will be checked and default limit of “max 30 recipients” will be applied. PR has been merged.