One of my users just group messaged 100 other user with a spam offer

Olivier_Lambert · July 4, 2017, 10:19pm

So, as written in the title, one of my users just group messaged 100 other user with a spam offer.

Is there a way to limit the number of users that can be added to a private conversation?

codinghorror · July 4, 2017, 10:29pm

That is the limit, 100, even lower for new users. Check your site settings to make it more strict.

(Also 100 does seem high as a default for this, @techapj can you change this to 30 as I think that is a safer default anyways.)

Olivier_Lambert · July 4, 2017, 10:41pm

Just to be sure, is this the setting you’re reffering to?

Falco · July 4, 2017, 10:53pm

Was it a group PM? So this spam account got to trust level 2 somehow? How old is the account?

codinghorror · July 4, 2017, 10:59pm

Hmm yeah maybe it wasn’t regular public mentions. We should still cap how many recipients can be in a group PM, in addition to the stricter public mention limit.

Olivier_Lambert · July 4, 2017, 11:09pm

I’ve put my DM to lvl 1 instead of lvl 2. He posted a couple of times, and when he got to lvl 1 he started sending direct messages to other users.

It was not automated spam. Just a user trying to promote unwanted product through my platform

codinghorror · July 4, 2017, 11:44pm

Trust level 1 is not a safe setting to allow group PMs.

Regardless I support a lower cap on public mentions and group PM recipients.

@techapj can you check, I don’t see a site setting for max PM recipients, other than max notifications which is 100. If we are missing a limit setting here we need one.

techAPJ · July 6, 2017, 6:00am

Okay, I just created a PR to add new setting max_allowed_message_recipients with default value of 30. Some highlights:

A (non-staff) user can send a message to maximum 30 recipients by default.
If user adds a group as message recipient and if that group has more than 30 members, then this setting will come into action and an error will be generated.
This setting will not come into action if a message was sent to a group via email.

https://github.com/discourse/discourse/pull/4956

codinghorror · July 6, 2017, 3:40pm

I don’t think this is a goal here; if the group owner allows a group to be message-able then that is how it is. What we mainly want to prevent with this setting is actually entering 50+ recipients manually.

techAPJ · July 6, 2017, 5:27pm

Okay, I removed the check on group message recipients. Now only user recipients will be checked and default limit of “max 30 recipients” will be applied. PR has been merged.

Topic		Replies	Views
Spam sent via public open groups by user with trust level 0 support	1	355	July 30, 2022
Limit group owners for addition of everyone to their group feature	6	612	July 16, 2018
Limits on personal messages vs topics bug	11	1138	November 7, 2020
Group Requests not sent to all Group Owners feature	2	365	May 18, 2021
Prevent adding additional users to personal messages? feature personal-messages	19	792	September 16, 2023

One of my users just group messaged 100 other user with a spam offer

Related Topics