
under attack!

edited September 2007 in Vanilla 1.0 Help
Don't worry - it's not as if I'm being properly hacked or anything - touch wood. I'm using the Applicant email verification addon and Duplicate email check. Having banned someone, I'm getting repeated attempts to create a new account and a few other interesting things. I hit deny and he just replies again using the same mail - so I'd quite like some kind of email blacklist thing - or even better an IP block one, he's not even bothering to use a proxy! An interesting trick he attempted is to try to log on as me and then reset my password. (A few times.) Any suggestions about security? I'm a bit worried about the 777 conf folder.

Comments

  • If you're worried about the conf folder then you can just drop the permissions to 444 until you need to make any administrative changes, then put them back up as necessary. Depending on what extensions you're running, that probably won't cause any problems in the meantime.

    As for the other request, I guess you'll have to keep your fingers crossed someone decides to make an extension..
  • edited August 2007
    This may come in handy - Duplicate Email Check

    When a user tries to register another account with this add-on installed, they are presented with a friendly error message that an account already exists with that email address.
  • He's already got that by the looks of it :) Then again I'm not sure how the user keeps applying with the same email in that case..
  • Oops! I must've slipped the part he mentioned the extensions he's using. It was pretty late last night. Sorry! *blushes*
  • If you deny an applicant, the applicant info is deleted from the server, which would allow him to re-try with that same email address.

    If you set his banned account's email address to the one he is now using, duplicate email check would prevent him from using that email address again to register.

    Only problem is it will provide a not-so helpful error message--suggesting he reset his password.
  • Yes but it seems the only way round it is to approve him when he creates a new account and then immediately ban him so that his email is then logged as blacklisted.
  • Yeah. Why not do that? How come he's using a different email to the one he used for his banned account anyway?
  • You are really kind of up a creek. Banning an email does not really have an impact. I can spit out as many different email addresses as I need at any given time from my web server, or hell even gmail for that matter. IP banning also hits other users that may be sharing the same IP pool. I would say IP banning is a little more effective, while banning an email address is more of just a nuisance to the person, with an easy work around. The joys of administering a forum.
  • Your community must be really good if he likes it that much to keep on returning! :D
  • Let him join, then go in and change his password every time and blank out all of his posts. It's a pain for you but he will soon tire of it.

    Posted: Sunday, 2 September 2007 at 12:46PM

  • if he's not using a proxy (and if you are running apache), just add this to your .htaccess:
    order allow,deny
    deny from xxx.xxx.xxx.xxx
    allow from all
  • I actually used the human solution rather than the mechanical one - I got him to apologise to those whom he had offended and then let him stay - though I've had to create a new role for him that doesn't let him post HTML. But that htaccess solution will definitely come in handy later - thanks
  • conradslater I salute you! You da man! That's the best way to handle such a situation. Only if it fails should we resort to the technology version of the Louisville Slugger. Well done mate.

    Posted: Monday, 3 September 2007 at 7:40AM

This discussion has been closed.
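
The permission toggle suggested in the first reply, as an added shell example that is not part of the original thread or of Vanilla itself. The function names and the default `./conf` path are hypothetical, and it assumes the account running it owns the files; directories get 555 rather than 444 because a directory without the search (x) bit cannot be read through, and unlock goes to owner-writable (755/644) rather than back to 777.

```shell
#!/bin/sh
# Added example: audit, lock and unlock a forum "conf" directory.
# Usage: conf-perms.sh audit|lock|unlock [path]   (default path ./conf is hypothetical)

# List every file or directory under $1 that group or other can write to.
conf_audit() {
    find "$1" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) -print
}

# Read-only state for normal running: files 444, directories 555.
# Directories keep the x bit so the web server can still open files inside.
conf_lock() {
    find "$1" -type d -exec chmod 555 {} + &&
    find "$1" -type f -exec chmod 444 {} +
}

# Writable state for administrative changes: owner-writable only.
# Assumption: the web server runs as the owner of these files.
conf_unlock() {
    find "$1" -type d -exec chmod 755 {} + &&
    find "$1" -type f -exec chmod 644 {} +
}

# Dispatch only when called with a known subcommand.
case "${1:-}" in
    audit|lock|unlock) "conf_$1" "${2:-./conf}" ;;
esac
```

Run `audit` first to see what a 777 tree actually exposes, `lock` for day-to-day running, and `unlock` only for the duration of a settings or extension change.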