Date   

locked Re: Temporarily disabled group creation

Maria
 

This is likely a bad idea but I'll share anyway. What about a credit card transaction like other sites use to verify identity? Does nextdoor do that? Or paypal when you set up an account and link it to a bank account? Do they take $1 and then reimburse it...? It's been a while since i needed to set one up.

Not ideal, and no idea if it would help.

Maria


locked Re: Temporarily disabled group creation

christopher hallsworth <challsworth2@...>
 

Mark

How about some kind of challenge like a captcha but instead of typing characters in an image or numbers in an audio file ask questions only we humans know the answer to and not both humans and bots. A good example is a masths question.

On 28 Sep 2016, at 17:51, Mark Fletcher <markf@corp.groups.io> wrote:

Hi All,

I just temporarily disabled new group creation (you can still create subgroups). I did this because there's at least one persistent spammer creating new spam groups faster than I can delete them. You can look at the newest groups list right now to see a bit of the cesspool.

I need to clean out all the spam groups and put in place a system to prevent new ones. I'm thinking something like I need to approve a group before it appears in the search directory. Other suggestions are appreciated.

Thanks,
Mark


locked Re: Temporarily disabled group creation

Joseph Hudson <jhud7789@...>
 

Oh no Mark, this is not good. I agree. Definitely needs to be a system to approve groups before they're made available to the public. I will go ahead and do the same for subgroups just in case an owner or a moderator of another group, decides to start making spam subgroups on top of the parent group just to be on the safe side.

On Sep 28, 2016, at 11:51 AM, Mark Fletcher <markf@corp.groups.io> wrote:

Hi All,

I just temporarily disabled new group creation (you can still create subgroups). I did this because there's at least one persistent spammer creating new spam groups faster than I can delete them. You can look at the newest groups list right now to see a bit of the cesspool. 

I need to clean out all the spam groups and put in place a system to prevent new ones. I'm thinking something like I need to approve a group before it appears in the search directory. Other suggestions are appreciated.

Thanks,
Mark


locked Re: Temporarily disabled group creation

 

Mark,

I need to clean out all the spam groups and put in place a system to
prevent new ones. I'm thinking something like I need to approve a
group before it appears in the search directory. Other suggestions
are appreciated.
Victim of your own success. Alas.

If the spammers are using the group home page to promote something then keeping them out of the directory makes sense, but it may not be enough to discourage them from creating the groups. They may be posting links to those groups wherever they can.

And if their primary purpose is to use the group to send email spam it won't likely have much impact on them at all. But you have insight into what they're doing that I don't (I seem to have missed the "right now" window).

Spammers with botnets were the beginning of the end for Y!Groups, I recall when Gordon Strause mentioned that the bots were creating new accounts and new groups by the millions per day (not exaggeration). The CAPTCHA they had had in place had been cracked -- first by mechanical turk, then by automation. I sure hope you can find better ways of coping with the onslaught than Yahoo did.

Shal


On 9/28/2016 9:51 AM, Mark Fletcher wrote:
Hi All,

I just temporarily disabled new group creation (you can still create
subgroups). I did this because there's at least one persistent spammer
creating new spam groups faster than I can delete them. You can look at
the newest groups list right now to see a bit of the cesspool.

I need to clean out all the spam groups and put in place a system to
prevent new ones. I'm thinking something like I need to approve a group
before it appears in the search directory. Other suggestions are
appreciated.

Thanks,
Mark
--
Shal
https://groups.io/g/Group_Help
https://groups.io/g/GroupManagersForum


locked Temporarily disabled group creation

 

Hi All,

I just temporarily disabled new group creation (you can still create subgroups). I did this because there's at least one persistent spammer creating new spam groups faster than I can delete them. You can look at the newest groups list right now to see a bit of the cesspool. 

I need to clean out all the spam groups and put in place a system to prevent new ones. I'm thinking something like I need to approve a group before it appears in the search directory. Other suggestions are appreciated.

Thanks,
Mark


locked Re: Unsubscribing others... this seems to be possible

Jeff Powell <jrpstonecarver@...>
 

On Tue, Sep 27, 2016 at 10:43 am, Mark Fletcher wrote:
Hi Jeff,

On Mon, Sep 26, 2016 at 11:16 PM, Jeff Powell <jrpstonecarver@...> wrote:

Here's one that wasn't defanged as we did our testing of this issue:

https://groups.io/g/95033test/message/29?p=Created,0,,100,2,0,6828005&offset=0

I know it wasn't defanged because at Sanjay's request I clicked on it and he was removed.  :)


If you look at the source of the message, or the URL itself, it has been defanged. Clicking on that link would not have unsubscribed Sanjay, it would have (and does) return a 404 error.  So, unfortunately I'm not sure what happened to get Sanjay unsubscribed in this case. All I can see is that he was unsubscribed using an Android device.

Please let me know if you see anything else like this.

Thanks,
Mark

That's odd. I was the one that unsubscribed Sanjay, with that message, and I did it from a Linux machine (Ubuntu 14.04) and Chrome.  Very odd.


--jeffp 


locked Re: after search and "collapse topics," allow operations on threads #suggestion

 

Either that, or I think we need some other reasonable navigational path to find and merge two topics, one or more of which may be old. I am finding it nearly impossible. ???
--
J

Messages are the sole opinion of the author. 

I wish I could shut up, but I can't, and I won't. - Desmond Tutu


locked after search and "collapse topics," allow operations on threads #suggestion

 

This morning I wanted to merge two threads having to do with a particular cat, "Fluffy" (not her real name;). I first had to find the two threads, since one of them was old.  I did a search on "Fluffy" and then collapsed topics, which yielded the two topics. So far, so good. However, I could not merge them, because the "merge" operations were unavailable in the dropdown. They seem to be only available for topics within the complete topics list, not for subsets of it resulting from a search.

In a word, this is a ginormous PITA. Ok, two words. ;) Is there some reason preventing the "start merge" and "merge into" functions from being available on topics within search results?
--
J

Messages are the sole opinion of the author. 

I wish I could shut up, but I can't, and I won't. - Desmond Tutu


locked Re: Unsubscribing others... this seems to be possible

 

Hi Jeff,

On Mon, Sep 26, 2016 at 11:16 PM, Jeff Powell <jrpstonecarver@...> wrote:

Here's one that wasn't defanged as we did our testing of this issue:

https://groups.io/g/95033test/message/29?p=Created,0,,100,2,0,6828005&offset=0

I know it wasn't defanged because at Sanjay's request I clicked on it and he was removed.  :)


If you look at the source of the message, or the URL itself, it has been defanged. Clicking on that link would not have unsubscribed Sanjay, it would have (and does) return a 404 error.  So, unfortunately I'm not sure what happened to get Sanjay unsubscribed in this case. All I can see is that he was unsubscribed using an Android device.

Please let me know if you see anything else like this.

Thanks,
Mark


locked Change in emailed login links

 

Hi All,

I just made a change to emailed login links. Before, the link would expire after the first time it was clicked, or 30 minutes, whichever came first. But there are anti-spam systems that automatically click on every link in an email, and there's no way to distinguish those clicks from real clicks. People protected by these systems cannot use the email me a login link functionality (and get frustrated when they try). So I've changed it so that the links are active for 30 minutes regardless of how many times they're clicked. 

I don't think this creates much more of a security issue. Please let me know if you disagree of have other suggestions.

Thanks,
Mark


locked Re: Unsubscribing others... this seems to be possible

Jeff Powell <jrpstonecarver@...>
 

Here's one that wasn't defanged as we did our testing of this issue:

https://groups.io/g/95033test/message/29?p=Created,0,,100,2,0,6828005&offset=0

I know it wasn't defanged because at Sanjay's request I clicked on it and he was removed.  :)

It is, of course, not active now, but it was when Sanjay created it.

--jeffp



locked Re: Unsubscribing others... this seems to be possible

 

The "forwarded unsubscribe link" is a problem for just about everything that is emailed.

One extra bit of protection you might consider is that if someone is logged in as a different user, the unsubscribe link for the other user shouldn't work. That's not perfect protection, but it might stop an accidental click, or a troublemaker who's not very intelligent.

JohnF


locked Re: Group Settings Summary Language "no email" and "no editing" #suggestion

 

Hi Maria,

Good ideas. I've changed those two attributes to be phrased in the positive:

Members can edit their posts
Members can set their subscriptions to no email

Thanks,
Mark

On Thu, Sep 22, 2016 at 6:56 PM, HR Tech via Groups.io <m.conway11=yahoo.com@groups.io> wrote:

Or maybe if members can edit their posts it could say: "members can edit their posts" - but if they can't then it says nothing?

And if the no email option is offered then it can say :  "Members can set their subscription to no email" but if they can't do that, then maybe it shouldn't be listed as they can see their choices in their subscription setting. Maybe there can be a note there that the group doesn't offer "no email" options? I just find that ""Members are not allowed to set their subscriptions to no email." confusing and see potential for lack of clarity there.

Maria



locked Re: questions

 

On Sat, Sep 24, 2016 at 10:43 AM, J_Catlady <j.olivia.catlady@...> wrote:

This comes up whenever there's a delivery failure, it seems. I think it's non-specific, at least according to Mark the last time I asked him about it. Is the member using an aol email address? Here's an example for a member with an aol email address in my group:

Message
[Feline_SCL] Mirtazapine and Aggression
Attempted
Aug 28
Response
451 4.3.2 Internal error reading data


That response is what we get from the other server, and can be anything. I'm not really sure what it means in this case other than some sort of temporary internal error on their part.

Mark 


locked Updates to Trello

Beta Integration <beta@...>
 

[Beta] New card "Have an ICS feed of calendar events that people could subscribe to." was added to list "Calendar".


[Beta] The green label "Calendar" was added to the card "Have an ICS feed of calendar events that people could subscribe to.".


locked Re: member confirmation - a possible alternative #suggestion

 

Hi All,

I've mentioned in the past that I wanted to be able to leverage the database code to create a sort of extended set of attributes for each member. And as part of that generate a pending subscription form that needed to be filled out. Haven't gotten to it yet however.

Thanks,
Mark


locked Re: Unsubscribing others... this seems to be possible

 

On Mon, Sep 26, 2016 at 8:37 AM, Jeff Powell <jrpstonecarver@...> wrote:

And nevermind. Someone (Mark!) was ahead of me. Turns out the unsubcribe link is valid for only one use. We just retried it and the link isn't valid anymore.

So at least it isn't a long term denial of service attack against a user. It's an oddity, and it might happen once, but not again for the same link.

And now, in the words of Emily Letella: "Nevermind. That's different."


Right. As my dad says, life is a series of tradeoffs and a filing problem. Originally the unsubscribe link didn't even ask for confirmation, it was a true one-click unsubscribe. But it turns out that there are anti-virus programs that will 'click' on every link in an email automatically, without the user's knowledge. So people would be unsubscribed all the time.

I believe that we look for pasted-in unsubscribe links throughout a message. If there was an instance where we didn't defang one, please forward a pointer to me at support and I'll take a look.

Thanks,
Mark


locked Re: Unsubscribing others... this seems to be possible

 

Remembering back, I think he also did something like that for the confirm link after our group's little misadventure. Before that, I distinctly remember trying the link and being surprised when I landed in the member's account.


On Mon, Sep 26, 2016 at 8:37 AM, Jeff Powell <jrpstonecarver@...> wrote:

And nevermind. Someone (Mark!) was ahead of me. Turns out the unsubcribe link is valid for only one use. We just retried it and the link isn't valid anymore.

So at least it isn't a long term denial of service attack against a user. It's an oddity, and it might happen once, but not again for the same link.

And now, in the words of Emily Letella: "Nevermind. That's different."

--jeffp



--
J

Messages are the sole opinion of the author. 

I wish I could shut up, but I can't, and I won't. - Desmond Tutu


locked Re: Unsubscribing others... this seems to be possible

Jeff Powell <jrpstonecarver@...>
 

And nevermind. Someone (Mark!) was ahead of me. Turns out the unsubcribe link is valid for only one use. We just retried it and the link isn't valid anymore.

So at least it isn't a long term denial of service attack against a user. It's an oddity, and it might happen once, but not again for the same link.

And now, in the words of Emily Letella: "Nevermind. That's different."

--jeffp


locked Re: Unsubscribing others... this seems to be possible

Jeff Powell <jrpstonecarver@...>
 

Well, it can amount to a denial of service attack against the person who posted the link, and so might be viewed as a bit more of an issue.

I could easily write a script using wget that would unsubscribe the person in question every 2 minutes, forever. Or so I think. (The resulting web page does want a confirmation, but I'd just have to parse the return page and wget that as well. Not too hard.)

And that link is out there forever.

If unsubscribe links expired or were tied to an IP address, that would help to some degree.

Removing them entirely would fix it, of course, and the expense of making the system less useful. But maybe an unsubscribe link should take people to a page where they have to login and prove they are who they say they are before unsubscribing them, given this issue?

This is all just thinking out loud, but there was a bit of chaos this morning. It was a moderator who got unsubscribed, and it took him an hour to figure it out. I woke up to find one of my co-moderators had left with no explanation, and it made me more than a little nervous.  (Welcome to the new list... poof, you've lost a moderator!) Yowch!

Anyway, in the words of both Luke (first) and Han, "I have a bad feeling about this."

--jeffp



18641 - 18660 of 29627