Posted by GregChapman on Sep 15, 2013; 4:14pm
URL: https://support.nabble.com/Serious-problem-for-the-security-of-my-forum-tp7586507p7586519.html

Hi Marc,

I quibble with your descriptions of "Anyone", "Registered" and "Members", but agree with your recommended action.

Forum Administrators need to remove the User permissions for "Create_topic" and "Reply" from users in the "Anyone" and "Registered" groups and grant those permissions for the "Members" group. They then need to add the mail address of all approved users to the "Members" group.

The Nabble default is to allow those in the "Anyone" group to post. And that literally does mean anyone!

Most forum administrators remove those two permissions from "Anyone" and add them the "Registered" group. But all that does is force a user to provide an email address before they post and the only protection it offers is the ability to ban someone with that email address from posting. However, it is a simple process for a spammer to create software robots that  create multiple, near identical, email addresses and then use those addresses to register and post to a forum. This is what happening in the current registration and spamming storm.

As you say, the only option currently, for forum administrators is to adopt a manual system of approval of users. Insisting on registration only is not enough. Only allowing approved "Members" to post is the answer.

Having said that, I do believe that Nabble will need to take some action soon, as a minimum, implement some filtering of registrations - removing those that clearly come from spammers as the current situation is unacceptable and will drive users away from Nabble forums.