    I have just found out that comment spam has been appearing in the demo "Mini-Blog HOWTO" article on my website :-(, which is one of the demo pages in the sample MODx website that you can choose to install when you install MODx.

    I had left the demo pages in place on my site in case they contained any code that I might find useful later, but it seems that this was perhaps not a wise strategy.

    To prevent the problem from occurring again, I think I will delete the demo pages from my live site (but leave them on my test site, which has very strict access permissions).

    I haven't knowingly used any of the demo pages other than "404 - Document Not Found" and "Search Results". Are the other pages needed for any part of MODx functionality, or is it safe to remove them? ("RSS Feed" (actually, I might want to make use of that), "MODx Features" (and children), "[*loginName*]" ×2 (URIs: login and blog-login), "Thank You", "Contact Us", "Blog" (and children), "Request an Account"). The site doesn't have any web users, only manager users.

    To get rid of the spam comments themselves, can I just delete all of the records in the modx_jot_* tables, or are there any records that "need" to be in there? I don't actually use Jot, although I suppose that there is always the possibility that I might do so in future.

    I'm also somewhat worried as to how the comment spam found its way there in the first place. I haven't really investigated the demo blog in very much detail, but I am surprised that it somehow seems to have allowed spam to be posted without alerting a manager user first!

    Given the "Forgot manager login" bug, I have checked that there are no unexpected user accounts on the site, and have now disabled the "Forgot manager login" plugin. I will upgrade my installation to 1.0.7 when I get time. I don't know whether this is a related issue or not.

    Just another reminder of the need to be ever-careful, I suppose!

    This question has been answered by david55. See the first response.

      Please don't PM me unless it's absolutely essential: if a technical question is worth asking, it's worth asking in public, so that others can share their experience, and so that all can learn from the answers.
      I don't think Jot is particularly good at avoiding spam, even with CAPTCHA enabled. I use a snippet to check against the blacklist from Project Honeypot, as described in the Wiki: http://wiki.modxcms.com/index.php/Spamproofing_for_Jot

      :) KP
        Thanks, KP, that's useful to know if I do want to allow commenting on my real articles at some point.

        However, I had left the demo blog installed "just for possible future reference", and so it's a bit worrying if it turns out that either it ships in a form which allows commenting without moderation/notification by default(?) (undesirable), or if spammers have found a way to get around any such protection that exists in the default setup.

        Admittedly, it was my mistake to assume that demo/default content would be safe to leave hanging around, but I suppose, being known demo page URIs, these are among the first things that attackers are going to try to target.
          Ah, looking further at the Jot documentation, it looks as though moderation of comments is not actually the default option (&moderated=`1` needs to be explicitly specified, otherwise comments are allowed and published by default(!)).

          That's maybe something that should be changed in the "Comments" chunk that the demo blog uses, as that's not a very "fail-safe" default value to have.
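As an added illustration of the point in the last post (not code from the thread or from the Jot project): the two Jot calls below show a "Comments" chunk as the poster describes the demo default, with no moderation flag and comments therefore published immediately, beside a call that turns moderation on. The snippet-call syntax and the &docid and &captcha parameters are assumed from MODx Evolution / Jot conventions; only &moderated is taken from the thread.

```html
<!-- Weak default, as described in the thread: no &moderated, so any
     submitted comment is published straight away with no manager review. -->
[!Jot? &docid=`[*id*]` !]

<!-- Fail-safe form: comments are held until a manager approves them.
     &captcha=`1` is an assumed extra hurdle and is no substitute for
     moderation, since the thread reports spam getting past CAPTCHA. -->
[!Jot? &docid=`[*id*]` &moderated=`1` &captcha=`1` !]
```

If demo pages are kept around for reference, the safer choice is to apply the moderated call to every chunk that renders a Jot form, or to remove the demo documents entirely, since their URIs are publicly known.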