I was wondering if anyone has dealt with bot-driven Abuse Report attacks?
Yesterday our community received 4,375 abuse reports; every message was flagged multiple times with random text inserted in the body. All of this occurred within 60 minutes.
As far as I can tell in the Admin and Lithosphere, there is no method for me to identify what IP is doing this, since Abuse Reports do not go in the Audit Log. I also cannot turn off the ability for an anonymous user to report abuse, nor can I turn off the feature completely.
We are under attack again today, 25+ pages of reports, all within 20 minutes.
I've reached out to support, but since it's the weekend and this isn't an outage, I won't get an update until tomorrow at the earliest, so I was wondering in the interim if anyone else has dealt with an abuse report attack? If so, how did you mitigate the issue?
This is a new one; I haven't seen that attack vector being used before.
I'm not aware of anything out of the box you could do without some development work around it. Ideally I'd recommend raising an idea for Captcha to be completed before an abuse report is raised (especially for anonymous users).
Captcha would be a great addition here, thanks @RobertT!
I'll ask Support if they can enable this ASAP to prevent further attacks, and suggest submitting an idea, if needed, that this feature should be rolled out to other Lithium customers.
Just FYI, on our site if a not-logged-in user hits the abuse report link on a message, they are taken to the login page where they must log in before completing the action. I don't know where this is set, but I'm posting just to let you know this can be done. Good luck. I hate spammers.
Yes, our abuse report page requires login too. I don't see any particular setting for this workflow. I wonder if it's tied to anonymous users being able to leave comments? We have this disabled.
I was incorrect stating anonymous users can submit an Abuse report, it requires the user to login. Sorry all 😞
What led me to believe it was anonymous is the reports didn't have a username attached.
Digging further, it appears a user was able to register without specifying a username (despite it being required?) so I've flagged this to support asking how this occurred, and banned the user to stop the subsequent attacks.
I'll update this thread with the outcome for everyone's awareness! Thanks all for your help 🙂
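Since the platform's Audit Log does not record abuse reports, the pattern described in this thread (thousands of reports in minutes, the same messages flagged repeatedly, reports with no username attached) has to be spotted from whatever report export or feed you can get. The following is an added example, not code from the thread or from Lithium, that runs a simple sliding-window burst detector over a constructed list of report events; the tuple format and threshold values are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of abuse-report events: (timestamp, reporter, message_id).
# Made-up values for illustration; an empty reporter stands in for an account
# that registered without a username, as happened in the thread.
SAMPLE_REPORTS = [
    ("2024-06-01T09:00:00", "alice", 101),
    ("2024-06-01T09:03:00", "bob", 102),
    ("2024-06-01T09:10:00", "", 101),
    ("2024-06-01T09:10:01", "", 101),
    ("2024-06-01T09:10:02", "", 102),
    ("2024-06-01T09:10:03", "", 103),
    ("2024-06-01T09:10:04", "", 101),
    ("2024-06-01T09:10:05", "", 104),
    ("2024-06-01T09:30:00", "carol", 105),
]

def parse(reports):
    """Convert ISO timestamps to datetimes and sort chronologically."""
    return sorted((datetime.fromisoformat(ts), rep, mid) for ts, rep, mid in reports)

def flood_reporters(reports, window=timedelta(minutes=10), max_reports=5):
    """Return {reporter: peak count} for reporters who filed more than
    `max_reports` reports inside any sliding `window`. Reports without a
    username are grouped under '<no username>' so they are not lost."""
    by_reporter = defaultdict(list)
    for ts, reporter, _ in parse(reports):
        by_reporter[reporter or "<no username>"].append(ts)
    flagged = {}
    for reporter, times in by_reporter.items():
        start, peak = 0, 0
        for end, ts in enumerate(times):
            # Advance the window start until all timestamps fit inside it.
            while ts - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_reports:
            flagged[reporter] = peak
    return flagged

def repeatedly_flagged_messages(reports, min_flags=3):
    """Return {message_id: count} for messages flagged at least `min_flags` times."""
    counts = defaultdict(int)
    for _, _, msg_id in parse(reports):
        counts[msg_id] += 1
    return {m: c for m, c in counts.items() if c >= min_flags}
```

Accounts that trip the flood threshold are candidates for the ban the poster applied; the missing-username bucket is the signal that a registration check was bypassed.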
Curiosity question: Are you using Lithium for login or an external SSO?