Posted by Martin Dougiamas

Moodle in English -> Security and privacy -> Moodle Security -> Re: spam found on site

- Post by Martin Dougiamas
Core developers, Documentation writers, Moodle HQ, Plugin developers, Testers
Hi Ron,

Generally we recommend that educational institutions don't use email authentication at all, because they generally have other sources of authentication available (like LDAP, an external database, IMS enterprise, or a text file that they can bulk upload to create accounts manually). In fact most institutions that I know of do exactly this, so never have a spammer problem caused by leaving their sites open to all comers.

If they do have to use email authentication, then your idea sounds pretty good at first (I found it here too: MDL-9624), but doesn't it suppose that the admin will be able to tell in advance who is a spammer and who isn't? I'm not sure that will be possible ... what do you think?

Thanks for actually proposing solutions, though; that's what we need.

Another idea I'm having is some sort of filter that can detect common spam and blank it out.


- Post by Martin Dougiamas
Hi, Steve. (wink)

Start with this link to learn how to secure your sites: http://docs.moodle.org/en/Reducing_spam_in_Moodle

We'll also look at creating some sort of detection tool soon to help you clean up your profiles after a spammer attack.
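The spam filter and the profile clean-up tool Martin mentions in the two posts above, sketched as an added example that is not Moodle's own code: a heuristic scorer over user profile descriptions that shortlists accounts for an admin to review after a spammer attack. The profile records, the spam term list and the score threshold are constructed for this example and would be tuned to a real site.

```python
import re
from dataclasses import dataclass

URL_RE = re.compile(r'https?://[^\s<>"\']+|www\.[^\s<>"\']+', re.I)
TAG_RE = re.compile(r'<[^>]+>')
# Terms that commonly appear in profile spam; constructed list, tune to your site.
SPAM_TERMS = ("viagra", "casino", "cheap", "buy now", "free download", "loan")


@dataclass
class Profile:
    userid: int
    description: str  # HTML profile description as stored for the user


def spam_score(text: str) -> int:
    """Heuristic score: more links, distinct hosts, spam terms and markup -> higher."""
    urls = URL_RE.findall(text)           # look in the raw HTML so href targets count
    plain = TAG_RE.sub(" ", text)         # strip tags before looking at the wording
    score = 2 * len(urls)
    # Links to several different external hosts is the classic profile-spam pattern.
    hosts = {re.sub(r'^(https?://|www\.)', '', u, flags=re.I).split('/')[0].lower()
             for u in urls}
    score += 3 * max(0, len(hosts) - 1)
    score += 3 * sum(1 for term in SPAM_TERMS if term in plain.lower())
    score += 2 * len(re.findall(r'<a\s', text, re.I))
    # Link-heavy text with hardly any prose around the links.
    words = plain.split()
    if words and len(urls) / len(words) > 0.2:
        score += 3
    return score


def flag_profiles(profiles, threshold=6):
    """Return (userid, score) for profiles at or above the threshold, worst first."""
    scored = [(p.userid, spam_score(p.description)) for p in profiles]
    return sorted([s for s in scored if s[1] >= threshold], key=lambda s: -s[1])


# Constructed sample records: one legitimate teacher profile, two spam profiles, one empty.
SAMPLE_PROFILES = [
    Profile(1, "I teach chemistry at Springfield High and run the robotics club. "
               "Our site: http://www.example.org/robotics"),
    Profile(2, '<a href="http://cheap-pills.example.com">Buy now cheap viagra</a> '
               '<a href="http://casino.example.net">best casino</a> http://loan.example.org'),
    Profile(3, "Links: http://a.example.com http://b.example.com "
               "http://c.example.com http://d.example.com"),
    Profile(4, ""),
]

if __name__ == "__main__":
    for userid, score in flag_profiles(SAMPLE_PROFILES):
        print(f"review user {userid}: spam score {score}")
```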


- Post by Martin Dougiamas
Hi Marc.

Enjoyable as it is, let's bring this conversation back to some facts ... (smile)

From what I can see this is a matter of one (possibly very old, I don't know) site that had email authentication on as well as profiles visible, allowing a spammer to add some public junk to a profile page. With those two settings off (or any one of them) it would not be possible.

No existing accounts were compromised and at no time was the existing information in the site stolen or threatened. Right? The information on the site was indeed secure as described in the excerpt you posted (I'm not trying to be picky, just accurate).

So if you're truly investigating this incident to look where improvements need to be made (and I'm not sure this forum is appropriate at all) it comes down to who was responsible for opening those settings.

Is it Moodle software? It's true in the more innocent past that the defaults for these were on, which could very well be the problem for this site. We relied on the admin to switch them off, but that is no longer the case in current versions of Moodle - they are off with big warnings attached. Some other troublesome defaults have been changed as well in response to community feedback in the tracker. This helps EVERYONE installing a new Moodle. So if the fault lies with Moodle software then it's largely been fixed since then, though I know we can do even more about usability and user education. Further development is underway regarding this, and more suggestions are always very welcome in the tracker.

Is it the hosting company? One could surely argue that they should provide new sites in the most locked-down configuration possible, which may not always be exactly the same as the default install configuration of a standard Moodle. Security is surely one important factor of a new installation, I think we can all agree, but I can also see that sometimes it's not always wise to force all clients to turn every feature on. That's really up to each individual company to implement with their clients, but I hope the companies I'm associated with (Moodle Partners) will always use feedback like yours to review their SLAs and procedures to further improve quality all around. You may want to call them directly and ask about it if you're interested. A willingness to improve such things is what makes Moodle partners different to your average schmoe selling server space because they just worked out how to use Cpanel (and there are many of these out there). Every time we issue new security fixes (such as the ones on the Moodle Security page http://moodle.org/security) these guys have to update many hundreds of sites (and boy do they love it (smile) ).

Is it the client? Well, no, the client is always right, of course. Luckily clients never change settings they don't understand properly and always read the context help and documentation (as far as we can tell). That makes our life so much easier. (smile)