Welcome to the Question2Answer Q&A. There's also a demo if you just want to try it out.
0 votes
674 views
in Q2A Core by
edited by
I set the permissions to ask : Only registered users with confirmed email.

Today, I got 3 spam posts, and one of them is from anonymous!!!

Why?

I can't post myself as anonymous but those Russian spammers can?!?!?!
Q2A version: 1.8.4

1 Answer

+1 vote
by
edited by
Check that the spam posts were definitely questions, not answers/comments. (If they are then you'll need to set that permission for "answering questions" and "adding comments" too.)

And what happens when you click the "anonymous" name? If it takes you to a user page then you got a user that registered with the username "anonymous". If it takes you to the IP page then yes they did post without an account.
by
The spam post is question.
I set the same rules for answers/comments.

The only thing I let everybody can do is to view questions.

When I click the "anonymous" link, it contains IP address. It's not someone who named "anonymous", or anonymous-lookalike.

That really freaks me out!

More info: This is a new installation, but I already set permissions at least a week ago.
I didn't use caching.
by
This is the temporary solution for spammers:

I collected about 100 common Russian words and use the plugin by Towhid to put posts with potential spam content under moderation.

The default Q2A sensor function only convert those words into stars.

https://www.question2answer.org/qa/34064/new-plugin-banned-words-filter
by
@teddydoors strange... I can't see any way for that to happen. I tested myself trying to ask (and send POST requests to bypass the ask page) and I wasn't able to post.
by
I didn't use any strange plugin. The only one is Advanced Tag Description extended by either Pupi or Arjun (can't remember!) but it has nothing to do with posting.

My best guess is that I use "service worker". Somehow the spammer may exploit from that.
...