We've noticed in the past week that fairly innocuous looking posts are coming in from brand-new users **containing spam links with no anchor text**. They're caught by the post queue but at face value, they could be accepted by a moderator as the link themselves were hidden from view.
It was only once you inspected the raw post content that the hidden link was revealed (e.g. innocuous text [](//malicious.org).
To combat this, NodeBB will now explicitly expose hidden links so that they can be easily seen and caught.
This is what it looks like: [](https://community.nodebb.org//community.nodebb.org )
If you are viewing this post from outside of NodeBB, you might not see anything! That means your software might be vulnerable to this kind of spam backlink injection. Best case, your software detects the empty link text and removes it completely. Worst case, you're allowing them in unknowingly.
Last thing, it's possible this has been around for ages and I only just noticed (thanks also to PitaJ (npub1hxp…n4ux) for pointing out the hidden links from an earlier post!) If you browse around the forum and see some of these hidden links scattered around some posts, flag it immediately so we can take a look.
Thank you!
julian /
npub1uq…pz8a5
2024-05-21 15:28:53
Author Public Key
npub1uq5lznmk9ax9r07mhs0lrv4qaafyguepj2spfjlw54acwkxrds3sppz8a5Published at
2024-05-21 15:28:53Event JSON
{
"id": "0b48fc48453eae3d4441ae3f5b0dbacbae7c2f5df4d76a55d2793d1ee2de003c",
"pubkey": "e029f14f762f4c51bfdbbc1ff1b2a0ef5244732192a014cbeea57b8758c36c23",
"created_at": 1716305333,
"kind": 1,
"tags": [
[
"t",
"spam"
],
[
"t",
"antispam"
],
[
"p",
"b9835f48578fcd7cda11295787c8792b8459e9233a5632832126982ef73466fb"
],
[
"t",
"administration"
],
[
"proxy",
"https://community.nodebb.org/post/99826",
"web"
],
[
"proxy",
"https://community.nodebb.org/post/99826",
"activitypub"
],
[
"L",
"pink.momostr"
],
[
"l",
"pink.momostr.activitypub:https://community.nodebb.org/post/99826",
"pink.momostr"
]
],
"content": "We've noticed in the past week that fairly innocuous looking posts are coming in from brand-new users **containing spam links with no anchor text**. They're caught by the post queue but at face value, they could be accepted by a moderator as the link themselves were hidden from view.\n\n\nIt was only once you inspected the raw post content that the hidden link was revealed (e.g. innocuous text [](//malicious.org).\n\n\nTo combat this, NodeBB will now explicitly expose hidden links so that they can be easily seen and caught.\n\n\nThis is what it looks like: [](https://community.nodebb.org//community.nodebb.org )\n\n\nIf you are viewing this post from outside of NodeBB, you might not see anything! That means your software might be vulnerable to this kind of spam backlink injection. Best case, your software detects the empty link text and removes it completely. Worst case, you're allowing them in unknowingly.\n\n\nLast thing, it's possible this has been around for ages and I only just noticed (thanks also to nostr:npub1hxp47jzh3lxheks399tc0jre9wz9n6fr8ftr9qepy6vzaae5vmaszwn4ux for pointing out the hidden links from an earlier post!) If you browse around the forum and see some of these hidden links scattered around some posts, flag it immediately so we can take a look.\n\n\nThank you!\n\n\n",
"sig": "80a3926031a5c769b3982e55fae8968345bad3a1c5df7145d16310615c6aa99d286a13963b1d77df350fcf1a04a0ce2323dd55e708f7ec99aaf544ec4c49a27e"
}