Answered by:
Spammer able to undelete spam posts that had years ago been deleted

Question
-
I have a worrying development to report.
I have just received two alerts of new posts (one to a thread where I am now a Moderator and one to a thread where I am no longer a Moderator) from the same person.
These alerts are in fact not to new posts from this person (although the alert says "has replied to") but are in fact to very old posts from him that were deleted because all this person does is post adverts for his company's own products and where he has now undeleted them - the notification is thus of an undelete.
I could see this in the following thread
where I am an administrator so it was possible to see that I had earlier deleted the thread as spam and that it had been undeleted by the person who posted it
The other thread in a forum in which I am no longer a Moderator is probably the same - I remember telling a Moderator there of the habit of this poster in only posting advert posts and him reacting to that information by deleting posts. (I can't see the delete undelete pattern there)
-----------------------------------------------
Either:
1- There is a problem in that non-Moderators are now allowed to undelete their own deleted threads
Or
2. A known spammer has been given Moderator rights (if so this is unbelievable!). Because we can no longer see the "Moderator" next to the name of a person it is impossible for us to see this anymore.
If the latter, I would request that this poster be immediately stripped of his Moderator rights throughout the system and especially in all SharePoint 2010 and in all pre-SharePoint 2010 forums.
(The poster is http://social.msdn.microsoft.com/Profile/Ethan%20Bach and that other thread is http://social.msdn.microsoft.com/Forums/en-US/sharepoint2010general/thread/a3df3760-3616-4e2d-813b-dfb7acae7a3a/)
Mike Walsh
P.S. I am now finding via his profile evidence that he has undeleted all of his posts that were earlier deleted as spam. Some I can delete again. Others I now can't.
P.P.S. There is at least one case of him being able to undelete a post in a locked thread !! How is that possible?
P.P.P.S. I am going through the lot now. If he in turn undeletes them again, I want him banned as the spammer he is.
SP 2010 "FAQ" (mainly useful links): http://wssv4faq.mindsharp.com/default.aspx
WSS3/MOSS FAQ (FAQ and Links) http://wssv3faq.mindsharp.com/default.aspx
Both also have links to extensive book lists and to (free) on-line chapters
Answers
-
We actually contacted the user and they weren't very helpful, explaining they didn't remember undeleting anything. If we see this again we could look into it, but for now my hunch is the user was temporarily given mod rights for a while. But we won't be digging into this more unless we have more data or a repro.
Community Forums Program Manager- Proposed as answer by Brent SerbusEditor Saturday, October 15, 2011 5:16 AM
- Marked as answer by Ed Price - MSFTMicrosoft employee Monday, October 24, 2011 7:02 PM
All replies
-
There must have been about 50 posts from this guy. ALL were proposing a product from his company and ALL the over 40 where I could see this had been undeleted within a couple of minutes of each other.
I suggest we ban him direct. We can do without such posters and then having the cheek to undelete all of his posts is just the final straw.
Mike Walsh Moderator pre-SP 2010 forums / ex-Moderator SP 2010 forums.
SP 2010 "FAQ" (mainly useful links): http://wssv4faq.mindsharp.com/default.aspx
WSS3/MOSS FAQ (FAQ and Links) http://wssv3faq.mindsharp.com/default.aspx
Both also have links to extensive book lists and to (free) on-line chapters -
-
-
-
> Most likely (haven't looked, though) an exploit in the system
That was my idea too although I must admit I was somewhat afraid to say so publically.
There were two reasons for thinking that.
1. The undeletes occured very rapidly and much faster than it was possible for me later to access and delete them again manually.
2. Some of them had four hours earlier before the undelete cycle been *deleted* by him (a delete on top of an older delete, presumably). This indicated to me someone who was trying out a hacking technique and getting close the first time and then refining it for the second cycle.
Of course it may just be "given Moderator rights" but anyone looking at the totality of his posts ought to have seen a) relatively few posts and b) only posts pushing products from his company so requirements for Moderator should by no means have been satisfied.
SP 2010 "FAQ" (mainly useful links): http://wssv4faq.mindsharp.com/default.aspx
WSS3/MOSS FAQ (FAQ and Links) http://wssv3faq.mindsharp.com/default.aspx
Both also have links to extensive book lists and to (free) on-line chapters -
-
We actually contacted the user and they weren't very helpful, explaining they didn't remember undeleting anything. If we see this again we could look into it, but for now my hunch is the user was temporarily given mod rights for a while. But we won't be digging into this more unless we have more data or a repro.
Community Forums Program Manager- Proposed as answer by Brent SerbusEditor Saturday, October 15, 2011 5:16 AM
- Marked as answer by Ed Price - MSFTMicrosoft employee Monday, October 24, 2011 7:02 PM