For those looking for extra protection against spammers (to block them from sending messages to other users) by means of the SMS plugin (to verify that a user really exists, i.e. is not a spammer), I have the following advice.
Prerequisites: 1. the Instant Messenger plugin installed (I've read somewhere that it replaces the Contact user functionality); 2. the SMS plugin, in order to double-check that the user is a "good" guy, not a spammer.
The situation I face: I have both plugins, with the IM plugin set up to not allow more than 5 messages to max. 3 users in a timeframe of 6 hours. Of course, the spammer managed to send some spam messages until he reached the limit. Why? Because even though he did not verify his phone number, he still had access to the contact user/send message functionality.
I mean, the SMS Number verification plugin makes some checks, and if the user (a spammer, in our case) does not verify, then he is not allowed to do many things; when he presses on various menu options he is redirected to the phone number verification page. Which is nice. BUT he still finds a backdoor (I have a session replay service and I can follow user actions). So even if he does not complete phone number verification, he can visit other users' listings and from there he is able to send a message to the users (spam, of course).
I have found that the contact user page is not protected for situations when the sender is not verified by phone number.
It is not a bug; it can somehow be considered legitimate: e.g. a user creates an account on the website only because he wants to contact another user.
But such users can also be spammers.
So, to protect the "contact user page", I adjusted the index.php of the SMS plugin, extending the scope of its check for the case when the user is not doubly verified (1. email; 2. phone number):
INITIAL:
if(osc_is_web_user_logged_in() && (osc_is_publish_page() || $location == 'user' || in_array(Params::getParam('route'), array('im-threads','im-messages','osp-item'))) && sms_param('verification_account') == 1) {
MODIFIED:
if(osc_is_web_user_logged_in() && (osc_is_publish_page() || $location == 'user' || in_array(Params::getParam('route'), array('im-threads','im-messages','im-create-thread','osp-item'))) && sms_param('verification_account') == 1) {
I mean I have added the page that a user who wants to contact another user arrives on when he presses the "Contact Seller" button: the "im-create-thread" page.
Of course, my hack is just for me and can be seen as optional. But if the development team adds an extra button in the settings of the Instant Messenger plugin, something like "User need to have phone number verified in order to send messages to other users", it will be much better (just under the "Login required" button on the IM plugin settings page).
I agree that the settings already implemented in the IM plugin (max. xx messages to max. xx users in xx hours) can be an effective way to stop spammers, at least for a while. But we cannot set very low limits like 3/2/6 because we may block legitimate users. My hack is an extra layer (e.g. a spammer can create as many accounts as he wishes and continue bombing the users, but I bet he does not have such a big amount of phone numbers at his disposal to verify all of them) which, combined with other solutions, can keep you away from the bad guys.
Cheers to all folks around here!
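
The route check from the post above, modelled as a stand-alone PHP script (an added example, not part of the original post or of the plugin's code). The helper names must_verify and ungated, the sample requests and the 'custom' location value are assumptions made for the illustration; the route names are the ones quoted in the post.

```php
<?php
// Added illustration: stand-alone model of the SMS plugin's redirect condition.
// In the plugin the inputs come from osc_is_web_user_logged_in(),
// osc_is_publish_page(), $location, Params::getParam('route') and
// sms_param('verification_account'); here they are plain arguments.

const ROUTES_INITIAL  = ['im-threads', 'im-messages', 'osp-item'];
const ROUTES_MODIFIED = ['im-threads', 'im-messages', 'im-create-thread', 'osp-item'];

// Hypothetical helper: true when an unverified user must be sent to the
// phone verification page instead of the requested page.
function must_verify(array $req, array $gatedRoutes, bool $verificationOn): bool
{
    $gatedPage = $req['publish_page']
        || $req['location'] === 'user'
        || in_array($req['route'], $gatedRoutes, true);

    return $req['logged_in'] && $gatedPage && $verificationOn;
}

// Hypothetical helper: message-sending routes that the gate does not cover.
function ungated(array $messagingRoutes, array $gatedRoutes): array
{
    return array_values(array_diff($messagingRoutes, $gatedRoutes));
}

// Constructed requests from a logged-in user with no verified phone number.
// The 'location' value for route pages is an assumption of this sketch.
$requests = [
    'user dashboard'  => ['logged_in' => true, 'publish_page' => false, 'location' => 'user',   'route' => ''],
    'message threads' => ['logged_in' => true, 'publish_page' => false, 'location' => 'custom', 'route' => 'im-threads'],
    'Contact Seller'  => ['logged_in' => true, 'publish_page' => false, 'location' => 'custom', 'route' => 'im-create-thread'],
];

foreach (['INITIAL' => ROUTES_INITIAL, 'MODIFIED' => ROUTES_MODIFIED] as $label => $routes) {
    echo "$label\n";
    foreach ($requests as $name => $req) {
        $result = must_verify($req, $routes, true) ? 'redirect to verification' : 'page served';
        printf("  %-16s %s\n", $name, $result);
    }
    // Regression check over the messaging routes named in the post.
    $missing = ungated(['im-threads', 'im-messages', 'im-create-thread'], $routes);
    echo '  ungated messaging routes: ' . ($missing ? implode(', ', $missing) : 'none') . "\n";
}
```

Repeating the list comparison after each IM plugin update shows whether a message-sending route sits outside the verification gate.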