What I'm considering adding to a website I'm going to develop is a Private Messaging System for registered members to communicate directly with one another via the board, and be able to store about 50 messages. I've found this handy on other forums I've used before when wanting to contact Moderators/Members about stuff that doesn't require a topic.

Though, this can quite easily be abused by a member advertising with it, sending offensive material, flaming, spamming, etc. I noticed on these forums they've been disabled/limited for Admin/Moderator use only.

Any suggestions regarding ways to prevent such activities occurring without having to disable it from them?

The only thing I can think of is setting permission for Administrators to read the messages, though, this does conflict with it being a "Private" system, even though I've clearly pointed out that it's still monitored.

Also, does anyone run their own forum and have stories regarding how this has worked for them?

Thanks.

I am building one for my Virtual Team Management Application, I won't get into the code behind it however the best thing to do to filter it is use patterns like cuss words, racism, and other things and filter it that way.  The not so obvious way is to set it up where if a user gets a pm from someone and the message is provocative, then add a block feature so they can block that user from sending them any more pm's.  Keep in mind pm's are like e-mail, the only true node of spam protection is to set up a script that will automatically reply to the person sending the pm or e-mail and have them confirm that it is coming from their computer, and even that is flawed.

You could have a list of bad words and masked bad words and filter out or reject when sent.. you could also have a report button in which a user can click to report the message and then it will flag up in admin panel as being a message which has been reported bad and maybe a message in which a user can add notes.

Another thing is.. You could put a note saying all URLs added to a message will be reviewed before the user will intercept the message.. click here to carry on sending, You will be informed if the message is not accepted. Then what you do just put a Y in a field in a DB and use an admin page to show all flagged messages.


Just my 2 pence

Regards
Liam

It depends on the site you are building

I have a site for Disabled Friends
They would NEED to contact each other, to become friends
but
To help make this secure
I don't convert links to actual links, so if someone does spam then they don't actually get turned into links

AND
I have a REPORT ABUSE, on the bottom of EVERY page, (it's in the footer)
This grabs their current page, and if it's reading a message, then I will get the message ID number, and can look into it
And in my same admin menu, View All Messages by that user
Before some of you go funny
I have in the Terms, that "I may read Personal Messages at any time, for the purpose of protection or Abuse"

When I have kids sign up to the site, I keep an eye on Who sends them messages, and get alerted if a 30 year old sends a 12 year old a message

For Security I read these to make sure it ain't something like Meet me in the park in 10 mins or something

But you do have to be careful
Allowing people to send messages opens up a world of horror
Protection of users is all under the rights, (Make sure you cover everything in your terms and conditions.)

Give your members the ability to ignore future messages from other members, report offensive / inappropriate messages, and automatic filters that can be turned on / off.  At the very least you will want to strip JavaScript from any messages submitted.

You can develop a mechanism such that if X number of seemingly unrelated members report the same member Y for offenses that will disable Y's ability to send messages for some duration.

On your end, I'd want admin controls logging user activity.  This way you can go back and look for a history of offensive messages from a specific IP range which would enable you to file complaints with the offender's ISP.

Lastly, the one reason you should need or want to read another user's personal messages is if an offense has been reported.  Otherwise I'd say it's none of your business.

(EDIT)  One last idea, when a message is submitted, you might want to check if it matches other messages sent by your members.  It's not foolproof, but you could eliminate people from using multiple accounts to spam the same junk to your users.

I bet this initially sounded like a simple task.  ;D
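
An added sketch (not code posted by anyone in this thread) of two ideas from the post above: disabling Y's sending once X unrelated members have reported them, and spotting the same text sent from several accounts. The threshold, window and mute length, the row layout, and the "distinct account and distinct IP" reading of "unrelated" are all assumptions.

```php
<?php
// Assumed policy values; the post only says "X" reports and "some duration".
const REPORT_THRESHOLD = 3;          // X
const REPORT_WINDOW    = 7 * 86400;  // ignore reports older than 7 days
const MUTE_SECONDS     = 3 * 86400;  // how long sending stays disabled

// Time until which $senderId may not send, or null. "Unrelated" is approximated:
// a report counts only if neither the reporting account nor its IP was counted yet.
function muteUntil(array $reports, int $senderId, int $now): ?int
{
    $users = $ips = [];
    foreach ($reports as $r) {
        if ($r['reported_id'] !== $senderId || $r['reporter_id'] === $senderId
            || $now - $r['created_at'] > REPORT_WINDOW
            || isset($users[$r['reporter_id']]) || isset($ips[$r['reporter_ip']])) {
            continue;
        }
        $users[$r['reporter_id']] = $ips[$r['reporter_ip']] = true;
    }
    return count($users) >= REPORT_THRESHOLD ? $now + MUTE_SECONDS : null;
}

// Hash of the body with case, spacing and punctuation normalised away.
function fingerprint(string $body): string
{
    $norm = preg_replace('/[^\p{L}\p{N}]+/u', ' ', mb_strtolower($body, 'UTF-8'));
    return hash('sha256', trim($norm ?? $body));
}

// fingerprint => sender ids, limited to bodies sent by more than one account.
function sharedBodies(array $messages): array
{
    $by = [];
    foreach ($messages as $m) {
        $by[fingerprint($m['body'])][$m['sender_id']] = true;
    }
    return array_filter(array_map('array_keys', $by), fn(array $s) => count($s) > 1);
}

// Constructed sample rows (column names are hypothetical).
$now = 1700000000;
$report = fn(int $by, string $ip) => ['reported_id' => 9, 'reporter_id' => $by, 'reporter_ip' => $ip, 'created_at' => $now - 600];
$reports = [$report(1, '198.51.100.7'), $report(2, '198.51.100.7'), // same IP: counted once
            $report(3, '203.0.113.4'), $report(4, '192.0.2.55')];
$messages = [
    ['sender_id' => 9,  'body' => 'Cheap watches!!  Visit my shop'],
    ['sender_id' => 12, 'body' => 'cheap watches, visit MY shop...'],
    ['sender_id' => 5,  'body' => 'Are you coming to the meetup?'],
];
var_dump(muteUntil($reports, 9, $now), sharedBodies($messages));
```

An exact-match fingerprint only catches copies that differ in case, spacing or punctuation; reworded spam still has to come in through the report button.
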
[quote author=roopurt18 link=topic=109187.msg443339#msg443339 date=1159481955]
Lastly, the one reason you should need or want to read another user's personal messages is if an offense has been reported.  Otherwise I'd say it's none of your business.
[/quote]
I would like to say, The amount of messages on the site
I don't read all messages
I read reported messages
and when I get the alert from a 30 year old sending 12 year olds messages
I don't want to read the Personal Messages, they're personal
It is pointless saying that you can't read the messages, cos you are the site Admin, You can log into MySQL, and read if you wanted
But as I said
ONLY ONLY ONLY read messages when there is a security reason to
[quote author=roopurt18 link=topic=109187.msg443339#msg443339 date=1159481955]
I bet this initially sounded like a simple task.  ;D
[/quote]
Not exactly, I was expecting there would be a fair bit to it.

I've never made "something properly"* in php, and as I'm now developing a site in it from scratch, I'm posting here to gain ideas/innovations I can apply to my code, and discovering different concepts that can be used. I'll most probably be posting my first few classes here (even if they work perfectly) to gain feedback on my code, and to help discover improvements for it, or security loopholes that I wasn't aware of, etc.

Also, thanks to everyone who posted suggestions regarding a PM system. I've taken a few on board, and I'll follow up on this topic when I get around to coding it. Though, that may be a few weeks, possibly a month depending on how long it takes me to do other tasks before it.

---
By "something properly"* I mean I've only done very minor things in php. Like a [url=http://www.clananthrax.net/comments.php]comments[/url] page which does nothing other than add a username/email/comment to a MySQL database and reiterate it on the page in a table, as well as stripping "<" and ">" characters.
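
An added example, not code from any poster in this thread, combining three handling ideas raised above: holding messages that contain a URL for review with a Y flag, leaving links as plain text, and keeping script in a message from running. It escapes at output time instead of stripping characters; the function names and the `review` column are hypothetical.

```php
<?php
// Detects the common URL forms. Obfuscated links ("example dot com") are not
// caught, which is why the report button is still needed.
function containsUrl(string $body): bool
{
    return preg_match('~(?:https?://|www\.)\S+~i', $body) === 1;
}

// Store the body exactly as typed and mark it for review when it has a URL.
// The 'review' column holding 'Y'/'N' is a hypothetical name.
function newMessageRow(int $from, int $to, string $body): array
{
    return ['from' => $from, 'to' => $to, 'body' => $body,
            'review' => containsUrl($body) ? 'Y' : 'N'];
}

// Escape at output time: <, >, &, " and ' become entities, so any markup or
// script in the stored text is displayed as text and never interpreted.
// URLs stay inert because nothing here wraps them in <a> elements.
function renderBody(string $body): string
{
    return nl2br(htmlspecialchars($body, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), false);
}

// Only messages not waiting for review reach the recipient's inbox.
function inbox(array $rows, int $userId): array
{
    $out = [];
    foreach ($rows as $row) {
        if ($row['to'] === $userId && $row['review'] === 'N') {
            $out[] = renderBody($row['body']);
        }
    }
    return $out;
}

// Constructed sample messages.
$rows = [
    newMessageRow(3, 7, "Hi <b>there</b>\n<script>alert(1)</script>"),
    newMessageRow(4, 7, 'Great deals at http://shop.example/ today'),
    newMessageRow(5, 7, 'Tom & "Jerry" say hello'),
];
print_r(inbox($rows, 7));
```

Because the stored body is untouched, the admin view of a reported message shows exactly what was sent, and the same escaping function is reused there.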