phpBB Discussion • Increased spam activity for meettomy.site from compromised accounts

In the last few days I've noticed a lot of spam being posted for the same "meettomy.site dating site" by older (trusted and verified) accounts.
[image: example_spam_post.png]
I've done some research on a forum I control and I can confirm that these accounts belong to legitimate users, and it seems the spammer knows both the usernames and the passwords of the accounts. The accounts I've checked originate from 2020 or before, and the email addresses belonging to the compromised accounts are all listed on https://haveibeenpwned.com/ in 1 or more breaches.

Log Analysis
The spam is being posted from different IP addresses. When I filter the server access logs by IP address, it's interesting to see what happened. Read these logs from the bottom to the top. This is the log for 38.170.124.183:
[image: log1.png]
Log for 190.185.109.144:
[image: log2.png]
As you can clearly see in both examples:
  1. It visits the site without https or www and is redirected to the https version
  2. Visits the UCP to change the signature to add spam there as well
  3. Opens a forum and posts a message
No password resets were performed
I can confirm that the compromised users did not have their passwords reset. I've logged all forum mails in the last years, and most compromised users only received the "Welcome to" mail (in 2020 or before); they did not receive any other mails such as password resets.

Widespread
If you check one of the used IPs, 190.185.109.144, on https://www.stopforumspam.com/search you will see multiple reports in the last days, and based on the email addresses it also looks like legitimate accounts were compromised.

When searching Google for this spam I found a lot of other sites and forums also being spammed, not just phpBB but also vBulletin, XenForo and Invision Community. And I've found similar spam on phpBB.com as well.
[image: phpbbcom_screenshot.png]

Mitigation
I've been trying to figure out a way to stop this. Because these accounts are compromised, they're already activated (so no captcha is needed), and when they already have posts the "Newly registered users" anti-spam features no longer apply to them, so they can post spam without needing approval.

Pruning older accounts would stop it, but I'd rather not just do that. I was also thinking about maybe removing or resetting the passwords of older accounts, but that's also not really a good user experience. There is a way to force people to complete a captcha on login: that's when they've had too many login attempts. So that's how I came to this:

Setting "user_login_attempts" to 99 for all users that haven't signed in since 1 Jan 2024. This will cause those users to complete a captcha before they can continue to log in. For reference, this is the query I used:

Code:

UPDATE phpbb_users
SET user_login_attempts = 99
WHERE user_type = 0
AND user_inactive_reason = 0
AND user_lastvisit < 1704063600;
Discuss
I'm looking for thoughts on this idea and I'm open to any other suggestions to fight this type of spammers!

Statistics: Posted by Derky — Tue Feb 20, 2024 9:56 pm
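The post's log analysis describes a fixed sequence per IP (plain-http hit redirected to https, a signature change in the UCP, then a new post). The script below is an added example, not code from the post or from phpBB, that runs that detection logic over access log lines so the same pattern can be flagged automatically instead of by reading screenshots bottom to top. It assumes Apache/nginx "combined" log format, that phpBB's signature editor is reached via ucp.php with mode=signature and posts are submitted via posting.php (phpBB 3.x URL layout), and that the plain-http hit shows up as a 301 on GET /; the sample log lines are constructed, not real traffic.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" access log line: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log (NOT the poster's real data). The first IP follows the
# sequence described in the post: plain-http hit redirected, login, signature
# edit in the UCP, then a new post. The second IP is an ordinary user replying.
SAMPLE_LOG = """\
38.170.124.183 - - [19/Feb/2024:21:01:05 +0100] "GET / HTTP/1.1" 301 - "-" "Mozilla/5.0"
38.170.124.183 - - [19/Feb/2024:21:01:06 +0100] "GET / HTTP/1.1" 200 5321 "-" "Mozilla/5.0"
38.170.124.183 - - [19/Feb/2024:21:01:20 +0100] "POST /ucp.php?mode=login HTTP/1.1" 302 - "-" "Mozilla/5.0"
38.170.124.183 - - [19/Feb/2024:21:01:35 +0100] "POST /ucp.php?i=ucp_profile&mode=signature HTTP/1.1" 200 7788 "-" "Mozilla/5.0"
38.170.124.183 - - [19/Feb/2024:21:02:10 +0100] "POST /posting.php?mode=post&f=3 HTTP/1.1" 302 - "-" "Mozilla/5.0"
203.0.113.7 - - [19/Feb/2024:21:05:00 +0100] "GET /viewtopic.php?t=12 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Feb/2024:21:30:00 +0100] "POST /posting.php?mode=reply&t=12 HTTP/1.1" 302 - "-" "Mozilla/5.0"
"""


def parse_events(log_text):
    """Group (timestamp, method, path, status) per client IP, sorted by time,
    so it does not matter whether the log viewer lists newest entries first."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events[m["ip"]].append((ts, m["method"], m["path"], int(m["status"])))
    for evs in events.values():
        evs.sort(key=lambda e: e[0])
    return events


def is_signature_edit(method, path):
    # Assumption: phpBB 3.x saves a signature with a POST to ucp.php?...mode=signature.
    return method == "POST" and path.startswith("/ucp.php") and "mode=signature" in path


def is_new_post(method, path):
    # Assumption: new posts and replies are submitted with a POST to posting.php.
    return method == "POST" and path.startswith("/posting.php")


def is_plain_http_redirect(method, path, status):
    # Assumption: the hit "without https or www" is logged as a 301 on GET /.
    return method == "GET" and path == "/" and status == 301


def flag_signature_then_post(log_text, window_seconds=900):
    """Return {ip: details} for IPs that saved a signature and then submitted a
    post within window_seconds; details also record whether the plain-http
    redirect from the post's step 1 was seen for that IP."""
    flagged = {}
    for ip, evs in parse_events(log_text).items():
        saw_redirect = any(is_plain_http_redirect(m, p, s) for _, m, p, s in evs)
        sig_time = None
        for ts, method, path, _status in evs:
            if is_signature_edit(method, path):
                sig_time = ts
            elif sig_time is not None and is_new_post(method, path):
                gap = (ts - sig_time).total_seconds()
                if gap <= window_seconds:
                    flagged[ip] = {
                        "signature_at": sig_time.isoformat(),
                        "posted_at": ts.isoformat(),
                        "seconds_between": gap,
                        "http_redirect": saw_redirect,
                    }
                    break
    return flagged


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for ip, info in flag_signature_then_post(text).items():
        print(ip, info)
```

Run it against a real access log with `python3 flag_spam.py /var/log/apache2/access.log`; without an argument it uses the constructed sample. The output is a triage list, not proof: a shared NAT or proxy can put a legitimate signature edit and another user's post behind one IP, so check the flagged IPs against the forum's own post and user records (and, as the post suggests, against stopforumspam) before acting on an account.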