XF 2.2 Old users are becoming SPAM everyday !

Sadiq6210

Well-known member
Hello

Recently I upgraded our forum from 2.2.8 to latest version and I noticed that many old users are becoming SPAM everyday (5 to 10 old memberships are stolen everyday and posting spam threads). I can't see any relation between the upgrade and the issue, however, this is what happened. Is it a coincidence? Is this a new method of SPAM attacking to steal the users accounts instead of new registration? I mean I am moderating this forum since 2006, moved to Xenforo since 2015 and I didn't face something similar.

Currently I am trying to control the SPAM posts by banning many valuable old users everyday.
Anyone is facing same issue? and advise?
 
Hello

Recently I upgraded our forum from 2.2.8 to latest version and I noticed that many old users are becoming SPAM everyday (5 to 10 old memberships are stolen everyday and posting spam threads). I can't see any relation between the upgrade and the issue, however, this is what happened. Is it a coincidence? Is this a new method of SPAM attacking to steal the users accounts instead of new registration? I mean I am moderating this forum since 2006, moved to Xenforo since 2015 and I didn't face something similar.

Currently I am trying to control the SPAM posts by banning many valuable old users everyday.
Anyone is facing same issue? and advise?
Why not use user batch update and "set user state" of old users to awaiting approval or email verification.
 
Anyone know what caused this?
Most likely this database breach.

XF discussion:
 
My forum has been heavily affected by this as well, and now it seems to be getting even more sophisticated.

Today, we had a security locked account doing this same behavior. The spammer actually reset the user's password, so apparently they had full access to the victim's email account and enough time and (non-bot?) attention to carry this out.

We need to come up with more sophisticated ways to deal with this type of "edit spam".
 
Frustratingly, I've seen these compromises from accounts that are +8 years old to ones which are less than 2-3 months old.

I've been using "I'm under attack" clouldflare setting for the /login url which has migrated most of it, but it has collateral damage (hates on 32bit firefox apparently).

I also run haveibeenpwned.com integration which checks on login and forces 2fa emails if the user is using a known compromised password and that isn't enough as it isn't reliably triggering in all cases.

At this stage I think a popular browser extension has been compromised and is/was harvesting credentials
 
Last edited:
Here's the latest, I caught yet another today.

I have a global audience, so blocking by Country Code is not an option.

A member registered a few weeks ago, their IP is recorded and the User Field: Location is required. They have logged in from IP's from that same country consistently for weeks. Even if the IP triggers a suspect/known spammer country, I allow the registration IF their Location field matches. (ie: IP from China, and Location entered is China or a city from that country)

The LATEST spam trick is to register and have those two values match...THEN come in weeks later and update their User Field: Location to a USA city.

Is there an existing plugin that reports User Field changes to the Admin (via alert or email)?? Even better if only triggers based on specific IP/Country Codes.

The spammers continue to improve their game....
 
Top Bottom