XF 2.2 Old users are becoming SPAM every day!

Sadiq6210

Hello

Recently I upgraded our forum from 2.2.8 to the latest version and I noticed that many old users are becoming SPAM every day (5 to 10 old memberships are stolen every day and are posting spam threads). I can't see any relation between the upgrade and the issue; however, this is what happened. Is it a coincidence? Is this a new method of SPAM attack, stealing users' accounts instead of registering new ones? I mean, I have been moderating this forum since 2006, moved to XenForo in 2015, and I haven't faced anything similar.

Currently I am trying to control the SPAM posts by banning many valuable old users every day.
Is anyone facing the same issue? Any advice?
 
Frustratingly, I've seen these compromises on accounts ranging from 8+ years old to ones that are less than 2-3 months old.

I've been using the "I'm under attack" Cloudflare setting for the /login URL, which has mitigated most of it, but it has collateral damage (it apparently hates 32-bit Firefox).

I also run a haveibeenpwned.com integration which checks on login and forces 2FA emails if the user is using a known compromised password, and that isn't enough, as it isn't reliably triggering in all cases.

At this stage I think a popular browser extension has been compromised and is/was harvesting credentials.
 
Force password resets
Force two factor authentication
If it is an issue with password reuse, using a haveibeenpwned integration (aka my free add-on) and enforcing 2FA on login with a compromised password helps a lot. This add-on can also force password resets if they have a compromised password.
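As an added illustration of the check the two posts above describe (this is example code written for this page, not the add-on's own PHP code and not something posted in the thread): the Pwned Passwords range API takes only the first five hex characters of the password's SHA-1, so the password itself never leaves the login handler, and the full hash is matched locally against the returned suffixes. The breach "corpus" below is constructed for the example so it runs offline; the live fetcher against api.pwnedpasswords.com is shown but not called. The reset threshold and the allow/2FA/reset policy are assumptions, not the add-on's settings.

```python
import hashlib
import hmac
import urllib.request
from typing import Callable, Dict, List

# --- Constructed stand-in for the Pwned Passwords "range" endpoint -----------
# The real endpoint is GET https://api.pwnedpasswords.com/range/<5-hex-prefix>
# and answers with lines of "<35-hex-suffix>:<count>". The corpus here is built
# from a few passwords so the example runs offline; it is NOT real breach data.
def _build_fake_corpus(breached: Dict[str, int]) -> Dict[str, List[str]]:
    corpus: Dict[str, List[str]] = {}
    for pw, count in breached.items():
        digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        corpus.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    return corpus

# Counts are invented for the example.
FAKE_CORPUS = _build_fake_corpus(
    {"password123": 126927, "letmein": 9933, "qwerty": 3912, "Summer2024!": 7}
)

def fake_range_fetch(prefix: str) -> str:
    """Offline fetcher: behaves like the HTTP endpoint for the constructed corpus."""
    return "\r\n".join(FAKE_CORPUS.get(prefix.upper(), []))

def live_range_fetch(prefix: str, timeout: float = 5.0) -> str:
    """Real fetcher (not called in this example). Add-Padding asks the API to
    pad the response with dummy ":0" lines so its size does not reveal how
    many suffixes matched the prefix."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "forum-login-check-example"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")

# --- The k-anonymity check ----------------------------------------------------
def pwned_count(password: str, fetch: Callable[[str], str] = fake_range_fetch) -> int:
    """Return how often the password appears in the corpus (0 = never seen).
    Only the 5-char prefix is sent; the 35-char suffix is compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch(prefix).splitlines():
        cand, sep, count = line.strip().partition(":")
        if not sep:
            continue  # blank or malformed line
        if hmac.compare_digest(cand, suffix):
            # A padding line carries count 0 and must be treated as "not seen".
            return int(count) if count.isdigit() else 0
    return 0

# --- Login policy (assumed thresholds, not the add-on's) ----------------------
RESET_THRESHOLD = 1000  # very common passwords: force a reset, not just 2FA

def login_decision(password: str, fetch: Callable[[str], str] = fake_range_fetch) -> str:
    """'allow' if unseen, 'require_email_2fa' if seen a few times,
    'force_password_reset' if it is a widely leaked password."""
    count = pwned_count(password, fetch)
    if count == 0:
        return "allow"
    if count >= RESET_THRESHOLD:
        return "force_password_reset"
    return "require_email_2fa"

if __name__ == "__main__":
    for pw in ("password123", "Summer2024!", "a long unique passphrase 7c1f"):
        print(pw, pwned_count(pw), login_decision(pw))
```

The check is run at the moment the user submits a correct password, because that is the only time the plaintext is available; the hash stored for login (bcrypt in XenForo) cannot be used to query the API.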

 
Best solution for me: A CAPTCHA integration for the login form. I use an add-on by @DragonByte Tech for this:
I don't think this is a good approach:
CAPTCHAs are usually really annoying; forcing them on every login could have a significantly negative impact on usability, especially for users that like to clear their cookies whenever they close their browser.

Requiring a CAPTCHA to continue after a suspicious login might not be too bad, though (but it is still just a mitigation; if an account is compromised, it is compromised, and this needs to be addressed).
 
It has nothing to do with upgrading XenForo.

First post approval is one way. I use this on one of my forums and it works fine. Also, old accounts may have been hacked.
 
It has nothing to do with upgrading XenForo.

First post approval is one way. I use this on one of my forums and it works fine. Also, old accounts may have been hacked.
Yes, I fully understand and, as mentioned, I don't see any link between the issue and the upgrade; however, there is something abnormal 😑 I didn't notice any existing membership becoming spam in the last 19 years, and now suddenly there are more than 5 users every day! Unless there is a new spam technique or our forum is under spam attack.
 
I would try to figure out a pattern and still try manually banning them for a few days. It is obvious those accounts are controlled by spammers and not the "real" users.
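One way to "figure out a pattern" as the post above suggests, and to decide when the CAPTCHA-after-suspicious-login or first-post-approval mitigations from earlier replies should kick in, is to score each login against what the thread describes: long-dormant accounts, logging in from an address the account has never used, that start posting within minutes. This is an added example written for this page, not code from XenForo or from any add-on; the login records are constructed, the field names are assumptions (XenForo's own tables are not used), and the thresholds are starting points to tune against your own logs.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Set, Tuple

@dataclass
class LoginEvent:
    """Assumed shape of a login record joined with the account's history.
    (Constructed for this example; not XenForo's schema.)"""
    user_id: int
    username: str
    register_date: datetime
    last_activity: datetime          # last activity BEFORE this login
    known_ips: Set[str]              # addresses the account used in the past
    login_at: datetime
    login_ip: str
    post_times: List[datetime] = field(default_factory=list)  # posts after login

# Assumed thresholds (tune against real data).
DORMANT_DAYS = 180          # account silent this long, then suddenly active
FAST_POST_MINUTES = 15      # first post this soon after login is unusual
BURST_POSTS_PER_HOUR = 3    # this many posts in the first hour

def score_login(ev: LoginEvent) -> Tuple[int, List[str]]:
    """Return (score, reasons). Each reason is one pattern from the thread."""
    score, reasons = 0, []
    dormant_days = (ev.login_at - ev.last_activity).days
    if dormant_days >= DORMANT_DAYS:
        score += 2
        reasons.append(f"dormant for {dormant_days} days")
    if ev.login_ip not in ev.known_ips:
        score += 1
        reasons.append(f"never-before-seen ip {ev.login_ip}")
    if ev.post_times:
        first = min(ev.post_times)
        minutes_to_post = (first - ev.login_at).total_seconds() / 60
        if minutes_to_post <= FAST_POST_MINUTES:
            score += 2
            reasons.append(f"first post {minutes_to_post:.0f} min after login")
        burst = sum(1 for t in ev.post_times if t - ev.login_at <= timedelta(hours=1))
        if burst >= BURST_POSTS_PER_HOUR:
            score += 1
            reasons.append(f"{burst} posts in the first hour")
    return score, reasons

def decide(score: int) -> str:
    """Map a score to the mitigations discussed in the thread."""
    if score >= 5:
        return "hold_posts_for_moderation"   # first-post-approval style hold
    if score >= 3:
        return "step_up"                     # CAPTCHA or 2FA before posting
    return "allow"

# --- Constructed sample records (not real users) ------------------------------
T0 = datetime(2024, 6, 1, 9, 0)

REGULAR = LoginEvent(1, "regular", datetime(2012, 3, 4), T0 - timedelta(days=1),
                     {"203.0.113.10"}, T0, "203.0.113.10",
                     [T0 + timedelta(hours=2)])
HIJACKED_OLD = LoginEvent(2, "old_member", datetime(2009, 7, 1), T0 - timedelta(days=1100),
                          {"198.51.100.7"}, T0, "192.0.2.55",
                          [T0 + timedelta(minutes=2), T0 + timedelta(minutes=9),
                           T0 + timedelta(minutes=20), T0 + timedelta(minutes=41),
                           T0 + timedelta(minutes=58)])
DORMANT_QUIET = LoginEvent(3, "returning", datetime(2015, 1, 1), T0 - timedelta(days=400),
                           {"198.51.100.9"}, T0, "198.51.100.9", [])
NEW_IP_FAST = LoginEvent(4, "travelling", datetime(2024, 3, 1), T0 - timedelta(days=3),
                         {"203.0.113.77"}, T0, "192.0.2.8",
                         [T0 + timedelta(minutes=5)])

def report(ev: LoginEvent) -> str:
    score, reasons = score_login(ev)
    return f"{ev.username}: {decide(score)} (score {score}; {', '.join(reasons) or 'no flags'})"

if __name__ == "__main__":
    for ev in (REGULAR, HIJACKED_OLD, DORMANT_QUIET, NEW_IP_FAST):
        print(report(ev))
```

Run over a day's logins, the `reasons` column is what you would eyeball for a pattern (for example, whether the flagged accounts share a new IP range or an ASN) before deciding which accounts to ban manually. Dormancy alone is deliberately not enough to block: a returning member who reads without posting scores 2 and is allowed through, while a fresh account from a new address that posts immediately is stepped up rather than banned.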
 
What last-visit cutoff date are people using for the password reset? <2015? Right now I have 200k members this would affect. Will this process kill my server like deletion does?
 
I did a forced reset for all users in Aug 2021... at that point, 150,000 total accounts. Six months later, over 25,000 accounts had completed the reset. Dealing with the users who no longer have access to their registration email is a PITA... I still deal with that every week.

Good luck "reaching" those users....
 