Increase in Spam from old accounts

Dkf

Dkf

Active member
Hello everyone,

I've noticed an increase in spam from old accounts over the past few days. These are accounts that haven't posted on the forum for many years. All the spam is advertising "Top-notch Casual Dating".

After analyzing other forums, I've noticed the same thing happening there too. But the most interesting part is that these forums operate on different platforms.

XenForo - https://pika-network.net/threads/top-notch-sasual-dating-verified-maidens.390411/
Vbulletin - https://www.nissan-club.org/board/showthread.php?t=53559
Invision Community - https://ecuforum.ru/topic/9982-genuine-damsels-top-notch-sasual-dating/

How does this spammer manage to simultaneously hack into forums that use different software?
 
Ozzy47 said:
arstechnica.com

Researcher uncovers one of the biggest password dumps in recent history

Roughly 25 million of the passwords have never been seen before by widely used service.
arstechnica.com arstechnica.com
Click to expand...
I've come up with an idea to develop a plugin for XenForo. It will utilize the API of the service https://haveibeenpwned.com/API/v3 to check if a user's password has been compromised. If it has, the user will be notified via email and either be blocked or prompted to change their password in some way...
 
Dkf said:
Hello everyone,

I've noticed an increase in spam from old accounts over the past few days. These are accounts that haven't posted on the forum for many years. All the spam is advertising "Top-notch Casual Dating".

After analyzing other forums, I've noticed the same thing happening there too. But the most interesting part is that these forums operate on different platforms.

XenForo - https://pika-network.net/threads/top-notch-sasual-dating-verified-maidens.390411/
Vbulletin - https://www.nissan-club.org/board/showthread.php?t=53559
Invision Community - https://ecuforum.ru/topic/9982-genuine-damsels-top-notch-sasual-dating/

How does this spammer manage to simultaneously hack into forums that use different software?
Click to expand...
Another way is to delete the old users and send them an email about their accounts being banned and how they have to sign up again with a new one.
 
Ozzy47 said:
There was a massive data breach leak recently.
Click to expand...
I think there have been some other massive breach recently which hasn't found it's way into haveibeenpwned, as I've been seeing this 'casual dating' spam my own sites and only a few of them are being caught by the Password Tools forcing email 2fa if the password is detected as compromised.

Suzanne O said:
Another way is to delete the old users and send them an email about their accounts being banned and how they have to sign up again with a new one.
Click to expand...
This isn't enough. I'm seeing active accounts being compromised with this.
 
The spammers usually get access to these old accounts by working through big databases of compromised email/password or username/password combinations. Of course this is done automatically with bots; each request a new ip address. That is why you cannot get rid of them by banning IP addresses or user accounts after X login attempts.

A good add-on, that can mitigate this issue is this one by @DragonByte Tech

[DBTech] DragonByte Security DragonByte Tech

[DBTech] DragonByte Security

Improve your forum's security

It has a feature, that adds a CAPTCHA to the login form. This will stop practically all such login attempts by bots.
 
Xon said:
This isn't enough. I'm seeing active accounts being compromised with this.
Click to expand...
Hence why I suggested that we need a third security lock option :)

K

Thread 'Security Lock: User must contact Admin'

The recent wave of compromised accounts that are suspected to originate from compromised email accounts has brought up the question how to deal with them without potentially upsetting users that might return.

Right now there seem to be several options to handle compromised accounts:
  1. Ban the account
    Does stop spam activity, but might upset some human users
  2. Set security lock to "User must change password"
    Might work a bit, but as bots know the password they can easily change it
  3. Set security lock to "User must reset password"
    Pretty much the same as before, but requires a bit...
  • Like
 
Xon said:
I think there have been some other massive breach recently which hasn't found it's way into haveibeenpwned, as I've been seeing this 'casual dating' spam my own sites and only a few of them are being caught by the Password Tools forcing email 2fa if the password is detected as compromised.


This isn't enough. I'm seeing active accounts being compromised with this.
Click to expand...
Oh ok.
Kirby said:
Hence why I suggested that we need a third security lock option :)

K

Thread 'Security Lock: User must contact Admin'

The recent wave of compromised accounts that are suspected to originate from compromised email accounts has brought up the question how to deal with them without potentially upsetting users that might return.

Right now there seem to be several options to handle compromised accounts:
  1. Ban the account
    Does stop spam activity, but might upset some human users
  2. Set security lock to "User must change password"
    Might work a bit, but as bots know the password they can easily change it
  3. Set security lock to "User must reset password"
    Pretty much the same as before, but requires a bit...
  • Like
Click to expand...
Maybe that might help if it's added in.

Along with sending out an email to those that still use the account saying that their account will be nuked in 24 hours if it's misused.
 

Similar threads

RedZephon
  • Question Question
XF 1.5 Increase in Spam Users
Replies
1
Views
802
Paul B
Paul B
Top Bottom