XF 2.3 Spam in xf_unfurl_result: No source in posts or conversations

[Astra]

Good evening.

I’m seeking some advice regarding the "xf_unfurl_result" table on my XenForo 2.3.10 site.
I’ve noticed that this table is constantly being populated with what looks like spam links. The strange thing is that these URLs do not appear to exist in my "xf_post" table — I’ve checked via terminal using SQL queries and found no matches.
I tried truncating the "xf_unfurl_result" table yesterday to start fresh, but it has already begun filling up again with the same suspicious links.

Could you please clarify:

1. Besides public posts, where else does the XenForo Unfurl system pull URLs from?
2. Is there a way to track which specific piece of content (or user) triggered a particular unfurl request?
3. Could a third-party addon be bypassing standard content tables and using the unfurl service directly?

I want to make sure my forum hasn't been compromised or isn't being used for some kind of background link-crawling.

I tried using Gemini and GPT to find a solution to this unclear situation. Both suggested re-downloading the forum’s js and src folders, deleting the existing ones, and uploading fresh copies. After that, they recommended placing the addons back into those folders — I only have three addons installed.

Thank you for any help or suggestions!

 

[briansol]

My bet is that a spammer posted something, you or a mod spam cleaned it, removing the post, but the unfurl table is not cleaned as part of the spam clean up routine.

I looked at the code and it doesn't appear to clean that table as part of the routine.

file it as a bug i would say.

 

[Astra]

I hadn't cleared the "xf_unfurl_result" table for 7 years, and it had reached 70 MB. I assumed there was a built-in XenForo tool or cron job to clean it up, but when I finally looked inside, it was mostly filled with spam links.

I truncated the table, but it started growing again the next day, despite having no new registrations or posts with those links overnight. I’ve scanned posts, conversations, signatures, and everything else I could think of — these links simply do not exist on the forum. I’ve just cleared the table again to see what happens in an hour.

Where are these links coming from? Who is generating them?

I have one lead: until today, guests were allowed to see and type in the message editor (though they were prompted to register upon clicking "post"). I have now disabled the editor for guests entirely. Is it possible that the Unfurl system triggers and saves a result to the database as soon as a link is pasted into the editor, even if the user is a guest and the post is never actually submitted?

---

It’s frustrating that this table doesn’t store any metadata about the origin of the links or who triggered them. There is absolutely nothing to help identify the source or understand whether this is a security breach, normal system behavior, or something generated by an addon.
Could you please check your own "xf_unfurl_result" tables? What kind of data do you see there? Is it just me seeing these spam links, or is this a common occurrence for everyone?

 

[briansol]

yeah, it's very possible they make the post, hit the draft/save state which processes the url, and then the post gets discardded but these don't get cleaned up.

it's a bug.

I'm bloated too.