XF 2.3 Spam in xf_unfurl_result: No source in posts or conversations

Astra

Good evening.

I’m seeking some advice regarding the "xf_unfurl_result" table on my XenForo 2.3.10 site.
I’ve noticed that this table is constantly being populated with what looks like spam links. The strange thing is that these URLs do not appear to exist in my "xf_post" table — I’ve checked via terminal using SQL queries and found no matches.
I tried truncating the "xf_unfurl_result" table yesterday to start fresh, but it has already begun filling up again with the same suspicious links.

Could you please clarify:

1. Besides public posts, where else does the XenForo Unfurl system pull URLs from?
2. Is there a way to track which specific piece of content (or user) triggered a particular unfurl request?
3. Could a third-party addon be bypassing standard content tables and using the unfurl service directly?

I want to make sure my forum hasn't been compromised or isn't being used for some kind of background link-crawling.

I tried using Gemini and GPT to find a solution to this unclear situation. Both suggested re-downloading the forum’s js and src folders, deleting the existing ones, and uploading fresh copies. After that, they recommended placing the addons back into those folders — I only have three addons installed.

Thank you for any help or suggestions!

My bet is that a spammer posted something, you or a mod spam cleaned it, removing the post, but the unfurl table is not cleaned as part of the spam clean up routine.

I looked at the code and it doesn't appear to clean that table as part of the routine.

file it as a bug i would say.
 
I hadn't cleared the "xf_unfurl_result" table for 7 years, and it had reached 70 MB. I assumed there was a built-in XenForo tool or cron job to clean it up, but when I finally looked inside, it was mostly filled with spam links.

I truncated the table, but it started growing again the next day, despite having no new registrations or posts with those links overnight. I’ve scanned posts, conversations, signatures, and everything else I could think of — these links simply do not exist on the forum. I’ve just cleared the table again to see what happens in an hour.

Where are these links coming from? Who is generating them?

I have one lead: until today, guests were allowed to see and type in the message editor (though they were prompted to register upon clicking "post"). I have now disabled the editor for guests entirely. Is it possible that the Unfurl system triggers and saves a result to the database as soon as a link is pasted into the editor, even if the user is a guest and the post is never actually submitted?


It’s frustrating that this table doesn’t store any metadata about the origin of the links or who triggered them. There is absolutely nothing to help identify the source or understand whether this is a security breach, normal system behavior, or something generated by an addon.
Could you please check your own "xf_unfurl_result" tables? What kind of data do you see there? Is it just me seeing these spam links, or is this a common occurrence for everyone?
 
yeah, it's very possible they make the post, hit the draft/save state which processes the url, and then the post gets discarded but these don't get cleaned up.

it's a bug.

I'm bloated too.

 
just a fyi. if you are truncating in bulk without actually checking what you are deleting, you might end up with links that do not unfurl at all on your board. xenforo needs the row in database for existing links to work. it just does not process any link that has been posted already but it is not present in the relevant table unless you post it fresh again. more in this post.
 
I understand, but links to third-party sites are prohibited on my forum, so I'm not worried about that scenario. What concerns me most is the presence of links to third-party sites itself.

Because there has already been a precedent on my other forum where people post dangerous and illegal links, and then those same people run to the registrar and file a complaint stating that there are illegal links on the forum. The registrar then suspends the forum's operation. They can do the same to the hosting provider, who also blocks the services. It turns out that anyone can get your forum blocked without your knowledge if you don't find the hidden cause of this block in time.
 
Found the reason behind all those links. Just as I suspected, it turned out to be possible if a user writes a message in the editor before registering. Most likely, these are just regular spam bots that spotted an opportunity to post on the forum without registration. Their links get loaded, but since they never intended to actually register, their links just keep multiplying and piling up in that table. After deleting the table, everything works perfectly, as I don’t have any other third-party links on my forum. Thanks to everyone for the comments; have a great day and a wonderful mood!
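
A way to find which unfurl rows are orphaned before deleting anything, rather than truncating the whole table (an added example, not part of the thread and not XenForo code). It assumes the URLs from `xf_unfurl_result` and the message bodies of posts, conversations and signatures have been exported as lists of strings; the function names and sample data are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Finds http(s) URLs anywhere in a message body, including inside
# [URL]...[/URL] BBCode; brackets, quotes and whitespace end the match.
URL_RE = re.compile(r"https?://[^\s\[\]\"'<>]+", re.IGNORECASE)


def normalize(url):
    """Lower-case scheme and host, drop the fragment and a trailing slash."""
    parts = urlsplit(url.strip())
    path = parts.path.rstrip("/")
    query = "?" + parts.query if parts.query else ""
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}{path}{query}"


def referenced_urls(bodies):
    """Collect every normalized URL found in the exported content bodies."""
    found = set()
    for body in bodies:
        for match in URL_RE.findall(body):
            # Trailing sentence punctuation is not part of the link.
            found.add(normalize(match.rstrip(".,;)")))
    return found


def orphaned_unfurls(unfurl_urls, bodies):
    """Return unfurl-table URLs that no exported content references."""
    known = referenced_urls(bodies)
    return [u for u in unfurl_urls if normalize(u) not in known]


def orphans_by_host(orphans):
    """Count orphaned URLs per host to show which domains dominate."""
    return Counter(urlsplit(u).netloc.lower() for u in orphans)


# Constructed sample data (not taken from any real forum).
SAMPLE_UNFURL_URLS = [
    "https://example.org/docs/",
    "https://spam.example/buy-now",
    "https://spam.example/cheap?id=7",
    "HTTPS://Example.com/page#top",
]
SAMPLE_BODIES = [
    '[URL unfurl="true"]https://example.org/docs[/URL]',
    "See https://example.com/page.",
]
```

Rows returned by `orphaned_unfurls` are the candidates for deletion; rows that still match content stay, so existing links keep unfurling.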
 