Spammers posting through existing accounts with no need to login?

mattrogowski said:
Do you have something else to prune inactive users or anything? You must have something else set up to delete users that haven't activated their accounts or something, in which case you wouldn't want to be setting lots of users to that state.
Click to expand...
Hmm, no I don't have anything that prunes inactive accounts.
I do see a lot of bounce errors. When I look up the email adres that is bounced, that user does not exist in ACP.
 
mattrogowski said:
The users are still there, it's just the count that's wrong, it doesn't count users that are set to re-confirm their email address, but there's already code that should be recalculating that.
Click to expand...
Is there a way to undo this? I just realised I now can't tell which are users who had not yet confirmed on registering, and which ones were set by this addon?
 
Mr Lucky said:
Is there a way to undo this? I just realised I now can't tell which are users who had not yet confirmed on registering, and which ones were set by this addon?
Click to expand...
Only based on last activity, which is all this uses. But that would include people who registered > 6 months ago and didn't activate their accounts.

Edit: oh for email confirmation it does set another flag, inactive_reverify
 
I'll just delete it, only dropped it in to try and be helpful as someone asked about it and wasn't expecting ongoing discourse about it, but I don't want a whole new resource for it. Apologies for clogging up the thread.
 
mattrogowski said:
I'll just delete it, only dropped it in to try and be helpful as someone asked about it and wasn't expecting ongoing discourse about it, but I don't want a whole new resource for it. Apologies for clogging up the thread.
Click to expand...
Well it was actually helpful and seemed to be a decent workaround while the xenForo batch update users is not working as it should.
 
alexm said:
Just one here on that IP and I’d already set old accounts to ‘User must reset password’ so he didn’t get anywhere.
Click to expand...
We had no. 2 turn up and, this time, have his turn at spamming us.

He was a 2012 account, never changed his password since before 2018 when we with vBulletin. Had no changes to his account so changed to 'Locked: user must reset password'.

He escaped the earlier 'Locked' status because he was still with X months of posting at the time.

Next! ;)
 
Last edited:
Same here, had to ban all those accounts.

Also censored the telegram channel lol even if they post it, members can't get scammed.
 
I have not yet seen this on our forum, but I have seen similar spam on another forum (not using XenForo). In those cases all the spammers did was post a link and then disappear.

Are people here seeing more dangerous activity? If it's just a few spam links I am not sure why people are proposing such drastic countermeasures (we did change all our admin passwords).
 
JRobert said:
I have not yet seen this on our forum, but I have seen similar spam on another forum (not using XenForo). In those cases all the spammers did was post a link and then disappear.

Are people here seeing more dangerous activity? If it's just a few spam links I am not sure why people are proposing such drastic countermeasures (we did change all our admin passwords).
Click to expand...
Old users are being compromised (verified that was the case with the few of mine that got hit) and their profiles are being updated with the Telegram link in question.

While it isn't the most serious thing, it is a risk that can easily be avoided and 🤷‍♂️. In my case, a member who died was compromised, and he was well liked by the community so people would have gone to the link if it had been posted.
 
I noticed that the XenForo guests list number was high this morning and in it quite a few where old registrations were being viewed. Not sure if it's anything or nothing....

1674025656190.png

Edit: @Chris D @Brogan - is it possible for you to check the IP addresses of your (xenforo.com) 'Guests' viewing member profiles to see if they are coming from the Microsoft Datacentre at Des Moines?
 
Last edited:
webbouk said:
guests list number was high
Click to expand...
Check the source of those guests.

My forum has been under unusually heavy traffic for several days, constantly having around 500-600 visitors from hundreds of IPs allocated to Microsoft in North America, and all with a Mac user agent, which is suspicious/unusual to the regular traffic (forum hosted in Germany targeting a cycling community in Romania). Ultimately I had to deny about 19 subnets in .htaccess. No idea what the purpose was; they were not trying to register or to post anything, maybe just scrape contents for an unknown reason, without identifying as a legitimate crawler.

Second traffic group is from bots attempting to register accounts (blocked by Cloudflare's new captcha) or to post as guests (did that successfully despite permissions set in Invision Power board prior to the migration to Xenforo). They are all coming from thousands of TOR exits/gateways, and I wish there was a nice way to identify them and block them automatically.

Neither of those seem related to the symptoms of the current issue of spam bots breaking into old forum accounts, though...
 
Miri said:
While we sleep, there is a component of @Ozzy47 that protects us from spam.
In my opinion, he has made a deal with the criminals, 🤣 but it doesn't matter. I am protected. 😎
Click to expand...

I've been running Ozzys addon for a whiile, but they still got through and logged into a dozen members. We are a subscription forum so most of the accounts they logged in with couldn't post. But they did generate spam for two subscribers.
 
You must log in or register to reply here.
Top Bottom