Spammers posting through existing accounts with no need to login?

The problem is, he's not failing a login attempt...
Are you sure? Normally these attackers use a set of email/password combinations and try them one after another, and only some of them will work. So you will most likely have masses of failed logins.

See my post here:
You can use the addon "Dragonbyte Security" by @DragonByte Tech in 2 ways to avoid this issue:

  1. Turn on Captcha on login. This will avoid any kind of brute-force login attack.
  2. Monitor failed logins. If there are a lot of failed logins, probably someone is trying to hack accounts.
Good luck!
 
The problem is, he's not failing a login attempt... he somehow knows the password and logs right in. That's why I need an alert whenever that IP address is used.
The only problem is, today it's just one IP address. As this exploit gains in popularity, it could be a couple dozen IP addresses within the month, or hundreds (if not thousands) by the end of the year. Spammers don't give up, and will find new VPNs, open proxies, or servers in third world countries to attack us with.

I'd just ban the IP address, and no worries from that point on. On the three members I found on one forum, the spam message all had the same IP address, but the members' other addresses were very different, and all were consistent with a particular area.

Pretty crazy, though... think of all the time all of us have wasted on dealing with spammers. If we had a dollar for each minute we've spent on it...
 
Are you sure? Normally these attackers use a set of email/password combinations and try them one after another, and only some of them will work. So you will most likely have masses of failed logins.
Absolutely positive. I am monitoring failed login attempts, and of the 6 that used the @Pump, none of them had any failed login attempts.
 
I am monitoring failed login attempts, and of the 6 that used the @Pump, none of them had any failed login attempts.
This is no contradiction to what I posted:
Normally these attackers use a set of email/password combinations and try them one after another, and only some of them will work. So you will most likely have masses of failed logins.
In other words: they try each account only once, but they have to try a really big number of existing and (mostly) non-existing accounts, and in the end they will find only a few logins that actually work.
 
This is no contradiction to what I posted:

In other words: they try each account only once, but they have to try a really big number of existing and (mostly) non-existing accounts, and in the end they will find only a few logins that actually work.
OK, I guess. This guy used the same IP address as others have stated here (109.107.166.230). On each of the 6 accounts he logged in to, there were no failed attempts. If he had tried even once and failed, the logs would show it. Heck, he just tried a few minutes ago on one of the usernames that I had set to "Compromised", and now, unfortunately, he's been alerted.

Instead of putting up the notice of a compromised account, I should have hidden it so I could track him. Now that he knows, I doubt he will be back - not the outcome I wanted. I don't want to stop him, I want to track him so I can see what he's doing, and how he's doing it.
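The two posts above describe the pattern a per-account failed-login counter misses: one source IP tries each account only once (so no account ever shows a failed attempt) but touches a large number of accounts, most of which don't exist, and the few that succeed are logins from an IP the member has never used before. The script below is an added example, not code from this thread or from XenForo or any add-on named here; the log line format (`timestamp ip user result`), the field names, the RFC 5737 documentation addresses and the per-member IP history are all constructed for the demonstration. It flags the spraying source by its spread across accounts rather than by failures per account, raises the "alert whenever that IP address is used" watchlist check asked for earlier in the thread, and lists the accounts that should be reset.

```python
"""Credential-stuffing detection over constructed authentication log lines.

Added example (not code from the thread, XenForo, or any add-on it names).
Assumptions: one log line per login attempt in the form
"timestamp ip user result" with result "ok" or "fail", and a per-member
history of IPs previously seen on each account.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log. 192.0.2.50 plays the spraying source; the
# 203.0.113.x / 198.51.100.x addresses are members' normal locations.
SAMPLE_LOG = """\
2023-01-10T08:00:01 203.0.113.7 alice ok
2023-01-10T08:05:12 198.51.100.20 bob ok
2023-01-10T09:00:00 192.0.2.50 nosuchuser1 fail
2023-01-10T09:00:01 192.0.2.50 nosuchuser2 fail
2023-01-10T09:00:02 192.0.2.50 alice ok
2023-01-10T09:00:03 192.0.2.50 nosuchuser3 fail
2023-01-10T09:00:04 192.0.2.50 bob ok
2023-01-10T09:00:05 192.0.2.50 carol ok
2023-01-10T09:00:06 192.0.2.50 nosuchuser4 fail
2023-01-10T10:00:00 203.0.113.7 alice ok
2023-01-10T10:30:00 203.0.113.9 alice fail
2023-01-10T10:30:05 203.0.113.9 alice ok
"""

# Constructed history: IPs each member was seen from before this log window.
HISTORY = {
    "alice": {"203.0.113.7"},
    "bob": {"198.51.100.20"},
    "carol": {"203.0.113.9"},
}


@dataclass(frozen=True)
class Event:
    ts: str
    ip: str
    user: str
    ok: bool


def parse_log(text):
    """Parse the constructed 'timestamp ip user result' format into Events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append(Event(ts, ip, user, result == "ok"))
    return events


def spraying_ips(events, min_distinct_users=5, max_attempts_per_user=1):
    """Source IPs that touch many distinct accounts while trying each only
    a few times. Per-account failure counts stay at zero in this pattern,
    so the signal is the spread of accounts per source, not failures per
    account. Returns {ip: sorted list of usernames tried}."""
    per_ip = defaultdict(lambda: defaultdict(int))
    for e in events:
        per_ip[e.ip][e.user] += 1
    flagged = {}
    for ip, users in per_ip.items():
        if (len(users) >= min_distinct_users
                and max(users.values()) <= max_attempts_per_user):
            flagged[ip] = sorted(users)
    return flagged


def new_ip_successes(events, history):
    """Successful logins from an IP the account has never used before.
    `history` maps user -> set of previously seen IPs; IPs seen earlier in
    this window count as known too. Returns (user, ip, timestamp) tuples."""
    known = {u: set(ips) for u, ips in history.items()}
    hits = []
    for e in events:
        if not e.ok:
            continue
        seen = known.setdefault(e.user, set())
        if e.ip not in seen:
            hits.append((e.user, e.ip, e.ts))
        seen.add(e.ip)
    return hits


def accounts_to_reset(events, watchlist=frozenset()):
    """Accounts successfully logged in from a spraying IP or from an IP on
    the operator's watchlist; these are the passwords to reset."""
    bad_ips = set(spraying_ips(events)) | set(watchlist)
    return sorted({e.user for e in events if e.ok and e.ip in bad_ips})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("spraying sources:", spraying_ips(evs))
    print("logins from new IPs:", new_ip_successes(evs, HISTORY))
    print("reset these accounts:", accounts_to_reset(evs))
```

The `new_ip_successes` check on its own still fires for alice's legitimate login from 203.0.113.9 (a mistyped password, then success), which is why the reset list is driven by the source-IP spread and the watchlist rather than by "new IP" alone; the new-IP hits are best used as the per-account notification that tells a member to review their recent activity.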
 
Most likely it's automated and doesn't monitor replies, as most spam campaigns are. They'll move on to an easier target rather than try to get around that one site that causes an issue. There are thousands more they'll try.
 
Following this with interest. Clearly my forums aren't interesting enough, but both aren't that old, so they don't have really historic members. But after reading this I checked members online and have a guest "engaged in conversation", which is strange, because guests can't do that - only registered members. (Screenshot: guest engaged in conversation)
 
Yep, I have the same issue with the same spam URL.

Has it been confirmed this is via the LastPass data breach?
Not sure about LastPass, but I checked the pwned site and none of the emails of my 6 members showed up, so I have to believe this is some breach from a long time ago that is resurfacing. I hate script-kiddies.
 
I should have hidden it so I could track him. Now that he knows, I doubt he will be back - not the outcome I wanted. I don't want to stop him, I want to track him so I can see what he's doing, and how he's doing it.

It's an automated system; there is no him and no need to spend time tracking. They have millions of compromised accounts across many platforms.
 
Not sure about LastPass, but I checked the pwned site and none of the emails of my 6 members showed up, so I have to believe this is some breach from a long time ago that is resurfacing. I hate script-kiddies.
This is why I theorized earlier in this thread that newer accounts were not targeted: the data from the breaches is probably a few years old, if not older. It's entirely possible that active (non-dormant) accounts could be targeted, if they signed up long ago. But chances are, some of those active accounts have changed their email addresses or passwords since the data breach, so their accounts are not being accessed.
 
Hit by this today, same IP, old account with real posts. Does banning the IP do it? Or wasn't there some fix in one of these posts, a file?
 
Hit by this today, same IP, old account with real posts. Does banning the IP do it? Or wasn't there some fix in one of these posts, a file?
Banning the IP will help... today. But when he starts using a VPN or spoofing his IP, he'll be back. Like Ozzy says, we need to stop the bots from logging in at all. And like Ozzy said: "It's an automated system, there is no him or no need to spend time tracking. They have millions of compromised accounts across many platforms." I'm wasting time trying to track his steps. I'm just gonna put his post in banned words so it just shows *, and then nuke his IP address... but not with XF; I will do it via htaccess so he never even gets to the site.
 
This is why I theorized earlier in this thread that newer accounts were not targeted: the data from the breaches is probably a few years old, if not older. It's entirely possible that active (non-dormant) accounts could be targeted, if they signed up long ago. But chances are, some of those active accounts have changed their email addresses or passwords since the data breach, so their accounts are not being accessed.
Yes, so far all of the accounts being targeted on my forum were registered in or before 2020.
 
Banning the IP is just a temporary band-aid. If these logins and passwords have been compromised, it may be helpful to allow the spammer to do their thing so you know which accounts need to be reset.
 