Spammers posting through existing accounts with no need to login?

FWIW I think everyone needs to put the recent spate of unauthorised account access into perspective. It's highly unlikely that forcing your entire user base to reset their passwords is proportionate.

We have also had dormant accounts on this very forum, some belonging to actual customers, be accessed by an unauthorised third party and we are absolutely not going to be inflicting a mass password reset on everyone.

We are taking it on a case by case basis. For each spammer we identify, where that user appears to have been a long dormant account, belongs to a customer, or has made legitimate posts before, we will simply security lock that account.

It is, I feel, extremely unlikely anything more than a small percentage of your users will be affected, and, on balance, given the likely vector of the attack (a potentially aged data breach from decades gone by), will only likely affect long dormant accounts.

It is my opinion that forcing a password reset on all of your users to prevent what is little more than fairly harmless spam - the kind that we often see every day anyway - is not very user friendly, inconvenient, and likely to cause unnecessary concern.

Making users aware, globally, preferably just via a notice or similar, that they may want to consider changing their password if they reuse passwords from other sites, or they may want to consider two-step verification is the right way forward.
 
It's highly unlikely that forcing your entire user base to reset their passwords is proportionate.
Once you get the batch update users bug fixed, the password lock can be applied to users that have not logged in for over two years. This is certainly a good practice, especially for those running boards that are 20+ years old like mine. If someone has not logged in over 2 years, it's time for a password update, assuming they even log in again.

 
The method of dormant account lock-out addresses the potential attack subjects (victims?) which are definitely easy to identify and control.

Maybe we can also consider identifying the attack sources, based on some well-thought triggers.

So far the assumption is that the spammers are using 3rd party leaks to try to find a matching (dormant) account and post spam through it. This implies that their robots are either blindly trying millions of logins until they find a match or, to reduce the amount of failed attempts, they first try to pull a list of usernames and guess a match between a forum account name and one of the known (username/)e-mail/password combinations.

Both should be easily identified by any brute force detection mechanism, when you have maybe some hundreds of bot IPs getting repeatedly failed login errors, even stretched out over time so that they don't trip a counter too fast. Preventing guests' access to members list would also make it harder for them to scrape usernames from the forum without going page by page like a crawler.

If you roll your own server, a fail2ban mechanism is absolutely wonderful for this. Wordpress has a plugin for it, not sure if Xenforo can dump the login errors in the syslog for the fail2ban to kick them out from the local firewall level.

Another nice way to detect suspicious login attempts might be to compare the country of the previous successful IP with the country of the new login's IP. If different, the login could be conditioned by an e-mail confirmation. This will require a plugin and a GeoIP query.

Will this be 100% failproof? Most likely not. But it will be one significant hurdle to overcome.

[edit] If the assumption is incorrect and the perpetrators have login data from another source, maybe more accurate in terms of forum accounts, that might require a different strategy to catch them with a good trigger/trap. It still doesn't invalidate the need for a good detection for repeated failed login attempts, to block the source attempting multiple failed logins, and/or (temporarily) lock the forum account being repeatedly tested within a moderately short timeframe.
 
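As an added illustration of the detection the post above describes (this is not code from the thread or from XenForo), a small Python detector over constructed log lines: it counts failed logins per IP over a long window with a low threshold (so attempts spread out over time still trip it), counts distinct source IPs failing against one account, and flags a successful login whose GeoIP country differs from the account's previous successful one. The log format, the thresholds and the sample IPs are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not from any real forum): timestamp, source IP, account, result, GeoIP country.
SAMPLE_LOG = """\
2024-05-01T01:00:00 203.0.113.5 alice fail DE
2024-05-01T04:10:00 203.0.113.5 bob fail DE
2024-05-01T09:30:00 203.0.113.5 carol fail DE
2024-05-01T02:00:00 198.51.100.7 dave fail US
2024-05-01T03:00:00 198.51.100.8 dave fail US
2024-05-01T05:00:00 198.51.100.9 dave fail US
2024-04-30T12:00:00 192.0.2.10 erin success GB
2024-05-01T06:00:00 192.0.2.44 erin success BR
2024-05-01T07:00:00 192.0.2.50 frank success FR
2024-05-01T08:00:00 192.0.2.50 frank success FR
"""

def parse(log):
    events = []
    for line in log.splitlines():
        ts, ip, user, result, country = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result, country))
    return sorted(events)  # chronological, so "previous successful login" is well defined

def analyse(log, window=timedelta(hours=24), ip_threshold=3, account_threshold=3):
    """Return IPs to block, accounts to lock temporarily, and logins that need e-mail confirmation."""
    ip_fails = defaultdict(list)    # ip -> timestamps of failed logins inside the window
    acct_fails = defaultdict(list)  # account -> (timestamp, ip) of failed logins inside the window
    last_ok_country = {}            # account -> country of its last successful login
    findings = {"block_ip": set(), "lock_account": set(), "confirm_by_email": set()}
    for ts, ip, user, result, country in parse(log):
        if result == "fail":
            # A low threshold over a long window catches attempts deliberately
            # stretched out so that a fast per-minute counter never trips.
            ip_fails[ip] = [t for t in ip_fails[ip] if ts - t <= window] + [ts]
            if len(ip_fails[ip]) >= ip_threshold:
                findings["block_ip"].add(ip)
            acct_fails[user] = [(t, i) for t, i in acct_fails[user] if ts - t <= window] + [(ts, ip)]
            if len({i for _, i in acct_fails[user]}) >= account_threshold:
                findings["lock_account"].add(user)  # many sources testing one account
        else:
            # Country differs from the last successful login: hold the session until e-mail confirmation.
            if user in last_ok_country and last_ok_country[user] != country:
                findings["confirm_by_email"].add((user, ip))
            last_ok_country[user] = country
    return findings

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

Single failures from 198.51.100.7/.8/.9 do not block those IPs, but together they do lock the account they all target, which is the case a plain per-IP counter misses.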
Making users aware, globally, preferably just via a notice or similar, that they may want to consider changing their password if they reuse passwords from other sites, or they may want to consider two-step verification is the right way forward.
Welp, I tried that. I posted a notice about the spam and suggested changing the password (even linked to a support thread right in the notice). The result? We got a rash of messages saying the board was hacked because someone hacked in and posted that notice and thread...and, a handful reported it, the first minute it was up! 🙄

Can't win, can we? 🤣 To say a handful of the members are conspiracy-minded is an understatement.

Ultimately, though, the Spaminator addons are a very effective deterrent.

Once you get the batch update users bug fixed, the password lock can be applied to users that have not logged in for over two years. This is certainly a good practice, especially for those running boards that are 20+ years old like mine. If someone has not logged in over 2 years, it's time for a password update, assuming they even log in again.

The older an account is, the less likely the member will return. That is why it wouldn't bother me if I forced a password reset on accounts over two years old. Accounts older than five years I would consider abandoned. Other sites out there will consider our accounts inactive after a year and force us to reset our passwords, so it's not too uncommon. Inconvenient, sure, but it only takes a minute to update our passwords.
 
Welp, I tried that. I posted a notice about the spam and suggested changing the password (even linked to a support thread right in the notice). The result? We got a rash of messages saying the board was hacked because someone hacked in and posted that notice and thread...and, a handful reported it, the first minute it was up! 🙄

Can't win, can we? 🤣 To say a handful of the members are conspiracy-minded is an understatement.

😄

We had the majority of people posting that 'I'm onto you, you 'hacking' b'stard, you won't fool me!'... to a 'bot' :rolleyes:... and not one reported it. :rolleyes:
 
That has nothing to do with the topic of this thread. 🤷‍♂️
I think he/she may have been referring to my earlier post about seeing a Guest engaged in a conversation when I was wondering if my forum might be affected. Thanks for the tip :)
 
FWIW I think everyone needs to put the recent spate of unauthorised account access into perspective. It's highly unlikely that forcing your entire user base to reset their passwords is proportionate.

We have also had dormant accounts on this very forum, some belonging to actual customers, be accessed by an unauthorised third party and we are absolutely not going to be inflicting a mass password reset on everyone.

We are taking it on a case by case basis. For each spammer we identify, where that user appears to have been a long dormant account, belongs to a customer, or has made legitimate posts before, we will simply security lock that account.

It is, I feel, extremely unlikely anything more than a small percentage of your users will be affected, and, on balance, given the likely vector of the attack (a potentially aged data breach from decades gone by), will only likely affect long dormant accounts.

It is my opinion that forcing a password reset on all of your users to prevent what is little more than fairly harmless spam - the kind that we often see every day anyway - is not very user friendly, inconvenient, and likely to cause unnecessary concern.

Making users aware, globally, preferably just via a notice or similar, that they may want to consider changing their password if they reuse passwords from other sites, or they may want to consider two-step verification is the right way forward.
Apologies if this isn't a helpful suggestion, but would making 2FA compulsory, temporarily, for suspect members (or even all members) stop the spammers logging in?
 
I'm keeping an eye on my forum and have two new robots today I haven't seen before: Majestic-12 and Seznam. In case it's relevant (probably not).
 
So far the assumption is that the spammers are using 3rd party leaks to try to find a matching (dormant) account and post spam through it. This implies that their robots are either blindly trying millions of logins until they find a match or, to reduce the amount of failed attempts, they first try to pull a list of usernames and guess a match between a forum account name and one of the known (username/)e-mail/password combinations.

Both should be easily identified by any brute force detection mechanism, when you have maybe some hundreds of bot IPs getting repeatedly failed login errors, even stretched out over time so that they don't trip a counter too fast. Preventing guests' access to members list would also make it harder for them to scrape usernames from the forum without going page by page like a crawler.

If the entity is using an old list of usernames and passwords and randomly trying to match them up with found accounts with the same names around the web, they should be detected by services like Cloudflare by now for millions of failed login attempts at Wordpress sites and forums. This attack is using a very limited number of IP addresses if what we have seen so far is the extent of it. That would make it seem more like a targeted attack where they are pretty sure the logins are going to work. They would need a lot of IPs to brute force accounts all over the web without getting blocked by firewalls and other systems.

It's also possible they have been slowly testing the data over the last few months using a lot of IP addresses to avoid detection, and now they're putting the valid accounts they found to use.

Does anyone know if any of the big computer security blogs/sites has been informed of this operation? Security experts investigate things that impact large numbers of sites or users, and they often have the expertise to trace the source.
 
Apologies if this isn't a helpful suggestion, but would making 2FA compulsory, temporarily, for suspect members (or even all members) stop the spammers logging in?
Many of the impacted are dormant accounts, so the spammer may login before the user. If the spammer has access to the password, couldn't they setup 2FA on the account after logging in?
 
This worked for me:


@Chris D has also posted a temporary fix to the bug here:

 
Many of the impacted are dormant accounts, so the spammer may login before the user. If the spammer has access to the password, couldn't they setup 2FA on the account after logging in?
True. But would bots bother going through that? It might slow them up at least.
 
True. But would bots bother going through that? It might slow them up at least.
I believe the spambots want the low-hanging fruit. They'll access what they can to leave their links in forum posts, then move on to the next target. They could spam a lot more forums in the time it would take to mess around with one person's account (which would require human intervention).

A more malicious bot could do more damage but I don't think that's the case in this recent rash of intrusions.
 
This is a network-wide problem.
Someone (at PHPBB) wrote...

^ no they're not, and most of the IPs are coming through CloudFlare (CF) anyway. What we've done on our board to discourage the spammers, that effectively seem to use old, dormant accounts, is to use the word censor in the Administrator control panel -> Posting -> Word censoring option to make those st**pid posts look even st**pider but harmless:

replaced c.rypto p.umps by stinky socks
replaced @.pump_upp by banned
replaced v.erifpro by stop that scam please
replaced v.erifpro.net by stop that scam please

the dots above should be removed of course
:)
 
You're right, I brought it as a joke.
In principle this could be a solution if many forums do it and add "it's a fraud" instead of replacing. Although the bot doesn't know, its operator will eventually see.
But this can cause another problem where a spammer will insert addresses of his competitor.
 
Wasn't there a setting or add-on that fully prevented posting if certain (censored?) words were included, instead of replacing the words with some other text and requiring others to report/review/delete the post?
 