Spammers posting through existing accounts with no need to login?

Was just on another xf site and the exact message was posted, same ip. The admin there didn't know about this issue, assumed it was the member and banned the poor guy. To stop him dead in his tracks, use Ozzy Login Spaminator - it has stopped him 5 times for me in the last two days. I also monitor all new registrations but there really is no need with Ozzy's add-on.
 
I use registration spaminator, which won't fix old accounts, but the IP mentioned is already in my server firewall automated blocklist.

We did see a couple odd posts in profile pages, and one forum post.
 
Registration Spaminator won’t help in the case of what is happening in this thread. These are old accounts that are compromised. Login Spaminator is what stops these bots.
 
I use registration spaminator, which won't fix old accounts, but the IP mentioned is already in my server firewall automated blocklist.

We did see a couple odd posts in profile pages, and one forum post.
That fixes NEW registrations, but not logins from existing members like what we are seeing. I might be wrong, but I don't think you need the registration spaminator because eventually, they have to login and if you use the login spaminator, there is where they'll get locked out.

Again, my opinion - blocking the ip won't help - they just end up using a vpn or spoof another ip.

From this morning:
[Attachment: 1674414935492.png]

Our spammer:
[Attachment: 1674414990425.png]

We did see a couple odd posts in profile pages, and one forum post.

The login spaminator will stop them in their tracks else you'll be forever banning ips, setting members to bad emails, etc.
 
I don't think you need the registration spaminator because eventually, they have to login
If you don't mind hundreds of spam handles created over the years.

Also, the registration Spaminator allows you to make your registration process much more human friendly - you can do away with the puzzles questions games, captchas, timers....
 
If you don't mind hundreds of spam handles created over the years.
good point... I need to research this and see if I need to retract my statement
Also, the registration Spaminator allows you to make your registration process much more human friendly - you can do away with the puzzles questions games, captchas, timers....
I don't use any of that
 
For what I have learned reading you all, I understand this is not an XF issue, something which relieves me.

I have learned as well that there is a built-in spam filter which seems to work pretty well for what we are discussing here.

There are two more IP addresses than the Moldavian one, coming from the Netherlands, but it seems they have stopped working in favour of the latter.

For what it's worth, this is what I have done:

  • added the key words to the SPAM management
  • looked at the spam log and changed the -few affected users to "must reset pwd"
  • put that Moldavian IP in the "discouragement list"

This is the result of the first line (adding the keywords to the spam management):

[Attachment: Log.JPG]

By the way, it seems that the bot or whatever it is tries twice: first writing a reply in a random post, then to change the user's location. Both attempts were successfully rejected.

And the best thing, these simple measures seem to have killed the problem, as we haven't been bothered since yesterday

Until they change the IP address or the "campaign" keywords. I know.
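
Added example, not part of the original post: the thread describes one IP posting through several old accounts, and the poster's fix was to set the affected users to "must reset pwd". This Python sketch finds such accounts from login events; the log format, the thresholds and all sample lines are constructed assumptions, not a XenForo export format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, one successful login per line:
# ISO timestamp, source IP, username, days since that account's previous login.
SAMPLE_LOG = """\
2023-01-22T03:10:05 203.0.113.50 oldtimer1 912
2023-01-22T03:10:41 203.0.113.50 oldtimer2 1430
2023-01-22T03:12:02 203.0.113.50 oldtimer3 655
2023-01-22T09:00:00 198.51.100.20 alice 1
2023-01-22T09:05:00 198.51.100.20 bob 2
2023-01-22T09:07:00 198.51.100.20 carol 0
2023-01-22T11:30:00 192.0.2.9 dave 400
"""


def parse(log_text):
    """Yield (timestamp, ip, username, idle_days) tuples from the text above."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, idle = line.split()
        yield datetime.fromisoformat(ts), ip, user, int(idle)


def flag_shared_ips(events, min_accounts=3, dormant_days=180,
                    window=timedelta(hours=24)):
    """Return {ip: [usernames]} for every IP that logged in to at least
    min_accounts distinct dormant accounts inside one time window."""
    by_ip = defaultdict(list)
    for ts, ip, user, idle in events:
        if idle >= dormant_days:          # only long-idle accounts count
            by_ip[ip].append((ts, user))
    flagged = {}
    for ip, rows in by_ip.items():
        rows.sort()
        for i, (start, _) in enumerate(rows):
            users = {u for ts, u in rows[i:] if ts - start <= window}
            if len(users) >= min_accounts:
                flagged[ip] = sorted(users)
                break
    return flagged


if __name__ == "__main__":
    for ip, users in flag_shared_ips(parse(SAMPLE_LOG)).items():
        print(ip, "-> force password reset for:", ", ".join(users))
```

The dormancy filter keeps a shared office or household IP with several active members (198.51.100.20 in the sample) from being flagged.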
 
For me, it looks like you did a great job...
 
Xenforo's guests:

[Attachment: 1674500317997.png]

I did start to wonder what all those Xenforo guests (600+) were doing on this site! ;)

Well done Xenforo (y)
 
Mine too.... mostly bots until I added this to htaccess and they immediately dropped off like flies - courtesy AndyB
Code:
# Deny and Allow bots by User-Agent
SetEnvIfNoCase User-Agent "bot|crawler|fetcher|headlesschrome|inspect|search|spider|15.1 Safari/605.1.15|CFNetwork/1335.0.3" bad_bot
SetEnvIfNoCase User-Agent "duckduckgo|googlebot|yahoo" good_bot
Deny from env=bad_bot
Allow from env=good_bot

Added just below:
Code:
<IfModule mod_rewrite.c>
    RewriteEngine On
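
Added example, not part of the original post: a Python check of which User-Agent strings the two SetEnvIfNoCase patterns above would deny, useful before deploying such a rule. It assumes Apache's default "Order Deny,Allow" evaluation (no other Order directive in effect), and the sample User-Agent strings are constructed.

```python
import re

# Patterns copied from the two SetEnvIfNoCase lines in the post above.
BAD_BOT = re.compile(
    r"bot|crawler|fetcher|headlesschrome|inspect|search|spider"
    r"|15.1 Safari/605.1.15|CFNetwork/1335.0.3", re.IGNORECASE)
GOOD_BOT = re.compile(r"duckduckgo|googlebot|yahoo", re.IGNORECASE)

# Constructed sample User-Agent strings (label -> header value).
SAMPLES = {
    "googlebot": "Mozilla/5.0 (compatible; Googlebot/2.1; "
                 "+http://www.google.com/bot.html)",
    "bingbot": "Mozilla/5.0 (compatible; bingbot/2.0; "
               "+http://www.bing.com/bingbot.htm)",
    "example_crawler": "ExampleCrawler/1.0 (+https://crawler.example/info)",
    "safari_15_1": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) "
                   "AppleWebKit/605.1.15 (KHTML, like Gecko) "
                   "Version/15.1 Safari/605.1.15",
    "chrome": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
              "AppleWebKit/537.36 (KHTML, like Gecko) "
              "Chrome/109.0.0.0 Safari/537.36",
}


def decide(user_agent):
    """Mirror Deny,Allow ordering: a Deny match blocks the request
    unless an Allow also matches; everything else is permitted."""
    bad = bool(BAD_BOT.search(user_agent))
    good = bool(GOOD_BOT.search(user_agent))
    return "deny" if bad and not good else "allow"


def audit(samples=SAMPLES):
    """Return {label: 'allow' | 'deny'} for each sample User-Agent."""
    return {label: decide(ua) for label, ua in samples.items()}


if __name__ == "__main__":
    for label, verdict in audit().items():
        print(f"{verdict:5}  {label}")
```

The audit shows two side effects to weigh: bingbot and every real Safari 15.1 visitor are denied, while requests presenting any other browser User-Agent pass untouched, so the rule trims crawler load and does nothing about logins to compromised accounts.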
 
Until they change the IP address or the "campaign" keywords. I know.
They'll eventually change both, as you know, but at least you stopped the current influx of bots. 👍 One older XF forum I'm working on upgrading already has the IP blocked but with the "pump_upp*" phrase so common, I'm going to head over there and add it for now.
 
OK guys, got hit with this today and wanted you to know that it's more than just bitcoin links. They accessed a long-standing member's account, turned off their email notifications and then changed their email address. From there they posted really good deals on things my members use in my classified section, and I had one member purchase one item for several hundred dollars. This is how we found out about it.
 
I think this is something completely different.

I had this issue too. In fact, it turned out to be a huge problem because the -hacker? did exactly what you have described and caught the money from unsuspecting buyers (yes, there were several).

But the big difference is that in this case (the Moldavian affair, if I might say) they don't need access to the email, and I guess they even can't. The proof is that one of the accounts used for spamming in my forum did not have an email associated (I eliminated it some years ago when the automated birthday greeting came bounced).

My thought is that these two incidents come from different breaches:
  • the scammer in the classified had access to the email, from where he/she retrieved a new password.
  • the Moldavian (so to say) has had access to the username and password, but not the email.
 
I think you're right, as the post was very descriptive and didn't appear typical of a non-English-speaking spammer... with that being said, at the same time I had another user that was compromised like others in this thread. Turned the PC on this morning to a **** storm and trying to get a handle on everything and they both kind of blended together.
 
I think you're right as the post was very descriptive and didn't appear typical of a non English speaking spammer...
There is always the ongoing problem of weak passwords, and that type of exploit could even happen through a spammer casually reading through posts on a board. If I had a board game forum and one member posted a lot about the game Parcheesi, it stands to reason that member's password could be "parcheesi" or something closely related. I think that's how we had a staff member's account compromised--he's a fan of certain topics, and any of those might have been his password. Thankfully we caught it quickly enough, but it was enough to get the staff to change passwords and enable 2FA.
 