Yesterday we changed from sending mail via the server to actually using an account via SMTP. Which that or using the old method with the -F method apparently open up the possibility of receiving bounced emails.
Almost immediately started seeing bounced emails basically containing spam. I added email logging in the options and luckily it seems all the mail sent has been to invalid email addresses. However when I tried working with our provider to determine if this was happening even say 2 days ago, instead of helping they straight cut off SMTP access.
The official responses from vBulletin 3.x to 4.2 is that there is no vulnerability whatsoever. That making contact us only available to logged in users, enabling anti spam measures, disabling "Allow Users to Email Other Members" will prevent the spammer from using vBulletin to spam people.
However case after case of people following the instructions yielded nothing. The messages are marked as unregistered and antispam measures never even play into it at all. Removing sendmessage.php or stripping it of the code that allows for emailing other users are the only effective solutions. Without doing that an unregistered guest no matter the security setting can send an email to any address with their choice of subject and body wether the reciever is even registered to your site or not.
Anyone know anything? I stripped the code out of sendmessage except for the contact us parts and vitals and it seems to have stopped. But the recommended settings before that did not stop it.