Log Analysis
The spam is being posted from different IP addresses, and when I filter the server access logs on an IP address it's interesting to see what happened. Read these logs from the bottom to the top:

This is the log from 38.170.124.183

Log from 190.185.109.144

As you can clearly see in both examples:
- It visits the site without https or www and is redirected to the https version
- Visits the UCP to change the signature to add spam there as well
- Opens a forum and posts a message
I can confirm that compromised users did not have their password reset. I've been logging all forum mails for the last few years, and most compromised users only got the "Welcome to" mail (in 2020 or before); they did not receive any other mails such as password resets.
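To make the pattern above easier to spot across many IPs, here is an added example (my own code, not from the post) that parses Apache/nginx "combined" access log lines, groups them per IP, and flags any IP that shows the three steps in order within a short window: a redirect on the landing request, a POST to the signature page in the UCP, and a POST to posting.php. The log lines are constructed sample data with RFC 5737 documentation addresses, and the phpBB paths (ucp.php?i=profile&mode=signature, posting.php) are an assumption about the URLs your board uses; adjust them to what your own logs show.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Apache "combined" log format; the IPs are RFC 5737
# documentation addresses, not the addresses from the post.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2024:08:01:02 +0100] "GET / HTTP/1.1" 301 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:08:01:03 +0100] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:08:01:10 +0100] "POST /ucp.php?mode=login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:08:01:15 +0100] "GET /ucp.php?i=profile&mode=signature HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:08:01:20 +0100] "POST /ucp.php?i=profile&mode=signature HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:08:01:30 +0100] "GET /viewforum.php?f=3 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:08:01:45 +0100] "POST /posting.php?mode=post&f=3 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2024:09:00:00 +0100] "GET /viewtopic.php?t=12 HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2024:09:00:30 +0100] "POST /posting.php?mode=reply&t=12 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if the line doesn't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))

# The three steps described in the post, in order. The phpBB paths are an assumption.
STEPS = (
    ("redirect",  lambda meth, path, st: meth == "GET" and st in (301, 302, 307, 308)
                                          and not path.startswith(("/ucp.php", "/posting.php"))),
    ("signature", lambda meth, path, st: meth == "POST" and "mode=signature" in path),
    ("post",      lambda meth, path, st: meth == "POST" and path.startswith("/posting.php")),
)

def flag_sessions(log_text, window_seconds=900):
    """Return the IPs whose requests contain redirect -> signature edit -> post,
    in that order, with the later steps within `window_seconds` of the redirect."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_ip[rec[0]].append(rec[1:])
    flagged = []
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e[0])  # works whether the log is oldest-first or newest-first
        step = 0
        start = None
        for ts, meth, path, st in events:
            if step == 0 and STEPS[0][1](meth, path, st):
                start = ts
                step = 1
            elif step < len(STEPS) and STEPS[step][1](meth, path, st):
                if (ts - start).total_seconds() <= window_seconds:
                    step += 1
            if step == len(STEPS):
                flagged.append(ip)
                break
    return sorted(flagged)

if __name__ == "__main__":
    print(flag_sessions(SAMPLE_LOG))  # ['198.51.100.7']
```

Run it over the real log with `flag_sessions(open("access.log").read())`; the second IP in the sample posts a reply but never touched the signature page, so it is not flagged, which is the kind of normal activity you want to keep out of the list.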
Widespread
If you check one of the used IPs, 190.185.109.144, on https://www.stopforumspam.com/search you will see multiple reports in the last few days, and based on the email addresses it also looks like legit accounts were compromised.
When searching on Google for this spam I've found a lot of other sites and forums also being spammed, not just phpBB but also vBulletin, Xenforo and Invision Community. And I've found similar spam on phpBB.com as well.
Mitigation
I've been trying to figure out a way to stop this. Because these accounts are compromised, they're already activated (so no captcha needed), and when they already have posts the "Newly registered users" anti-spam features no longer apply to them either, which lets them post spam without needing approval.
Pruning older accounts would stop it, but I'd rather not just do that. I was also thinking about maybe removing or resetting passwords of older accounts, but that's also not really a good user experience. There is a way to force people to complete a captcha on login: when they've had too many login attempts. So that's how I came to this:
Setting "user_login_attempts" to 99 for all users that haven't signed in since 1 Jan 2024. This will cause those users to complete a captcha before they can continue to log in. For reference, this is the query I used:
Code:
UPDATE phpbb_users
SET user_login_attempts = 99
WHERE user_type = 0
AND user_inactive_reason = 0
AND user_lastvisit < 1704063600;
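Before running a mass UPDATE like that on a live board, I'd want to see which rows it will hit and confirm the epoch constant means the date I think it means. Here is an added example (my own code, not the post's) that does both against an in-memory SQLite stand-in for phpbb_users with a handful of constructed rows: it computes the cutoff from a calendar date and UTC offset (1704063600 is midnight 1 Jan 2024 at UTC+1, so the offset you pass should match your board's zone), previews the affected user_ids with a SELECT using the same WHERE clause, and only then runs the UPDATE. The user_type values follow phpBB's constants (0 = normal, 1 = inactive, 3 = founder); the table layout here is trimmed to the columns the query touches.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

def cutoff_epoch(year, month, day, utc_offset_hours):
    """Unix timestamp of local midnight on the given date in a fixed UTC offset."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return int(datetime(year, month, day, tzinfo=tz).timestamp())

def make_sample_db():
    """In-memory stand-in for phpbb_users with constructed rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE phpbb_users (
        user_id INTEGER PRIMARY KEY, username TEXT, user_type INTEGER,
        user_inactive_reason INTEGER, user_lastvisit INTEGER, user_login_attempts INTEGER)""")
    conn.executemany("INSERT INTO phpbb_users VALUES (?,?,?,?,?,?)", [
        (1, "dormant_2023",  0, 0, 1700000000, 0),  # normal user, last seen Nov 2023
        (2, "active_2024",   0, 0, 1710000000, 0),  # normal user, seen in March 2024
        (3, "founder",       3, 0, 1600000000, 0),  # user_type 3 = founder, excluded
        (4, "never_active",  1, 1, 1600000000, 0),  # inactive account, excluded
        (5, "never_visited", 0, 0, 0,          0),  # normal user whose user_lastvisit is 0
    ])
    return conn

def preview_affected(conn, cutoff):
    """Dry run: the user_ids the UPDATE would touch, using the same WHERE clause."""
    rows = conn.execute("""SELECT user_id FROM phpbb_users
        WHERE user_type = 0 AND user_inactive_reason = 0 AND user_lastvisit < ?
        ORDER BY user_id""", (cutoff,)).fetchall()
    return [r[0] for r in rows]

def apply_mitigation(conn, cutoff, attempts=99):
    """The post's UPDATE, parameterised; returns the number of rows changed."""
    cur = conn.execute("""UPDATE phpbb_users SET user_login_attempts = ?
        WHERE user_type = 0 AND user_inactive_reason = 0 AND user_lastvisit < ?""",
        (attempts, cutoff))
    conn.commit()
    return cur.rowcount

def login_attempts(conn):
    """Current user_login_attempts per user_id, to verify the result afterwards."""
    return dict(conn.execute("SELECT user_id, user_login_attempts FROM phpbb_users"))

if __name__ == "__main__":
    cutoff = cutoff_epoch(2024, 1, 1, 1)           # 1704063600, as in the post's query
    conn = make_sample_db()
    print("cutoff:", cutoff, "would affect:", preview_affected(conn, cutoff))
    print("updated rows:", apply_mitigation(conn, cutoff))
    print(login_attempts(conn))
```

Two things the dry run makes visible: founders and inactive accounts are left alone by the user_type / user_inactive_reason conditions, and any normal account whose user_lastvisit is still 0 also falls below the cutoff, so it gets the captcha too. Against the real database, run the SELECT first and compare the count with what you expect before issuing the UPDATE.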
I'm looking for thoughts on this idea and I'm open to any other suggestions to fight this type of spammer!