Increased spam activity for meettomy.site from compromised accounts

warmweer
Jr. Extension Validator
Posts: 11623
Joined: Fri Jul 04, 2003 6:34 am
Location: Van Allen Bel ... gium

Re: Increased spam activity for meettomy.site from compromised accounts

Post by warmweer »

HiFiKabin wrote: Mon Feb 26, 2024 1:05 pm
P_I wrote: Mon Feb 26, 2024 12:59 pm For far too many once they register and activate that's the last time they update their email address.
... and even with a board wide notice reminding everyone, no one does anything about it. :roll:
And??? it's not the responsibility of the board owner.
On the other hand, an extension allowing a scheduled confirmation of the mail address would be nice to have.
Spelling is freeware, which means you can use it for free.
On the other hand, it is not open source, which means you cannot change it or publish it in a modified form.


Time flies like an arrow, but fruit flies like a banana.
HiFiKabin
Community Team Member
Posts: 6767
Joined: Wed May 14, 2014 9:10 am
Location: Swearing at the PC, UK
Name: James

Re: Increased spam activity for meettomy.site from compromised accounts

Post by HiFiKabin »

It's nothing to do with phpBB's code. A list of username/password pairs has been scraped from a site that stores passwords in "plain text" and all the bots are doing is trying them out on every site they can, hoping that the user is lazy and has been using the same password on all sites.

If the username/password match, they log in and post; if it doesn't, they move to the next pair on the list. It's as simple as that.

The fact you have just updated to 3.3.x is pure coincidence.
HiFiKabin
Community Team Member
Posts: 6767
Joined: Wed May 14, 2014 9:10 am
Location: Swearing at the PC, UK
Name: James

Re: Increased spam activity for meettomy.site from compromised accounts

Post by HiFiKabin »

warmweer wrote: Tue Feb 27, 2024 9:44 am
HiFiKabin wrote: Mon Feb 26, 2024 1:05 pm ... and even with a board wide notice reminding everyone, no one does anything about it. :roll:
And??? it's not the responsibility of the board owner.
... but we get the bounced emails
warmweer
Jr. Extension Validator
Posts: 11623
Joined: Fri Jul 04, 2003 6:34 am
Location: Van Allen Bel ... gium

Re: Increased spam activity for meettomy.site from compromised accounts

Post by warmweer »

HiFiKabin wrote: Tue Feb 27, 2024 9:50 am ... but we get the bounced emails
In which case I used to send a PM and give them a week (max) to fix that ... not fixed by then ? >>> inactive (+ account not recoverable).
Yeah I know: I'm a dictator 8-)
Spelling is freeware, which means you can use it for free.
On the other hand, it is not open source, which means you cannot change it or publish it in a modified form.


Time flies like an arrow, but fruit flies like a banana.
ssl
Registered User
Posts: 1979
Joined: Sat Feb 08, 2020 2:15 pm
Location: Le Lude, Pays de la Loire - France
Name: Fred Rimbert

Re: Increased spam activity for meettomy.site from compromised accounts

Post by ssl »

warmweer wrote: Tue Feb 27, 2024 10:06 am Yeah I know: I'm a dictator
No, because such a decision never happens with serious and respectful members, the others can be ejected in the same way as spammers. Ejected or placed in a forum section where they will only have access to this section, a siding.
Sorry for my English ... I do my best! :anger_right:

:point_right_tone3: phpBB: 3.3.13 | PHP: 8.3.9
:point_right_tone4: [Kill spam on phpBB] - [Some French translation of extensions]
"Mistress, Mistress someone is bothering me in pm"
thecoalman
Community Team Member
Posts: 6267
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.

Re: Increased spam activity for meettomy.site from compromised accounts

Post by thecoalman »

warmweer wrote: Tue Feb 27, 2024 9:44 am
On the other hand, an extension allowing a scheduled confirmation of the mail address would be nice to have.
I proposed this in the Ideas section.

viewtopic.php?f=436&t=2602251
“Results! Why, man, I have gotten a lot of results! I have found several thousand things that won’t work.”

Attributed - Thomas Edison
Mick
Support Team Member
Posts: 26822
Joined: Fri Aug 29, 2008 9:49 am

Re: Increased spam activity for meettomy.site from compromised accounts

Post by Mick »

How do you know?

The fact that you upgraded then had a lot of spambots appear is just bad luck imho. It may be that they were attracted by a later version but nothing more sinister than that. Most of the spam user details look like they’re compromised user accounts that could well have been spam accounts in the first place. Let me say these accounts have not been compromised from this site.
  • “The more connected we get the more alone we become” - Kyle Broflovski© 🇬🇧
[Dimetrodon]
Registered User
Posts: 462
Joined: Tue Aug 30, 2022 3:29 am
Location: Paleozoic Era

Re: Increased spam activity for meettomy.site from compromised accounts

Post by [Dimetrodon] »

Mick wrote: Wed Feb 21, 2024 10:50 am You could put the users on MQ or back in the NRU, personally I’d prefer that to requesting a password change.
I think the system would remove them from the NRU usergroup the second they log on if you did that (though I may be wrong). Using a custom Moderation Queue group with MQ permissions that is also closed or hidden is probably the better option.
HiFiKabin
Community Team Member
Posts: 6767
Joined: Wed May 14, 2014 9:10 am
Location: Swearing at the PC, UK
Name: James

Re: Increased spam activity for meettomy.site from compromised accounts

Post by HiFiKabin »

Using Autogroups to place members in a newly created MQ group if they have not logged on within the past x days works perfectly.

They remain in the MQ group when they log on unless/until you manually remove them.

I know it works because that's what I have done.

EDIT:- Do not allow MQ members to change their email address. Confirming that change will remove them from the MQ group (many thanks to [Dimetrodon] for discovering that)
KevC
Support Team Member
Posts: 72559
Joined: Fri Jun 04, 2004 10:44 am
Location: Oxford, UK

Re: Increased spam activity for meettomy.site from compromised accounts

Post by KevC »

Same here. I started with a 700 day limit but one sneaked through so I've changed it to 300 days.
Anyone who hasn't visited for the best part of a year is very unlikely to come back and if they do and the post goes in a queue so be it. But it's stopped 4 compromised accounts from posting already and it's a 'hands off' solution as it's a continuous rolling check. Works brilliantly.
-:|:- Support Request Template -:|:-
"Step up to red alert. Sir, are you absolutely sure? It does mean changing the bulb"
[Dimetrodon]
Registered User
Posts: 462
Joined: Tue Aug 30, 2022 3:29 am
Location: Paleozoic Era

Re: Increased spam activity for meettomy.site from compromised accounts

Post by [Dimetrodon] »

KevC wrote: Sat Mar 09, 2024 4:59 pm But it's stopped 4 compromised accounts from posting already and it's a 'hands off' solution as it's a continuous rolling check. Works brilliantly.
What do you do with the account after it becomes compromised, and it starts sending spam into the queue? Do you just change the password so the original owner can reset it, or do you delete the account?
thecoalman
Community Team Member
Posts: 6267
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.

Re: Increased spam activity for meettomy.site from compromised accounts

Post by thecoalman »

You can ban the account and leave a message as to why it was banned and what steps to take to unban it.
“Results! Why, man, I have gotten a lot of results! I have found several thousand things that won’t work.”

Attributed - Thomas Edison
KevC
Support Team Member
Posts: 72559
Joined: Fri Jun 04, 2004 10:44 am
Location: Oxford, UK

Re: Increased spam activity for meettomy.site from compromised accounts

Post by KevC »

[Dimetrodon] wrote: Sat Mar 16, 2024 4:50 pm
KevC wrote: Sat Mar 09, 2024 4:59 pm But it's stopped 4 compromised accounts from posting already and it's a 'hands off' solution as it's a continuous rolling check. Works brilliantly.
What do you do with the account after it becomes compromised, and it starts sending spam into the queue? Do you just change the password so the original owner can reset it, or do you delete the account?
They've all been accounts from zero posters up to now so I've just deleted it.
-:|:- Support Request Template -:|:-
"Step up to red alert. Sir, are you absolutely sure? It does mean changing the bulb"
[Dimetrodon]
Registered User
Posts: 462
Joined: Tue Aug 30, 2022 3:29 am
Location: Paleozoic Era

Re: Increased spam activity for meettomy.site from compromised accounts

Post by [Dimetrodon] »

Makes me wonder if those were ever compromised then and not just spam accounts from the get-go.

Edit: I'm not saying that accounts never get compromised in that way, because I'm sure it happens often. But if they're all zero posters in this specific case, I would assume a spam account that just hasn't posted until now, if that account was to suddenly start spamming.
KevC
Support Team Member
Posts: 72559
Joined: Fri Jun 04, 2004 10:44 am
Location: Oxford, UK

Re: Increased spam activity for meettomy.site from compromised accounts

Post by KevC »

They would have to be monumentally dedicated sleeper accounts. One had registered in 2016. I think the others were 2019, 2020 and 2022.

Every site has hundreds of accounts that register for a look around but never post. They also all posted exactly the same spam message.
-:|:- Support Request Template -:|:-
"Step up to red alert. Sir, are you absolutely sure? It does mean changing the bulb"
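
Added example, not part of any post and not phpBB or Autogroups code: a small Python model of the rolling inactivity check described in this thread (members not seen for x days go into a moderation-queue group and stay there after they log on), together with the "all posted exactly the same spam message" signal. Account names, dates, the message text and all function names are constructed for illustration.

```python
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta

DORMANT_DAYS = 300  # the limit KevC settled on in the thread

def rolling_mq_check(accounts, mq_group, now, dormant_days=DORMANT_DAYS):
    """Add every account not seen for dormant_days to mq_group.
    Membership is sticky: nothing is ever removed here, only by a moderator."""
    cutoff = now - timedelta(days=dormant_days)
    for name, acct in accounts.items():
        if acct["last_visit"] < cutoff:
            mq_group.add(name)
    return mq_group

def fingerprint(text):
    """Hash of the message with case and whitespace differences folded away."""
    normalized = re.sub(r"\s+", " ", text).strip().lower()
    return hashlib.sha256(normalized.encode()).hexdigest()

def route_post(author, text, mq_group, queue, published):
    """Posts by moderation-queue members are held; everything else goes live."""
    (queue if author in mq_group else published).append((author, text))

def duplicate_clusters(queue, min_accounts=2):
    """Groups of queued authors whose posts share one fingerprint."""
    by_fp = defaultdict(set)
    for author, text in queue:
        by_fp[fingerprint(text)].add(author)
    return sorted(sorted(a) for a in by_fp.values() if len(a) >= min_accounts)

def demo():
    now = datetime(2024, 3, 9)
    accounts = {  # constructed sample accounts
        "sleeper2016": {"last_visit": datetime(2016, 5, 1)},
        "sleeper2020": {"last_visit": datetime(2020, 8, 12)},
        "regular": {"last_visit": datetime(2024, 3, 1)},
    }
    mq = rolling_mq_check(accounts, set(), now)  # scheduled run before any login
    queue, published = [], []
    spam = "Meet singles  now at example.invalid"  # constructed message
    posts = [("sleeper2016", spam), ("regular", "Thanks, that fixed it."),
             ("sleeper2020", spam.upper())]
    for name, text in posts:
        accounts[name]["last_visit"] = now  # logging in refreshes last visit
        route_post(name, text, mq, queue, published)
    mq = rolling_mq_check(accounts, mq, now)  # later run: members stay queued
    return mq, published, duplicate_clusters(queue)
```
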
