Increased spam activity for meettomy.site from compromised accounts

Do not post support requests, bug reports or feature requests. Discuss phpBB here. Non-phpBB related discussion goes in General Discussion!
Get Involved
glasguensis
Registered User
Posts: 1
Joined: Thu Feb 22, 2024 10:38 pm

Re: Increased spam activity for meettomy.site from compromised accounts

Post by glasguensis »

On our forum, although we’ve seen mostly old accounts being used, we’ve also had a couple where the user had posted in the last day or so. Fortunately most of the accounts, even if old, had few enough posts (or had never posted) that they were trapped by the MQ filter. For the rest we just need to react when we see them.
User avatar
thecoalman
Community Team Member
Community Team Member
Posts: 6313
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.

Re: Increased spam activity for meettomy.site from compromised accounts

Post by thecoalman »

Mick wrote: Thu Feb 22, 2024 5:23 pm The main reason I mentioned putting the user on MQ (by whatever method) was the issue of emails. If it’s a genuine user who’s old email address is redundant he’ll never see the password reset email.
He's setting the failed login attempts to 99, the user (or bot) has to pass captcha before being presented with login screen. It's a setting under security settings to prevent brute force attacks on an account.
“Results! Why, man, I have gotten a lot of results! I have found several thousand things that won’t work.”

Attributed - Thomas Edison
User avatar
P_I
Community Team Member
Community Team Member
Posts: 2437
Joined: Tue Mar 01, 2011 8:35 pm
Location: Western Canada 🇨🇦

Re: Increased spam activity for meettomy.site from compromised accounts

Post by P_I »

KevC wrote: Thu Feb 22, 2024 9:03 am Why is it impossible to put accounts in to another group?

If you could run a query (or even have a regular cron) that puts any account that hasn't logged in for, say, 2 years, in to the NRU or a group of your choosing with a mod queue on it, why not? People who leave forums for that amount of time rarely come back, and if they do, they could still post but it would need approval which is fine. If it's a hacked account being used for spam it wouldn't show on the forum and could be dealt with quietly by the team. Win win.
From my read of the extension Auto Groups features
Auto Groups Features wrote:Add users to group(s) based on days passed since their last visit.
If I understand that correctly then it could be used to put them into either the Newly Registered Users (NRU) group or a "On Moderation Queue" group.
Normal people… believe that if it ain’t broke, don’t fix it. Engineers believe that if it ain’t broke, it doesn’t have enough features yet. – Scott Adams
User avatar
HiFiKabin
Community Team Member
Community Team Member
Posts: 6769
Joined: Wed May 14, 2014 9:10 am
Location: Swearing at the PC, UK
Name: James

Re: Increased spam activity for meettomy.site from compromised accounts

Post by HiFiKabin »

P_I wrote: Fri Feb 23, 2024 12:29 am From my read of the extension Auto Groups features
Auto Groups Features wrote:Add users to group(s) based on days passed since their last visit.
If I understand that correctly then it could be used to put them into either the Newly Registered Users (NRU) group or a "On Moderation Queue" group.
Although so far my boards have escaped the onslaught that it what I have done to pre-empt the problem.
User avatar
KevC
Support Team Member
Support Team Member
Posts: 72569
Joined: Fri Jun 04, 2004 10:44 am
Location: Oxford, UK

Re: Increased spam activity for meettomy.site from compromised accounts

Post by KevC »

P_I wrote: Fri Feb 23, 2024 12:29 am From my read of the extension Auto Groups features
Excellent spot. That sounds like the perfect solution.
-:|:- Support Request Template -:|:-
Image
"Step up to red alert. Sir, are you absolutely sure? It does mean changing the bulb"
User avatar
Mick
Support Team Member
Support Team Member
Posts: 26835
Joined: Fri Aug 29, 2008 9:49 am

Re: Increased spam activity for meettomy.site from compromised accounts

Post by Mick »

Looking at a lot of these ‘users’ details many of them look like sleeper accounts especially the newer ones. They all seem to be advertising similar stuff so I would assume they’re all being driven from the same place. Either way, a good prune would be a start.
  • "The more connected we get the more alone we become” - Kyle Broflovski© 🇬🇧
User avatar
Talk19Zehn
Registered User
Posts: 896
Joined: Tue Aug 09, 2011 1:10 pm

Re: Increased spam activity for meettomy.site from compromised accounts

Post by Talk19Zehn »

Hello Derky, I'm sorry if such an attack was launched.

When I visit the website "m e e t t o m y . s i t e", it is recognised as a phishing website and blocked.
phishing-website-blocked1.png
If I follow things up, for example via / per

https://alldomains.hosting/en/whois.html or for example

https://www.whois.com/whois/meettomy.site

this website is *)registered On: 2023-10-17 and an end is displayed for the duration of one year (as of today!) - Expires On: 2024-10-17.

The idea

Code: Select all

UPDATE phpbb_users
SET user_login_attempts = 99
WHERE user_type = 0
	AND user_inactive_reason = 0
	AND user_lastvisit < 1704063600;
I find this good at first. I'm surprised by 99 login attempts and a user type = 0. Okay, you've explained why you prefer this approach.

Only on the FLY:
I'm not so sure whether a user-type is greater or less than 2 and in my opinion it would contain user_inactive_reason depending on the last login (?), compare ACP.
Is (was) there no connection there?

As well as a timestamp can / should be directed to the *)registered on date (?).

I could be wrong ...

Furthermore, I would inform Go-Daddy about this abuse, as this is apparently a typical way of dealing with stolen websites and more in order to then offer one's own site for sale (?). Possibly by deception of false facts, because the domain mercedesforum.nl carries an almost inconspicuous addition /be .... (?) ....

Best wishes and regards
You do not have the required permissions to view the files attached to this post.
User avatar
KevC
Support Team Member
Support Team Member
Posts: 72569
Joined: Fri Jun 04, 2004 10:44 am
Location: Oxford, UK

Re: Increased spam activity for meettomy.site from compromised accounts

Post by KevC »

I just used the auto groups ext on one of my forums where I had seen the same activity of old accounts logging back in to post spam.

As P_I expertly noted, you can set a group membership on 'days since last visit'.
I made a mod queue group with NEVER permissions for the ability to post anywhere unapproved, stopped profile edits (meaning they can't instead just edit links in to the profile or the sig) and stopped all email and PM ability.

I set membership to 700 days since the last visit as that seems reasonable.

And then bam, 27000 accounts are all secured from further attack. Problem solved and it's a rolling solution with no further intervention.
-:|:- Support Request Template -:|:-
Image
"Step up to red alert. Sir, are you absolutely sure? It does mean changing the bulb"
User avatar
ssl
Registered User
Posts: 1980
Joined: Sat Feb 08, 2020 2:15 pm
Location: Le Lude, Pays de la Loire - France
Name: Fred Rimbert

Re: Increased spam activity for meettomy.site from compromised accounts

Post by ssl »

There is an extension provided for this scenario, User Reminder
Sorry for my English ... I do my best! :anger_right:

:point_right_tone3: phpBB: 3.3.13 | PHP: 8.3.9
:point_right_tone4: [Kill spam on phpBB] - [Some French translation of extensions]
"Mistress, Mistress someone is bothering me in pm"
User avatar
Mick
Support Team Member
Support Team Member
Posts: 26835
Joined: Fri Aug 29, 2008 9:49 am

Re: Increased spam activity for meettomy.site from compromised accounts

Post by Mick »

Again, that’s relying on emails.
  • "The more connected we get the more alone we become” - Kyle Broflovski© 🇬🇧
User avatar
ssl
Registered User
Posts: 1980
Joined: Sat Feb 08, 2020 2:15 pm
Location: Le Lude, Pays de la Loire - France
Name: Fred Rimbert

Re: Increased spam activity for meettomy.site from compromised accounts

Post by ssl »

For accounts that use junk mailboxes, like spammers, this extension is perfect.
Furthermore, serious users always have an up-to-date email address.
Sorry for my English ... I do my best! :anger_right:

:point_right_tone3: phpBB: 3.3.13 | PHP: 8.3.9
:point_right_tone4: [Kill spam on phpBB] - [Some French translation of extensions]
"Mistress, Mistress someone is bothering me in pm"
User avatar
Mick
Support Team Member
Support Team Member
Posts: 26835
Joined: Fri Aug 29, 2008 9:49 am

Re: Increased spam activity for meettomy.site from compromised accounts

Post by Mick »

But the up to date email address may not be the same one they had originally.
  • "The more connected we get the more alone we become” - Kyle Broflovski© 🇬🇧
User avatar
P_I
Community Team Member
Community Team Member
Posts: 2437
Joined: Tue Mar 01, 2011 8:35 pm
Location: Western Canada 🇨🇦

Re: Increased spam activity for meettomy.site from compromised accounts

Post by P_I »

ssl wrote: Mon Feb 26, 2024 10:00 am Furthermore, serious users always have an up-to-date email address.
I wish that were true. Despite posting repeated reminders on boards that I'm running we regularly find email notifications being bounced because members do not keep their email addresses updated and current. For far too many once they register and activate that's the last time they update their email address.
Normal people… believe that if it ain’t broke, don’t fix it. Engineers believe that if it ain’t broke, it doesn’t have enough features yet. – Scott Adams
User avatar
HiFiKabin
Community Team Member
Community Team Member
Posts: 6769
Joined: Wed May 14, 2014 9:10 am
Location: Swearing at the PC, UK
Name: James

Re: Increased spam activity for meettomy.site from compromised accounts

Post by HiFiKabin »

P_I wrote: Mon Feb 26, 2024 12:59 pm For far too many once they register and activate that's the last time they update their email address.
... and even with a board wide notice reminding everyone, no one does anything about it. :roll:
alvo
Registered User
Posts: 734
Joined: Thu Jun 22, 2006 3:57 am

Re: Increased spam activity for meettomy.site from compromised accounts

Post by alvo »

It's not sleeper accounts and it may have something to do with the newer phpBB code.

Until a week ago I was running version 3.0.1; it's only since upgrading to 3.3.11 that this has happened to me. I have 8000 users who have posted within the last year, and 32000 other accounts are all inactive.

Return to “phpBB Discussion”