Increased spam activity for meettomy.site from compromised accounts

[warmweer]

For far too many once they register and activate that's the last time they update their email address.

... and even with a board wide notice reminding everyone, no one does anything about it.

And??? it's not the responsibility of the board owner.
On the other hand, an extension allowing a scheduled confirmation of the mail address would be nice to have.

[HiFiKabin]

Its nothing to do with phpBB's code. A list of username/passwords pairs has been scraped from a site that stores passwords in "plain text" and all the bots are doing is trying them out on every site they can hoping that the user is lazy and has been using the same password on all sites.

If the username/password match, the log in and post, if it doesn't they move to the next pair on the list. Its as simple as that

The fact you have just updated to 3.3.x is pure coincidence.

[HiFiKabin]

... and even with a board wide notice reminding everyone, no one does anything about it.

And??? it's not the responsibility of the board owner.

... but we get the bounced emails

[warmweer]

... but we get the bounced emails

In which case I used to send a PM and give them a week (max) to fix that ... not fixed by then ? >>> inactive (+ account not recoverable).
Yeah I know: I'm a dictator

[ssl]

Yeah I know: I'm a dictator

No, because such a decision never happens with serious and respectful members, the others can be ejected in the same way as spammers. Ejected or placed in a forum section where they will only have access to this section, a siding.

[thecoalman]

On the other hand, an extension allowing a scheduled confirmation of the mail address would be nice to have.

I proposed this in the Ideas section.

viewtopic.php?f=436&t=2602251

[Mick]

How do you know?

The fact that you upgraded then had a lot of spambots appear is just bad luck imho. It may be that they were attracted by a later version but nothing more sinister than that. Most of the spam user details look like they’re compromised user accounts that could well have been spam accounts in the first place. Let me say these accounts have not been compromised from this site.

[[Dimetrodon]]

You could put the users on MQ or back in the NRU, personally I’d prefer that to requesting a password change.

I think the system would remove them from the NRU usergroup the second they log on if you did that (though I may be wrong). Using a custom Moderaion Queue group with MQ permissions that is also closed or hidden is probably the better option.

[HiFiKabin]

Using Autogroups to place members in a newly created MQ group if they have not logged on within the past x days works perfectly.

They are remain in the MQ group when they log on unless/until you manually remove them.

I know it works because thats what I have done.

EDIT:- Do not allow MQ members to change their email address. Confirming that change will remove them from the MQ group (many thanks to [Dimetrodon] for discovering that )

[KevC]

Same here. I started with a 700 day limit but one sneaked through so I've changed it to 300 days.
Anyone who hasn't visited for the best part of a year is very unlikely to come back and if they do and the post goes in a queue so be it. But it's stopped 4 compromised accounts from posting already and it's a 'hands off' solution as it's a continuous rolling check. Works brilliantly.

[[Dimetrodon]]

But it's stopped 4 compromised accounts from posting already and it's a 'hands off' solution as it's a continuous rolling check. Works brilliantly.

What do you do with the account after it becomes compromised, and it starts sending spam into the queue? Do you just change the password so the original owner can reset it, or do you delete the account?

[thecoalman]

You can ban the account and leave a message as to why it was banned and what steps to take to unban it.

[KevC]

But it's stopped 4 compromised accounts from posting already and it's a 'hands off' solution as it's a continuous rolling check. Works brilliantly.

What do you do with the account after it becomes compromised, and it starts sending spam into the queue? Do you just change the password so the original owner can reset it, or do you delete the account?

They've all been accounts from zero posters up to now so I've just deleted it.

[[Dimetrodon]]

Makes me wonder if those were ever compromised then and not just spam accounts from the get-go.

Edit: I'm not saying that accounts never get compromised in that way, because I'm sure it happens often. But if they're all zero posters in this specific case, I would assume spam account that just hasn't posted until now, if that account was to suddenly start spamming.

[KevC]

They would have to be monumentally dedicated sleeper accounts. One had registered in 2016. I think the others were 2019, 2020 and 2022.

Every site has hundreds of accounts that register for a look around but never post. They also all posted exactly the same spam message.