
You don't have to send them a password reset request. Also, they have not seemed to take the time to change the email address associated with the account so if you did change the password, I don't think they'll get the reset request.


Quote

The password set here will not be sent to the member, so that information must be delivered to them manually. Alternatively, you can force this user to reset their password themselves. 


For our purposes, these users have not logged in or posted in years so we're okay flagging them as spammers.


Edited by Malwarebytes Forums
Updated information

What I did to prevent this spam now was:

- added in IPB keywords for verifpro, crypto, datebest, pump_upp - for "Hold content for moderator approval"
- banned IP in cloudflare: 109.107.166.230 (server-109-107-166-230.vmbox.cloud)

It did the trick, for now anyway.


2 hours ago, Xeite said:

added in IPB keywords for verifpro, crypto, datebest, pump_upp - for "Hold content for moderator approval"

Where did you add this?

19 hours ago, Mikorist said:

I also changed ciphers according to Probely's advice.

server {
    listen 443 ssl;
    ...
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
    ...
}


Can you explain this procedure in more detail?


Edited by dutchsnowden

4 minutes ago, greek_parea said:

OK, but why did this happen?

I already said that it looks like bots are scanning for compromised logins and using the ones they find:


On 1/15/2023 at 3:48 PM, opentype said:

They probably use hacked databases from social media sites and login with accounts that use the same data everywhere.


13 hours ago, Malwarebytes Forums said:

3/4 were shown compromised on https://haveibeenpwned.com/

We had about 5 that showed no breach found in their database, but assume, as others do, that some other database or underground site has them listed and they were used on a fishing expedition.



1 hour ago, dutchsnowden said:

Where did you add this?

Can you explain this procedure in more detail?

For Nginx, ciphers are located in /etc/nginx/nginx.conf

For Apache2

https://httpd.apache.org/docs/trunk/ssl/ssl_howto.html

13 hours ago, Malwarebytes Forums said:

109.107.166.230
The IP address resolves to server-109-107-166-230.vmbox.cloud
Moscow, Moscow, 109044, Russian Federation

Strange, but I have problems with the same IP address, same location...


On our forum it's the same.

We reset passwords for those accounts.

IP list:

109.107.166.230
37.220.87.25
45.136.48.135
5.61.55.218
95.217.144.254
144.76.23.67


Word to word filter: "@pump_upp" "Verifpro" "datebest.net" and similar.


Any info on what that is? Maybe the Tapatalk app?


Just a note for the time being...

One thing self-hosted folks can do is to block the IP range of the spammer(s) using 109.107.166.230, but that needs to be done in the server firewall.

This would be the range to block for that service provider, in CIDR format:

109.107.160.0/19

which blocks 109.107.160.0 through 109.107.191.255

And for that spammer in Iraq... that provider has a huge range of IPs, from 37.236.0.0 to 37.239.255.255, so I personally blocked a fairly small range for them which encompasses the one IP that spammer used:

37.239.8.1/24

(Note: I've added these on my own server already, and it appears I got to it before my sites were hit.)

More blocks can be added as you notice them, but try to keep the ranges small. Blocking a too-large range can cause server issues under the right (wrong?) circumstances.

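As an added example (not code from the thread or from IPS), a small Python check of the firewall blocks proposed above: it reports which of the IPs posted earlier in this thread each block covers, canonicalises 37.239.8.1/24 (which has host bits set), and emits the iptables rules for the collapsed set so a nested /24 is not added twice. The only values it assumes are the IPs and CIDRs quoted in the thread.

```python
# Added example: sanity-check the CIDR blocks suggested in this thread
# before putting them in the server firewall. Values below are the ones
# quoted in the thread; nothing else is assumed.
import ipaddress

# IPs from the "IP list" post earlier in the thread.
THREAD_IPS = [
    "109.107.166.230",
    "37.220.87.25",
    "45.136.48.135",
    "5.61.55.218",
    "95.217.144.254",
    "144.76.23.67",
]

# Blocks proposed in the thread. 37.239.8.1/24 has host bits set, so it is
# parsed with strict=False, which yields the network 37.239.8.0/24.
PROPOSED_BLOCKS = ["109.107.160.0/19", "109.107.166.0/24", "37.239.8.1/24"]


def normalize_blocks(cidrs):
    """Return the canonical network for each CIDR string (host bits cleared)."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def classify(ips, cidrs):
    """Map each IP to the proposed blocks that contain it (empty = not covered)."""
    nets = normalize_blocks(cidrs)
    covered = {}
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        covered[ip] = [str(n) for n in nets if addr in n]
    return covered


def iptables_rules(cidrs):
    """Build DROP rules for the collapsed networks, sorted by address.

    collapse_addresses drops 109.107.166.0/24 because 109.107.160.0/19
    already contains it, so only one rule per distinct range is emitted.
    """
    collapsed = ipaddress.collapse_addresses(normalize_blocks(cidrs))
    return [f"iptables -I INPUT -s {n} -j DROP" for n in collapsed]


if __name__ == "__main__":
    for ip, blocks in classify(THREAD_IPS, PROPOSED_BLOCKS).items():
        print(ip, "->", blocks or "not covered by any proposed block")
    print("\n".join(iptables_rules(PROPOSED_BLOCKS)))
```

Only 109.107.166.230 falls inside the proposed blocks; the other listed IPs would need their own (small) ranges, as the post above advises.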

I'm getting hammered by new registrations that post 50 or more posts in seconds after they register!  It's all airline related air fare posts.  I've flagged over 8 pages of new members so far!  I changed my challenge questions to something a little harder and it slowed them down.


On 1/17/2023 at 8:07 PM, dutchsnowden said:


And force a password reset on the compromised accounts? Would this be enough?

We used this in the past for filtering bad words or fixing misspelling. I have no idea why, but it does not seem to work anymore. I added these filters and monitored our board, and the posts just popped up without moderator approval.


1 hour ago, RocketFoot said:

I'm getting hammered by new registrations that post 50 or more posts in seconds after they register!  It's all airline related air fare posts.  I've flagged over 8 pages of new members so far!  I changed my challenge questions to something a little harder and it slowed them down.

Sorry to say this but seems unrelated to this topic's issue. Sounds like a different issue.

1 hour ago, Hackbart said:

We used this in the past for filtering bad words or fixing misspelling. I have no idea why, but it does not seem to work anymore. I added these filters and monitored our board, and the posts just popped up without moderator approval.

That is horrible if it proves to be true and the filtering does not work properly. I did not get any other spam in the last 24h.


5 hours ago, RocketFoot said:

I'm getting hammered by new registrations that post 50 or more posts in seconds after they register!  It's all airline related air fare posts.  I've flagged over 8 pages of new members so far!  I changed my challenge questions to something a little harder and it slowed them down.

I was getting these for the entire period just before Christmas and right after New Years. They eventually gave up and haven't been back.

These new crypto spammers rose up in their place right after the 4.7.6 update to IPS. Which seems to be when the word filtering just stopped working because adding their keywords to it has done nothing for my own site. They kept getting through without even being slowed down.

In the course of digging around, the IP 109.107.166.230 came up. Which led to needing to block the network range 109.107.166.0/24. Mark's suggestion of 109.107.160.0/19 is probably better though. I've got it blocked off in IPTables now so we'll see.

Unfortunately it appears as though the compromised accounts came from some sort of data breach somewhere because every single one of them that's been spamming has been in the last 2 days using accounts that are all over 6 months old and had no activity on them.

I'd also just like to point out that in the official support section I got nothing but BS responses about spam defense, word filters, and group promotions. This one thread here has had a lot more useful information than I've gotten from the devs in 2 weeks' time. Which is sad, because none of us are paying for the package to end up being each other's tech support.


8 minutes ago, Arthmoor said:

Unfortunately it appears as though the compromised accounts came from some sort of data breach somewhere because every single one of them that's been spamming has been in the last 2 days using accounts that are all over 6 months old and had no activity on them.

If they’re old and never used, they were most likely registered by the spammer months ago and “saved”. Many sites have rules that restrict accounts less than XX days old (say 30 days).  

I would be more inclined to believe it was a data breach elsewhere if it was long term member accounts that had historically been active and participating on your site suddenly spamming. But an account that was registered and never used that surfaces months later does not scream external data breach. 


Patterns of registration like that don't generally span large numbers of locations. They tend to have IP addresses associated with registration from the same part of the world.

Plus there's numerous discussions on numerous sites about this same IP conducting a widespread campaign using compromised old user accounts. This isn't just about IPB, and it doesn't do anyone any good to try and dismiss the obvious out of hand.
