
I have seen spam for members for 2 days now.

Most Popular Posts

  • For those using Cloudflare (CF), very simple solution. Do managed challenge for these ASNs. CF firewall is extremely fast. This IP ASN: AS56380 - Normally all these spam bots use VPN/Proxy or dat


I am getting these too on one site. Seems to be a clever spam attack, since they do not use new accounts. 

But they do use repeating IP addresses and those t.me links, both of which you could block. 

I have never had anything like this in 12 years. I've had spam users but never like this.

We had 20 accounts that have logged into the forums from the same IP since 1/14/2023

109.107.166.230
The IP address resolves to server-109-107-166-230.vmbox.cloud
Moscow, Moscow, 109044, Russian Federation
 

3/4 were shown compromised on https://haveibeenpwned.com/

We had about 5 that showed no breach found in their database, but assume as others that some other database or underground site has them listed and were used on a fishing expedition.

We placed the IP into our Clean Talk to also block that IP

At this point we have to assume that all 20 accounts are now compromised and flag them as spammers. In checking, aside from the spam posts these accounts have not posted in years anyways.

 

 

You don't have to send them a password reset request. Also, they have not seemed to take the time to change the email address associated with the account so if you did change the password, I don't think they'll get the reset request.

 

  Quote

The password set here will not be sent to the member, so that information must be delivered to them manually. Alternatively, you can force this user to reset their password themselves. 

 

For our purposes, these users have not logged in or posted in years so we're okay flagging them as spammers.

 

Edited by Malwarebytes Forums
Updated information


And force a password reset on the compromised accounts? Would this be enough?

Just a note for the time being...

One thing self-hosted folks can do is to block the IP range of the spammer(s) using 109.107.166.230, but that needs to be done in the server firewall.

This would be the range to block for that service provider, in CIDR format:

109.107.160.0/19

which blocks 109.107.160.0 through 109.107.191.255

And for that spammer in Iraq... that provider has a huge range of IPs, from 37.236.0.0 to 37.239.255.255, so I personally blocked a fairly small range for them which encompasses the one IP that spammer used:

37.239.8.1/24

(Note: I've added these on my own server already, and it appears I got to it before my sites were hit.)

More blocks can be added as you notice them, but try to keep the ranges small. Blocking a too-large range can cause server issues under the right (wrong?) circumstances.
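
An added example, not part of the original posts: a Python check of the two CIDR ranges quoted above, combined with the shared-IP pattern reported earlier in the thread (many old accounts logging in from one address). The login records, account names and the threshold of 3 accounts are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Ranges quoted in the thread. "37.239.8.1/24" has host bits set, so it is
# parsed with strict=False, which normalises it to its network address.
BLOCKED = [ipaddress.ip_network(c, strict=False)
           for c in ("109.107.160.0/19", "37.239.8.1/24")]

# Constructed sample login records: (account, source IP). Not real forum data.
SAMPLE_LOGINS = [
    ("old_member_01", "109.107.166.230"),
    ("old_member_02", "109.107.166.230"),
    ("old_member_03", "109.107.166.230"),
    ("old_member_04", "37.239.8.77"),
    ("regular_user", "198.51.100.24"),
    ("regular_user", "198.51.100.25"),
]

def range_bounds(net):
    """First and last address of a network, as strings."""
    return str(net.network_address), str(net.broadcast_address)

def matching_block(ip, blocks=BLOCKED):
    """Return the blocked network containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    return next((n for n in blocks if addr in n), None)

def shared_ips(logins, min_accounts=3):
    """Map each IP used by at least min_accounts distinct accounts to them."""
    by_ip = defaultdict(set)
    for account, ip in logins:
        by_ip[ip].add(account)
    return {ip: sorted(a) for ip, a in by_ip.items() if len(a) >= min_accounts}

def accounts_to_review(logins, blocks=BLOCKED, min_accounts=3):
    """Accounts seen from a blocked range or from a heavily shared IP."""
    shared = shared_ips(logins, min_accounts)
    return sorted({a for a, ip in logins
                   if ip in shared or matching_block(ip, blocks) is not None})

if __name__ == "__main__":
    for net in BLOCKED:
        print(net, "covers", *range_bounds(net))
    print("shared IPs:", shared_ips(SAMPLE_LOGINS))
    print("review:", accounts_to_review(SAMPLE_LOGINS))
```

Checking a range this way before adding it to a firewall confirms it covers the address you saw and shows exactly how many neighbouring addresses it also blocks.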

 

They tend to have IP addresses associated with registration from the same part of the world.

This is why you ban the ASN. Banning CIDRs will do no good and eventually it will take a toll on CPU consumption on your server. However, if you do ban an IP address, make sure to block at PREROUTING / RAW so it's quick and fast.

  • 3 weeks later...

Better yet - get IPS to implement this:

There should be no good reason to have to spend additional money at the price the IPS package sells for. Especially when a solid working anti-spam system exists that's easily implemented into the package.

I did, hence why I linked it here. Maybe more interest in the suggestion will help nudge it along. Besides, I think I made it pretty clear what I was linking when I said "get IPS to implement this".
