AlexWebsites Posted January 17, 2023 Posted January 17, 2023 You can optionally hold all newly posted links for moderation, which is what I do.
AlexJ Posted January 17, 2023 Posted January 17, 2023 1 minute ago, AlexWebsites said: You can optionally hold all newly posted links for moderation, which is what I do. Automatic moderation doesn't have option for links or certain keywords.. is their any settings for it? Thanks.
Malwarebytes Forums Posted January 17, 2023 Posted January 17, 2023 (edited) You don't have to send them a password reset request. Also, they have not seemed to take the time to change the email address associated with the account so if you did change the password, I don't think they'll get the reset request. Quote The password set here will not be sent to the member, so that information must be delivered to them manually. Alternatively, you can force this user to reset their password themselves. For our purposes, these users have not logged in or posted in years so we're okay flagging them as spammers. Edited January 17, 2023 by Malwarebytes Forums Updated information Luuuk and AlexJ 2
Xeite Posted January 17, 2023 Posted January 17, 2023 What I did to prevent this spam now was: - added in IPB keywords for verifpro, crypto, datebest, pump_upp - for "Hold content for moderator approval" - banned IP in cloudflare: 109.107.166.230 (server-109-107-166-230.vmbox.cloud) It did the trick, for now anyway.
AlexWebsites Posted January 17, 2023 Posted January 17, 2023 11 hours ago, AlexJ said: Automatic moderation doesn't have option for links or certain keywords.. is their any settings for it? Thanks. AlexJ 1
dutchsnowden Posted January 17, 2023 Posted January 17, 2023 (edited) 2 hours ago, Xeite said: added in IPB keywords for verifpro, crypto, datebest, pump_upp - for "Hold content for moderator approval" where you added this? 19 hours ago, Mikorist said: I also changed ciphers according to Probely's advice. server { listen 443 ssl; ... ssl_protocols TLSv1.2 TLSv1.3; ... } TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHERSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHERSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128- SHA256 Can you explain in more details this procedure? Edited January 17, 2023 by dutchsnowden
dutchsnowden Posted January 17, 2023 Posted January 17, 2023 Word Filter - Moderate. Best and easy way.
greek_parea Posted January 17, 2023 Author Posted January 17, 2023 21 minutes ago, dutchsnowden said: Word Filter - Moderate. Best and easy way. ok but why happened this?
Luuuk Posted January 17, 2023 Posted January 17, 2023 4 minutes ago, greek_parea said: ok but why happened this? Already said that it looks that bots are scanning if compromised logins exist and use those found: On 1/15/2023 at 3:48 PM, opentype said: They probably use hacked databases from social media sites and login with accounts that use the same data everywhere. 13 hours ago, Malwarebytes Forums said: 3/4 were shown compromised on https://haveibeenpwned.com/ We had about 5 that showed no breach found in their database, but assume as others that some other database or underground site has them listed and were used on a fishing expedition.
dutchsnowden Posted January 17, 2023 Posted January 17, 2023 15 minutes ago, Luuuk said: Already said that it looks that bots are scanning if compromised logins exist and use those found: Do we know this to be 100% accurate?
Mikorist Posted January 17, 2023 Posted January 17, 2023 1 hour ago, dutchsnowden said: where you added this? Can you explain in more details this procedure? For Nginx ciphers are located in /etc/nginx/nginx.conf For Apache2 https://httpd.apache.org/docs/trunk/ssl/ssl_howto.html 13 hours ago, Malwarebytes Forums said: 109.107.166.230 The IP address resolves to server-109-107-166-230.vmbox.cloud Moscow, Moscow, 109044, Russian Federation Strange, but i have problems with same IP adress -same location........
wegorz23 Posted January 17, 2023 Posted January 17, 2023 On our forum its the same. We reset passwords for that accounts. ip list: 109.107.166.230 37.220.87.25 45.136.48.135 5.61.55.218 95.217.144.254 144.76.23.67 Word to word filter: "@pump_upp" "Verifpro" "datebest.net" and similar. Any info what is that ? maybe tapatalk app ?
dutchsnowden Posted January 17, 2023 Posted January 17, 2023 someone on my forum mentioned they use Xrumer to spam our forums.
dutchsnowden Posted January 17, 2023 Posted January 17, 2023 And force password reset to the compromise accounts? Would this be enough? AlexJ 1
Mark H Posted January 17, 2023 Posted January 17, 2023 Just a note for the time being... One thing self-hosted folks can do is to block the IP range of the spammer(s) using 109.107.166.230, but that needs to be done in the server firewall. This would be the range to block for that service provider, in CIDR format: 109.107.160.0/19 which blocks 109.107.160.0 through 109.107.191.255 And for that spammer in Iraq... that provider has a huge range of IP's, from 37.236.0.0 to 37.239.255.255 so I personally blocked a fairly small range for them which encompasses the one IP that spammer used: 37.239.8.1/24 (Note: I've added these on my own server already, and it appears I got to it before my sites were hit.) More blocks can be added as you notice them, but try to keep the ranges small. Blocking a too-large range can cause server issues under the right (wrong?) circumstances. AlexWebsites and dutchsnowden 1 1
PurpleSparkles Posted January 17, 2023 Posted January 17, 2023 (edited) We are getting this with members who are verified and long term and this IP being used... Edited January 17, 2023 by PurpleSparkles dutchsnowden 1
Franck Poulain Posted January 17, 2023 Posted January 17, 2023 Same here, long terms and verified users are posting this SPAM automatically and this is very annoying. Using word blocking now.
AlexJ Posted January 18, 2023 Posted January 18, 2023 For those using Cloudflare (CF), very simple solution. Do managed challenge for this ASN's. CF firewall is extremely fast. This IP ASN: AS56380 - Normally all this spam bots use VPN/Proxy or datacenter IP's. https://ipinfo.io/AS56380 https://www.ipqualityscore.com/free-ip-lookup-proxy-vpn-test/lookup/109.107.166.230 Daniel F and dutchsnowden 1 1
RocketFoot Posted January 18, 2023 Posted January 18, 2023 I'm getting hammered by new registrations that post 50 or more posts in seconds after they register! It's all airline related air fare posts. I've flagged over 8 pages of new members so far! I changed my challenge questions to something a little harder and it slowed them down.
Hackbart Posted January 18, 2023 Posted January 18, 2023 On 1/17/2023 at 8:07 PM, dutchsnowden said: And force password reset to the compromise accounts? Would this be enough? We used this in the past for filtering bad words or fixing misspelling. I have no idea why, but it does not seem to work anymore. I added these filters and monitored our board, and the posts just popped up without moderator approval.
dutchsnowden Posted January 18, 2023 Posted January 18, 2023 1 hour ago, RocketFoot said: I'm getting hammered by new registrations that post 50 or more posts in seconds after they register! It's all airline related air fare posts. I've flagged over 8 pages of new members so far! I changed my challenge questions to something a little harder and it slowed them down. Sorry to say this but seems unrelated to this topic's issue. Sounds like a different issue. 1 hour ago, Hackbart said: We used this in the past for filtering bad words or fixing misspelling. I have no idea why, but it does not seem to work anymore. I added these filters and monitored our board, and the posts just popped up without moderator approval. That is horrible if prooves to be true and the filtering does not work properly. I did not got any other spam in the last 24h.
Arthmoor Posted January 19, 2023 Posted January 19, 2023 5 hours ago, RocketFoot said: I'm getting hammered by new registrations that post 50 or more posts in seconds after they register! It's all airline related air fare posts. I've flagged over 8 pages of new members so far! I changed my challenge questions to something a little harder and it slowed them down. I was getting these for the entire period just before Christmas and right after New Years. They eventually gave up and haven't been back. These new crypto spammers rose up in their place right after the 4.7.6 update to IPS. Which seems to be when the word filtering just stopped working because adding their keywords to it has done nothing for my own site. They kept getting through without even being slowed down. In the course of digging around, the IP 109.107.166.230 came up. Which led to needing to block the network range 109.107.166.0/24. Mark's suggestion of 109.107.160.0/19 is probably better though. I've got it blocked off in IPTables now so we'll see. Unfortunately it appears as though the compromised accounts came from some sort of data breach somewhere because every single one of them that's been spamming has been in the last 2 days using accounts that are all over 6 months old and had no activity on them. I'd also just like to point out that in the official support section I got nothing but BS responses about spam defense, word filters, and group promotions. This one thread here has had a lot more useful information than I've gotten from the devs in 2 weeks time. Which is sad, because none of us are paying for the package to end up being each other's tech support.
Randy Calvert Posted January 19, 2023 Posted January 19, 2023 8 minutes ago, Arthmoor said: Unfortunately it appears as though the compromised accounts came from some sort of data breach somewhere because every single one of them that's been spamming has been in the last 2 days using accounts that are all over 6 months old and had no activity on them. If they’re old and never used, they were most likely registered by the spammer months ago and “saved”. Many sites have rules that restrict accounts less than XX days old (say 30 days). I would be more inclined to believe it was a data breach elsewhere if it was long term member accounts that had historically been active and participating on your site suddenly spamming. But an account that was registered and never used that surfaces months later does not scream external data breach. SecondSight 1
Arthmoor Posted January 19, 2023 Posted January 19, 2023 Patterns of registration like that don't generally span large numbers of locations. They tend to have IP addresses associated with registration from the same part of the world. Plus there's numerous discussions on numerous sites about this same IP conducting a widespread campaign using compromised old user accounts. This isn't just about IPB, and it doesn't do anyone any good to try and dismiss the obvious out of hand.
Recommended Posts