Forum being used to send spam?

  • Forum being used to send spam?

    See this thread. I'm running into the same thing, with "email to friend" turned off for unregistered users, those awaiting verification, and those with under five posts. I'm using vB 3.8. Here's an example of the kinds of messages I'm getting.



    Code:
    From - Mon Jan 12 00:27:22 2009
    X-Account-Key: account9
    X-UIDL: UID43770-1148835326
    X-Mozilla-Status: 0001
    X-Mozilla-Status2: 00000000
    X-Mozilla-Keys:                                                                                 
    Return-path: <>
    Envelope-to: (forums email address)
    Delivery-date: Mon, 12 Jan 2009 01:20:29 -0500
    Received: from mailnull by host.[my domain].org with local (Exim 4.69)
    	id 1LMG9z-0008ME-OW
    	for (forums email address); Mon, 12 Jan 2009 01:20:28 -0500
    X-Failed-Recipients: [email protected]
    Auto-Submitted: auto-replied
    From: Mail Delivery System <[email protected][my domain].org>
    To: [email protected][my domain].org
    Subject: Mail delivery failed: returning message to sender
    Message-Id: <[email protected][my domain].org>
    Date: Mon, 12 Jan 2009 01:20:27 -0500
    X-Antivirus: avast! (VPS 090111-1, 01/11/2009), Inbound message
    X-Antivirus-Status: Clean
    
    This message was created automatically by mail delivery software.
    
    A message that you sent could not be delivered to one or more of its
    recipients. This is a permanent error. The following address(es) failed:
    
      [email protected]
        SMTP error from remote mail server after RCPT TO:<[email protected]>:
        host mail-com.mr.outblaze.com [208.36.123.17]:
        550 <[email protected]>: No thank you rejected: Account Unavailable:
        Possible Forgery
    
    ------ This is a copy of the message, including all the headers. ------
    
    Return-path: <(forums email address)>
    Received: from nobody by host.[my domain].org with local (Exim 4.69)
    	(envelope-from <[email protected][my domain].org>)
    	id 1LMG9e-00021b-5x
    	for [email protected]; Mon, 12 Jan 2009 01:20:09 -0500
    To: [email protected]
    Subject: [email protected]
    From: "[my domain] Forums" <(forums email address)>
    Auto-Submitted: auto-generated
    Message-ID: <[email protected]>
    MIME-Version: 1.0
    Content-Type: text/plain; charset="ISO-8859-1"
    Content-Transfer-Encoding: 8bit
    X-Priority: 3
    X-Mailer: vBulletin Mail via PHP
    Sender: Nobody <[email protected][my domain].org>
    Date: Mon, 12 Jan 2009 01:20:06 -0500
    
    Hero,
    
    This is a message from Dominic ( mailto: ) from the [my domain] Forums ( http://www.[my domain].org/forums/ ).
    
    The message is as follows:
    
    [email protected]
    
    [my domain] Forums takes no responsibility for messages sent through its system.
    Cyburbia Forums - a third place for urban planners
    http://www.cyburbia.org/forums

  • #2
    Look up that username (Dominic) in your Admin CP. Check his group permissions to make sure he doesn't have the ability to send emails to users.

    Many spam bots can get past image verification and email verification. The bots can also make posts which could qualify them for the promotion you have set up (5 posts).

    There seems to be a spam campaign going on recently. Lots of forums are getting hit. The ideal is to stop the spam bots from even registering. You can use one of the human verification options:

    Admin CP -> vBulletin Options -> Human Verification Manager (on the left, not the right)

    The Q&A option can be very effective. Note that the "image verification" option isn't very effective anymore since some bots are programmed to read those images.



    • #3
      Originally posted by Jake Bunce
      Look up that username (Dominic) in your Admin CP. Check his group permissions to make sure he doesn't have the ability to send emails to users.

      Many spam bots can get past image verification and email verification. The bots can also make posts which could qualify them for the promotion you have set up (5 posts).

      There seems to be a spam campaign going on recently. Lots of forums are getting hit. The ideal is to stop the spam bots from even registering. You can use one of the human verification options:

      Admin CP -> vBulletin Options -> Human Verification Manager (on the left, not the right)

      The Q&A option can be very effective. Note that the "image verification" option isn't very effective anymore since some bots are programmed to read those images.
      There's no user named Dominic; that's considering both Roman letters and Cyrillic lookalikes in the username. My site has VERY strong spam protection in place; blocks from India, China, Nigeria, Pakistan and other spam/hacking-prone IPs; Q&A for new users; a large list of blocked domains; plugin where messages that include URLs and certain keywords posted by new users are sent to the moderation queue, and so on. PMs are turned off for users with less than five posts. Really, only about 15 real forum spammers manage to register every month, and the majority are usually from a new Indian IP block. We often get them before they spam, and the spam they post is usually caught by our filters.
      Cyburbia Forums - a third place for urban planners
      http://www.cyburbia.org/forums



      • #4
        Just as a thought... People from all over the world visit my main forum. If you use the Q&A option, consider your visitors and potential language issues. If you have many foreign visitors who want to register Q&A will be problematic.



        • #5
          Originally posted by cyburbia
          There's no user named Dominic
          If there is no user by that name then the email must have been sent from somewhere else. Maybe there is another forum using your email address?



          • #6
            Switch off your SMTP email application.

            Just by reading the whole thing I noticed that it was giving you errors.

            Look for another email application so that you don't have that problem. There are heaps of free ones around.
            Aussiefootyforums

            New Site New forum
            Come and talk sports all day long




            • #7
              Originally posted by Jake Bunce
              If there is no user by that name then the email must have been sent from somewhere else. Maybe there is another forum using your email address?
              Why? I just Googled my forum email address, and there are no hits.
              Cyburbia Forums - a third place for urban planners
              http://www.cyburbia.org/forums



              • #8
                Originally posted by hawksgirl
                Switch off your SMTP email application.
                SMTP is turned off. Should it be on?

                Thanks, all, for the answers so far.
                Last edited by cyburbia; Mon 12th Jan '09, 4:43pm.
                Cyburbia Forums - a third place for urban planners
                http://www.cyburbia.org/forums



                • #9
                  Originally posted by cyburbia
                  SMTP is turned off. Should it be on?
                  Keep it off.

                  It is only if you have a server that uses that application.

                  I would search for a new email address from a different application if I were you.
                  Aussiefootyforums

                  New Site New forum
                  Come and talk sports all day long




                  • #10
                    Originally posted by hawksgirl
                    I would search for a new email address from a different application if I were you.
                    Dumb question, but ... why?

                    FWIW, my forum IP isn't on any blacklists.
                    Cyburbia Forums - a third place for urban planners
                    http://www.cyburbia.org/forums



                    • #11
                      Originally posted by cyburbia
                      Dumb question, but ... why?

                      FWIW, my forum IP isn't on any blacklists.
                      Because the one that you have currently got has been sending you the spam.
                      Aussiefootyforums

                      New Site New forum
                      Come and talk sports all day long




                      • #12
                        The same thing has been happening on my forum since upgrading to 3.8, and has never happened in the past. I get the same spam message bounces from messages originating from my forums. The message headers and server log indicate that the spam message is indeed coming from the forums.

                        I have disabled the 'email to friend' option in ALL user groups. I still am getting bounces for spam messages sent after disabling this access. I just matched a spam origination up to the following httpd log entry:

                        forums.myserver.org 88.198.207.4 - - [16/Jan/2009:11:13:43 -0500] "POST /blog.php?do=dosendtofriend&b=193 HTTP/1.0" 200 9039 "http://forums.myserver.org/blog.php?do=sendtofriend&b=193" "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.2a) Gecko/20020910"

                        I checked, and sure enough there is a send to friend option displaying on the blogs. I can't find any option to disable this in the blog options in the ACP. I would think it would obey the user group options to disable emailing to friends.

                        Even though the spam message is of the format that is sent out for email to a friend from the forums, I'm guessing the spammers are using email to a friend from the blogs and changing the message content to look like it's coming from the forums.



                        • #13
                          Originally posted by webswimr
                          I checked, and sure enough there is a send to friend option displaying on the blogs. I can't find any option to disable this in the blog options in the ACP. I would think it would obey the user group options to disable emailing to friends.
                          Has anyone reported this as a 'bug'?



                          • #14
                            Bump. Has this been addressed? It's still going on, and it seems to be coming from blog.php.

                            Return-path: <[forums email address]>
                            Received: from nobody by host.[domain].org with local (Exim 4.69)
                            (envelope-from <[forums email address]>)
                            id 1QhCgH-0004YX-VC
                            for [recipient email address]; Wed, 13 Jul 2011 23:33:42 -0400
                            To: [recipient email address]
                            Subject: [recipient email address]
                            X-PHP-Script: www.[domain].org/forums/blog.php for 62.52.71.56
                            How do I disable "send to friend" in the blogs?
                            Cyburbia Forums - a third place for urban planners
                            http://www.cyburbia.org/forums

                            Comment
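The check done by hand in posts #12 and #14 (matching a bounced message against the web server log) can be scripted. This is an added example, not part of any post in the thread; it assumes the access log carries a leading virtual-host field as in the entry quoted in #12, the function names are hypothetical, and all sample lines and addresses are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined log format with a leading virtual-host field (assumed, as quoted in post #12).
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+')
# Header shape shown in post #14: "X-PHP-Script: <host>/<script> for <client ip>"
PHP_SCRIPT_RE = re.compile(r'^X-PHP-Script:\s*(?P<script>\S+) for (?P<ip>\S+)', re.I | re.M)
SEND_ACTIONS = {"dosendtofriend"}  # the do= value seen in the thread's log entry

def sendtofriend_posts(log_lines):
    """Yield (ip, timestamp, path, params) for each POST that submits a send-to-friend form."""
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        url = urlsplit(m["target"])
        params = parse_qs(url.query)
        if SEND_ACTIONS & set(params.get("do", [])):
            yield m["ip"], m["ts"], url.path, params

def correlate(bounce_headers, log_lines):
    """Return log hits whose client IP and script match the bounce's X-PHP-Script header."""
    m = PHP_SCRIPT_RE.search(bounce_headers)
    if not m:
        return []  # header absent: nothing to correlate on
    script_name = "/" + m["script"].rsplit("/", 1)[-1]
    return [hit for hit in sendtofriend_posts(log_lines)
            if hit[0] == m["ip"] and hit[2].endswith(script_name)]

# Constructed sample data (documentation address ranges, example domains).
SAMPLE_LOG = [
    'forums.example.org 203.0.113.7 - - [13/Jul/2011:23:33:38 -0400] '
    '"GET /forums/blog.php?do=sendtofriend&b=193 HTTP/1.0" 200 8120 "-" "Mozilla/5.0"',
    'forums.example.org 203.0.113.7 - - [13/Jul/2011:23:33:40 -0400] '
    '"POST /forums/blog.php?do=dosendtofriend&b=193 HTTP/1.0" 200 9039 "-" "Mozilla/5.0"',
    'forums.example.org 198.51.100.23 - - [13/Jul/2011:23:35:02 -0400] '
    '"POST /forums/blog.php?do=dosendtofriend&b=7 HTTP/1.1" 200 9011 "-" "Mozilla/5.0"',
]
SAMPLE_BOUNCE = ("To: recipient@example.net\n"
                 "X-PHP-Script: www.example.org/forums/blog.php for 203.0.113.7\n"
                 "X-Mailer: vBulletin Mail via PHP\n")

if __name__ == "__main__":
    for ip, ts, path, params in correlate(SAMPLE_BOUNCE, SAMPLE_LOG):
        print(ip, ts, path, params.get("b"))
```

Counting the output of `sendtofriend_posts` per client IP over a full log shows which addresses are driving the form, which is the input needed for a block rule while the feature cannot be disabled per blog.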


                            • #15
                              You can't - you can only disable it globally.

                              Does the header also have this line:

                              X-Mailer: vBulletin Mail via PHP