Forum email system hacked?

Started by ivanjs, August 17, 2006, 06:24:26 PM


ivanjs

I just deleted a post from my site which had a fairly pornographic image on it from someone who registered using a throw-away yahoo account (I only allow posts from people who register with legitimate emails). I've since banned all yahoo accounts to my forum, but of course, they'll just go to some other free email system and probably post again.

I don't want to ban images since it's an art and design related forum, so I'm at a loss how to stop this. I've also banned his IP address, but of course they can fake the IP.

Here's the biggest problem though...

Somehow, they emailed the porno post to apparently all my members, and it looked like it came from the forum (I got the email and it said it was from the admin at my forum and even looked legit in the header). I've gotten emails today from users complaining about why the forum sent them porn.

How did this "user" do this and how do I stop it from happening again?

The kicker? Most of my members DON'T show their email addresses publicly, so again, how did he get hold of the email addresses and then make it look like it came from the forum?

At first, I thought maybe he hacked the admin password, but I doubt that since he probably would've just taken the site down completely or something. As of 5 minutes ago, I can still login as admin (and changed my password just in case).

Very very disheartening...
J.
Photoshop Tutorials and More!
http://www.lyzrdstomp.com/

Elmacik

I can e-mail you from an address like [email protected]
Will you believe that it's really that dumb mailing you?

He must have collected your members' mails from the member list (index.php?action=mlist)
Then he must have sent the fake mails with a fake mail sender software or a script.
(This way someone can send mails even from a nonexistent address)

I recommend that you disallow your guests (and maybe members too) from viewing the member list.
Which can be set in Admin -> Permissions
Home of Elmacik

FliesLikeABrick

Have you noted that he said most of his members [affected] don't have their e-mail address set to be viewed publicly?  In addition, doesn't the forum [by default, if not always] specifically not show addresses to guests, even if those members have allowed other members to view their address?

Furthermore, he said he checked the headers and it looks like it is coming from the server. 

If you're going to blindly reply to people's threads asking for help, I suggest you either don't or take the time to read the post first.

Fizzy

Please send the header info and relevant email content through to [email protected] so that the required checks can be made

Thanks
"Reality is merely an illusion, albeit a very persistent one." - A.E.


Elmacik

@FliesLikeABrick, sorry, but you can't know if "most" of your members hide their mails from others unless you check them one by one.
And you can very very easily insert header data into your mail very fakely.
So as long as he is not talking about DNSs, you can't know if it's really from his server.

I surely read the post, and now read again in case of misunderstanding, just by your warning.
But I still suppose the same. So if there is still something I misunderstand, sorry.

青山 素子

Please follow the request in Fizzy's post if you haven't already.
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.


vbgamer45

I would also make sure that you have the CAPTCHA mod installed to filter out some spam bots that have been sending this spam lately.

Shawn Sorrell

I had something similar happen around 7/17/06. A user registered and then sent a PM to each user in my forum that contained an image with links to porno sites. This in turn sent an email to those who had their accounts set to receive notification of PM's with the content of the PM (without the image). As I said I did not have the time when it happened to go in and access my server logs which really is the only thing that may have given an idea of how the "user" did this. What I did do is Deny new users from sending PM's on my forum. Only after so many posts are they allowed to send a PM. Not the best solution but it gives me some protection.

I would suggest that if this happens to anyone that they get access to their server logs right away before they are lost (my site archives only so far back) so that the time period in question could be reviewed by SMF coders. The email itself will not give much information since it was sent out by the forum to notify folks they had received a PM. CAPTCHA can help some but in my case I did have it installed but the spammer was able to bypass it either by using their temp address to verify the registration or they had cracked the CAPTCHA image (not sure which).

I am not willing to release the restriction on the forum to see if I can bait the spammer to do it again, but I do have another SMF forum where I do not have the restriction in place that is not as "vital" as the site this happened on if they do hit it. If it happens there I will fully investigate it. The only thing is the site I have without the restriction is running 1.07 and the one it happened on is running RC2.

I do think the attack was somewhat automated since the PM post came in blocks of 10. I think they were trying to adjust for limitations on posting and max recipients on PM's. I did lower the Max Recipients on PM's to try and combat this also.

I know my input doesn't really help the developers much but perhaps it will help others in dealing with the problem if they have it and let them know what may be going on. I don't think this is a security issue or bug but just one of those things you have to deal with if you are going to have a forum. :) There may be something that could be added to the code but without access logs it would be very hard for developers to determine anything and even then they may not reveal what had happened.
Shawn
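As an added example (not part of the original posts or of SMF's own code), here is one way to review an access log for the pattern described above, where PMs arrive in rapid blocks from a single client. The `action=pm;sa=send2` URL pattern, the thresholds and the sample log lines are assumptions constructed for illustration; adjust them to what your own server logs show.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumption: the PM submit handler appears in the URL as action=pm;sa=send2.
# Check your own access log and adjust the pattern to match.
PM_SEND = re.compile(r"action=pm;sa=send2")
# Apache common/combined log prefix: client, timestamp, method and URL.
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+)')

def find_pm_bursts(lines, max_sends=5, window=timedelta(minutes=2)):
    """Map client IP -> (first_ts, last_ts, peak) for clients that made more
    than max_sends PM POSTs inside a sliding window. Lines must be in time order."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        m = LINE.match(line)
        if not m or m["method"] != "POST" or not PM_SEND.search(m["url"]):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:      # drop sends that fell out of the window
            q.popleft()
        if len(q) > max_sends:
            first, _, peak = flagged.get(m["ip"], (q[0], ts, 0))
            flagged[m["ip"]] = (first, ts, max(peak, len(q)))
    return flagged

def sample_log():
    """Constructed log: one client sends 10 PMs 3 s apart, another sends 2 an hour apart."""
    base = datetime(2006, 8, 23, 9, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts:%d/%b/%Y:%H:%M:%S %z}] "{req} HTTP/1.1" 200 512'
    rows = [(base + timedelta(seconds=3 * i), "203.0.113.7",
             "POST /index.php?action=pm;sa=send2") for i in range(10)]
    rows += [(base + timedelta(hours=h), "198.51.100.20",
              "POST /index.php?action=pm;sa=send2") for h in (0, 1)]
    rows.append((base + timedelta(seconds=1), "203.0.113.7", "GET /index.php?action=mlist"))
    rows.sort(key=lambda r: r[0])
    return [fmt.format(ip=ip, ts=ts, req=req) for ts, ip, req in rows]

if __name__ == "__main__":
    for ip, (first, last, peak) in find_pm_bursts(sample_log()).items():
        print(f"{ip}: {peak} PM sends between {first} and {last}")
```

The first and last timestamps it reports give the time period to pull from the full logs before they rotate out.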

opally

I had the exact thing that WildJoker describes happen this morning: mass PM spam of members. And yes, I'm using CAPTCHA.

I have combed thru the admin settings but haven't found where "Max Recipients on PM" can be set. I am using SMF 1.0.7.


I'd like to set a cap on number of PMs a newbie can send. Is there a way to do that?
edit: I found this code modification, and I'm trying to modify it slightly.

Maybe I need to set up a group beyond Newbies where PM is permitted, and simply shut it down to everyone below that.  :(

Eager to hear some ideas and point me where/how I can set limits in admin or in code.

m771401

This happened to my site as well yesterday morning. New user, Spammed all the boards, and sent out PMs. I made a backup of my database before I deleted all the messages and PMs, and I can get the logs from the server.

Would this info be useful to SimpleMachines?

Fizzy

Quote from: opally on August 23, 2006, 12:22:23 PM
I had the exact thing that WildJoker describes happen this morning: mass PM spam of members. And yes, I'm using CAPTCHA.

That's no great surprise. Captcha doesn't make it secure. The new bots on the web can use OCR to bust Captcha.

Quote
I have combed thru the admin settings but haven't found where "Max Recipients on PM" can be set. I am using SMF 1.0.7.

I'd like to set a cap on number of PMs a newbie can send. Is there a way to do that?

There is no way currently to set the maximum number of PM's a member can send. The team is working on a solution to this right now.


Quote
Maybe I need to set up a group beyond Newbies where PM is permitted, and simply shut it down to everyone below that.  :(

Unfortunately that may not help either. The spam bots post messages and send PM's. Unless you set the PM permission very high then a spammer would soon clock up enough forum posts to be able to send PM's.


m771401

Hopefully something can be done. I have a few kids on my site and what was spammed would make some parents very upset.

For the time being I've made membership by approval only and changed the PM notifications to not include the sender's message. Good thing too 'cause I had to reject a new bot account already this morning.

Fizzy

Sorry to hear that. Unfortunately this is not isolated to SMF. The problem is global at the moment.
Your choice to authorise all new members is a good one.


青山 素子

One thing I will note is that if someone is determined to get in and spam, they will no matter what you put up to stop them. All things like CAPTCHA systems and the like (e-mail verification) do is raise the cost (in time or other factors), making you a less attractive target.


Shawn Sorrell

As mentioned there is no way to fully keep this from happening and it is not just an issue with SMF. All forums and programs that allow users to post to your site face this problem. I thought it may help if I posted all the steps I took to try and combat the problem. Bottom line though is if I had not been diligent in keeping track of my forum and had not had good moderators (mine have my phone number and one called to say this had happened) the spam would have been seen by more of my users than just a few.

First I have Post count based groups set up and the lowest is a newbie group that is 0 posts. Under Permissions I have Denied them to Send personal messages. Other Post count based groups are allowed the option. You can decide how many posts it takes. :) As mentioned this may only slow them down since they may simply make some posts till they reach the required limit.

Next I went ahead and created a ban using the following triggers.
Email: [email protected]
Hostname: udp038291uds.hawaiiantel.net
IP: 72.234.50.113
Username: Harrison Ford
More than likely the IP ban is useless since spammers most often fake that. The Email ban may prevent it some but again it is something that the spammer will most likely change. On searching out this issue I did see that the spammer had used the same exact email address when attacking other sites. The Hostname ban is pretty radical since it is very possible that I have now blocked legit users. The only reason I did it was because I know by my logs and such that up to this date I have had no users that would be affected by the ban. With research I found that this spammer liked using the Harrison Ford username but pretty sure that will change. :)

In SMF 1.0.7 you do not have the option to limit Maximum number of recipients allowed in a personal message, but in 1.1 RC2+ it is under Features and Options > Basic Features toward the bottom.

I use the CAPTCHA module and not the one that is now built into SMF 1.1 RC3.  Still pretty sure it can be broken by spammers.  I do see indications that it helps some in my logs and access files.

All you can really do is slow them down as Motoko-chan mentioned. I feel that it is just as important to have tools integrated into the forum that make it easier to "fix" any damage that may be done by a spammer. I would like to see a way to deactivate the sending of email notification when a PM is sent by default in profiles. I would also like to see the addition of an option to delete all of a user's PM's and then reset new PM count for other users instead of having to do it manually.


Shawn
