In recent days there has been a huge surge in the number of spambots attacking SMF 1.1.x forums. Some have suggested that this is due to the recent SMF 1.1.7 security upgrade, but the attacks are unrelated to the changes in SMF 1.1.7: SMF 1.1.6 and earlier versions are subject to exactly the same attacks.
We at SMF believe that this is nothing more than a coincidental, large-scale, coordinated attack, possibly orchestrated using the recently updated version of Xrumer or a similar program used for spamming forums. Evidently one or more large bot herders have decided to exploit the market and have targeted their fleets at SMF forums. It is mere coincidence that this happened around the same time as the SMF 1.1.7 upgrade was released.
Why aren't SMF 2.0 forums being targeted?
Nobody knows, but we can speculate that it is due to SMF 2.0's improved anti-spam features, or that minor differences between the 1.1.x and 2.0 registration forms confuse the bots. Either way, if you are running 2.0 you should watch for the attack spreading to SMF 2.0.
What can you do?
1.) Everybody should make sure they are running the latest SMF 1.1.x or 2.0 version. While the spam attacks are not a security issue, take this occasion as a reminder to review your forum's security and make sure you have done everything you can to keep it safe.
2.) So far SMF 2.0 has not been affected. The new version has improved spam defenses, including the ability to ask any number of verification questions of your own choosing (what year is it? are you a bot?). Since most forums will pick different questions, they are very difficult for spambots to answer automatically. If you have been considering upgrading to 2.0, now might be a good time to do so.
3.) Smaller forums may be able to switch from Member Activation to Member Approval and then examine each application's email address, IP address, etc. to decide which registrations are human and which are spammers. This of course means more labor to run your forum.
4.) You may use post counts to restrict new members to posting in a staging area, and give them full access only after they have shown they are human. The staging area can then be easily swept of any spam debris.
5.) There are three modification packages that we believe can provide adequate defenses against spambots. I have verified that each of these packages is suitable for SMF 1.1.7. They are:
The last of the three replaces SMF's CAPTCHA system; if you use one of the other two packages, make sure you keep your CAPTCHA enabled. It won't hurt and it may help.
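As an added illustration of the verification-question approach in item 2, the following Python sketch is example code written for this page, not SMF's own implementation; the class name, the sample questions and the three-guess limit are assumptions. It shows the properties that make site-specific questions hard for a bot to automate: the question is chosen at random per registration attempt and bound to that attempt's token, so a bot cannot submit an answer to a question it was never shown; answers are normalized before comparison so humans are not punished for case, accents or spacing; and each token allows only a few guesses.

```python
import hmac
import secrets
import unicodedata
from dataclasses import dataclass

# Constructed sample questions for this example. In practice every forum
# should write its own; questions shared by many forums end up in bot answer lists.
SAMPLE_QUESTIONS = [
    ("What colour is a clear daytime sky?", ["blue"]),
    ("Which planet do we live on?", ["earth", "the earth"]),
]


@dataclass(frozen=True)
class VerificationQuestion:
    prompt: str
    answers: frozenset  # acceptable answers, already normalized


def normalize_answer(text):
    """Fold case, strip accents and collapse whitespace, so ' BLUE ' matches 'blue'."""
    decomposed = unicodedata.normalize("NFKD", text)
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return " ".join(stripped.casefold().split())


class QuestionVerifier:
    """Per-site verification questions (hypothetical class, not SMF's own code)."""

    def __init__(self, questions, max_attempts=3):
        if not questions:
            raise ValueError("configure at least one site-specific question")
        self._questions = {}
        for prompt, answers in questions:
            qid = secrets.token_hex(8)
            self._questions[qid] = VerificationQuestion(
                prompt, frozenset(normalize_answer(a) for a in answers)
            )
        self._pending = {}  # attempt token -> [question id, guesses left]
        self._max_attempts = max_attempts

    def issue(self):
        """Start a registration attempt: pick a random question and bind it to a fresh token."""
        qid = secrets.choice(list(self._questions))
        token = secrets.token_urlsafe(16)
        self._pending[token] = [qid, self._max_attempts]
        return token, self._questions[qid].prompt

    def check(self, token, answer):
        """Return True once for a correct answer to the question bound to this token."""
        state = self._pending.get(token)
        if state is None:  # unknown, consumed or exhausted token
            return False
        qid, _ = state
        given = normalize_answer(answer).encode("utf-8")
        matched = False
        # Compare against every acceptable answer without an early exit; compare_digest
        # is constant-time for equal-length inputs (it still reveals a length mismatch).
        for expected in self._questions[qid].answers:
            matched |= hmac.compare_digest(given, expected.encode("utf-8"))
        if matched:
            del self._pending[token]  # one successful use per token
            return True
        state[1] -= 1
        if state[1] <= 0:
            del self._pending[token]  # guesses exhausted; the bot must start over
        return False


if __name__ == "__main__":
    verifier = QuestionVerifier(SAMPLE_QUESTIONS)
    tok, prompt = verifier.issue()
    print(prompt)
    print("accepted" if verifier.check(tok, input("> ")) else "rejected")
```

Rate-limiting how often a single client may call issue() is left out here; without it a bot can simply keep requesting new tokens until it draws a question it has already harvested, which is why the page's advice to pick questions unique to your forum matters more than the mechanics above.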
What won't work?
1.) Blaming it on SMF 1.1.7: As I explained above, the attacks are targeting all 1.1.x versions. It has nothing to do with the recent 1.1.7 release.
2.) Banning IP addresses: This is the Internet version of "Whack-a-Mole." The spammers can obtain new IP addresses and find open proxies faster than you can ban them. This is useless in my opinion...
3.) Banning email addresses: Again, they can change them faster than you can ban them. I've never seen a human registration from mail.ru, but some of the bots are using Gmail and other accounts. This is probably wasted effort unless you are manually verifying registrations.
4.) Hiding your SMF version: It's impossible for me to believe that SMF 2.0 wasn't targeted only because the bots are searching for SMF 1.1.x strings. SMF 2.0 would be too irresistible a target if there were not some other reason than the version tag.
Summary:
Well, that's about it. My colleagues at SMF and I agree that there is no new problem with SMF's software, and that this is simply something that was going to happen eventually anyway. The only thing that changed is that some bot master tweaked and tuned his scripts for SMF 1.1.x, and so the attack arrived this week.
Please take advantage of one or more of the steps outlined above, and we believe your spam attacks should stop. Be assured that if these measures don't work, either the developers or the mod package authors will come to your defense. Let's all stay calm and collected, and one way or another we will beat the spambots. Unfortunately this will be an ongoing effort, because each side will always be trying to outdo the other. Good luck!
EDIT: Added link to new mod:
Anti-Spam Verification Questions