Attack via password reminder

Started by Hawkmoth, July 12, 2011, 02:08:36 AM


Hawkmoth

Hi People

We are having an issue with spammers using the password reminder.

This will get annoying for our members as they keep getting password reminders coming through.

Is there any way to prevent this, or perhaps add a security question before a reminder is sent out?

Many thanks
Hawkmoth

Illori

What version of SMF are you running? If you are running 2.0 [not any of the RCs], this has been patched.

Yourmum90

Hi Illori,

I am running SMF 2.0 RC5. Is this fixed in this version or is there a new one?

Illori

This should be fixed in RC5 and the patch to RC4, but it is always recommended to upgrade to the latest version for further security fixes.

Yourmum90

Kind of hijacking the thread a little, but is there anywhere a list of the changes or new features from RC5 to 2.0?

Illori

There are no new features, just bug fixes and security fixes. There is a changelog on the downloads page if you wish to look at it.

MiY4Gi

Quote from: Illori on July 12, 2011, 11:47:45 AM
There are no new features, just bug fixes and security fixes. There is a changelog on the downloads page if you wish to look at it.

That and SMF officially becoming open source. I heard you can remove the copyright now. Or have I been smoking too much weed?
Check out my new website, MyAnimeClub.net. I plan to create the largest anime community, and most fun and user-friendly anime forum in the world. It's still in the development stage though.

Illori

You can remove it, but if you do you can also lose any/all support from the team.

MiY4Gi

Quote from: Illori on July 12, 2011, 03:20:14 PM
You can remove it, but if you do you can also lose any/all support from the team.

Can or will? Is the copyright removal still being debated among the SMF staff?

Illori

You CAN remove it but you WILL cause the team to not support your install.

MiY4Gi

I see. Well, that's only natural. You guys put a lot of hard work into it after all.

Hawkmoth

Quote from: Illori on July 12, 2011, 06:26:56 AM
What version of SMF are you running? If you are running 2.0 [not any of the RCs], this has been patched.

I am running version 2.
I did check the downloads but can't see the patch.

I must be blind!
Have you a link?

Thanks

CapadY

When you are running SMF2 this patch is included in the source code so you wouldn't see it as a separate patch.
Please, don't PM me for support unless invited.
If you don't understand this, you will be blacklisted.

Hawkmoth

Hi CapadY

I am running SMF 2.0, which I upgraded to on 19/06/2011.

Forgive me for being stupid, but are you saying it is already patched?
If so, why am I still getting problems?

Or
are you saying that the files required to patch it are in the source folder?
In which case, which files are they and how do I ensure that it is installed?

many thanks
Hawkmoth

MiY4Gi

He means that the patch is already installed on your forum. Your problem must be caused by something else.

Try sending a password reminder to yourself, and see if the forum requires you to fill in a Captcha, or answer some questions. The question is, is it bots doing it, or actual people?

Hawkmoth

I just tested it now.

I entered my username and submitted.
Then it informs me that an email has been sent.

No Captcha or questions were asked.

This is my problem because some of our regular users are receiving lots of password reminder emails.

Thanks
hawkmoth

Suki

Disclaimer: unless otherwise stated, all my posts are personal and do not represent any views or opinions held by Simple Machines.

Hawkmoth

Hi Miss All Sunday

Downloaded the mod but it doesn't appear to be compatible or something.
No install button and listed for 2.0 RC3.

Thanks
Hawkmoth

MiY4Gi

I checked on my forum [2.0 Gold] and I experience the same thing - no captcha or anything to prevent bots from spamming the password reminder.

However Hawkmoth, there's no evidence that it's actually a bot doing it. It could just be an annoying user, or even a hacker doing it. To check, go to Admin > Error Log. It should give you the IP that sent the password reminder.

Hawkmoth

Well, to be honest, I am pretty sure it's a disgruntled ex-member, but I have no real proof due to the IP addresses changing so often, but most are from the same 2 or 3 ISPs.

I wouldn't normally worry about spammers but this is affecting our regular members, and their understanding of the issue will only last so long before they get peeved with it.

So far, the only way I have found to get round it is to make the Username/email address box hidden in the code.
But this doesn't help anyone who genuinely loses or forgets their password.

I have seen on other websites where security questions have been used in conjunction with email addresses only.
We like Guests to see the online users as they can then see we are a busy and active forum but it also means the Guests can copy these usernames directly into the password reminder box. If it worked just on email addresses then this wouldn't happen.

Anyway, I am still open for any suggestions / help

many thanks
Hawkmoth
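
Added example, not part of the thread and not SMF code: because the requests described above arrive from constantly changing IP addresses, a limit keyed on the source IP never triggers, while a limit keyed on the target account does. The one-reminder-per-hour limit, the `ReminderThrottle` and `reminders_sent` names, and the sample requests are assumptions made for illustration.

```python
from collections import defaultdict, deque


class ReminderThrottle:
    """Sliding window: at most `limit` reminders per key within `window` seconds."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self.sent = defaultdict(deque)  # key -> times of reminders actually sent

    def allow(self, key, now):
        times = self.sent[key]
        while times and now - times[0] >= self.window:
            times.popleft()  # forget sends that have left the window
        if len(times) >= self.limit:
            # Refused requests are not recorded, so repeated abuse cannot
            # push back the moment the real owner can get a reminder again.
            return False
        times.append(now)
        return True


# Constructed sample requests: (seconds, source IP, target account).
# The IPs come from the reserved documentation ranges.
EVENTS = [
    (0,    "192.0.2.10",   "alice"),
    (60,   "198.51.100.7", "alice"),
    (120,  "203.0.113.5",  "alice"),
    (180,  "192.0.2.44",   "alice"),
    (240,  "198.51.100.9", "bob"),
    (4000, "203.0.113.8",  "alice"),
]


def reminders_sent(events, key_index, limit=1, window=3600):
    """Return the requests that would result in a reminder e-mail being sent."""
    throttle = ReminderThrottle(limit, window)
    return [e for e in events if throttle.allow(e[key_index], e[0])]


if __name__ == "__main__":
    print("keyed on source IP:     ", len(reminders_sent(EVENTS, 1)), "mails")
    print("keyed on target account:", len(reminders_sent(EVENTS, 2)), "mails")
```
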
