Simple Machines Community Forum

2.0.19 running in php 8.0.  Logging a lot of these -

/index.php?topic=32691.msg370746
2: mail(): Could not execute mail delivery program '/usr/sbin/sendmail -t -i'
File: /home/ihq7n15g5yh7/public_html/forum/Sources/ScheduledTasks.php
Line: 1010

And a few of these -

/index.php?PHPSESSID=s4aejf3h8kg98ob13ba505bg96&scheduled=task;ts=1728189900
Could not retrieve the file https://www.simplemachines.org/smf/current-version.js?version=SMF+2.0.19.

/index.php?action=printpage;topic=8951.0
Could not retrieve the file https://www.simplemachines.org/smf/latest-support.js?language=english-utf8&version=SMF+2.0.19.

Just started recently.  Nothing's changed.

Something changed... probably on the host side.
Many hosts are disabling send mail these days

Same security type update may also prevent your system from making a remote connection to retrieve the smf updates

I'll ask support.  Not seeing it on any other forums.

Forum is sending mail, received password reset immediately.  There were three emails in queue from 1.2 days ago.  Sending queue manually sent one at a time, requiring several attempts for each.  Seems to be a scheduled task issue, not email.

Support tells me the account was hitting the "Number of Processes" limit, but that shouldn't hang the queue for over a day.

Why are you hitting the process limit?

Bots?

Just looking at resource usage, it's hit the processes number limit 287788 times in past 24 hours, support says it's been happening for over a week.  Trying to determine the cause.  Forum is logging 7000-8000 ban errors every day, that's been getting worse.  Support gave me attached, means nothing to me. :(

I believe the problem is the classic "ye olde bots from China".
https://www.whois.com/whois/117.23.27.105
https://www.whois.com/whois/182.38.48.129

You're being overrun pretty bad, and need to find a way to filter them out.  Your system cannot keep up, and you'll experience random oddness until you fix it.

It would probably be helpful to look at the web access log to see what kind of stuff they're doing.

On my forum, one of these recently read robots.txt tens of thousands of times a day...  Completely non-sensical...

Up until the last month or so, I have never banned by IP.  But I have not found useragents associated with this activity, so I had no other choice.

And you don't want to ban by IP in SMF, because by then it's too late...  You need to stop them earlier in the process, in .htaccess, before they get to SMF.

You need to block as many as you can.  And kill as many of those processes as you can.  Your host should be able to help with the bulk process kills.

I double-check that there are no forum users in that range, the SMF admin version of the memberlist is very good for that.  And if none, add entries into .htaccess.


(I can't wait for this election season to be over...)

I have found the following helpful in converting IP address ranges to the CIDR format used in .htaccess:
https://account.arin.net/public/cidrCalculator

E.g., you will see "117.22.0.0 - 117.23.255.255" in whois.  If you enter that into the CIDR, you will see that is equivalent to "117.22.0.0/15"

That "/15" at the end tells you that only the first 15 bits of this number are fixed, the rest are wildcarded, i.e., can be either 0 or 1.  It's a short, cool way to specify an IP address range. 

If you're not good at converting wildcarded binary values to decimal ranges in your head, the CIDR calculator helps...


I really do find myself checking resources multiple times a week these days.  And if my resources spike on any given day, I download the web access logs and find the culprit, then figure out what to do. 

One other note here...

Consider disabling bot/spider logging in SMF.

For every bot that gets in, stats are updated.  This actually makes any bot swarm much worse in terms of resources...

Have you really been looking at them?  Updating config whenever a new bot is found?

If not, then disable.

Your host likely provides much better stats.

From CW support -

The presence of so many "host -W" processes could indicate a script is running these commands repeatedly. Make sure all scripts/themes/plugins under the account are updated.

This may be another WP issue.  Waiting for additional info.  I suspect this is happening on the website, not the forum.  Forum is logging a lot of ban errors (over 84k in past 10 days), but don't think that's affecting performance.  Someone else manages members and bans, I'll ask him to use .htaccess instead of ip bans.

Quote from: shawnb61 on October 07, 2024, 10:07:40 AMConsider disabling bot/spider logging in SMF.

Can't find it, is that available in 2.0?

If that's Search Engine Tracking, it's been disabled.

https://wiki.simplemachines.org/smf/SMF2.0:Search_engines

host -w... isn't that part of host name lookups?

Quote from: Arantor on October 07, 2024, 03:51:47 PMhost -w... isn't that part of host name lookups?

Yes it is.  A clue these are likely SMF processes.

Which suggests to me that it's bot traffic where it's not carrying sessions with it and that some of the interim hurt could be reduced by turning that off.

Followed by a fun ban spree at htaccess level. Possibly putting behind CloudFlare if it isn't already.

From CW support -

The process "host -W" is found in the following two files of the forum:

/home/ihq7n15g5yh7/public_html/forum/Sources/Subs.php:                  $test = @shell_exec('host -W 1 ' . @escapeshellarg($ip));
/home/ihq7n15g5yh7/public_html/forum/Sources/Subs.php~:                $test = @shell_exec('host -W 1 ' . @escapeshellarg($ip));

Forum is being hammered with ban errors, almot 90k in 10 days, and getting worse.  A lot of these -

Sorry Guest, you are banned from using this forum!
Membership not open to this address block. Thank you. Message blk-C2
This ban is not set to expire.

Quote from: Arantor on October 07, 2024, 05:45:13 PMFollowed by a fun ban spree at htaccess level.

Yeah, that's what's next. :(  Have to get in touch with the guy that handles members/bans before I mess with that.

What is the correct syntax to place these ban triggers in .htaccess -


Order Allow,Deny
Deny from 80.250.185.*
Deny from 83.149.236.96-127
Deny from 84.108.*.*
Deny from 112.111.176-191.*
Deny from 113.112-119.*.*
Deny from 114.79.0-63.*
Allow from all


Don't seem to be working, replaced '-' with '/', no difference.  There are a lot more of them.

As noted above, you need to use the CIDR calculator & enter the range in that format.

See reply #7

Apache does also support partial addresses e.g. Deny from 84.148.*.* can be written in .htaccess as Deny from 84.148

But I don't know if you need to expressly use the non-deprecated syntax for it. (Allow from, etc, is all deprecated)

Quote from: shawnb61 on October 08, 2024, 12:21:42 AMAs noted above, you need to use the CIDR calculator & enter the range in that format.

Saw that also on stackoverflow, but too tired to play with it last night.  Will give it a try. 

The ban triggers work in the forum, and some of the .htaccess denies are working, just over 900 ban errors overnight, which is a big drop.  The resource spikes have also dropped in past 24 hours, still a lot of processes but not maxing out, and cpu usage is normal.