I was spammed by PM on this board!

Started by arod, January 24, 2006, 09:36:32 PM


arod

With the standard "Nigerian" spam.
The spammer is the user "davson", who registered today.
As I assume this kind of spam is scripted, I suggest the admins of this site look into it and see whether it represents a security issue. They should also probably look into how many PMs this user (registered today) sent.
Admins are encouraged to read my personal messages (those sent to me) and look into the matter.
Thanks.

dtm.exe

I highly doubt that he used a script to spam users via PM.  It's very simple, actually.  One can simply copy and paste the "Who's Online" list to the "To:" field of a PM.

Thanks for reporting this :).

JayBachatero

This was taken care of and that member is banned :).

-JayBachatero
Follow me on Twitter

"HELP!!! I've fallen and I can't get up"
This moment has been brought to you by LifeAlert

Strolen

Me too, although "$10.5m" is too tempting to pass up. What if it *is* real. I went ahead and sent him my social, bank account number, home address, alarm key code, and the hours that the house is empty. I hope he responds, not sure if he got everything he needed though, often times they need your mother's maiden name but not sure if I am comfortable giving that out.
hxxp:www.strolen.com [nonactive]

dtm.exe

Quote from: Strolen on January 24, 2006, 10:00:45 PM
Me too, although "$10.5m" is too tempting to pass up. What if it *is* real. I went ahead and sent him my social, bank account number, home address, alarm key code, and the hours that the house is empty. I hope he responds, not sure if he got everything he needed though, often times they need your mother's maiden name but not sure if I am comfortable giving that out.

I hope you're kidding...

Strolen

So, you would give your mother's maiden name?

:P

dtm.exe

Quote from: Strolen on January 24, 2006, 10:07:08 PM
So, you would give your mother's maiden name?

:P

OK...you seriously scared me for a second :P.

Acf

Sigh...

arod

Quote from: dtm.exe on January 24, 2006, 09:48:21 PM
I highly doubt that he used a script to spam users via PM.  It's very simple, actually.  One can simply copy and paste the "Who's Online" list to the "To:" field of a PM.

Thanks for reporting this :).
Well, there are probably several tens of users in the "Who's Online" list.
I suspect that the spammer sent this to several thousand people, likely even to everyone.
Of course, banning the spammer is as good as locking the barn door once the horse is out, since he can just as easily register with another name/email and do it again.
If it is, as you think, a manual operation, then it is not very interesting.
OTOH, if, as I suspect, this is a mass spam, then it is worth looking into: see how many people were spammed, whether a script was used, and if so, what can be done to block such abuse.
Note that if it works here, it would work on ANY SMF forum, and we wouldn't want that now, would we?

JayBachatero

That is the ineffective way to ban someone.  That's why you IP ban them.

arod

Quote from: JayBachatero on January 25, 2006, 12:53:16 PM
That is the ineffective way to ban someone.  That's why you IP ban them.
????
What is an ineffective way to ban someone?

JayBachatero


arod

I fail to see how your post relates to the subject.
Who said anything about banning anyone, either by name, email or IP?
I was suggesting that someone probably employed a script to PM large quantities of users.
I also said that a ban, of any kind, is a poor response to this kind of problem, because it is closing the barn door after the horse is out.
Look what (I think) happened here: someone registered, never even bothered to post a single post, and within several minutes of registration used a script (my guess) to send only-the-admins-know-how-many PMs.
They don't intend to go on your board again. They are probably on the prowl to find another SMF board and hit it with the same script/spam.
You can ban either the user or the IP to your heart's content; it is completely irrelevant.
OTOH, if there is such a script out there, in a day, week or month, some other user, with a different IP, will hit yet again with a spam PM.

It is possible that this type of thing will make BBS PM completely unusable, somewhat like a mail client without a spam filter is.

What can be done? I can think of several measures:

  • make the board software more resistant to mass PM: limit PMs within a timeframe, i.e., "flood control"
  • limit the total number of PMs a member sends, based on some ranking system
  • don't allow links/email within an unsolicited PM (i.e., unless the sender already received a PM from the receiver)
  • don't allow PMs with the same content to more than X members
  • think of another preventive measure I didn't think of

It is entirely possible that I am paranoid and no real problem exists.
But look what happened to email. If something even remotely similar happens to BBS PM, the feature will become unusable.
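As an added illustration of the measures listed in the post above (this is example code written for this page, not SMF's own PM handling), the following Python policy check enforces a recipient cap per PM, a sliding-window flood limit per sender, a cap on how many distinct members may receive the same (normalised) text, and a "no links or email addresses in an unsolicited PM from a new account" rule, where "unsolicited" means the recipient has never PMed the sender. All thresholds, the `PmPolicy` class, and the sample messages and member names are hypothetical and constructed for the demo; the scam text is only loosely modelled on the "$10.5m" message the thread describes.

```python
import hashlib
import re
from collections import defaultdict, deque

# Hypothetical thresholds for the demo; SMF's real limits are not on the page.
MAX_RECIPIENTS_PER_PM = 10        # "who's online" pasted into To: exceeds this
MAX_PMS_PER_WINDOW = 5            # flood control: sends allowed per window
WINDOW_SECONDS = 10 * 60
MAX_IDENTICAL_COPIES = 3          # distinct members one text may reach
NEW_ACCOUNT_SECONDS = 24 * 60 * 60

# Crude detector for URLs and email addresses in a PM body.
LINK_RE = re.compile(r"(https?://|www\.|\b[\w.+-]+@[\w-]+\.[\w.]+)", re.IGNORECASE)


def content_fingerprint(body: str) -> str:
    """Hash of the body with case and whitespace normalised, so trivial edits
    to a mass-mailed text still count as the same message."""
    normalised = " ".join(body.lower().split())
    return hashlib.sha256(normalised.encode()).hexdigest()


class PmPolicy:
    def __init__(self):
        self.registered_at = {}                     # user -> registration time
        self.recent_sends = defaultdict(deque)      # sender -> timestamps in window
        self.copies_reached = defaultdict(set)      # (sender, fingerprint) -> recipients
        self.has_pmed = defaultdict(set)            # sender -> members they have PMed

    def register(self, user, ts):
        self.registered_at[user] = ts

    def check(self, sender, recipients, body, now):
        """Return (allowed, reason) without recording anything."""
        recipients = set(recipients)
        if len(recipients) > MAX_RECIPIENTS_PER_PM:
            return False, "too many recipients"
        window = self.recent_sends[sender]
        while window and window[0] <= now - WINDOW_SECONDS:   # expire old sends
            window.popleft()
        if len(window) >= MAX_PMS_PER_WINDOW:
            return False, "flood control"
        reached = self.copies_reached[(sender, content_fingerprint(body))]
        if len(reached | recipients) > MAX_IDENTICAL_COPIES:
            return False, "identical content to too many members"
        # Unknown senders are treated as brand-new accounts.
        account_age = now - self.registered_at.get(sender, now)
        if account_age < NEW_ACCOUNT_SECONDS and LINK_RE.search(body):
            unsolicited = [r for r in recipients if sender not in self.has_pmed.get(r, set())]
            if unsolicited:
                return False, "link in unsolicited PM from new account"
        return True, "ok"

    def send(self, sender, recipients, body, now):
        """Apply the policy and, if the PM is allowed, record it."""
        ok, reason = self.check(sender, recipients, body, now)
        if ok:
            self.recent_sends[sender].append(now)
            self.copies_reached[(sender, content_fingerprint(body))].update(recipients)
            self.has_pmed[sender].update(recipients)
        return ok, reason


# Constructed sample bodies (not the actual message from the thread).
SCAM_BODY = ("Dear friend, I need your help to move $10.5m out of the country. "
             "Reply to barrister@example.com with your bank details.")
PLAIN_BODY = "Dear friend, I need your help to move $10.5m out of the country."


def demo():
    """Walk a fresh account and an established member through the policy."""
    p = PmPolicy()
    p.register("davson", ts=0)                 # registered minutes ago
    p.register("arod", ts=-30 * 86400)         # established members
    p.register("strolen", ts=-30 * 86400)
    out = {}
    online = [f"member{i}" for i in range(40)]
    out["paste_whos_online"] = p.send("davson", online, SCAM_BODY, now=300)
    out["link_unsolicited"] = p.send("davson", ["strolen"], SCAM_BODY, now=310)
    p.send("strolen", ["davson"], "What if it *is* real?", now=320)   # reply first
    out["link_after_reply"] = p.send("davson", ["strolen"], SCAM_BODY, now=330)
    out["identical_copies"] = [p.send("davson", [f"member{i}"], PLAIN_BODY, now=400 + i)
                               for i in range(4)]
    out["flood"] = [p.send("arod", [f"member{i}"], f"question {i}", now=1000 + i)
                    for i in range(6)]
    out["after_window"] = p.send("arod", ["member9"], "later", now=1000 + WINDOW_SECONDS + 1)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The checks are ordered cheapest first and state is only updated when a PM is allowed, so a rejected blast does not count against the sender's flood window; whether rejected attempts should instead raise the account's risk score is a design choice the thread leaves open.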

TheMaTrIx

Quote from: Strolen on January 24, 2006, 10:00:45 PM
Me too, although "$10.5m" is too tempting to pass up. What if it *is* real. I went ahead and sent him my social, bank account number, home address, alarm key code, and the hours that the house is empty. I hope he responds, not sure if  he got everything he needed though, often times they need your mother's maiden name but not sure if I am comfortable giving that out.

Last time I got one of these it was 8.5 Billion US$ in gold XD

Thantos

arod,
On this board there is a limit on the number of emails you can send out at a time, and it's actually pretty low.
Quote: don't allow links/email within an unsolicited PM (i.e., unless the sender already received a PM from the receiver)
Yeah, that isn't going to work. I really can't count the number of times I've asked someone in a post to PM me with a link and some details. Using your idea I'd have to send them a PM first, which just makes more work for me. Also, what happens if they delete all their previous PMs?

I know Grudge made mention of looking into some spam filtering for PMs on the next major version after 1.1.

Kindred

Jeez, arod... a lot of hoopla over one message... I get similar messages at least 300 times a day to the contact email for my domains, and that has nothing to do with SMF. Having it happen ONCE on ONE SMF board does not make it a crisis.

No, there is no security hole in SMF that allowed someone to use a script to PM people...
This happens occasionally, when the spammer actually takes the time to register and send them PMs "manually"

How can YOU deal with it?   Well, you can require an activation or admin approval on new users...
The more work you make it to register, the less likely you are to have such spammers. Honestly though, I think you have blown this WAY out of proportion.
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

arod

Quote from: Thantos on January 26, 2006, 09:46:21 AM
.....
I know Grudge made mention of looking into some spam filtering for PMs on the next major version after 1.1.
That's all I asked.
Thanks for the heads-up.

arod

Quote from: Kindred on January 26, 2006, 10:11:35 AM
No, there is no security hole in SMF that allowed someone to use a script to PM people...
This happens occasionally, when the spammer actually takes the time to register and send them PMs "manually"
You don't know that for a fact.
I hope you are right, and if you are, then I guess no action should be taken.
That is why I said I think the admins should look into it and see how many PMs this user has sent.
If I am "just one of several dozens", then bad luck, I guess, and no action needs to be taken.
But what if I am one of several thousands? In this case, it is a reasonable guess that this is a precursor to a more serious problem, and it is best to take preventive measures.
As I was informed, Grudge said he will look into building some spam prevention measures into one of the next versions, and I really couldn't ask for anything more.
Just don't underestimate this type of problem, or you may find your own users on your own forum complaining...
Have a good one.

Kindred

Well, I will say... I was not included on that spam... so, I would bet it was just the online users at the time...

charlottezweb

Quote from: Kindred on January 26, 2006, 11:40:13 AM
Well, I will say... I was not included on that spam... so, I would bet it was just the online users at the time...

ditto

-Jason
