Somehow, someone is sending spam PM's to my members on the forums. The only way I'm finding out is from email failure notices and people telling me. They're even inidividually addressed to the individual! Any ideas? Here's one of the complete emails I've received. Thanks!

Return-Path:<> Delivered-To:engineco16@socalrailfan.com Received:(qmail 21536 invoked by uid 0); 3 Aug 2007 21:55:45 -0000 X-Scanned-By:qmail-clamscan 0.2 Received:from smtp.neospire.net (66.111.111.26) by mx1-3.neospire.net with SMTP; 3 Aug 2007 21:55:45 -0000 Received-Spf:pass (mx1-3.neospire.net: local policy designates 66.111.111.26 as permitted sender) Received:(qmail 19848 invoked for bounce); 3 Aug 2007 21:55:45 -0000 Date:3 Aug 2007 21:55:45 -0000 From:MAILER-DAEMON@smtp.neospire.net [Add to Address Book (http://mail.hostglobe.com/cgi-bin/webmail/login/engineco16%40socalrailfan.com.authvchkpw/D84BC030B63C39F84C84F1AEF2592239/1186183005?folder=INBOX&form=quickadd&pos=7&newname=MAILER-DAEMON%40smtp.neospire.net&newaddr=MAILER-DAEMON%40smtp.neospire.net)]</SPAN>To:engineco16@socalrailfan.com [Add to Address Book (http://mail.hostglobe.com/cgi-bin/webmail/login/engineco16%40socalrailfan.com.authvchkpw/D84BC030B63C39F84C84F1AEF2592239/1186183005?folder=INBOX&form=quickadd&pos=7&newname=engineco16%40socalrailfan.com&newaddr=engineco16%40socalrailfan.com)]</SPAN>Subject:failure notice
qmail-send at smtp.neospire.net: permanent delivery error.<hps@iname.com>:Sorry, I wasn't able to establish an SMTP connection. (#4.4.1)I'm not going to try again; this message has been in the queue too long.--- Below this line is a copy of the message.Return-Path: <engineco16@socalrailfan.com>Received: (qmail 16214 invoked by uid 0); 30 Jul 2007 17:55:45 -0000Received: from unknown (HELO two.neospire.net) (66.111.101.3) by smtp.neospire.net with SMTP; 30 Jul 2007 17:55:45 -0000Received: (qmail 32066 invoked by uid 1558); 30 Jul 2007 18:00:59 -0000Date: 30 Jul 2007 18:00:59 -0000To: hps@iname.comSubject: New Private Message at SoCalRailFan ForumsFrom: "SoCalRailFan Forums" <engineco16@socalrailfan.com>Auto-Submitted: auto-generatedMessage-ID: <200707301756.71daaf261328@www.socalrailfan.com>MIME-Version: 1.0Content-Type: text/plain; charset="ISO-8859-1"Content-Transfer-Encoding: 8bitX-Priority: 3X-Mailer: vBulletin Mail via PHPDO NOT REPLY TO THIS EMAIL!***************************Dear donald_railfan,You have received a new private message at SoCalRailFan Forums from einstein,entitled "Greeting".To read the original version, respond to, or delete this message, you must login here:http://www.socalrailfan.com/forums/private.php (http://mail.hostglobe.com/cgi-bin/webmail?redirect=http%3A%2F%2Fwww.socalrailfan.com %2Fforums%2Fprivate.php&timestamp=1186183327&md5=rGXPa5WR5Tu%2B62ebI44pZg%3D%3D)This is the message that was sent:***************Hello,I'm new here and just wanted to say "hi" :)How's it going?"Buddhism has the characteristics of what would be expected in a cosmicreligion for the future: it transcends a personal God, avoids dogmas andtheology; it covers both the natural & spiritual, and it is based on areligious sense aspiring from the experience of all things as a meaningfulunity" - Albert Einstein---einsteinhttp://stein.freehostia.com (http://mail.hostglobe.com/cgi-bin/webmail?redirect=http%3A%2F%2Fstein.freehostia.com&timestamp=1186183327&md5=rGXPa5WR5Tu%2B62ebI44pZg%3D%3D)*************** Again, please do not reply to this email. You must go to the following page toreply to this private message:http://www.socalrailfan.com/forums/private.php (http://mail.hostglobe.com/cgi-bin/webmail?redirect=http%3A%2F%2Fwww.socalrailfan.com %2Fforums%2Fprivate.php&timestamp=1186183327&md5=rGXPa5WR5Tu%2B62ebI44pZg%3D%3D) All the best,SoCalRailFan Forums

First, ban that member. Second, delete all the PMs he sent. You can do this in the Quick User Links in his account in the Admin CP.

I must be missing it, but what user sent it? Thanks.

I guess another thing is how and why all of a sudden am I getting people signed up that are spammers when I have several verifications steps yet they're getting through them.

The user that sent this was einstein:


You have received a new private message at SoCalRailFan Forums from einstein

Verifications don't stop spammers if they they use a real email address. People can still register and spam.

This might help:

How to Reduce Spam and Registration Bots (http://www.vbulletin.com/forum/showthread.php?t=211647)

Today 75 of my members got this exact same Buddhist Spam as Private Messages before I stopped it.

Here is the content of the PM:

Hi,
I'm new here, how's it going?

"Buddhism has the characteristics of what would be expected in a cosmic religion for the future: it transcends a personal God, avoids dogmas and theology; it covers both the natural & spiritual, and it is based on a religious sense aspiring from the experience of all things as a meaningful unity" - Albert Einstein

---
buddha
http://two.xthost.info/buddha4

How can this be done? More importantly how can this be prevented.

Paul Green

I just got hit by this issue. I have removed the messages and deleted 'einstien' but how can I prevent this from happening again?

Same thing here. Same user. Same message. 115 times in 1-1/2 hours. According to the mods that reported it to me, the user was bouncing back and forth between the member list and PM at rapid fire speed.I queried "select pmtextid,touserarray from pmtext where fromuserid = 'einstein' order by pmtextid asc" and fired the result set off to another member of our staff who likes to bird dog this kind of stuff. She reported back that it appeared that "he" was sorting the member list by last online and sending the PMs that way.I googled "einstein spam", and uncovered threads on numerous boards around the net all reporting this exact same problem.I'm wondering if we have a new bot that needs to be dealt with.

I used to get this sort of thing several times a day on my form when it was run on phpbb2.
No matter what mods and security enhancements I added they walked around them daily,since using VBulletin this has not happened once.

I use the Captcha and the date of birth requirement which uses 3 drop down menus and I think that stops a lot of Bots as they normally write to a text field.

I hardened my forum by adding some mods from VBulletin.org. and this means only the most determined manual spammer can access the board.

http://www.vbulletin.org/forum/showthread.php?t=135094 IS Bot.

This mod looks at registration speed,if it is faster than a human can type the registration fails.

http://www.vbulletin.org/forum/showthread.php?t=131314 No Spam.

This is an additional Captcha with a difference, you can set as many questions as you wish and they have to be read and answered to proceed with registration.

http://www.vbulletin.org/forum/showthread.php?t=131314 Track guest visists.

This one tracks guest visits, I love this as I see the attempted registrations from all those spammers that have failed.

http://www.vbulletin.org/forum/showthread.php?t=156444 One touch cleanup control.

And this one is for the spammer or troll that registers manually, one press of the button and all their work disappears and they are banned instantly.

I love the way you can add and remove these mods in VBulletin it is a superb forum system and after years of the pleasures of phpbb and battling with the menaces that populate the internet I find it a dream to work with.

We were affected by einstein the spammer a couple of days ago who used the email address einstein2@myway.com

I noticed he joined up, confirmed his email address and answered the unique no spam question so appeared genuine, then stayed on the forum for hours without posting a message on the forum - It was only when I noticed he was looking at the member list then private messaging that I realised something wasn't quite right. I banned him and have now deleted all his spam messages.

What is the best way to deal with new users to limit their powers to either post spam on the forum and deny them the ability to use private messaging until they have contributed a few posts to the forum, is it best to create a new newbie 'usergroup' and change the permissions. I believe that usergroup 2 is fixed so I assume that is the one I modify, and create a new usergroup with the default permissions?

This guy also uses the user name dharma. He hit my site a few weeks ago. He starts at the beginning of your members list and spams away. He is wise, and deletes his pm from his sent items folder after he sends it.

Do yourself a favor. Create a new member with a username that starts at or near the beginning of your members list. ie 124895, andrew, 1abe, etc... With this username, use an email address you check daily. Set the usergroup settings to "Send Notification Email When a Private Message is Received".

This will not eliminate them, but will allow you to catch them in the very beginning. ;)

At least his site has been taken down...

404 Not Found!

This site has been deleted due to abuse!

-- Admin

All my members have received PM spam today from a new user named "Sue" who was in the "(COPPA) Users Awaiting Moderation" usergroup.

Here is the contents of her spam:

Sorry to msg you out of the blue. Here's the thing.

I wrote a book together with a friend. My boyfriend keeps saying it's no good. I think he's just jealous tho. He's a big time poster here, so I told him I'm going to pick a random person here, and ask them, and we ended up betting on it.

So go to http:// books. zenofeller. com/ asylum /asylum_chapter1.html and call it either way. Good or no good.

Thanks.


I just looked around in my AdminCP and saw that I had to change the usergroup settings for the following usergroups or else pretty much any new unconfirmed users could start PM spamming:

"Maximum Stored Messages:
If you set this to 0 users from this usergroup will not be able to use private messaging."

Unregistered / Not Logged In
Users Awaiting Email Confirmation
(COPPA) Users Awaiting Moderation

How can this be done? More importantly how can this be prevented.

Just because it is spam doesn't mean it is being done by a bot or automatically. There is no way to prevent humans from registering at your site except to take it down. That probably isn't an acceptable solution.

A lot of people are going to a moderated new user system where users cannot use PMs and all their messages are pre-moderated before going public. This keeps their message out of view until you can handle it. After they have a few legitimate messages, then they are promoted to a usergroup with more permissions. You can use vBulletin's Usergroup Promotions to handle this. However someone could still register, post the 10 or so good messages and then spam once promoted. We can't do anything about intent.

We have PMs disabled for our "Registered" group, yet this spammer managed to spam our board with PMs containing the same message Verbose posted. We're trying to figure out how he managed to do it.

Just got him myself. The user has not yet activated his account (false email address) but managed to spam 15 PMs before i seen it.

I suggest anyone who has the same spam type to set the "Users awaiting email activation" to have very limited access.

Set Maximum Recipients to Send PMs at a time: to 1
Maximum Stored Messages: 5 or less.

tbh unregistered users should only be allowed to send a PM to an admin if he has problems with activation.

there is NO way i can find of doing this.

I've been hit by the buddah guy in one forum, and just got somebody begging money in another.

For me, the easy solution would be to set it so nobody who has under x number of posts can use the PM system. That way, it would help screen users.

By viewing the threads posted by new users before the threshold was reached, it would be easier to separate people joining just to spam from people who want to participate in legitimate discussions.

Another way would be to set up the basic registered user level without PM priveleges, and the admins could promote legitimage users to a level that allowed PMs.

However, after seraching the VB documentation, I can't find out how to do either of these two options.

Can someone send me the link to make this happen?

Thanks,
DC

This seems like a good way to approach this problem. In theory at least. Just set it up, so haven't any real life experience yet . . .


http://www.vbulletin.com/forum/showthread.php?t=248053

Like I've already stated, we've had it set up so that "Registered" users can't send PMs, but this spammer was somehow still able to do so even though he was in the Registered group.

I had the same thing today. Someone in the Users awaiting Email conf with Private Messaging disabled for that group still sent out a few thousand emails.
\

Perhaps this is why they released PL2?

Sorry Rachet-

I was responding to the original post. Didn't see your "me too" until just now.

DC

Interesting thread , I think the best to know how they did is to grab there tool wich I think could be Xrumer, I will try to get my hand on this stuff to check if the author managed to workaround because if you've been so many to be hit, there is known tool behide.

I'm running PL2 and just got hit with this junk.

The guy was actually using someone e-mail and account. The real person that owns the account tipped me off and seemed quite familiar to what is going on. I'm very curious as to how he is doing this.

I recommend you all send complaint letters to his host and internet provider. They are as follows:
'abuse@layeredtech.com'; 'abuse@servage.net'

His IP is 78.96.82.26.

Interesting thread , I think the best to know how they did is to grab there tool wich I think could be Xrumer, I will try to get my hand on this stuff to check if the author managed to workaround because if you've been so many to be hit, there is known tool behide.

XRumer looks like a likely candidate.

We got hit with this today. It was the Buddhist message, but instead of einstein, it was a Jeanette.

The worst part is that two of our members reported as spam the email alerting them that they got the PM (since the email includes the contents of the PM...). Their ISP, AOL, then sent an abuse report to our server saying our site was sending spam. :(


I'm about to set up a promotion to only allow those with 3 posts to use the PM feature, but the posts above, which state they had people sending them even though their group is not allowed concerns me. Was that resolved?

Erin Pavlina sent the following pm to over 400 people on a clients forum:

Sorry for PMing out of the blue. Here's the thing.

I wrote a book with a friend of mine. My husband keeps saying it sucks. I think he's just jealous tho.

He spends a lot of time on these boards, so I told him I'm going to pick a random person here, and ask them, and we ended up betting on it.

So go to ...... url deleted /asylum/ ... and make the call. Does it suck?

Thanks.

When I look in the database, I see that the touserarray has bcc of over 400 people in it.

Yet when I try and personally send a private message to so many, it limits me to the max 5 that has been setup.

The person had an unconfirmed email address and was still able to send to many. I have now changed the messages for that user group to not be able to send PM's.

But the question still remains, how could they get around the system that limits the number of pms able to be sent at one time????

The following is the first part of the touserarray field:

a:2:{s:2:"cc";a:1:{i:78;s:9:"fr1endly2";}s:3:"bcc";a:484:{i:721;s:16:"*Butterfly*Girl*";i:712;s:10:"3daughters";i:1579;s:8:"A new me";i:1414;s:9:"Adumont75";i:1337;s:6:"akosak";i:366;s:4:"alli";i:290;s:7:"allicat";i:1697;s:3:"amy";i:2045;s:14:"amyswankhuizen";i:814;s:9:"angeluv73";i:2168;s:8:"angieblu";i:1206;s:10:"anglong123";i:1715;s:8:"anikay55";i:1276;s:3:"Ann";i:425;s:8:"anna1916";i:775;s:10:"AnnaBanana";i:2852;s:8:"anne-gro";i:1313;s:5:"AnneN";i:2917;s:14:"AnointedSpirit";i:2232;s:10:"applesauce";i:1428;s:15:"armywife2aerial";i:1230;s:8:"Aunt Bet";i:319;s:9:"aussiegal";i:2800;s:9:"av8r_wife";i:2388;s:9:"Avanterre";i:1904;s:10:"azarmywife";i:2554;s:9:"babiegirl";i:2651;s:9:"babycakes";i:2083;s:7:"bac2500";i:1357;s:7:"BamaGal";i:637;s:13:"barefootpeach";i:341;s:10:"baynesbits";i:230;s:5:"Becca";i:893;s:11:"beccawaters";i:841;s:10:"beckamarie";i:1466;s:8:"beckers3";i:6;s:8:"BeckySue";i:954;s:3:"bee";i:2357;s:7:"bev1674";i:2028;s:9:"BigMama08";i:1633;s:9:"bingoklee";i:2419;s:9:"Blankmama";i:243;s:7:"Blessed";i:1290;s:9:"Blue eyes";i:377;s:10:"BLUE JEANS";i:1116;s:9:"Bobbie Jo";i:1908;s:7:"BonBon1";i:2439;s:7:"bonfire";i:525;s:5:"BOOTS";i:67;s:9:"BreeChick";i:539;s:4:"bren";i:2230;s:12:"bryghteyes25";i:428;s:11:"bttrflyjudy";i:466;s:9:"Buckwheat";i:1163;s:11:"butterfly73";i:334;s:6:"cabbie";i:1775;s:6:"cag524";i:1344;s:6:"camick";i:161;s:13:"canadianblues";i:1347;s:10:"CandyBrown";i:1477;s:6:"carylk";i:80;s:10:"Catapillar";i:2789;s:6:"CeeCee";i:1647;s:7:"celadon";i:2616;s:11:"chabela0731";i:820;s:10:"cherish_mj";i:1309;s:6:"Cherri";i:2224;s:10:"chicagogal";i:1402;s:6:"Chilly";i:755;s:8:"chrissyb";i:897;s:9:"christina";i:2874;s:14:"christinakroll";i:2570;s:11:"Christy0283";i:22;s:11:"christyblue";i:1161;s:11:"chubby-Doll";i:249;s:10:"ChuppyGirl";i:1232;s:6:"cindyh";i:748;s:8:"cindylee";i:1543;s:11:"cindylouwho";i:517;s:5:"Ciren";i:1528;s:6:"ckrieg";i:901;s:6:"claire";i:2130;s:15:"claire-in-texas";i:2013;s:15:"clancythecamper";i:760;s:8:"cleofoxy";i:1587;s:7:"Cockney";i:504;s:8:"colosn0w";i:2190;s:17:"concernedwife2007";i:1539;s:7:"Coolata";i:2418;s:7:"Corrine";i:1165;s:9:"court1980";i:1380;s:12:"Court2-12-06";i:2323;s:9:"courtneey";i:714;s:8:"CraftHer";i:2;s:6:"CraigT";i:346;s:8:"CURIOUS1";i:222;s:10:"cynthia c.";i:1901;s:20:"daughter of the king";

I'm running PL2 and just got hit with this junk.

The guy was actually using someone e-mail and account. The real person that owns the account tipped me off and seemed quite familiar to what is going on. I'm very curious as to how he is doing this.

I recommend you all send complaint letters to his host and internet provider. They are as follows:
'abuse@layeredtech.com'; 'abuse@servage.net'

His IP is 78.96.82.26.
Erin Pavlina hit us this morning also - sent thousands of PMs in the space of an hour or so. The account was awaiting activation too.

I also got a dodgy looking email (to our support address) from someone claiming to be her husband Steve. Not sure why this email was sent though.

This is the email warning me of the spammer:
This is a heads up that you have a PM-spammer on your forums. For several
weeks someone has been signing up for dozens of different forums using other
people's email addresses, including mine and my wife's. I never signed up
for this account on your forums, so I'm not going to click the verification
link.

But even with an unverified account, you can still get spammed. This works
because many forums allow PM'ing for unverified accounts (the default for
VBulletin), so the bot will send the same PM to your members if you let it.
If you have PM'ing enabled for unverified accounts, he's probably
PM-spamming your members about his ebook right now.

Here's the PM the spammer tries to send (there are variations):

> Sorry for PMing out of the
> blue. Here's the thing.
>
> I wrote a book with a friend of mine. My husband keeps saying it sucks.
> I think he's just jealous tho.
>
> He spends a lot of time on these boards, so I told him I'm going to
> pick a random person here, and ask them, and we ended up betting on it.
>
> So go to http://books.zenofeller.com/asylum/asylum_chapter1_b.html (http://books.zenofeller.com/asylum/asylum_chapter1_b.html)and
> make the call. Does it suck?
>
> Thanks.

On the forums I administrate, he used the IP address 78.96.82.26 (http://78.96.82.26/), so you may
want to do a search on that via your control panel to make sure you don't
have other accounts that got through. I've already banned that IP on my
forums.

I also added the URL zenofeller.com (http://zenofeller.com/) to my forum's Censored Word List, so at
least if he tries to spam his book links again, the link won't work.

For more info on this spammer, see this thread on the VBulletin forums:
http://www.vbulletin.com/forum/showthread.php?t=238857

Good luck!


- Steve

Erin Pavlina sent the following pm to over 400 people on a clients forum:



When I look in the database, I see that the touserarray has bcc of over 400 people in it.

Yet when I try and personally send a private message to so many, it limits me to the max 5 that has been setup.

The person had an unconfirmed email address and was still able to send to many. I have now changed the messages for that user group to not be able to send PM's.

But the question still remains, how could they get around the system that limits the number of pms able to be sent at one time????

The following is the first part of the touserarray field:
Scary!

I would have to suspect it either accepts wildcards, or it's something to do with the auto-complete function.. but then again, I am quite often wrong. :)

The owner of zenofeller.com and I have been in email contact. He thought I was the spammer while I thought he was. But the truth is that neither of us have been sending out these PM spams, which by my estimate have hit at least 200 VB forums so far. Someone has been spamming links to his ebook, using my email and my wife's name and email to sign up for accounts. We don't know who's doing it yet.

But apparently the problem is caused because the default VB installation allows PMing for unverified accounts. This means someone can register using someone else's email, never complete the email verification process, and PM spam the members. Naturally people will assume the spammer is either the person who owns the URL being spammed or the owner of the email account used to register. In this case neither of those were true.

PM spamming for unverified accounts can be prevented by setting PMs to zero for COPPA, Unverified, and Awaiting Verification usergroups. But still a lot of forums are vulnerable to this.

I strongly suggest the VB team disable PMing for unverified accounts by default. Otherwise it can create a real headache for people.

If you know of anyone else being PM spammed, please refer them to this post.

Does anyone have a fix for this (vbulletin tech people?!). We have people who are not internet savy on our site and now they are paranoid that we are not secure. We can't get much more secure than to set permissions to 0. What can we do?

Not sure I follow this but PMs are turned off by default for unverified accounts. What is your exact question or problem?

We got hit with this today. It was the Buddhist message, but instead of einstein, it was a Jeanette.

Same here today, Jeannette sent for about 30mins buddhist PM's for my users before I caught him. IP was 207.195.246.40.

Only reason I caught the spammer was due to some PM notification emails bouncing back to me.

We've had the same problem. I've tested the Private Messaging, and it is definitely possible to send PM's from an unverified account. I assume that this is in vBulletin default settings - as we wouldnt' have changed the unverified accounts PM limit to 50.

Jeannette hit our site too, sent over 1000 PM's in just under a few minutes. I went in and deleted them all from the database.

here's the thing....I updated to the patch level 2 on SUNDAY the 13th. This Jeannette id registered on Monday the 14th, and then yesterday, hit almost 1/4 of our members. I found out by a member sending me a copy of the pm, immediately banned the id, and then went into the database and found the over 1000 pm's that they had sent and removed them. (I tried to do a quick remove of PM, but it said they had none........so I went in manually to the database to remove.)

Oh, and default setting is that no one can send a message to more then 5 people at a time, and that coppa and users waiting email confirmation can't post at all, and that registered users must meet the next group level of 5 posts before they can send pm, but not one of this mattered. they were able to get in send to high numbers of people in a matter of a minute. So obviously, even if they did a manual registration and it's a human that got through all the other process (and believe me there are a lot, because I get complaints all the time how hard it is to get registered!)....once they got in, they were able to do something to allow them to do those PM's, and QUICK.

I got hit by "Jeanette" too. They hit my board at 1:00 a.m. so they were able to PM all 770 members of my forum. :mad: I just now got that PM from another vbulletin board that I'm a member of.

It looks like there is an exploit in the software somewhere.

I'm running 3.6.7 PL1.

I got hit by "Jeannette" too. Sent thousands of PMs using IP 128.241.105.37


I'm running 3.6.8 PL2

Check your permissions on the Users Awaiting Email Confirmation usergroup and set the max stored PMs to 0 to prevent them from sending PMs.

Check your permissions on the Users Awaiting Email Confirmation usergroup and set the max stored PMs to 0 to prevent them from sending PMs.
Thank you! Mine was set to 50 but is now zero.

Just because it is spam doesn't mean it is being done by a bot or automatically. There is no way to prevent humans from registering at your site except to take it down. That probably isn't an acceptable solution.

No - but its clear when you have such a repeatable pattern and high speed that the stuff is being done by software. If the registration is done automatically or not is only one piece of this.

Not sure I follow this but PMs are turned off by default for unverified accounts. What is your exact question or problem?

No they are not - at least - its not effective.

The defaults are

Maximum Stored Messages:If you set this to 0 users from this usergroup will not be able to use private messaging.

That is set to 50

Maximum Recipients to Send PMs at a time:Do not set this too high for performance reasons (set to 0 to disable)

This setting is set to 0

Yet - a user is still able to send PMs. Its my understanding from the description that the second setting should disable sending PMs - but it does not - at least in 3.6.8

Check your permissions on the Users Awaiting Email Confirmation usergroup and set the max stored PMs to 0 to prevent them from sending PMs.

Yes, but that also would prevent users from receiving them would it not? Shouldn't the second setting prevent sending?

... and yes, we saw the Jenette varient of this spammer today.

I got him to, i already had max stored pm's to 0 on the users awaiting e-mail confirmation?

It would be interesting to see what's been exploited. I believe this one was tapping into the Calendar, peeking into events well into 2011 on the site.

I also got hit

I still think its a script - seems that large forums are reporting that 400 messages are being sent - same in our case 4x0 messages


If a member was manually sending PMs they would be awfully busy and consistent to send spam to 400 members of all these various forums...
if the permissions are working the max at a time they could send is 5

Maybe Im wrong but I doubt that its likley that these tens of thousands of personalized Pms are being manually typed by someone..

got me too.

Is there a way to allow a maximum of 5 messages to be sent for any user with under 5 posts? This way new users can still contact me if they have difficulty with the site, however spammers will be stopped at 5..

Something is wrong.

I got hit today with porn spam to members pm boxes! The user is 'lollergirl' does not have a valid e-mail address, in fact it used my domain. When viewing pm stats on this user it says 1. The IP looks like a proxy and resolves to Romania

Yep, I've gotten hit by Lollergirl twice. Looks like some kind of script. I've also gotten the 'my book sucks please read it' one and the buddhist one three times.

I've made it so unverified users can no longer send PMs, but I'm not sure that's going to stop anything.

The worst thing about it is the lollergirl one is porn, and a lot of my users are under 18. Not very family friendly, and hurts my reputation as a forum owner.

Just got hit by Buddha last night... did something in 3.7 make it easier for them to do or is that just coincidence. What do people do to stop this... the person did register.

I ran a "delete users sent PMs" before removing the user, but I am still getting reports from people... it appears to not have completely flushed out their sent PMs or something. Any other way to rip out this PM?

Got hit by the buddhism one. 176 pm's before an admin deleted the account.

However, I have a setting where you have to have 5 posts to be able to pm, so it's obviously an exploit.

vbulletin team, this needs digging into.

One other note, the script apparently doesn't fill in the numbers in a username for the subject. Anyone that has a username with a number such as test123test will have the subject with that name minus the numbers, ex. Re: testtest

I'm just amazed by the continuing lack of an official response to this.

What official response are you expecting? People spam. It happens.

I had this same problem with pm spamming. I think the default setting was that users waiting for email confirmation were allowed to pm and email members.

I created a newbie usergroup until 3 posts are made. I turned the PMs and email members off until they make x posts.

It gives me some protection and piece of mind knowing they have to post and moderators can see if the posts are legit.

What official response are you expecting? People spam. It happens.

On my board, new users are not allowed to pm until they have 5 posts. The 'user' that sent the pm's had zero posts, but was able to send out 176 pm's in short order, bypassing the requirement for 5 posts somehow.

I feel like it's an exploit by a script, not a person that signed up because the timestamps on the pm's were too consistent and because of my controls/limits that prevent normal people from doing this. I've had many users say that the 5 post minimum is silly, so I know that works for normal users.

I made a few more changes to prevent this, we'll see what happens.

An idea I've thought of would be to expand on the time limit between pm's, so it's an incremental number, say 10 seconds, then 15 for the next, then 20 for the next, etc etc. After say 10 minutes with no pm, the limit resets to normal. Trying to send 176 pm's would at that point require ~15 minutes between pm's, and I doubt a spammer is going to wait that long, however for a normal person, that extra time wouldn't be a factor and would reset fairly quickly.

On my board, new users are not allowed to pm until they have 5 posts. The 'user' that sent the pm's had zero posts, but was able to send out 176 pm's in short order, bypassing the requirement for 5 posts somehow.
That is not possible with the default vB code if the permissions are set correctly.

Please see this thread on how to make your vBulletin more secure:

http://www.vbulletin.com/go/secure

If you are still being hacked after doing all of this, then they are most likely doing this by accessing your server. You need to contact your host about this.