Spam attack (Ultimate Rally)

(ACP) You can go find the user sending the PM's and from the drop down select to delete all the PM's from that user, I think that will also delete the ones he send.

You have image verification turned on? And when you ban those users do you also ban their IP address? Do you require email validation during registration?

yep I have email and image verification on. People have been banned individually and by the ips I find in common.

Its the same MO this guy always uses. The users were registered a few weeks ago and then waits to spam everyone.

Sounds like that idiot Kimble and his bunch of asskissers.

Yep it was. I got it under control in a few hours. What a waste of time and patience.

post the emails he uses

so we can call ban them

I just got hit by this guy (these guys?) on May 12. What a pain in the arse... yea.

Anyway, here's what I noticed:

- No IP's appear if I search by IP address (I wanted to find all users using that same IP).
- User has an email address of: [email protected]
- PM's were sent to almost all of my members, but, not all
- An IP address does show up in the member details, here are a few:
202.163.215.194
217.23.37.86
213.239.164.175
Funny thing is.. I cannot look up users based on that IP. It says no results found! So, this guy somehow has disabled IP logging?

I have put the PM timeout to 60 seconds to help avoid this in the future. It's hard to find all of the users who sent out these spam messages. Anyone have a good way of finding them? Perhaps I could find all new users with 0 posts and the date they registered... hm..

Anyway, does anyone know if there is a way I can disable PM's for users with ZERO forum posts? It would be nice to have this feature. Or, it would be even better to give admin the ability to say that a new user is required to have at least X posts before they can use the PM system.

Ideas?

I also don't understand how this guy got past the image verification portion of the registration. This type of spam attack most-certainly would require a script. Does the Vbulletin development team know about this security hole?

I am using image verification and email verification.

The same problem have been reported recently by some Automotive Boards.

He already registers 1 week before with a lot of accounts.

You can simply make that new members can not send PM's:
- Set up a New Usergroup based on Registered Members (and permissions).
- Setup a Promotion from Registered to this new Usergroup after x posts.
- Set the normal Registered Usersgroup to not be allowed PM's

Here's another email this guy is using...

[email protected]

With the following IP: 217.153.247.14

There's a couple of thread already here about this. Below is my current list of blocked IPs. I haven't had any trouble for a couple of months now with these IPs block, until today when a bagelsandcreemchz tosser registered, so I've added his IP too. The second last one is the [email protected] idiot. The last one is the one who had a go today. There is no way around the image verification... they're doing it manually.
66.196.72
12.216.140.10
200.73.174.183
12.202.237.194
66.218.19.68
12.207.135.72
63.226.96.241
80.140.17.85
80.140.15.186
84.171.167.126
213.239.164.175
213.152.66.195
202.163.215.194
193.188.105.22
12.215.51.115

this is very annoying problem caused by idiots.
I know some bad guys who tried to create messup on our board too :/, there should be some official punishments made for this disgrunted board suckers.

we went for a legal action against them, and filed legal suits (got one of them caught), since we are pretty large we cannot tolerate this nuisance.

I was having a look through the webstats for one of my sites and stumbled across this referrer. It brings up an image (in this case broken but I'd imagine it's the registration image) and a form field to enter it into.



EDIT: Also found





Played around with the URLs a bit and tried http://home.bramos.nl/kimpire/marketing/register/

You might find it interesting.

Whois on mp3top40.net
domain: mp3top40.net
status: lock
organization: van der Kolk
email: [email protected]

address: Munterkamp
city: Zwolle
state: --
postal-code: 8014DL
country: OT
phone: --
fax: --
admin-c: [email protected]0

tech-c: [email protected]0

billing-c: [email protected]0

nserver: ns1.redhosting.nl
nserver: ns2.redhosting.nl
created: 2002-04-23 12: 00: 14 UTC
modified: 2005-05-09 13: 06: 30 UTC
expires: 2006-04-23 12: 00: 14 UTC
source: joker.com live whois service
query-time: 0.056723
db-updated: 2005-05-15 09: 46: 41

redhosting.nl supposedly have an abuse email [email protected]