How is someone sending PM's to my members?

PM spammer update

The owner of zenofeller.com and I have been in email contact. He thought I was the spammer while I thought he was. But the truth is that neither of us have been sending out these PM spams, which by my estimate have hit at least 200 VB forums so far. Someone has been spamming links to his ebook, using my email and my wife's name and email to sign up for accounts. We don't know who's doing it yet.

But apparently the problem is caused because the default VB installation allows PMing for unverified accounts. This means someone can register using someone else's email, never complete the email verification process, and PM spam the members. Naturally people will assume the spammer is either the person who owns the URL being spammed or the owner of the email account used to register. In this case neither of those were true.

PM spamming for unverified accounts can be prevented by setting PMs to zero for COPPA, Unverified, and Awaiting Verification usergroups. But still a lot of forums are vulnerable to this.

I strongly suggest the VB team disable PMing for unverified accounts by default. Otherwise it can create a real headache for people.

If you know of anyone else being PM spammed, please refer them to this post.

Does anyone have a fix for this (vbulletin tech people?!). We have people who are not internet savy on our site and now they are paranoid that we are not secure. We can't get much more secure than to set permissions to 0. What can we do?

Not sure I follow this but PMs are turned off by default for unverified accounts. What is your exact question or problem?

Same here today, Jeannette sent for about 30mins buddhist PM's for my users before I caught him. IP was 207.195.246.40.

Only reason I caught the spammer was due to some PM notification emails bouncing back to me.

We've had the same problem. I've tested the Private Messaging, and it is definitely possible to send PM's from an unverified account. I assume that this is in vBulletin default settings - as we wouldnt' have changed the unverified accounts PM limit to 50.

Jeannette hit our site too, sent over 1000 PM's in just under a few minutes. I went in and deleted them all from the database.

here's the thing....I updated to the patch level 2 on SUNDAY the 13th. This Jeannette id registered on Monday the 14th, and then yesterday, hit almost 1/4 of our members. I found out by a member sending me a copy of the pm, immediately banned the id, and then went into the database and found the over 1000 pm's that they had sent and removed them. (I tried to do a quick remove of PM, but it said they had none........so I went in manually to the database to remove.)

Oh, and default setting is that no one can send a message to more then 5 people at a time, and that coppa and users waiting email confirmation can't post at all, and that registered users must meet the next group level of 5 posts before they can send pm, but not one of this mattered. they were able to get in send to high numbers of people in a matter of a minute. So obviously, even if they did a manual registration and it's a human that got through all the other process (and believe me there are a lot, because I get complaints all the time how hard it is to get registered!)....once they got in, they were able to do something to allow them to do those PM's, and QUICK.

I got hit by "Jeanette" too. They hit my board at 1:00 a.m. so they were able to PM all 770 members of my forum. I just now got that PM from another vbulletin board that I'm a member of.

It looks like there is an exploit in the software somewhere.

I'm running 3.6.7 PL1.

I got hit by "Jeannette" too. Sent thousands of PMs using IP 128.241.105.37


I'm running 3.6.8 PL2

Check your permissions on the Users Awaiting Email Confirmation usergroup and set the max stored PMs to 0 to prevent them from sending PMs.

Thank you! Mine was set to 50 but is now zero.

No - but its clear when you have such a repeatable pattern and high speed that the stuff is being done by software. If the registration is done automatically or not is only one piece of this.

No they are not - at least - its not effective.

The defaults are

Maximum Stored Messages:If you set this to 0 users from this usergroup will not be able to use private messaging.

That is set to 50

Maximum Recipients to Send PMs at a timeo not set this too high for performance reasons (set to 0 to disable)

This setting is set to 0

Yet - a user is still able to send PMs. Its my understanding from the description that the second setting should disable sending PMs - but it does not - at least in 3.6.8

Yes, but that also would prevent users from receiving them would it not? Shouldn't the second setting prevent sending?

... and yes, we saw the Jenette varient of this spammer today.

I got him to, i already had max stored pm's to 0 on the users awaiting e-mail confirmation?

Jeannette got me too...

It would be interesting to see what's been exploited. I believe this one was tapping into the Calendar, peeking into events well into 2011 on the site.

I also got hit

I still think its a script - seems that large forums are reporting that 400 messages are being sent - same in our case 4x0 messages


If a member was manually sending PMs they would be awfully busy and consistent to send spam to 400 members of all these various forums...
if the permissions are working the max at a time they could send is 5

Maybe Im wrong but I doubt that its likley that these tens of thousands of personalized Pms are being manually typed by someone..

got me too.

Is there a way to allow a maximum of 5 messages to be sent for any user with under 5 posts? This way new users can still contact me if they have difficulty with the site, however spammers will be stopped at 5..