[Andrew Field]

Firstly, my apologies if you have been sent a PM (Personal Message) via the user 'mignulikz' this evening.

This user joined the forum last night and then abused the forum system to send multiple PMs to members of the forum. The user has now been deleted and all PMs automatically deleted.

However, in the meantime, while I give the forum software providers time to provide me with permanent fix, I have switched off the PM system for standard members. I do fully appreciate how this may be irritating and annoying, but I would rather be safe than provide an opportunity for a spammer / scammer to cause trouble.

Please do rest assured that your e-mail address has not been compromised though. I am annoyed that the forum software did not prevent this user sending multiple Personal Messages but he / she has not had access to your e-mail. Instead the forum system has used your secure e-mail address to notify you that you've got a new message.

Should you need to get in contact, please do use the support system at http://www.contentge...or.net/support/ or reply to this message.

[Andrew Field]

Just to add - I have had it confirmed from Invision that everyone's e-mail addresses remain completely secure. The rogue user took advantage of the forum notification system to tell you that you had a new message. This message contained a link that led you to a phishing website.

All the messages were deleted last night, as was the user's account. We also switched off the PM system for standard members and removed the automatic forum notification.

I have had a few e-mails today asking where their message is or asking why they cannot access the message. This is a by product of us deleting them all. Apologies again for the inconvenience but this is far more preferable to having spam / phishing messages appearing on the forum.

[Andrew Field]

Invision have now released a patch which prevents a spammer using the forum system to send multiple e-mail messages. We appear to be one of the first forums that encountered the issue. Yesterday Invision didn't plan on releasing a patch. Today - when multiple other forums started reporting similar issues they have done so.

With the patch in place I will soon re-enable PMs (Personal Messages) for standard members. Please note that the messages sent to you from the rogue user should have all been automatically deleted. Do let me know if you find one that hasn't. I will wait a couple of days before switching PMs back on though - just to make sure that the patch has been successfully deployed.

Details from Invision:

Quote

PM Flood Control Patch for Invision Power Board 2.3.6 Released

We have received numerous reports from clients regarding spamming on the Personal Message (PM) system in IP.Board 2.3.6 and below. After consulting with reCaptcha (the provider of the captcha system in 2.3.6) we believe that humans are being used to bypass the captcha and then the newly created account is given to an automated script which sends PMs in huge quantities to your members.

The patch we have released today introduces a flood control setting to the PM system in IP.Board 2.3.6. This will limit how fast a member can send PMs thereby giving you and your moderators time to ban the offending account.

[Andrew Field]

We encountered another spam attack on the forum early this morning too. Thankfully all the measures put in place prevented this user causing any of our members trouble.

They automatically posted 640 posts at 0440 am this morning. I think this may have been an attempt to trigger some sort of automatic upgrade to enable them to send PMs to everyone. However, as I've locked the PM system down at the moment this simply wasn't possible.

Thus, for the moment, standard members still don't have access to PMs I'm afraid. I'll keep updating this topic as I discover more. I've also reported this issue to Invision. To date they have been good at responding to issues like this.

[Andrew Field]

Further attempts were made to 'spam' the forum today too Thankfully the system has continued to stand up - all the spam posts were sent for approval, so they never appeared.

Just irritating and time consuming to deal with though.