Spam attack and Server upgrade

It seems we’ve been under quite a spam attack the last few days. Thanks a lot to everyone who reported messages and helped to clean things up, and to @seancorfield in particular for continuing to steward this community.

I’ve upgraded Discord to the latest version, and also took the opportunity to upgrade the server to the latest Ubuntu LTS release. Sorry it took a few days. Hopefully this will patch this particular exploit.

6 Likes

A big shout out to @p-himik who did most of the manual cleanup via the Admin UI, to remove hundreds of spam messages!

2 Likes

Thanks for your service! Once you are confident that this is all shored up, please would you describe the attack vector? I’m in charge of a project that uses Discourse and we do not want something like this…

I haven’t found the specific issue but there have been quite a few security issues fixed in the 3.4.0 series: Latest release-notes topics - Discourse Meta

No clue about the vector and it might still be that the update has had nothing to do with the reduction in spam. The spam is still there, it’s just much, much less frequent. Could be because I’m banning all IP addresses that the spammer uses.

There’s still seemingly automated spam, just much less of it. I enabled hCaptcha with my own API keys for a free tier, seems to be working just fine. Hope it gets rid of the spammer.