Spam attack and Server upgrade

It seems we’ve been under quite a spam attack the last few days. Thanks a lot to everyone who reported messages and helped to clean things up, and to @seancorfield in particular for continuing to steward this community.

I’ve upgraded Discourse to the latest version, and also took the opportunity to upgrade the server to the latest Ubuntu LTS release. Sorry it took a few days. Hopefully this will patch this particular exploit.

12 Likes

A big shout out to @p-himik who did most of the manual cleanup via the Admin UI, to remove hundreds of spam messages!

8 Likes

Thanks for your service! Once you are confident that this is all shored up, please would you describe the attack vector? I’m in charge of a project that uses Discourse and we do not want something like this…

I haven’t found the specific issue but there have been quite a few security issues fixed in the 3.4.0 series: Latest release-notes topics - Discourse Meta

No clue about the vector and it might still be that the update has had nothing to do with the reduction in spam. The spam is still there, it’s just much, much less frequent. Could be because I’m banning all IP addresses that the spammer uses.

There’s still seemingly automated spam, just much less of it. I enabled hCaptcha with my own API keys for a free tier, seems to be working just fine. Hope it gets rid of the spammer.

2 Likes

Huh, just got another spam message. Does the spammer post manually now?

I cleared 3 or 4 out of the review queue this morning, so at least some of them are getting caught there…

I also just did one “Delete and block user” from the queue… if this continues we might want to look at alternative captcha plugins, or do something custom like “what’s the result of evaluating this clojure form?”

Thank you for all the hard work you’re putting in to maintain this community! It is very much appreciated and valued.

1 Like

Just deleted another set of spam posts that were made at exactly the same time. So yeah, either the current captcha is not enough or there’s some vulnerability in Discourse.

I’ve upgraded Discourse, in case it helps. I had to disable the checklist plugin, or the upgrade failed.

Nah, still going on.

Tried setting Auto silence first post regex to booking|travel|+1-8. Weird that Discourse says “DEPRECATED: Use Silence Watched Words instead.” but there’s no Silence Watched Words setting that I could find.

Unfortunately, my email provider (GMX) is now moving all Clojureverse emails to spam automatically. Positive email server reputation is really difficult to establish after distributing spam, so I would suggest disabling the email functionality for the time being before even more damage is done. This will of course be a disappointment to many; indeed email is the main way I interact with Clojureverse. The only other solution is to limit the email functionality to specific users, but I don’t know whether your email infrastructure exposes this feature to administrators.

I ran our email sending domain through an email domain health check thing, and it seems we were missing the DMARC record. I think that wasn’t as much of a thing yet when we first set this up. I’ve added it now (our email sending happens through Mailgun, DNS is with Cloudflare).

There’s also a setting that controls when we stop sending summary emails to people. The default is 180 days of no activity on the site; we had it set to 1000 days, and I’ve changed it to 365 to tamp down the email volume a bit.

It does seem that after the big spam wave at the beginning of August things have been pretty normal again, with perhaps a smaller bump on the 22nd.

I’m hoping our reputation can naturally recover. For me (in gmail) they still seem to be landing in the inbox. The DMARC record will help as well.

I’ll make a separate post to ask people to check their spam boxes and mark any legitimate clojureverse emails as not spam, that should also help a bit.
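The DMARC record mentioned above is a single TXT record at `_dmarc.<sending-domain>`, and most of its value comes from a handful of tags (`p=`, `pct=`, `rua=`). The following is an added example, not code from Clojureverse, Discourse, Mailgun or Cloudflare: a small parser that splits a record into tags and reports the weaknesses a defender would want to know about (no record at all, monitor-only `p=none`, partial `pct`, no aggregate-report address). The sample records are constructed values, not the forum’s real DNS data.

```python
"""Parse and sanity-check a DMARC TXT record.

Added example, not Clojureverse's or Discourse's code. The records below
are constructed samples, not any real domain's DNS data.
"""

# Constructed sample records, as they would appear in the TXT record at
# _dmarc.<sending-domain>. None models a domain with no record published.
SAMPLE_RECORDS = {
    "missing": None,
    "monitor_only": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
    "enforcing": ("v=DMARC1; p=quarantine; pct=100; "
                  "rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s"),
    "partial": "v=DMARC1; p=reject; pct=25",
    "malformed": "p=reject; rua=mailto:dmarc-reports@example.com",
}


def parse_dmarc(record):
    """Split a DMARC record into a {tag: value} dict; {} if no record."""
    if not record:
        return {}
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return a list of findings; an empty list means the record looks healthy."""
    findings = []
    tags = parse_dmarc(record)
    if not tags:
        findings.append("no DMARC record: receivers cannot verify alignment, "
                        "so the domain is trivially spoofable")
        return findings

    # The version tag is required and must be first; receivers ignore the
    # record otherwise, which is the same as having none.
    if tags.get("v") != "DMARC1":
        findings.append("record must start with v=DMARC1")

    policy = tags.get("p")
    if policy is None:
        findings.append("missing required p= tag")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"unknown policy {policy!r}")

    # pct defaults to 100; anything lower applies the policy to a sample only.
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct} applies the policy to only part of the mail stream")

    # Aggregate reports are how you learn who is sending as your domain.
    if not tags.get("rua", "").startswith("mailto:"):
        findings.append("no usable rua= address: aggregate reports will not be received")

    return findings


if __name__ == "__main__":
    for name, record in SAMPLE_RECORDS.items():
        print(f"{name}: {record!r}")
        for finding in assess_dmarc(record) or ["looks healthy"]:
            print(f"  - {finding}")
```

To run the same check against a live domain, fetch the record with `dig TXT _dmarc.example.com +short` and pass the quoted string to `assess_dmarc`; the code deliberately does no network lookups so it runs offline.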

Should we change any of these from trust_level_0 to trust_level_1, so that posts (or new topics) from new users need approval?

Probably makes sense, shouldn’t be significantly more work.

Alright, let’s see what happens.

People who are active should get to trust level 1 pretty quickly, or if we’re sure they’re legit admins can bump them up manually immediately.

To Reach Trust Level 1 (Basic User)

  • Enter at least 5 different topics.

  • Read at least 30 posts across those topics.

  • Spend a total of 10 minutes reading posts on the forum.

1 Like

Good news! My GMX freemail provider has started delivering the Clojureverse emails again, after automatically flagging all of them as spam for a few weeks. Thanks for adding the proper DMARC configuration, @plexus.

1 Like