Ok guys, I am not sure whether this title would be perfect for the post or not but yes, it is related to spammers and it is related to vBulletin.

Today, few hours back, while I was working, I got few mailer daemon messages with bounced back email details. Found, a user sending out spam messages. I just went to the forum and banned that user.

Now, when I checked the number of online users, I got quite shocking figure of around 75 members, it soon increased to 100+ members within few seconds. This was kind of shocking considering there was nothing important on the site around this period.

After checking few things, I found that all the users were actually sending out personal messages and the bounced message was one of them. (Soon more bounced mails started flowing in)

So, the first question came in my mind was “Is it a Hack?” To be frank, I panicked for sometime as I was in middle of some important work and this thing came up.

I quickly, made the forum offline to avoid more spam messages and secondly, I disabled PM option for all the users. (Usergroups  – Usergroup Manager – Select the usergroup and edit – Set PM limit to 0)

Okay, after this, I opened a support ticket in vBulletin member’s area and started digging out their forums to get more info over it.

So what did I find..?

Well, for last couple of month, there is some spam bot (script) playing around  vBulletin based forums, checking the usernames for weak passwords (mainly the users with password same as the username) and then the spam bot logs in using those weak users and sends out spam personal messages.

By default in vbulletin there is no option to check for weak passwords, so first you need to jump to vbulletin.org forums and download this plugin called: Password Security Tools and install it.

This plugin will check for existing usernames with weak passwords (Incl. the ones with password same as username), reset their password to a random string and email them the new login details. And this plugin also prevents new registration with the weak password too.

So, moral of the story is.. if you see something like this in your forum, do not panic, install this plugin and clean up the mess. But make sure you have shut down the forum before doing anything.