Hi everyone,
I'm writing today to introduce some revisions to our member registration policies, effective immediately:
1) Automatic user validation is now discontinued as of today. Any applicant for use of the forum system will have to be manually validated by an admin user prior to being granted post access to the system. As a reminder, just reading the message boards from the outside does not require establishment of an account.
2) New system users are requested to make an introductory post in the new member area within one week (7 calendar days) after establishing an account here. This lets the admins and the community know that you really are a live human being and not a bot, phisher, or spammer.
3) All members as of today with a post count of zero will have their accounts deleted. If any of these members are interested in staying active on the forums, they can apply for a new account, go through our validation process, and make an introductory post. I'll be glad to reinstate these account(s) upon completion of the above.
Now, you're wondering why I'm taking such draconian measures, I'll bet. Here's what happened.... I was doing some system maintenance last week in preparation for upgrade of our forum system to revision 3.2.5 of phpBB when I came across a weird set of files in the root system directory that apparently spawned off a zip file uploaded by a forum user. I didn't do it, so I disabled these files and put them in our trash folder for later review.
We've been having problems with forum Email for quite some time. On our sister site, NewCaprice.com, the IP for the forum EMAIL (which is the same IP we used being a shared webserver) was flagged for bad activity. We couldn't figure out why and I've been trying to get to the bottom of things along with our web hosting provider.
Well, I go to search the site IP and find out that the files I killed off were a phishing plant. The only gateway for the files to end up where they were is through either forum Email or private message uploading a file to the server. Well, with automatic validations the door was essentially open for a user to create an account and validate the EMAIL, log in, send a PM with a phishing plant and have this devious software use an exploit to deposit bad code on our forum space. In this case, it was a phishing EMAIL that knocked at the door of a Russian email server.
So.... onto the reasons I'm doing what I'm doing. By killing off all the zero-post posters, I'm doing a security purge of the system against bots that may have established an account without manual validation and may lay dormant until being called into action. Manual validations ensure an admin has to take physical action to allow an account applicant in, after a basic "WHOIS" IP check and a validation EMAIL if the information provided looks questionable. The requirement to make an introductory post ensures that someone is at home and is saying "hi" in free-form language that a bot couldn't normally handle. This means a pilot is at the controls on the user end.
These security measures will hold us over until I can get the system upgrades completed. None of these actions will impact established account holders on the system that have made at least one post over their account lifetime.
I SO hate spammers and phishing operators, they make life more miserable for everyone.
Thanks, Eric
_________________ System Manager and your tour guide for the day. REVCON ALUMNI - former owner of 1989 Revcon 31' MB #2752, sold in 2022 to a new next-gen owner!