Hmmm… well, if he went to the “link above”… that probably means the spyware/adware/malware link was inside the PM he received on the board, and not inside the mail at all!
I found it suspicious since I received that PM notification but there was no PM… the latter was probably just because at that point, the spamming user was already deleted along with all his PMs?
Except I didn’t delete a user. My supposition was that the post was blocked due to content (a [url] block, probably), and didn’t actually get posted (but the new PM email fired). And, I don’t believe deleting a user deletes PMs (or posts). So I actually think the PM never got sent.
And the post was a regular PM, I’ve looked at the logs. It wasn’t a hack or anything, it was posted via the PM system.
So, to sum it up: the email seemed to be a perfectly legit notification of a PM (Private Message) received here on the board.
The contents of the private message are something completely different – it could have come from ANY member of this board, including spambots (which are well known to target phpBB since it’s the most widely spread free forum software).
Although I didn’t think you could get malicious code into a PM. I looked at the database, too — there isn’t anything there.
This is still a good argument to always update phpBB though, since these automated PMs wouldn’t be possible if the spambot would stay outside because he can’t automatically sign up.
I had some hand-tweaked signup form stuff, but clearly not enough. I guess I’ll go back and add some more. Maybe a simple math check.
I hate spammers.