Spam from "system"

On our Discourse instance, the “system” account has started sending spam to the forum and the email list. It has happened three times in the last five days.

There is no user responsible for “system,” nobody has logged in to admin with that username, and there are no obvious attack surfaces in the admin panel.

My best guess is that someone is exploiting the Discourse server. So I came here figuring someone would have seen this before, but I’m at a loss.

Any thoughts?

What does this spam look like?

It’s hard to think of how that could happen.

1 Like

Two things:

  1. “W-8BEN compliance.”
  2. Chinese shipping (?) spam.

This just popped up after “system” had been quiet for six years.

1 Like

Do you have any active API keys? Check /admin/api/keys

2 Likes

We don’t.

(I walked through this with an LLM, and that was one of its suggestions.)

Does /u/system/preferences/security show any recent browsers?

2 Likes

I remember reading another topic where someone reported spam posts that were authored by the system. But I cannot find it anymore. I think the topic was deleted.

1 Like

No, /u/system/preferences/security does not show any recent browsers (“recently used devices,” right?).

Looks like this was caused by a bad change on our side. Sites that have both:

  • Staged users disabled
  • Allow incoming emails

will get incoming emails under the system user.

The team responsible is working on a fix.

5 Likes
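
A triage sketch for the condition described in the last reply, added here as an example and not code from Discourse or from anyone in the thread: it separates ordinary "system" posts from ones that were created from an incoming email, and lists the senders per day. The record fields, the two settings flag names and all sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

SYSTEM_USER_ID = -1  # id of Discourse's built-in "system" account

# Constructed sample export; field names are assumptions modelled on post records.
POSTS = [
    {"id": 101, "user_id": -1, "via_email": False, "created_at": "2019-03-02T10:00:00Z",
     "from_address": None, "title": "Welcome to the forum"},
    {"id": 910, "user_id": -1, "via_email": True, "created_at": "2025-06-01T04:12:00Z",
     "from_address": "billing@example.net", "title": "W-8BEN compliance"},
    {"id": 911, "user_id": 42, "via_email": True, "created_at": "2025-06-02T09:30:00Z",
     "from_address": "member@example.org", "title": "Re: meetup"},
    {"id": 915, "user_id": -1, "via_email": True, "created_at": "2025-06-04T22:47:00Z",
     "from_address": "sales@example.com", "title": "Shipping rates"},
]

# Hypothetical flag names standing in for the two site settings named in the thread.
SETTINGS = {"staged_users_enabled": False, "incoming_email_enabled": True}


def is_exposed(settings):
    """True when the site matches the affected combination from the thread."""
    return settings["incoming_email_enabled"] and not settings["staged_users_enabled"]


def email_posts_as_system(posts):
    """Posts attributed to system that were created from an incoming email."""
    return [p for p in posts if p["user_id"] == SYSTEM_USER_ID and p["via_email"]]


def senders_by_day(posts):
    """Map each calendar day to the sorted sender addresses of flagged posts."""
    days = defaultdict(set)
    for p in email_posts_as_system(posts):
        days[p["created_at"][:10]].add(p["from_address"] or "unknown")
    return {day: sorted(addrs) for day, addrs in sorted(days.items())}


if __name__ == "__main__":
    print("affected settings combination:", is_exposed(SETTINGS))
    for day, addrs in senders_by_day(POSTS).items():
        print(day, ", ".join(addrs))
```

System posts that did not arrive by email, such as the constructed welcome post, are left out of the result, so anything flagged is worth comparing against the incoming mail log for that day.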