The forum, which runs on the popular phpBB3 software, was hit by a phishing attempt in the last few hours. Around 2000 private messages were sent by hundreds of newly registered users. It is not clear how this automated attack got past our own spam hammer protection that bars new users from sending private messages. Apologies for the annoying messages and thanks to everyone for the reports.
Here is the SQL I used to clear out the scammers and their messages, in case this post turns up in search results.
-- Review query: lists the matching private messages together with their authors
SELECT * FROM `phpbb_privmsgs`
LEFT JOIN phpbb_users ON author_id = user_id
WHERE `message_subject` LIKE '%We are deleting inactive accounts! Confirm your ac%';
First, back up your database! Second, run the SELECT query above to review what will get deleted. Replace "We are deleting inactive accounts! Confirm your ac" with the subject the phishers used. The match could also be a line in the post or a URL.
-- Delete query: removes the matching messages and the accounts that sent them
DELETE `phpbb_users`, `phpbb_privmsgs`
FROM phpbb_privmsgs
LEFT JOIN phpbb_users ON author_id = user_id
WHERE `message_subject` LIKE '%We are deleting inactive accounts! Confirm your ac%'
  AND user_id NOT IN (0,1,2,3);
Run the DELETE query above to delete the messages and the users. There is no going back (you did a backup, right?). If users have responded to the phisher (ours had some choice words...), they might get deleted too because of the reply. Include the user_id of any legit users you don't want to delete in the NOT IN (x,x,x,x) clause (or omit it if none).
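One way to find the legit users who belong in the NOT IN list is to summarize the matches per author before deleting. This is an added example, not one of the queries from the original cleanup; it assumes MySQL, the default phpbb_ table prefix, the standard phpBB3 columns username, user_regdate and user_posts, and that replies carry a "Re:" subject prefix.

```sql
-- Added example (not from the original post): one row per author that the
-- DELETE would remove. Accounts registered long before the attack, with
-- existing posts and only "Re:" messages, are likely legitimate repliers.
SELECT u.user_id,
       u.username,
       FROM_UNIXTIME(u.user_regdate)        AS registered,   -- user_regdate is a Unix timestamp
       u.user_posts,
       COUNT(*)                             AS matching_pms,
       SUM(p.message_subject LIKE 'Re:%')   AS replies        -- assumption: replies start with "Re:"
FROM phpbb_privmsgs AS p
LEFT JOIN phpbb_users AS u ON p.author_id = u.user_id
WHERE p.message_subject LIKE '%We are deleting inactive accounts! Confirm your ac%'
GROUP BY u.user_id, u.username, u.user_regdate, u.user_posts
ORDER BY u.user_regdate ASC;
```

Rows where replies equals matching_pms and the registration date predates the attack are the user_id values to add to the NOT IN clause.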