Wow.. this is really strange. Are you sure you don't have any default username/passwords set up? A bot could just go to /news/post and log in with admin/password. I tried this and it didn't work, so it appears you've deleted the default admin account.
I wonder if you could put an IP restriction on the post() action until you figure out what's going on?
I really do not have an default admin user! I even deleted the Member and Member Password tables temporarily. But the spam posts still are comming in!
Your suggestion "put an IP restriction on the post()" -> can you post an example what to do?
Well, if the user gained access to your website control panel, database or ftp server, then he can easily bypass the SilverStripe security measures. I suggest you do the following, before trying to further shut-down/blame SilverStripe:
Change password to your Control Panel
Change password of your FTP Access
Ask your hosting provider for an FTP access log. Look for suspicious IPs
Disallow any database connections other than from localhost (should be the default, but you never know)
Change DB password
Look for suspicious cgi or php scripts on the server
Just to be sure, re-upload all your php files from a local, uncorrupted copy of the site
Update AFAIK if there's no admin user in the member database, one will automatically be created with username admin and password as password. What do you see in the CMS Security section after running /dev/build?
I really do not have an default admin user! I even deleted the Member and Member Password tables temporarily
This is bad - this will provide a security hole to the site, as the hacker could then run /dev/build?isDev=1 and recreate a dev admin user. If your site has been in dev mode or if your database has gone down then your mysql connection details could have been leaked and this could have access to this.
Make sure you are running SS2.3.2 as this has a security fix for an issue related to this
@willr -> As written above I changed at first all user names and passwords without success (more spam was posted). Then I deleted the Member/MemberPasswords table just for a while to see and check the database if somone is going to create a new member with a trick. But no member was created (!) an we still received spam posts.
Than I re-imported all my members and passwords tables.
I have definitely no default "admin/password" User and you cannot create one by the "dev/build" way.
Guess the problem must be somewhere else.
Thanks, Im going to check out your instructions tomorrow morning (German time :-)) Hope to find some solution.