I have been using Drupal both for personal use as well as for small outside projects for a couple of years. In almost all cases, I have noticed a pattern whereby people from Russia (or, recently, people from New York or Texas, in the US) apply for a user account. None of the sites I created had "users can create their own accounts and log in" functionality turned on - I know this would be a necessity on a busy site where making users wait for me to approve the user account would not be prudent. All of my sites were not of this nature so I had turned this functionality off, for peace of mind!
Getting back to the point, WHY do these hackers do this? I can understand them doing this on a site where they can auto-create a user account and log in, to snoop around, but what's the purpose of doing this on a site where they know that Admin approval is needed to log in?
Is there some hidden tactic behind this that I don't know about? Do they glean any info (however small) from the very process of merely applying for an account (but knowing it's not going to be approved)?
Please enlighten!
Kenneth
Comments
More than likely the bots
More than likely the bots simply scrape for the /user/login URL and register. The bots are automated and as such don't realize nor care that the site requires an admin's approval. Bots are made to target as many sites as possible, not prioritize and evaluate each and every single one. If bots were made to scrape the content and deduce that an admin's approval was needed, people would be able to avoid bots by mimicking the same criteria on open registration sites.
That's what I had thought but...
I noticed that some fields on the registration form that were mandatory were filled (such as street names, city, etc.). Of course I am sure this could be accomplished with sophisticated scripts but still... Anyway, it's an annoyance to say the least!
Thanks!
Kenneth
I'll admit it's a seriously
I'll admit it's a seriously annoying issue. Some options of course include a CAPTCHA or reCAPTCHA but at times those can discourage users from signing up. Personally I've been using reCAPTCHA only when I don't have a particular field that can be run through a verify-script (be it a particular id that the user associates with or what have you).