I'm not sure there is anything we can do about this, but I thought I would post the alarm anyway, just in case, just so you know.
By now I am sure many of you will have experienced what I call Profile Spamming where you will get a sudden burst of site registrations with bogus emails and where all other fields in their profile will be jammed full of URLs for all sorts of nasties; these are a pain, but they can be stopped at the OS level by adding the offending IP to your firewall.
Unfortunately there is a new variant of these bogus registration requests that is particularly deadly -- I just received several dozen of them, all of them arriving within a few minutes (so it is a DoS attack too):
Type user
Date Sunday, July 8, 2007 - 6:26pm
User a tourist
Location http://myhost/user/register?destination=node/807%2523comment_form
Referrer http://myhost/user/register?destination=node/807%2523comment_form
Message New user: tfgklbrom <wawoco@jcicwi.com>.
Severity notice
Hostname 24.138.71.203
Now, here's the kicker: every last one of these attempts arrived from a different IP!
And each IP is from a different Class-A network (so you can't block by a netmask) -- and here's the scary part: not only do they attack in a coordinated fleet, but with each registration, while the requested name and bogus emails were unique (random), all attackers carried the nearly identical profile spam message. This suggests the attackers are all from the same 'Anti-Drupal Registration Bomb' software, and that the base for this software is distributed, but coordinated. Just as with earlier first-shots of automated website spamming (e.g. Trackback spam and comment spam) I did see one or two first-shots that had the same format, but arrived in isolation a few days ago. This suggests they are gearing up for more major attacks.
FWIW, I have my new registrations 'protected' by the Math-Quiz CAPTCHA test; apparently this doesn't slow them down at all.
Is there anything we can do about this new threat?
To help deal with these idiots, I would like to put in one very useful feature request: Can we provide a JavaScript link on the admin/users list to say "select all" to select all visible logins, and then have an option on the actions list to Delete Without Confirmation? Either one alone would be a help, but together at least I'd be able to scrape the junk users off my website with a minimum of mouseclicks and keystrokes.
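As an added example (not part of the original post or of Drupal): because the registrations described above come from unrelated networks, a per-IP or per-netmask rule never fires, but the burst shows up when registration events are counted per time window. The sketch assumes log entries exported in the field layout shown in the post; the function names, the 5-minute window, the threshold and the sample entries are assumptions made for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

DATE_FMT = "%A, %B %d, %Y - %I:%M%p"  # e.g. "Sunday, July 8, 2007 - 6:26pm"

# Constructed sample entries in the field layout of the log entry above.
# Hostnames are reserved/documentation addresses, one per /8 network.
_IPS = ["192.0.2.10", "198.51.100.20", "203.0.113.30",
        "10.0.0.40", "172.16.0.50", "100.64.0.60"]
SAMPLE = "".join(
    f"Type user\nDate Sunday, July 8, 2007 - 6:2{i}pm\n"
    "Location http://myhost/user/register?destination=node/807%2523comment_form\n"
    f"Message New user: user{i} <user{i}@example.com>.\nHostname {ip}\n"
    for i, ip in enumerate(_IPS))
# One unrelated registration hours later; it must not join the burst.
SAMPLE += ("Type user\nDate Sunday, July 8, 2007 - 9:00pm\n"
           "Location http://myhost/user/register\n"
           "Message New user: later <later@example.com>.\nHostname 192.0.2.99\n")


def parse_entries(text):
    """Turn 'Field value' lines into one dict per entry; 'Type' starts an entry."""
    entries = []
    for line in text.splitlines():
        key, _, value = line.strip().partition(" ")
        if key == "Type":
            entries.append({})
        if entries and key:
            entries[-1][key] = value
    return entries


def find_burst(entries, window=timedelta(minutes=5), threshold=5):
    """Return stats for the largest run of registrations inside `window`, or None."""
    regs = sorted(
        (datetime.strptime(e["Date"], DATE_FMT), e["Hostname"], e["Location"])
        for e in entries if e.get("Message", "").startswith("New user:"))
    best, start = None, 0
    for end in range(len(regs)):
        while regs[end][0] - regs[start][0] > window:
            start += 1  # slide the window forward
        hits = regs[start:end + 1]
        if len(hits) >= threshold and (best is None or len(hits) > best["count"]):
            ips = {ip for _, ip, _ in hits}
            best = {"count": len(hits), "distinct_ips": len(ips),
                    "distinct_slash8": len({ip.split(".")[0] for ip in ips}),
                    "top_location": Counter(h[2] for h in hits).most_common(1)[0][0]}
    return best
```

A result where `distinct_ips` and `distinct_slash8` are close to `count` while `top_location` is shared matches the distributed pattern in the post, and is a signal to throttle or temporarily close registration rather than to add firewall rules.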
Comments
Comment #1
vm commented
The captcha.module is a bit outdated. MyCaptcha.module and riddler.module are now the leading user registration spam deterrents.
Comment #2
mikey_p commented
Drupal 5.1 and HEAD currently do have a select all checkbox in the table header row, that selects all the users listed on that page at admin/user/user.
I don't see there being much chance of getting an option to delete without confirmation. This wouldn't fit very well with established Drupal conventions regarding deletions. Maybe see if the Deletion API lands in D7 and go from there...
Comment #3
mikey_p commented