I have been getting hundreds of spam registrations to my Drupal 7.x site for the last 4 months. The site has been set to:
Registration and cancellation > Who can register accounts? > Administrators only
for the entire time, so I venture to guess this was introduced 4 months ago (i.e., the site has been operational since early 2012, spam registrations started 4 months ago). Viewing the changelog for Drupal 7.19, it does not address any issue like this, so I would imagine this is still a hole in my installation.
As far as I can tell, they can only register, but the accounts all appear to be blocked, but they shouldn't even be able to register according to the setting above.
Let me know how to escalate this or report this in a more "correct" way.
Cheers,
Dave
Comments
=-=
That's not occurring on any of my D7 sites. That said, I'd look at any contrib modules which are possibly outdated and/or that interact with user registrations. I'd also check any/all users with elevated roles.
Is there an access denied served when logged out and pointing the browser to /user/register
I use logintoboggan
I use logintoboggan (up-to-date).
If I attempt to go to privileged content, I am greeted with a login/register page.