Yet another new kind of spam
Profile spam. I got my first three today, and they arrived three in a row with rapid-fire post timestamps, which makes me suspect the process has already been automated.
Do you have a site where people can subscribe immediately and fill out their profile? Even if the profile requires an email confirmation, with disposable yahoo/hotmail accounts that's a no-brainer, and the profile may still be visible, and visible to Google's indexer, long before the new member is validated.
If you have a site like this, where you accept registrations with only an email confirmation, then you have a new scourge to keep scrubbing from your site, and this just underlines what I have said before: all publicly writable space must be subjected to a spam filter. No exceptions, and no more sticking our heads in the sand thinking it could never happen to me. Every bit of public write-access space on your site, every bit of data that does not emanate from your own fingers, must be filtered.
For example, consider this real-world entry, perfectly legal as far as the form is concerned, placed into the Instant Messenger field in this morning's latest spam profile ...
Instant Messenger
Jabber:
Here are just some fun questions from<a href='http://RANDOMspamURL'>http://RANDOMspamURL</a>about interesting things! 1. What is your favorite sexual position? explain? 2. Which do you prefer more, Recieving oral sex, or making love? 3. Do you use toys? explain? 4a. What do you do to your partner, that really turns YOU on? 4b. What does your partner do to you that really turns you on? 5. What really turns your significant other on?
This was the nice one; the others get progressively bolder as they probe just how much spam info they can tuck into each form field. Note also the clever use of href='
I don't have the smoking gun yet, but I have suspected for a while that there are Drupal accounts out there which have been taken specifically to provide distributed-authentication access to other Drupal sites, and this current run of profile spam may be their first step in that process. That's another scary scenario I'd rather not think about, but I think maybe it is time we did.
[edited: removed url and added code tags, let's not give the spammers traffic -sepeck]

detecting (and deleting) profile spammers in mysql
Blocking and deleting profile spammers through the user admin interface is far too tedious, but you can identify them with some MySQL keyword-regex sifting of your users and profile_values tables:
select distinct u.uid, u.name, u.mail, u.status
from users u, profile_values v
where u.uid = v.uid
and v.value regexp 'gambling|texas|holdem|wet-girl|poker|sexual|olimpiya|bitches';
Sure enough, the majority (but not all) are using yahoo.com email accounts. Looking at my user base on www.teledyn.com, my first profile spammer registered months ago, and almost all of them are distinguished by using capitalized normal Christian names, and by placing their spam URL as their home page, their description and, on one of my sites, also as the contents of the Jabber IM field (an interesting misreading of that label, eh?)
The above SQL query gets the list of profile spammers on the site, but a better question is this: since MySQL has no
update ... where uid in (select ...)
subselect, how do I frame this search into an UPDATE statement to set users.status = 0 where users.uid = profile_values.uid and profile_values.value matches the (very large and growing) anti-spam regex?

Mind you, maybe that's a moot point. None of these profile spammers ever posted, logged a comment or even returned to the site beyond confirming their email to register their account. And why should they? They have already accomplished what they set out to do: to slant the Google rank toward their site, they only needed to log a link somewhere in the public write-access spots on as many different websites as possible. So that's what they do: they log a profile and then they're done, fait accompli, and they move on to the next site on their gotta-hit hotlist.
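One way to turn that SELECT into a block, added here as a worked example and not taken from the original post or from Drupal itself: MySQL does accept the subselect form from 4.1 onward (the table being updated, users, does not appear inside the subquery, so the usual self-reference restriction does not bite), and on 4.0 the multi-table UPDATE syntax sidesteps the question entirely. The two tables are a simplified sketch of the Drupal 4.x users and profile_values schema (an assumption; only the columns used here are modelled) and every row is constructed for the demonstration. The example also adds the two checks a practitioner would want before running a mass block: a review pass first, because a keyword like texas or sexual will hit legitimate users too, and a uid > 1 guard so the query can never lock out the site admin.

```sql
-- Added example (not the original post's code). Simplified Drupal 4.x-style
-- schema, assumed; only the columns the queries touch are modelled.
CREATE TABLE users (
  uid    INT UNSIGNED NOT NULL PRIMARY KEY,
  name   VARCHAR(60)  NOT NULL,
  mail   VARCHAR(64)  NOT NULL,
  status TINYINT      NOT NULL DEFAULT 1   -- 1 = active, 0 = blocked
);

CREATE TABLE profile_values (
  fid   INT UNSIGNED NOT NULL,             -- profile field id (homepage, IM, ...)
  uid   INT UNSIGNED NOT NULL,
  value TEXT,
  PRIMARY KEY (uid, fid)
);

-- Constructed sample rows: one admin, one legitimate member who happens to
-- live in Texas, and two profile spammers of the kind described above.
INSERT INTO users VALUES
  (1, 'admin',   'admin@example.com',     1),
  (2, 'Sheila',  'sheila@example.org',    1),
  (3, 'Michael', 'michael1234@yahoo.com', 1),
  (4, 'Jessica', 'jess98765@yahoo.com',   1);

INSERT INTO profile_values VALUES
  (1, 2, 'Austin, Texas'),
  (1, 3, 'http://RANDOMspamURL'),
  (2, 3, 'Here are just some fun questions from <a href=''http://RANDOMspamURL''>http://RANDOMspamURL</a> about interesting things! 1. What is your favorite sexual position?'),
  (1, 4, 'online poker and texas holdem at http://RANDOMspamURL');

-- Step 1: review before blocking. REGEXP on non-binary columns is
-- case-insensitive, so 'texas' matches uid 2's "Austin, Texas" as well as the
-- spammers. Look at the list with your own eyes first.
SELECT DISTINCT u.uid, u.name, u.mail, u.status, v.value
  FROM users u, profile_values v
 WHERE u.uid = v.uid
   AND v.value REGEXP 'gambling|texas|holdem|wet-girl|poker|sexual|olimpiya|bitches';

-- Step 2a: block in place with the multi-table UPDATE syntax (MySQL 4.0.4+),
-- no subselect needed. Requiring a link in the same field as the keyword
-- cuts the false positives, since the link is the spammer's whole purpose,
-- and uid > 1 keeps the query from ever blocking the site admin.
UPDATE users u, profile_values v
   SET u.status = 0
 WHERE u.uid = v.uid
   AND u.uid > 1
   AND v.value REGEXP 'href=|https?://'
   AND v.value REGEXP 'gambling|texas|holdem|wet-girl|poker|sexual|olimpiya|bitches';

-- Step 2b: equivalent subselect form for MySQL 4.1 or later. It is allowed
-- because users, the table being updated, is not referenced in the subquery.
UPDATE users
   SET status = 0
 WHERE uid > 1
   AND uid IN (SELECT uid
                 FROM profile_values
                WHERE value REGEXP 'href=|https?://'
                  AND value REGEXP 'gambling|texas|holdem|wet-girl|poker|sexual|olimpiya|bitches');

-- Check: uid 3 and uid 4 end up with status 0, uid 2 (Texas) stays active.
SELECT uid, name, mail, status FROM users ORDER BY uid;
```

Blocking rather than deleting is deliberate: a blocked account keeps its rows, so a false positive from the review list can be reinstated with a single UPDATE, while the spammer's profile stops being rendered and indexed.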
Best you and I can do is clean up the mess ... and wait for the next one.