User profile spam attack

On Christmas Eve day, several of my sites were 'visited' by what I presume to be a bot, all from the same source IP address.

The attack consisted of attempts to register many new user accounts, each having a username containing the term 'DVD':

Soccer DVD, DVD Immature, Underworld DVD, Adult DVD, Enigma DVD, DVD shrink, Blues DVD, Trick DVD, Portable DVD Player, DVD Decryptor, Federation DVD

The email addresses were all unique, of course, since the bot attempted to register multiple user names on each site. The sites were configured to include a free-text user profile field so that users can share their interests, etc.

The spam bots were stuffing URLs and text ads for DVDs into the profile fields, in an attempt to generate search engine "link love", or so it appears.

Recommendations

  • Install the latest spam.module, available from kerneltrap.org. This module is useful for other reasons, but it does not check user profile data at present
  • Configure new user account creation to require administrator approval
  • Install and configure advuser module to provide email notifications on new user registration
  • If using logintoboggan, be sure to get the latest version, as older versions had a bug that caused new users to be automatically approved even if admin approval was required on new accounts
  • Install and configure captcha module, and require captchas on new user registration, password recovery, and comments for anonymous (guest) users.
  • If you have configured any user profile fields that spammers are looking for (text fields, URL fields), ensure that they are not visible in the user registration form. I've found that if there is nothing but an email address, spammers (or their bots) don't bother with your site. You will need to let new users know that they can fill out these fields once they sign in.

Wish list

Here's what I'd like to see in one or more Drupal modules:

  • Automated spammer filtering for user profile fields
  • Per-IP-address flood control on new user account registration attempts: if a certain threshold is reached, ban or otherwise block the IP address for a period of time

Update December 25, 2006 - The same bot appears to have been probing this site over the last three days trying to deposit comment spam, and was blocked by the captcha module.

Update December 29, 2006 - This post on webmasterworld.com (registration required) describes a nearly 100% effective technique (mods for phpBB - but the techniques should work for any system).

MOD 1.
New members can only post URLs once they've made x posts and been active for y days. Configurable in the admin panel.

Mod details and download here:
http://www.phpbb.com/phpBB/viewtopic.php?t=464628

MOD 2.
Prevents bot registration if anything is filled in the profile fields, has a notice to warn human registrants. Can also send a notification email to admin.

Mod details and download here:
http://www.phpbb.com/phpBB/viewtopic.php?t=435694
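As an added illustration of the two ideas above (the per-IP flood control from the wish list, and MOD 2's trick of rejecting a registration when a profile field the human-visible form never shows has been filled in), here is a framework-agnostic sketch of that logic in Python. It is not Drupal or phpBB code and not any existing module; the field names, thresholds and the 'DVD' username term are assumptions taken from this post.

```python
"""Flood control plus profile-field screening for new-account registration.

Constructed example of the logic described in the post; not Drupal/phpBB code.
Timestamps are passed in explicitly so the behaviour is deterministic.
"""
from collections import defaultdict, deque


class RegistrationGuard:
    def __init__(self, threshold=5, window=600, ban_seconds=3600,
                 hidden_fields=("profile_interests", "profile_url"),
                 blocked_terms=("dvd",)):
        self.threshold = threshold          # attempts allowed per IP per window
        self.window = window                # sliding window, in seconds
        self.ban_seconds = ban_seconds      # how long a flooding IP stays blocked
        self.hidden_fields = hidden_fields  # assumed names of fields hidden from the form
        self.blocked_terms = blocked_terms  # username terms that flag an account for review
        self.attempts = defaultdict(deque)  # ip -> timestamps of recent attempts
        self.banned_until = {}              # ip -> unix time the ban expires

    def check(self, ip, now, username, fields):
        """Return 'banned', 'reject', 'review' or 'allow' for one attempt."""
        if self.banned_until.get(ip, 0) > now:
            return "banned"
        q = self.attempts[ip]
        q.append(now)
        while q and now - q[0] > self.window:   # forget attempts outside the window
            q.popleft()
        if len(q) > self.threshold:
            # Threshold exceeded: block this IP for ban_seconds, reset its window.
            self.banned_until[ip] = now + self.ban_seconds
            q.clear()
            return "banned"
        # Bots stuff every field they can find; a human never sees the hidden ones.
        if any(fields.get(f) for f in self.hidden_fields):
            return "reject"
        # Suspicious username: hold the account for administrator approval.
        if any(t in username.lower() for t in self.blocked_terms):
            return "review"
        return "allow"
```

Each registration attempt is checked once, in order: ban state first, then the flood counter, then the hidden-field honeypot, then the username terms.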

Looks like it's time to see if Bad Behavior can help.

Disclaimer

NOTE: All information contained herein is provided for educational purposes only. Exodus Development, Inc. disclaims all liability for use or misuse of the information presented herein or on external web sites. Use your own good judgement, ask an expert first. Proceed at your own risk.