Monday, November 23, 2009

User profile spam attack in Drupal

On New Year, several of my blogs were 'visited' by what I presume to be a bot, all from the same source IP address.

The attack consisted of attempts to register many new user accounts, each having a username containing the term 'DVD':

Soccer DVD, DVD Immature, Underworld DVD, Adult DVD, Enigma DVD, DVD shrink, Blues DVD, Trick DVD, Portable DVD Player, DVD Decryptor, Federation DVD

The email addresses were all unique, of course, since the bot attempted to register multiple usernames on each site. The sites were configured with a free-text user profile field so that users could share their interests, etc.

The spam bots were stuffing URLs and text ads for DVDs into the profile fields, apparently in an attempt to generate inbound links for search engine ranking ("link love"). Because profile pages are publicly visible once the account exists, every approved spam account becomes a free link farm page on your domain.

Recommendations:
  • Install the latest spam.module available from kerneltrap.org - this module is useful for other reasons (comments, nodes), but it does not check user profile data at present, so on its own it will not stop this particular attack
  • Configure new user account creation to require administrator approval
  • Install and configure advuser module to provide email notifications on new user registration
  • If using logintoboggan, be sure to get the latest version, as older versions had a bug that caused new users to be automatically approved even if admin approval was required on new accounts
  • Install and configure captcha module, and require captchas on new user registration, password recovery, and comments for anonymous (guest) users.
  • If you have configured any user profile fields that spammers are looking for (text fields, URL fields), ensure that they are not shown on the user registration form. I've found that if there is nothing but an email address, spammers (or their bots) don't bother with your site. You will need to let the new user know that they can fill out these fields once they sign in.

Wish list

Here's what I'd like to see in one or more Drupal modules:

  • Automated spammer filtering for user profile fields
  • Per-IP-address flood control on new user account registration attempts - if a certain threshold is reached, ban or otherwise block the IP address for a period of time
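Here is how both wish-list items could be implemented against the Drupal 6 API of the time, as an added example that is not part of the original post and not an existing contrib module. The module name profile_spam_guard, the threshold of five attempts per hour, the default keyword list (just 'dvd', taken from the usernames above) and the variable names are all assumptions chosen for this example; flood_register_event(), flood_is_allowed(), ip_address(), form_set_error(), watchdog(), variable_get() and the {profile_fields} table are Drupal 6 core.

```php
<?php
// profile_spam_guard.module: hypothetical Drupal 6 module (example code,
// not an existing project) implementing the two wish-list items above:
//   1. per-IP flood control on registration attempts
//   2. spam filtering of the username and free-text/URL profile fields

// Registration attempts allowed per source IP per hour (assumed default).
define('PROFILE_SPAM_GUARD_THRESHOLD', 5);

/**
 * Implementation of hook_form_alter(): attach our checks to user_register.
 */
function profile_spam_guard_form_alter(&$form, $form_state, $form_id) {
  if ($form_id == 'user_register') {
    // Flood check first, so a flooding IP never reaches core validation.
    array_unshift($form['#validate'], 'profile_spam_guard_flood_validate');
    $form['#validate'][] = 'profile_spam_guard_profile_validate';
  }
}

/**
 * Per-IP flood control. Drupal 6's flood API keys events on ip_address()
 * and counts them over a fixed one-hour window.
 */
function profile_spam_guard_flood_validate($form, &$form_state) {
  // Count every attempt, whether or not it goes on to succeed.
  flood_register_event('profile_spam_guard_register');
  if (!flood_is_allowed('profile_spam_guard_register', PROFILE_SPAM_GUARD_THRESHOLD)) {
    watchdog('profile_spam_guard', 'Registration flood from %ip',
      array('%ip' => ip_address()), WATCHDOG_WARNING);
    form_set_error('', t('Too many registration attempts from your address. Please try again in an hour.'));
  }
}

/**
 * Reject registrations whose username or profile fields look like link spam.
 */
function profile_spam_guard_profile_validate($form, &$form_state) {
  $values = $form_state['values'];
  $fields = array('name' => $values['name']);
  // Only free-text and URL profile fields that are shown on the
  // registration form can carry the spam payload.
  $result = db_query("SELECT name FROM {profile_fields} WHERE register = 1 AND type IN ('textfield', 'textarea', 'url')");
  while ($field = db_fetch_object($result)) {
    if (isset($values[$field->name])) {
      $fields[$field->name] = $values[$field->name];
    }
  }
  foreach ($fields as $name => $value) {
    $reason = profile_spam_guard_spam_reason($value);
    if ($reason) {
      watchdog('profile_spam_guard', 'Blocked registration from %ip: field %field %reason',
        array('%ip' => ip_address(), '%field' => $name, '%reason' => $reason), WATCHDOG_NOTICE);
      form_set_error($name, t('This field contains content that is not allowed at registration.'));
    }
  }
}

/**
 * Returns a short reason string if $text looks like spam, otherwise FALSE.
 * Keyword list and link limit are site-configurable; the defaults are
 * assumptions for this example.
 */
function profile_spam_guard_spam_reason($text) {
  $keywords = variable_get('profile_spam_guard_keywords', array('dvd'));
  $max_links = variable_get('profile_spam_guard_max_links', 0);
  // A profile submitted at registration time should not contain links at all.
  $links = preg_match_all('#https?://|www\.#i', $text, $m);
  if ($links > $max_links) {
    return "contains $links link(s)";
  }
  foreach ($keywords as $word) {
    if (preg_match('/\b' . preg_quote($word, '/') . '\b/i', $text)) {
      return "matches keyword '$word'";
    }
  }
  return FALSE;
}
```

Because the event is registered before the check, a threshold of 5 blocks the fifth and later attempts from one address within an hour; stale flood rows are only purged by system cron, so cron must be running. Two caveats a practitioner would want: a per-IP limit is only a speed bump against a distributed bot, and users behind a shared NAT or proxy can be locked out together, so the threshold should be generous and paired with the administrator-approval and captcha recommendations above rather than relied on alone.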
