[aur-dev] Removing spammer accounts

Lukas Fleischer archlinux at cryptocrack.de
Sun Mar 24 18:37:53 EDT 2013

I analyzed recent additions to the AUR user database in the hope of
finding a way to delete all spammer accounts.

Unfortunately, the account creation bot seems to be a bit more clever
than I thought. Various different user names (both random user names,
user names extracted from IRC channels etc.) and various different email
addresses (different hosts, some local parts match the user name and
some don't) were used.

The only obvious pattern is that following fields are always empty:

* RealName
* IRCNick
* PGPKey

However, using that filter and also filtering by ID (51617 is the first
account obviously created by a bot) and last login (1363737600 is
2013-03-20 00:00:00 which is after the login form has been disabled for
Tor users) still leaves 18378 accounts:

    mysql> SELECT COUNT(*) FROM Users WHERE RealName = '' AND
        -> IRCNick = '' AND PGPKey = '' AND ID >= 51617 AND
        -> ID <= 70072 AND LastLogin < 1363737600;
    | COUNT(*) |
    |    18378 |
    1 row in set (0.01 sec)

My suggestion is:

1. Set the password field of these accounts to "", so that they will no
   longer be able to login. They can still use the password reset form.

2. Delete all accounts that still have an empty password field in ~2

If there are any objections or alternative suggestions, please let me
know. Otherwise, I will unset password fields before I re-enable the
registration form (on Tuesday, 2013-03-26).


More information about the aur-dev mailing list