[aur-dev] Removing spammer accounts

Daniel Wallace danielwallace at gtmanfred.com
Sun Mar 24 18:47:15 EDT 2013


Lukas Fleischer <archlinux at cryptocrack.de> wrote:

>I analyzed recent additions to the AUR user database in the hope of
>finding a way to delete all spammer accounts.
>
>Unfortunately, the account creation bot seems to be a bit more clever
>than I thought. Various different user names (both random user names,
>user names extracted from IRC channels etc.) and various different email
>addresses (different hosts, some local parts match the user name and
>some don't) were used.
>
>The only obvious pattern is that the following fields are always empty:
>
>* RealName
>* IRCNick
>* PGPKey
>
>However, using that filter and also filtering by ID (51617 is the first
>account obviously created by a bot) and last login (1363737600 is
>2013-03-20 00:00:00 which is after the login form has been disabled for
>Tor users) still leaves 18378 accounts:
>
>    mysql> SELECT COUNT(*) FROM Users WHERE RealName = '' AND
>        -> IRCNick = '' AND PGPKey = '' AND ID >= 51617 AND
>        -> ID <= 70072 AND LastLogin < 1363737600;
>    +----------+
>    | COUNT(*) |
>    +----------+
>    |    18378 |
>    +----------+
>    1 row in set (0.01 sec)
>
>My suggestion is:
>
>1. Set the password field of these accounts to "", so that they will no
>   longer be able to log in. They can still use the password reset form.
>
>2. Delete all accounts that still have an empty password field in ~2
>   weeks.
>
>If there are any objections or alternative suggestions, please let me
>know. Otherwise, I will unset password fields before I re-enable the
>registration form (on Tuesday, 2013-03-26).
>
>Regards,
>Lukas

The only suggestion I have is to include a message about passwords being cleared on the login screen, more specifically the failed login screen.

--
Sent from my Android Phone.
Daniel Wallace
Arch Linux Trusted User
GTManfred
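The two-step cleanup proposed in the quoted message (blank the password field now, delete the accounts still blank about two weeks later), as an added example that is not part of either post and not AUR code. It runs against an in-memory SQLite table instead of the MySQL database; the `Passwd` and `Username` column names and all sample rows are assumptions constructed for the demonstration.

```python
import sqlite3

FIRST_BOT_ID, LAST_ID = 51617, 70072   # ID range from the post
CUTOFF = 1363737600                    # 2013-03-20 00:00:00, from the post

# Filter from the post's SELECT; reused unchanged by both phases.
SUSPECT = ("RealName = '' AND IRCNick = '' AND PGPKey = '' "
           "AND ID >= ? AND ID <= ? AND LastLogin < ?")
ARGS = (FIRST_BOT_ID, LAST_ID, CUTOFF)

def make_db():
    """Constructed sample table; Passwd and Username are assumed column names."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (ID INTEGER PRIMARY KEY, Username TEXT, "
               "RealName TEXT, IRCNick TEXT, PGPKey TEXT, Passwd TEXT, "
               "LastLogin INTEGER)")
    rows = [
        (51000, "old_user",  "", "", "", "h1", 1360000000),  # below ID range
        (51617, "bot_a",     "", "", "", "h2", 0),            # matches filter
        (60000, "quiet_dev", "", "", "", "h3", 1363000000),   # real, but matches
        (60001, "named_dev", "Jo Doe", "", "", "h4", 1363000000),  # RealName set
        (65000, "active",    "", "", "", "h5", 1363800000),   # login after cutoff
        (70072, "bot_b",     "", "", "", "h6", 0),            # matches filter
    ]
    db.executemany("INSERT INTO Users VALUES (?,?,?,?,?,?,?)", rows)
    return db

def lock_suspects(db):
    """Step 1: blank the password so login fails; the reset form still works."""
    with db:
        return db.execute(f"UPDATE Users SET Passwd = '' WHERE {SUSPECT}", ARGS).rowcount

def purge_unclaimed(db):
    """Step 2 (about two weeks later): delete accounts nobody reclaimed.
    Keeping the filter next to Passwd = '' is this example's conservative choice."""
    with db:
        return db.execute(
            f"DELETE FROM Users WHERE Passwd = '' AND {SUSPECT}", ARGS).rowcount

def run_demo():
    db = make_db()
    locked = lock_suspects(db)
    # A real user caught by the filter goes through the password reset form.
    with db:
        db.execute("UPDATE Users SET Passwd = 'new-hash' WHERE Username = 'quiet_dev'")
    purged = purge_unclaimed(db)
    left = [r[0] for r in db.execute("SELECT Username FROM Users ORDER BY ID")]
    return locked, purged, left
```

`run_demo()` returns the number of accounts locked, the number purged, and the surviving user names; the account that reset its password between the two phases is kept.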


