[aur-dev] Removing spammer accounts
danielwallace at gtmanfred.com
Sun Mar 24 18:47:15 EDT 2013
Lukas Fleischer <archlinux at cryptocrack.de> wrote:
>I analyzed recent additions to the AUR user database in the hope of
>finding a way to delete all spammer accounts.
>Unfortunately, the account creation bot seems to be a bit more clever
>than I thought. Various different user names (both random user names,
>user names extracted from IRC channels etc.) and various different
>addresses (different hosts, some local parts match the user name and
>some don't) were used.
>The only obvious pattern is that following fields are always empty:
>However, using that filter and also filtering by ID (51617 is the first
>account obviously created by a bot) and last login (1363737600 is
>2013-03-20 00:00:00 which is after the login form has been disabled for
>Tor users) still leaves 18378 accounts:
> mysql> SELECT COUNT(*) FROM Users WHERE RealName = '' AND
> -> IRCNick = '' AND PGPKey = '' AND ID >= 51617 AND
> -> ID <= 70072 AND LastLogin < 1363737600;
> | COUNT(*) |
> | 18378 |
> 1 row in set (0.01 sec)
>My suggestion is:
>1. Set the password field of these accounts to "", so that they will no
> longer be able to login. They can still use the password reset form.
>2. Delete all accounts that still have an empty password field in ~2
>If there are any objections or alternative suggestions, please let me
>know. Otherwise, I will unset password fields before I re-enable the
>registration form (on Tuesday, 2013-03-26).
The only suggestion I have is to include a message about passwords being cleared on the login screen, more specifically the failed login screen.
Sent from my Android Phone.
Arch Linux Trusted User
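
Added example, not part of either message and not AUR code: a sketch of the proposed lockout run against an in-memory SQLite stand-in for the Users table, with the failed-login notice suggested in the reply. The `Username` and `Passwd` column names, the sample rows, the placeholder hashes and the notice wording are assumptions; the filter and its bounds are the ones quoted above.

```python
import hmac
import sqlite3

# Filter and bounds as quoted in the thread; "Username" and "Passwd" are assumed names.
FILTER = ("RealName = '' AND IRCNick = '' AND PGPKey = '' "
          "AND ID >= ? AND ID <= ? AND LastLogin < ?")
PARAMS = (51617, 70072, 1363737600)
FAIL_MSG = ("Bad username or password. Some passwords were cleared; "
            "use the password reset form if yours no longer works.")

def make_db():
    """In-memory stand-in for the Users table, filled with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (ID INTEGER PRIMARY KEY, Username TEXT, "
               "Passwd TEXT, RealName TEXT, IRCNick TEXT, PGPKey TEXT, "
               "LastLogin INTEGER)")
    db.executemany("INSERT INTO Users VALUES (?,?,?,?,?,?,?)", [
        (100, "olduser", "h1", "", "", "", 1300000000),         # ID below range
        (51617, "bot1", "h2", "", "", "", 0),                   # matches filter
        (60000, "human", "h3", "A. Person", "", "", 1363000000),  # RealName set
        (60001, "recent", "h4", "", "", "", 1363800000),        # login after cutoff
        (70072, "bot2", "h5", "", "", "", 1363000000),          # matches filter
    ])
    db.commit()
    return db

def lock_suspected(db):
    """Blank Passwd on matching rows; roll back if the count differs from the dry run."""
    expected = db.execute(f"SELECT COUNT(*) FROM Users WHERE {FILTER}",
                          PARAMS).fetchone()[0]
    cur = db.execute(f"UPDATE Users SET Passwd = '' WHERE {FILTER}", PARAMS)
    if cur.rowcount != expected:
        db.rollback()
        raise RuntimeError("affected rows differ from dry-run count")
    db.commit()
    return cur.rowcount

def login(db, username, submitted_hash):
    """Return (ok, message); a blank stored Passwd never authenticates."""
    row = db.execute("SELECT Passwd FROM Users WHERE Username = ?",
                     (username,)).fetchone()
    stored = row[0] if row else ""
    # Same message for unknown user, wrong password and cleared password,
    # so the notice does not reveal which accounts were flagged.
    if stored == "" or not hmac.compare_digest(stored, submitted_hash):
        return False, FAIL_MSG
    return True, "OK"
```

The explicit blank check matters because a login routine that only compares stored and submitted values would accept an empty submission for every cleared account.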