James G. Sack (jim) wrote:
Tracy R Reed wrote:
James G. Sack (jim) wrote:
I don't know. How would you trace the confirmation step?

If you sign up and create a new account it should not let you login or
create or edit content until you receive a confirmation email containing
your password or a link to click on or something.


Yes, I understood that's how it is supposed to work. What I am wondering is where the audit trail is:
 registration submitted
 confirmation-notice sent
 confirmation-reply or action completed


In the last day, another 13-or-so registrations have occurred, bringing the current stats to 314 "members".

I haven't removed the members (or their empty dirs). It should be safe because the dirs are inaccessible (because of Josh's mod_rewrite lockout). That is, the bogus members can't upload the scam (drugs, porn, etc) pages.

Is there any value in recording the user email addresses?

I'm also wondering how to check that the registration process is working as expected -- can someone check the maillogs? .. Josh? jhriv?

Even if baddies can't repeat the previous exploit, it seems we're still being (sort-of) mobbed by registrations from bogus members. Will that dwindle off with unsuccessful exploits? Or is that a new fact-of-life that we have to find a solution to?

It's been mentioned before, but should we consider measures to reduce bot-driven exploits?

The "captcha" method has been mentioned, but it does add an accessibility penalty for the visually impaired.

Sol Shumer has pointed out a w3c pub on alternatives:
  http://www.w3.org/TR/turingtest/


Bottom line questions:

Q1. Does zope 2.8.8, python 2.3.5, plone 2.1.3 protect against the spam exploit?

Q2. What should we do about bogus registrations? Prevention? Additional DailyDeletion? .. or other cleanout operations, hopefully automated?

Q3. What are the current stats and trend on attempted access to prior/nonexistent-new Members' scam pages? .. When will it be safe to reenable access to the Members path? If it's going to be a while, can we provide and publish an alias or make a temporary path for new registrations, and move to the real root of Members upon "approval"? Or what?

What else?

Regards,
..Jim

--
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-steer
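The three-step audit trail Jim asks about (registration submitted, confirmation notice sent, confirmation completed) can be reconstructed from logs and used to answer both Q2 (which registrations never confirmed and can be cleaned out) and the "is the registration process working" question (a confirmation completed with no notice sent, or a registration with no notice at all, points at a mail or logging problem). The script below is an added example, not code from Plone, Zope or anyone on the list; the one-line-per-event log format and the sample lines are constructed for the example, and the 24-hour grace period and 60-second burst window are assumed values.

```python
"""Correlate registration / confirmation-sent / confirmation-done events from log
lines and classify each account.  Added example; the log format is an assumption,
not Plone's or Zope's real format."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log.  Format (assumed): "<date> <time> <event> user=<id> [email=<addr>]"
SAMPLE_LOG = """\
2006-05-01 10:00:01 register user=alice email=alice@example.org
2006-05-01 10:00:02 confirm_sent user=alice
2006-05-01 10:05:30 confirm_done user=alice
2006-05-01 10:01:00 register user=xx1 email=xx1@example.net
2006-05-01 10:01:01 confirm_sent user=xx1
2006-05-01 10:01:05 register user=xx2 email=xx2@example.net
2006-05-01 10:01:06 confirm_sent user=xx2
2006-05-01 10:01:10 register user=xx3 email=xx3@example.net
2006-05-01 10:01:12 confirm_done user=xx3
2006-05-02 11:50:00 register user=xx4 email=xx4@example.net
2006-05-02 11:50:01 confirm_sent user=xx4
"""
SAMPLE_NOW = datetime(2006, 5, 2, 12, 0, 0)  # constructed "current time" for the sample

EVENTS = ("register", "confirm_sent", "confirm_done")
LINE_RE = re.compile(
    r"^(\S+ \S+) (register|confirm_sent|confirm_done) user=(\S+)(?: email=(\S+))?$"
)


def parse_log(text):
    """Return {user: {event: timestamp, 'email': addr}} built from matching lines."""
    trail = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log line
        ts, event, user, email = m.groups()
        trail[user][event] = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if email:
            trail[user]["email"] = email
    return dict(trail)


def audit(trail, now, grace=timedelta(hours=24)):
    """Classify every account seen in the trail.

    confirmed : all three steps present and in order
    pending   : registered, notice sent, still inside the grace period
    stale     : registered, notice sent, never confirmed within the grace period
    anomalous : a step is missing or out of order (e.g. confirmation completed
                without a notice ever being sent, or registration with no notice)
    """
    status = {}
    for user, ev in trail.items():
        reg, sent, done = (ev.get(e) for e in EVENTS)
        if done is not None:
            if reg is None or sent is None or not (reg <= sent <= done):
                status[user] = "anomalous"
            else:
                status[user] = "confirmed"
        elif reg is None or sent is None:
            status[user] = "anomalous"
        elif now - reg > grace:
            status[user] = "stale"
        else:
            status[user] = "pending"
    return status


def busiest_window(trail, window=timedelta(seconds=60)):
    """Largest number of registrations falling inside any sliding window (burst size)."""
    times = sorted(ev["register"] for ev in trail.values() if "register" in ev)
    best = 0
    for i, start in enumerate(times):
        n = sum(1 for t in times[i:] if t - start <= window)
        best = max(best, n)
    return best


def audit_sample():
    """Run the audit over the constructed sample; returns (status dict, burst size)."""
    trail = parse_log(SAMPLE_LOG)
    return audit(trail, SAMPLE_NOW), busiest_window(trail)


if __name__ == "__main__":
    status, burst = audit_sample()
    for user, s in sorted(status.items()):
        print(f"{user:8} {s}")
    print(f"largest registration burst in 60s: {burst}")
```

Accounts reported as "stale" are the candidates for an automated cleanout (the DailyDeletion idea in Q2), "anomalous" ones are what to look at when checking whether the mail step is actually firing, and the burst size gives a number to watch for the "mobbed by registrations" trend over time.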
