2008/01/13

i-pod.info bot and solution

Right after Christmas of 2007, some users complained about illegal activity and mass registration of users from the i-pod.info domain. How can you protect your site? If you are one of the victims, please read on.

Some Moodle admins received, as a Christmas gift, a sudden increase in registered users from the same domain, ending with "i-pod.info". The reason for this unwanted activity is still unknown, but I suspect it is for spamming purposes or maybe something even worse.

Spam is a very big problem on today's internet. Spam is the result of "abuse of electronic messaging systems to indiscriminately send unsolicited bulk messages" (from Wikipedia, check link above). It costs you time and unneeded download traffic, and it makes you angry when someone tells you every day that you need to buy some stupid pills because they are SO CHEAP!!! :D. Gimme a break ;).

So what to do?

Try another authentication method
Email self-registration is one of the least safe methods of authentication Moodle provides. If you have any other way to authenticate your users (LDAP, Shibboleth), use it!

But I understand that not everyone can do that. So the next steps are for you:

First of all, keep the nasty bot out! In Moodle you can ban the domain of an email address.

Go to Site Administration >> Server >> Email and add '%@i-pod.info' into denyemailaddresses

Now, to get rid of the unwanted fake accounts, do the following:

1. You are sure that the unconfirmed accounts created since you were hit by the bot are only from the mentioned domain:
a) Let Moodle handle it: set "Delete unconfirmed users after" in Site Administration >> Server >> Cleanup to some low value, for example 1 hour. Cron will start the cleanup service, and unconfirmed accounts will be deleted after the configured time.

This is the easiest way for inexperienced administrators or beginners who don't want to mess with the database.

b) You are a daredevil and you are using 1.9. Now it's your payoff time! Moodle 1.9 has a mass deleting tool. You can select bogus users and delete them all at once.

Go to Site administration >> Users >> Accounts >> Bulk users action. Select the unwanted accounts there and delete them.



2. You are not sure whether your install has some unconfirmed accounts other than those from i-pod.info, and you don't want to delete these accounts.

a) You have access to your Moodle database with some tool (phpMyAdmin is the most used), you are able to use this tool, and you are not afraid of it (you should always be wary of messing with the database directly; if you are not sure what you are doing, it can easily get out of hand!).

Run this query in phpMyAdmin:


DELETE FROM `mdl_user` WHERE `email` LIKE '%@i-pod.info'


This query will delete all users with emails ending with @i-pod.info!!! I hope you haven't had any real users from this domain! ;)

If you suspect that some fake users have already performed some actions in your installation, this query is safer:

UPDATE `mdl_user` SET deleted='1' WHERE `email` LIKE '%@i-pod.info'


This query will mark the spoiled users as deleted. Their accounts will stay in your database, but they will not be active, so intruders won't be able to use them.
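
Before running either query, it helps to see exactly which rows the pattern matches and to keep a copy of them. The following is an added example, not part of the original post; it assumes MySQL, the default `mdl_` table prefix and the `confirmed`, `deleted` and `lastaccess` columns of `mdl_user`, and `mdl_user_ipod_backup` is a hypothetical table name.

```sql
-- Added example: dry run, backup, soft delete, verification.
-- Run the statements one at a time and read each result before continuing.

-- 1. Dry run: how many accounts match, split by state.
--    ever_logged_in > 0 means some of these accounts were actually used.
SELECT `confirmed`, `deleted`,
       COUNT(*)              AS accounts,
       SUM(`lastaccess` > 0) AS ever_logged_in
FROM `mdl_user`
WHERE `email` LIKE '%@i-pod.info'
GROUP BY `confirmed`, `deleted`;

-- 2. Look at a sample of the matching rows to confirm they are bot accounts.
SELECT `id`, `username`, `email`, `confirmed`, `lastaccess`
FROM `mdl_user`
WHERE `email` LIKE '%@i-pod.info'
ORDER BY `id`
LIMIT 50;

-- 3. Keep a copy of the affected rows. This works on any storage engine,
--    unlike a transaction, which MyISAM tables do not honour.
--    (mdl_user_ipod_backup is a hypothetical name; pick your own.)
CREATE TABLE `mdl_user_ipod_backup` AS
SELECT * FROM `mdl_user`
WHERE `email` LIKE '%@i-pod.info';

-- 4. Soft delete only the rows that are not already marked as deleted.
--    The reported "rows affected" should equal the deleted = 0 counts from step 1.
UPDATE `mdl_user`
SET `deleted` = 1
WHERE `email` LIKE '%@i-pod.info'
  AND `deleted` = 0;

-- 5. Verify: this must return 0.
SELECT COUNT(*) AS still_active
FROM `mdl_user`
WHERE `email` LIKE '%@i-pod.info'
  AND `deleted` = 0;
```

The pattern has no trailing wildcard, so it matches only addresses that end in `@i-pod.info`; addresses on subdomains of that domain are not matched and would need their own pattern.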


I hope you have endured this article and that it was of some help to you. I am preparing a post on how to protect your email-registration-driven Moodle from bots, so please add my RSS feed to your reader or subscribe with your email address.