Dirty database of users

Mauro Carvalho Chehab mchehab at infradead.org
Mon Mar 25 00:26:10 EST 2013


Hi Jeremy,

What criteria are used to allow someone to create a new account on patchwork?

What I'm seeing on my patchwork instance is that there are thousands of
what seem to be fake accounts there, like:

	http://patchwork.linuxtv.org/project/linux-media/list/?submitter=4392&state=*
	http://patchwork.linuxtv.org/project/linux-media/list/?submitter=4398&state=*

None of those users ever sent a patch to patchwork, but they're
registered there at patchwork.

There are even some entries there at auth_user that seemed to be part of some
SQL injection trial, like this one[1]:

| 2994 | liermoz | ??????? | ?????????? | liermoz at mail.ru | sha1$0dcf7$62b4bb14fba61e0288b247ed51bf682125552d2a | 0 | 0 | 0 | 2013-01-27 17:55:37 | 2013-01-27 17:55:37 |

A deeper look at the email addresses shows that some sites seem to be
registering random accounts there, not sure why. For example, there
are 305 registered emails from ryanandkellywedding.com. I'm pretty
sure I never committed or reviewed any patch from any of such emails.

So, I'm concerned that some of those entries could be attempts to violate
patchwork's security.

So, I think it makes sense to better review and fix any security issues
that might be there, and to record more information (like IP address and
timestamp) for any attempt to create a new user there.

Also, if someone never sent a patch, they have no business with
patchwork. So, I can't see why he/she should be allowed to create
an account there.

So, in the case of the patchwork instance I maintain, I'd like to:

1) run a script that would delete all users that never sent a patch;

2) better validate the patchwork accounts: except for user accounts
created by the admin, an account creation should first check if
that user email has submitted any patch and if the user name matches
what's there at the patch. If it matches, patchwork should then send a
confirmation to such email before allowing the user to create/handle
his account.

As I'm not familiar with the table structure (and I'm not a python
programmer), could you please help doing that?

[1] Btw, this address seems to be used to forge IDs on other places
	http://www.railpage.com.au/user/66425/
	http://www.botscout.com/ipcheck.htm?ip=89.223.41.18
	http://www.stopforumspam.com/ipcheck/89.223.41.18

I suspect that it belongs to a bot that tries to create emails to be
used by spammers. Unfortunately, patchwork doesn't log at the database
the IP address for the one trying to create an account, nor can we
block account creations by known bad IP addresses.

Thanks!
Mauro
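An added example (my own illustration, not patchwork's code or anything from the thread) of the triage described in steps 1 and 2 above: find non-staff accounts whose email never appears as a patch submitter, spot domains that registered many such accounts in bulk, and purge the idle set. The `patchwork_person` / `patchwork_patch` table layout and the sample rows are assumptions constructed for the demo; only `auth_user` is named in the mail.

```python
import sqlite3
from collections import Counter

# Constructed schema: Django's auth_user plus an assumed patchwork_person /
# patchwork_patch layout (submitter -> person -> email). A real instance may
# differ; check the actual columns before running anything like this.
SCHEMA = """
CREATE TABLE auth_user (id INTEGER PRIMARY KEY, username TEXT, email TEXT,
                        is_staff INTEGER, date_joined TEXT);
CREATE TABLE patchwork_person (id INTEGER PRIMARY KEY, email TEXT, user_id INTEGER);
CREATE TABLE patchwork_patch (id INTEGER PRIMARY KEY, submitter_id INTEGER);
"""

# Constructed sample rows: one admin, one genuine contributor, and a cluster
# of registrations from one domain that never submitted anything.
USERS = [
    (1, "admin", "admin@example.org", 1, "2010-01-01 00:00:00"),
    (2, "dev", "dev@example.org", 0, "2011-05-05 00:00:00"),
    (3, "guest1", "a@bulk.example", 0, "2013-01-27 17:55:37"),
    (4, "guest2", "b@bulk.example", 0, "2013-01-27 17:56:02"),
    (5, "guest3", "c@bulk.example", 0, "2013-01-27 17:56:40"),
]

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO auth_user VALUES (?,?,?,?,?)", USERS)
    db.execute("INSERT INTO patchwork_person VALUES (1, 'dev@example.org', 2)")
    db.execute("INSERT INTO patchwork_patch VALUES (1, 1)")  # dev sent one patch
    return db

def users_without_patches(db):
    """Non-staff accounts whose email never appears as a patch submitter."""
    sql = """SELECT u.id, u.username, u.email FROM auth_user u
             WHERE u.is_staff = 0 AND NOT EXISTS (
               SELECT 1 FROM patchwork_patch p
               JOIN patchwork_person s ON p.submitter_id = s.id
               WHERE lower(s.email) = lower(u.email))"""
    return db.execute(sql).fetchall()

def bulk_domains(users, threshold):
    """Email domains contributing at least `threshold` idle accounts."""
    counts = Counter(email.rsplit("@", 1)[-1].lower() for _, _, email in users)
    return {d: n for d, n in counts.items() if n >= threshold}

def purge_users(db, users):
    """Delete the given idle accounts; returns how many rows were removed."""
    cur = db.executemany("DELETE FROM auth_user WHERE id = ?", [(u[0],) for u in users])
    db.commit()
    return cur.rowcount
```

Review the `bulk_domains` output by hand before purging: a shared corporate domain with several real reviewers would look the same as a bulk registration.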

