Jon Stahl

Since I've gotten zero response in nearly two weeks on the plone-website list, I thought I'd forward this along here.

cheers,
jon

---------- Forwarded message ----------
From: Jon Stahl <[hidden email]>
Date: Fri, Mar 9, 2012 at 3:02 PM
Subject: Cleaning up bogus user accounts
To: [hidden email]

Hi all-

Sean Kelly and I have been investigating the state of the plone.org LDAP database, and we have some recommendations to bounce off of the larger community.

We have about 58k accounts in the plone.org LDAP system, which backends authentication for plone.org, dev.plone.org (trac) and is synced to github. The vast, vast majority of these accounts (all but about 2000) are pretty obviously bogus/spam accounts, and most of these (but not all) were created back in the days when we had a vulnerability (now closed) related to member portraits, which made it worthwhile to try to create bogus user accounts for SEO spamming.

Sean and I believe we can easily nuke all of these accounts with minimal collateral damage to legit accounts by removing all accounts that are NOT members of a plone.org LDAP group (e.g. committers, collective committers, etc.) AND also have not ever created a record in the Trac database (e.g. a bug report or a comment) AND don't own an item in http://plone.org/support/sites or http://plone.org/support/providers.

Can anybody think of a class of legitimate accounts that would be excluded by the above logic?

---
Jon Stahl
MPA Candidate, Evans School of Public Affairs
University of Washington
http://jstahl.org
206.226.0818

------------------------------------------------------------------------------
This SF email is sponsored by: Try Windows Azure free for 90 days Click Here
http://p.sf.net/sfu/sfd2d-msazure
_______________________________________________
Plone-developers mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/plone-developers
William Deegan
Jon,

Perhaps generate the list of accounts and let people raise their hands if any should be kept?

-Bill

On Mar 21, 2012, at 2:57 PM, Jon Stahl wrote:
> Can anybody think of a class of legitimate accounts that would be
> excluded by the above logic?
Jon Stahl
Hmm, good suggestion, we'll consider that. It will be quite long, but people can search it, I suppose.

On Wed, Mar 21, 2012 at 3:20 PM, William Deegan <[hidden email]> wrote:
> Perhaps generate the list of accounts and let people raise their hands if any should be kept?
Laurence Rowe
To be completely sure you might need to look at all local role assignments as well; if a user has none then they can just recreate their account if needs be.

Another way might be to cross-check against login_time / last_login_time (I forget which is updated)? And decide that any account that has not logged in recently but would otherwise be removed would become fair game. If people want to keep their accounts they can just log in to plone.org. (This info is in portal_memberdata rather than in ldap.)

Laurence

On 21 March 2012 22:23, Jon Stahl <[hidden email]> wrote:
> Hmm, good suggestion, we'll consider that. It will be quite long,
> but people can search it, I suppose.
Anthony Gerrard
I'm sure we have, but just in case please ensure you have a tested backup / restore procedure in place.

http://blog.jquery.com/2011/12/08/what-is-happening-to-the-jquery-plugins-site/

On 21 March 2012 22:44, Laurence Rowe <[hidden email]> wrote:
> Another way might be to cross-check against login_time /
> last_login_time (I forget which is updated)? And decide that any
> account that has not logged in recently but would otherwise be removed
> would become fair game.
Jon Stahl
We'll make sure we have a backup of the LDAP files before we do this.

:jon

On Thu, Mar 22, 2012 at 12:32 AM, Anthony Gerrard <[hidden email]> wrote:
> I'm sure we have but just in case please ensure you have a tested
> backup / restore procedure in place.
Luca Fabbri
On Wed, Mar 21, 2012 at 10:57 PM, Jon Stahl <[hidden email]> wrote:
> Since I've gotten zero response in nearly two weeks on the
> plone-website list, I thought I'd forward this along here.

Just to know: is this task still in progress? Today I got a spam message on a Poi issue tracker, I think from an authenticated user.

--
-- luca
twitter: http://twitter.com/keul
linkedin: http://linkedin.com/in/lucafbb
blog: http://blog.keul.it/

------------------------------------------------------------------------------
For Developers, A Lot Can Happen In A Second. Boundary is the first to Know...and Tell You. Monitor Your Applications in Ultra-Fine Resolution. Try it FREE!
http://p.sf.net/sfu/Boundary-d2dvs2
Jon Stahl
On Thu, Apr 12, 2012 at 11:53 PM, Luca Fabbri <[hidden email]> wrote:
> Just to know: is this task still in progress? Today I got a spam
> message on a Poi issue tracker, I think from an authenticated user.

It hasn't happened yet, but it will. In the meantime, send me the username and I will nuke it.

:jon
Maurits van Rees
On 13-04-12 16:33, Jon Stahl wrote:
> On Thu, Apr 12, 2012 at 11:53 PM, Luca Fabbri <[hidden email]> wrote:
>> Just to know: is this task still in progress? Today I got a spam
>> message on a Poi issue tracker, I think from an authenticated user.
>
> It hasn't happened yet, but it will. In the meantime, send me the
> username and I will nuke it.

I had one in the issue tracker of Poi itself today, with fullname 'Coach Outlet'; don't know what the exact user id is. I have removed the spam message.

--
Maurits van Rees: http://maurits.vanrees.org/
Zest Software: http://zestsoftware.nl
Jon Stahl
On Fri, Apr 13, 2012 at 9:07 AM, Maurits van Rees <[hidden email]> wrote:
> I had one in the issue tracker of Poi itself today, with fullname 'Coach
> Outlet'; don't know what the exact user id is. I have removed the spam
> message.

User deleted.

:jon
Luca Fabbri
On Fri, Apr 13, 2012 at 6:14 PM, Jon Stahl <[hidden email]> wrote:
> On Fri, Apr 13, 2012 at 9:07 AM, Maurits van Rees <[hidden email]> wrote:
>> I had one in the issue tracker of Poi itself today, with fullname 'Coach
>> Outlet'; don't know what the exact user id is. I have removed the spam
>> message.
>
> User deleted.

Another user to be deleted: "oakleysung"

It also added a spam comment to one of my products, but I've no power to delete the comment itself: http://plone.org/products/ploneboardnotify

--
-- luca
twitter: http://twitter.com/keul
linkedin: http://linkedin.com/in/lucafbb
blog: http://blog.keul.it/

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats.
http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/