Good morning!

I'm sorry if this is the wrong venue for this, but I am not sure where else to post it. As of this morning, I have good reason to suspect that one of my Drupal sites is the victim of a zombie-based DDoS attack, and I felt I should warn the Drupal development community that a new Drupal-specific bot may be out there in the wild.

The site allows anyone to create a user account, with no approval needed but of course with no special privileges (all it really gains them is the ability to queue comments for approval, subscribe to node comments, and to customize their timezone).

What happened is that last night a large number of new user accounts were all created with garbage-looking and undeliverable Yahoo! addresses as the email target, e.g., sdfuhgfdhghu@yahoo.com. My site is a rather narrowly-focused site related to historical reenactment, and we typically average only 1 or 2 new users per day, and there have been 57 since midnight last night. That's not a huge number, but it's *way* outside our normal statistical range.

I initially thought this might be one script kiddie with a Perl bot, but I checked my logs, and there were 57 requests since midnight spread over 21 different IPs. Only one of the IP addresses has a valid reverse DNS, and it points to a dialup pool. In the Apache logs, all of the browser ID strings are identical:

    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

which suggests either a bot emulating this browser, or a coordinated attack by a couple dozen individuals. I consider the latter to be unlikely, as the site is neither politically controversial nor commercial in nature, so I doubt anyone would have enough motive to work hard enough to do an attack by manual means.

I post this message here for three reasons:

1. I wanted to warn others that if there is a bot to attack my site, they may attack other Drupal sites in the near future, and

2. I wanted to see if anyone has a suggestion of a module -- including one that I might create -- that could block bogus user account requests like this but not legitimate ones. Will the "Captcha" module do what I need?

3. I wanted to find out if anyone else has seen similar behavior, to see if this is part of a larger pattern that may need to be addressed in user.module. For example, if this is commonplace, should "Captcha" become part of core?

The attacks aren't doing any real harm -- my server can easily cope with the load, and I'll eventually just purge the accounts that are never activated. They're a nuisance, but I still want to make this go away if I can.

I'll be glad to share more details upon request -- my site is not business-related, so I have no reason to conceal logs or other pertinent data that could help the Drupal development community guard against things like this.

Scott

--
-------------------------------------------------------------------------------
Syscrusher (Scott Courtney)          Drupal page: http://drupal.org/user/9184
syscrusher at 4th dot com            Home page:   http://4th.com/
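
The log check described in the message (registration requests counted per browser ID string and per source IP), as an added example that is not part of the original post. It assumes Apache "combined" log format and that sign-ups are POSTs to `user/register`; the function names, thresholds and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache "combined" format: ip, ident, user, [time], "request", status, size, "referer", "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Assumption: the sign-up form posts to user/register (clean URLs or ?q= style).
REGISTER_RE = re.compile(r'^/(?:index\.php)?(?:\?q=)?user/register(?:[?&#]|$)')

def registration_bursts(lines, min_posts=5, min_ips=3):
    """Return {user_agent: (posts, distinct_ips)} for agents over both thresholds."""
    by_ua = defaultdict(lambda: {"posts": 0, "ips": set()})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["method"] != "POST" or not REGISTER_RE.match(m["path"]):
            continue  # unparseable line, or not a registration submission
        entry = by_ua[m["ua"]]
        entry["posts"] += 1
        entry["ips"].add(m["ip"])
    return {ua: (e["posts"], len(e["ips"])) for ua, e in by_ua.items()
            if e["posts"] >= min_posts and len(e["ips"]) >= min_ips}

def constructed_sample():
    """Constructed log lines (documentation IP ranges), not data from the site."""
    ua_bot = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    ua_other = "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20050922 Firefox/1.0.7"
    fmt = '{ip} - - [10/Oct/2005:00:{mm:02d}:00 -0400] "{req} HTTP/1.1" 200 5120 "-" "{ua}"'
    lines = [fmt.format(ip=f"192.0.2.{i % 4 + 1}", mm=i, req="POST /user/register", ua=ua_bot)
             for i in range(8)]
    lines.append(fmt.format(ip="198.51.100.7", mm=20, req="POST /user/register", ua=ua_other))
    lines.append(fmt.format(ip="192.0.2.1", mm=21, req="GET /node/12", ua=ua_bot))
    return lines

if __name__ == "__main__":
    for ua, (posts, ips) in registration_bursts(constructed_sample()).items():
        print(f"{posts} registration POSTs from {ips} IPs with agent: {ua}")
```

The thresholds should be set against the site's normal sign-up rate; a site averaging 1 or 2 new users per day would stand out at far lower values than a busy one.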