In a previous post, I studied the way some spammers use the Plone user folder to spam my blog. But this time, it's my turn. For a little while now, I have been hosting a small CPS website for my work, and I discovered a lot of spammer user accounts on it.
The main issue is that I haven't unset the "joinable" flag, so anybody can create an account. Because of the way passwords are sent, the spammers don't manage to post anything in the personal area.
With 300 users, and only 4 valid ones, I need to find a way to clean the acl_users folder. Last time I used twill, and it worked really well, so I decided to use the same tool for Zope.
Here is my little script:
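```python
#!/usr/bin/python
import twill

# Manager credentials and URLs: replace with your own values.
LOGIN = 'foo'
PASSWORD = 'far'
LOGIN_URL = 'http://your_server/manage_main'
USER_URL = 'http://your_server/acl_users/manage_users'
# Accounts that must be kept.
GOOD_USERS = ['jkx', 'foobar']


def delUsers():
    # Open the user management page and read the user list from its form.
    twill.commands.go(USER_URL)
    form = twill.commands.showforms()
    usernames = form.possible_items('names:list')
    # Tick the checkbox of every account that is not in GOOD_USERS.
    for u in usernames:
        if u not in GOOD_USERS:
            twill.commands.formvalue(1, 'names:list', u)
    twill.commands.showforms()
    # Submit with button 3 to delete the selected users.
    twill.commands.submit(3)


def doLogin():
    # Log in through the Zope management interface.
    twill.commands.go(LOGIN_URL)
    forms = twill.commands.showforms()
    twill.commands.formvalue(2, '__ac_name', LOGIN)
    twill.commands.formvalue(2, '__ac_password', PASSWORD)
    twill.commands.submit()


if __name__ == '__main__':
    doLogin()
    delUsers()
```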
This will drop all user accounts (except the ones in GOOD_USERS).
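Because the script deletes everything outside GOOD_USERS in one pass, a dry run is worth doing first. The following is an added example, not part of the original script: it reads the `names:list` checkboxes from a saved copy of the user page and refuses to build a deletion list if an allowlisted name is missing. The function names and the sample HTML are assumptions made for illustration; real Zope markup may differ.

```python
from html.parser import HTMLParser

# Constructed sample of a user-listing form; real Zope markup may differ.
SAMPLE_HTML = """
<form action="manage_users" method="post">
  <input type="checkbox" name="names:list" value="jkx" />
  <input type="checkbox" name="names:list" value="foobar" />
  <input type="checkbox" name="names:list" value="cheap-pills-4u" />
  <input type="checkbox" name="names:list" value="casino_bonus" />
  <input type="submit" name="submit" value="Delete" />
</form>
"""


class UserListParser(HTMLParser):
    """Collect the value of every input named 'names:list'."""

    def __init__(self):
        super().__init__()
        self.usernames = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("name") == "names:list" and a.get("value"):
            self.usernames.append(a["value"])


def list_users(html):
    """Return the usernames listed in the page, in document order."""
    parser = UserListParser()
    parser.feed(html)
    return parser.usernames


def plan_deletion(usernames, good_users):
    """Return the accounts to delete, refusing if the allowlist looks wrong."""
    missing = sorted(set(good_users) - set(usernames))
    if missing:
        # A typo in the allowlist would otherwise delete a legitimate account.
        raise ValueError("allowlisted users not found: %s" % ", ".join(missing))
    return [u for u in usernames if u not in good_users]


if __name__ == "__main__":
    for name in plan_deletion(list_users(SAMPLE_HTML), ["jkx", "foobar"]):
        print("would delete:", name)
```
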