Revision history

How do unauthenticated users get onto our site?

We have a site that requires validation with an outside authentication service (a wiki/LDAP), yet we see users with obviously bad names on our site and "posting" questions with nonsense in them.

It is apparent that there are others who use AskBot with similar issues.
I have a few questions:

  • How did these users create accounts for themselves if they did not use our (what we thought was a) single external authentication?

  • How can we stop this from happening?

  • How did these bots find the site? (we don't publish it - it is a closed site)

EDIT: Note that I was able to reproduce the ability to sign in with nonsense accounts by navigating to [mysite]/account/signup/?login_provider=local. There is no way to get there from a UI as far as I could tell, but the URL works and allows a person to sign up.
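
One way to check a web server access log for use of the signup URL named in the EDIT above, as an added example that is not part of the original post or of AskBot's code. It assumes Apache/nginx combined-format access logs; the function names, sample lines and IP addresses are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Assumed log format (combined/common): ip ident user [time] "METHOD target PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
SIGNUP_PATH = "/account/signup/"  # path taken from the post's EDIT


def local_signup_hits(lines):
    """Yield (ip, timestamp, method, status) for requests to the signup path
    whose login_provider query parameter selects the local provider."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the assumed log format
        url = urlsplit(m["target"])
        if url.path.rstrip("/") + "/" != SIGNUP_PATH:
            continue
        providers = parse_qs(url.query).get("login_provider", [])
        # Case-insensitive on purpose: better to over-report than to miss a variant.
        if any(p.lower() == "local" for p in providers):
            yield m["ip"], m["ts"], m["method"], int(m["status"])


def summarize(lines):
    """Group hits as {ip: {method: count}} so form submissions (POST) stand out."""
    summary = defaultdict(lambda: defaultdict(int))
    for ip, _ts, method, _status in local_signup_hits(lines):
        summary[ip][method] += 1
    return {ip: dict(methods) for ip, methods in summary.items()}


# Constructed sample lines using documentation-range IPs, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2015:04:12:01 +0000] "GET /account/signup/?login_provider=local HTTP/1.1" 200 5120
203.0.113.7 - - [10/Mar/2015:04:12:03 +0000] "POST /account/signup/?login_provider=local HTTP/1.1" 302 0
198.51.100.23 - - [10/Mar/2015:09:30:44 +0000] "GET /questions/ HTTP/1.1" 200 20480
198.51.100.23 - - [10/Mar/2015:09:31:02 +0000] "GET /account/signin/?next=/ HTTP/1.1" 200 4096
192.0.2.55 - - [11/Mar/2015:22:05:17 +0000] "GET /account/signup/?next=%2F&login_provider=LOCAL HTTP/1.1" 200 5120
""".splitlines()

if __name__ == "__main__":
    for ip, methods in summarize(SAMPLE_LOG).items():
        print(ip, methods)
```

Comparing the timestamps of these hits with the creation times of the nonsense accounts shows whether they were registered through this URL.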
