Those fictitious users that sign themselves up with Drupal accounts are a strong argument for using profiles, and requesting additional information that can help administrators weed out hackers. As a class, they are known as forum bots, and generally sign up for an account in order to post spam messages in forums or as comments to blogs, stories, pages, etc.
For the past couple of years, I’ve been manually screening out forum bots on http://stoves.bioenergylists.org and making note of the IP address the requests originate from. (The IP information is generally in the “Recent log entries). Usually, a bot will sign up as a user, and then attempt to log in, within an inhumanly rapid time frame, or multiple times within the same second or so. This type of behavior, and the fact that forum bots tend to create accounts from specific single IPs, have lead me to suspect that some of them may be the payload of some other worm or virus instead of software intentionally run on a specific computer.
Bots and Botnets are pretty well described in wikipedia: http://en.wikipedia.org/wiki/Botnet
The Krakken, the Storm Worm (http://en.wikipedia.org/wiki/Storm_botnet) and the recent Conficker worms (http://en.wikipedia.org/wiki/Confickera0 certainly have this type of capability, but they may not be the source of the forum bots I’ve been seeing.
Judging by the profile answers that I’ve been seeing, there are at least 3 different forum bots that routinely try to login to the stoves site. The first type is the easiest to spot and generates random letter and number strings into profile fields. There is a slightly more sophisticated variety that uses random word combinations that are common to spam messages, (e.g. sex, Watches, Cialis, Viagra…), and then there’s a more sophisticated version than that that tends to answer the profile fields ‘correctly’ but can’t, so far, distinguish between city and state fields, so tends to repeat that information. The third type is also much more likely to use ‘mail.ru’ in the email address. The other two are much more random in the email address category.
There’s got to be more information about them available on the net, but where? So far, I haven’t found anything other than isolated reports that seem to describe the above 3 bots dating back to mid 2006. There are others botnets, but the above 3 seem to be the greater nuisance, and the longest lasting.
In Drupal, you can use Captcha ( http://drupal.org/project/captcha ) to help weed out the spurious users before they create an account. That's pretty effective, but for a variety of reasons I haven't been able to use it well on the BioLists site. I tend to take advantage of the fact that Drupal logs the IP address of all new user requests, and use the Drupal Access rules to deny by the specific IP. That works until the worm or virus infects a new computer, and re-finds my web site.
