Monday, July 1, 2013

My moodle site was spammed!

I had a message from one of my moodle managers today saying "James, where did all the hotmail accounts come from?"  Oh dear.  After a little investigation, I found the culprit.

The problem was a setting that the spam script exploited: Email-based self registration.  Over the past few months over 5000 fake email accounts had been created.  When I looked in the DB user table, it was clear pretty quickly which accounts were fake.

The fake accounts had these characteristics:

Either the username or the email has "hotmail", "gmail" or "outlook" in the name.  Also, the country was mostly random, not the default value of USA that I had created on the site.  The most telling of the characteristics was a URL value that went to some website selling stuff.  Most of the URL values in our real accounts are empty.

One of my first actions was to look up "moodle account spam hotmail".  This led me to this forum, where there are good discussions about this problem, along with a couple of different ways people are able to leave email self registration active while combating the spammers.

For more information on enabling / disabling email based self registration on moodle, go here.

It took me about an hour to identify and remove the accounts from my DB.  My customer is ok with leaving the self registration off for now.  I think if she wants this feature back, I would allow it for a limited amount of time.  In other words, if you want to allow students to self register, which is a good idea (IMHO), then allow them, but only for a limited time.  DO NOT LEAVE THIS DOOR WIDE OPEN INDEFINITELY - you will get spammed!

I am using moodle 2.4.1.

Finally, this reducing spam in moodle doc is VERY USEFUL too.  Follow its recommendations!

Well, I checked another of my instances where I knew I had email self registration active and BOOM, spam city!  Over 7500 accounts on this instance with hotmail in the address and where the country is not equal to US.

Since I am the DB admin as well as the moodle admin, I used this query in MySQL Workbench to find the spam emails:

EDIT * from DBname.mdl_user
WHERE email like '%hotmail%' AND country <> 'US'

This query found almost 7500 records.  I selected the first, scrolled way down to the end of the list, selected the last record, right clicked on one of the selected records and chose delete.....and waited about 2 minutes....then clicked the icon to actually run the script and the records were gone.  I did look at the moodle spam report, but it seemed much less effective than just removing the records in the table, since I knew the patterns I was looking for already.  I guess the moodle report is useful if you are not the DB admin, or the DB admin is not willing to do what I just did.  Site Admin | Reports | Spam cleaner
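Added example (not from the original post): the three indicators described above (a webmail provider name in the username or email, a non-default country, a non-empty URL) combined into one read-only scoring query, run in Python against a constructed in-memory SQLite table.  The weights, the threshold, the auth = 'email' filter for self-registered accounts and the sample rows are assumptions, and the table holds only the mdl_user columns the query reads.

```python
import sqlite3

# Constructed sample rows, not real data:
# (id, username, email, country, url, auth, deleted)
SAMPLE_USERS = [
    (1, "jsmith", "jsmith@school.example", "US", "", "manual", 0),
    (2, "mary.k", "mary.k@hotmail.com", "US", "", "email", 0),
    (3, "bestdeals77", "bestdeals77@hotmail.com", "RU", "http://shop.example/a", "email", 0),
    (4, "outlook_promo", "promo@mail.example", "BR", "http://shop.example/b", "email", 0),
    (5, "t.nguyen", "t.nguyen@hotmail.com", "VN", "", "email", 0),
    (6, "admin", "admin@school.example", "US", "http://school.example", "manual", 0),
]

# One point for a provider name in username/email, one for a non-default
# country, two for a non-empty URL (weights are an assumption).
# SQLite dialect: on MySQL replace the || concatenation with CONCAT().
SCORE_SQL = """
SELECT id, username, score FROM (
  SELECT id, username,
         (lower(username || ' ' || email) LIKE '%hotmail%'
          OR lower(username || ' ' || email) LIKE '%gmail%'
          OR lower(username || ' ' || email) LIKE '%outlook%')
       + (country <> :default_country)
       + 2 * (COALESCE(url, '') <> '') AS score
  FROM mdl_user
  WHERE auth = 'email' AND deleted = 0
) AS scored
WHERE score >= :min_score
ORDER BY score DESC, id
"""

def build_sample_db():
    """In-memory table holding only the mdl_user columns the query reads."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mdl_user (id INTEGER PRIMARY KEY, username TEXT, "
                 "email TEXT, country TEXT, url TEXT, auth TEXT, deleted INTEGER)")
    conn.executemany("INSERT INTO mdl_user VALUES (?,?,?,?,?,?,?)", SAMPLE_USERS)
    return conn

def find_spam_candidates(conn, default_country="US", min_score=3):
    """Return (id, username, score) rows for review; nothing is modified."""
    params = {"default_country": default_country, "min_score": min_score}
    return conn.execute(SCORE_SQL, params).fetchall()

if __name__ == "__main__":
    for row in find_spam_candidates(build_sample_db()):
        print(row)
```

Lowering min_score to 2 also lists the constructed account 5, which matches the provider and country patterns but has an empty URL, so the threshold decides how many accounts need a manual look before anything is removed.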

