Jonathan Corbet

So here is a weird one ... the LWN site has been seeing a steady stream of login attempts, all using weird yahoo addresses as the username. By "weird" I mean things like lllbnwidgqeerdyi@yahoo.com and other equally unlikely strings.

These do not correspond to LWN accounts, but somebody has looked at our login form for long enough to post the login attempts directly, without loading the form first. The attempts come from all over the Internet, suggesting that some sort of botnet is doing this.

I don't suppose anybody else has seen this sort of pattern, or has any idea what it is that they may be trying to accomplish?

@corbet Are maybe some of these mail addresses (wrongly) in a password dump?


@corbet Assuming load is too low for a serious attempt at DDoS, this would seem to look like an attempt to hide important log entries in noise?


@corbet I presume you've done the obvious and searched for some of the addresses? The one you've posted doesn't just seem to be a random string - https://www.cleantalk.org/blacklists/lllbnwidgqeerdyi@yahoo.com


@corbet This is a pattern I've seen regularly to attempt DOSing things that can't be cached easily. I see this in DNS attacks where random, even hopefully non-existent, things are triggered because you can't provide a cache for "all the things that do not exist" ...


@corbet If it wasn't for the "weird" addresses, it sounds like a credential stuffing attempt, which I've seen on my sites as well. If they seem like intentionally random / nonexistent accounts... I've no clue.


@corbet I wonder if that would actually require looking at the login form for long enough, or looking at all.

It's kind of a typical <form method="post"> <input type="text"> <input type="password"> <input type="submit"> thingie anyways, right?

@KasTasMykolas You need to look at least long enough to know what names have been assigned to the form elements. It would take less than a minute, but you need to do it for every site you want to attack.

Because I'm an obnoxious person, I changed the names of those elements today, conveniently bringing an end to all of those login failures. We'll see if they bother to update their script...

@corbet let's see what happens next :)

But I'm still convinced that a slightly "smarter" crawler would be able to guess what this HTML block is for, given input types common to a login form. Even the form action points to /Login.

Buggy bot using mailman-generated passwords as usernames and vice versa :-)

@corbet @KasTasMykolas Or you could add a CSRF token, which also could help to suppress these direct hits.

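Jonathan's observation that the POSTs arrive without the form ever being loaded, together with the CSRF-token suggestion above, points at a simple server-side check a defender can run over request logs. This is an added example, not code from the thread or from LWN: it scans a constructed request log for login POSTs from clients that never fetched the form within a freshness window, and flags usernames whose local part looks like the random strings described. The log format, the 10-minute window and the random-string heuristic are assumptions; the /Login path is the one mentioned in the thread.

```python
"""Flag login POSTs that arrive without the form having been loaded first."""
import re
from datetime import datetime, timedelta

# Constructed sample log (illustrative format, not LWN's real layout):
# timestamp, client IP, method, path, submitted username ('-' if none).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.5   GET  /Login -
2024-05-01T10:00:05Z 203.0.113.5   POST /Login alice@example.com
2024-05-01T10:00:07Z 198.51.100.9  POST /Login lllbnwidgqeerdyi@yahoo.com
2024-05-01T10:00:08Z 198.51.100.44 POST /Login qwxrtzplmknjhgfd@yahoo.com
2024-05-01T10:00:09Z 192.0.2.17    POST /Login zzvvbbnnmmkkllpp@yahoo.com
2024-05-01T10:30:00Z 203.0.113.5   POST /Login alice@example.com
"""

FORM_PATH = "/Login"            # form action named in the thread
WINDOW = timedelta(minutes=10)  # assumed: how long a loaded form stays "fresh"


def parse(line):
    ts, ip, method, path, user = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, method, path, user


def looks_random(username):
    """Heuristic (assumption): a long local part containing a run of five or
    more non-vowels, like the yahoo addresses described in the thread."""
    local = username.split("@")[0].lower()
    return len(local) >= 12 and re.search(r"[^aeiou]{5,}", local) is not None


def find_direct_posts(log_text, window=WINDOW):
    """Return (ip, username, random_looking) for each POST to the login form
    not preceded by a GET of the form from the same IP within `window`."""
    last_get = {}   # ip -> time the form was last fetched
    hits = []
    for line in log_text.splitlines():
        ts, ip, method, path, user = parse(line)
        if path != FORM_PATH:
            continue
        if method == "GET":
            last_get[ip] = ts
        elif method == "POST":
            seen = last_get.get(ip)
            if seen is None or ts - seen > window:
                hits.append((ip, user, looks_random(user)))
    return hits


if __name__ == "__main__":
    for ip, user, rnd in find_direct_posts(SAMPLE_LOG):
        print(f"{ip:15} {user:30} random-looking={rnd}")
```

Many distinct source IPs each producing a single direct hit is the botnet signature Jonathan describes; a per-IP rate limit alone would not catch it, which is why the check keys on the missing form load rather than on volume.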

@corbet Is this really new to you? Astounding. You've led a sheltered existence at LWN. I've been trapping and collecting such junk for many years. Some are truly puzzling, since entire categories have no obvious point.

A specific category I've long suspected is part of a negative SEO package, because the only thing it could do is clutter up our inboxes, if it weren't trapped.

The specific ESP used generally tells you that that ESP's account-creation tool has been cracked; Yahoo doesn't surprise me.


@corbet @KasTasMykolas They sell lists with this info. There are several ways to trap them, but in general this is really old news: they can spider for this data, then build lists with URL/form fields.

Depending on how robust your form-processing logic is sitewide, a big chunk of such automated attempts can be neutralized. I'm surprised you guys don't run such logic; it's difficult to run web-facing forms without real built-in protection.

Changing form field names is a waste of time, wrong place.


@corbet I would not discard web scrapers for AI training. Allegedly there was another wave of those that left GNOME's GitLab mostly unusable until yesterday night. See https://discourse.gnome.org/t/login-problems-gitlab/25132/4
