Spam Bots using the Register Now Button in ArchivesSpace

This Community Post is to help inform ArchivesSpace users of the potential for spam bots to create fake user accounts in ArchivesSpace via the Register Now button.

Do you have this button on the staff-facing login screen of your instance of ArchivesSpace?

The Register Now button allows anyone (usually a bot) to create illegitimate accounts inside ArchivesSpace. If you are wondering whether you already have illegitimate accounts, see the details below.

The Register Now button is on by default in ArchivesSpace, but it is configurable and can be removed. To prevent spam bots from using this button, Atlas Systems can simply turn it off, after which it no longer appears on the login screen. This requires a brief system restart, which can usually be scheduled overnight.

Some institutions elect to keep the Register Now button because it allows them to easily create legitimate accounts where users can pick their own password; this positive feature of the Register Now button is less relevant past Aspace v3.3.0, as that release of ArchivesSpace includes functionality for individuals to manage their own passwords once they are logged in.

Institutions can elect to retain the Register Now button but should understand that bots will continue to be able to access it and illegitimate accounts may be created.

Hosted customers should contact Atlas Systems for more information, questions, or to schedule a time to remove the Register Now button.

Do you already have illegitimate user accounts?

Upon reading this you may wish to determine if any illegitimate user accounts have already been created in your instance of Aspace. To determine that, navigate to System > Manage Users in your ArchivesSpace instance and confirm that all the individual accounts listed there are legitimate accounts.

If you find illegitimate accounts, don't panic! Though the accounts have already been created, a Sys Admin would have to take the additional step of assigning permissions to these users, and it is highly unlikely that you have manually assigned permissions to illegitimate accounts. This means that even if someone did log in with an illegitimate account, they would not be able to see or do anything inside ArchivesSpace.

If you find illegitimate accounts, they can be deleted. You will need Sys Admin privileges in order to do so. Please note that if you find illegitimate user accounts, you will also see illegitimate Agent records, which were automatically created once user accounts were generated. Deleting the illegitimate user accounts will also delete their respective Agent records, but you must delete the user account first; do not attempt to delete the Agent record first.
