Delete Identity accounts with disposable emails
The most used email address domain in KDE Identity accounts is unsurprisingly gmail.com, with 37047 accounts. The second in the list is yopmail.com with 4031 accounts. This is a "disposable email address" provider. We have more yopmail.com accounts than yahoo.com, and we have more yopmail.com than hotmail.com and outlook.com combined.
Many yopmail Identity accounts were used for spam, so we already blocked the domain long ago, so new accounts cannot be created. But we still have these 4 thousand accounts bloating the 'users' LDAP group (worsening the performance issues) and squatting usernames that legitimate users may want.
I think we should delete the accounts.
The problem is that some accounts were used to log in to other services (such as the forum). In that case we need to delete the website accounts too. If we don't, then if a new user signs up with the username of a deleted Identity account, and logs in to the forum, they will end up in the existing forum account...
So I think what we need is:
- Make an efficient script to get the list of usernames and check in which websites they were used.
  The existing find-identity-users.py connects to each website server via ssh and will not scale for so many accounts.
- Automate deletion of the per-website accounts.
  It's possible that the vast majority of the Identity accounts were never used, so we can do the website deletion manually, but we don't know that yet, and we don't know what websites were mostly used. But if it turns out to be "too many" we certainly need to automate it.
- Delete the LDAP accounts.
  This also needs a custom script. Deleting accounts through the Identity website, or maybe even through the usual Yii APIs, will be very slow, since it rewrites the entire LDAP group for each individual user that is removed from it. But it's possible to edit the group to delete all users at once and save it at the end.
Apart from yopmail, we also have 694 sharklasers.com accounts and 572 mailinator.com accounts (both free disposable address providers). There are also suspicious things I didn't investigate yet, like 1440 codehot.co.uk accounts (that provider is supposedly paid, I find it hard to believe all those are legit).
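
An added sketch of the first and last steps above (not code from the task or from KDE's repositories): it counts accounts per mail domain, selects the usernames on the disposable domains named in the post, and writes a single LDIF modify record that removes all of them from the group in one operation instead of one group rewrite per user. The `member` attribute, the DN layout, the username alphabet and the sample records are assumptions made for the example.

```python
import re
from collections import Counter

# Domains the post names as disposable-address providers.
DISPOSABLE = {"yopmail.com", "sharklasers.com", "mailinator.com"}
SAFE_UID = re.compile(r"[A-Za-z0-9._-]+")  # assumed username alphabet

# Constructed sample (uid, mail) pairs; not real account data.
SAMPLE_USERS = [
    ("alice", "alice@gmail.com"),
    ("tmp1", "tmp1@yopmail.com"),
    ("tmp2", "TMP2@YopMail.com"),
    ("shark", "x@sharklasers.com"),
    ("weird", "not-an-address"),
]

def domain_of(mail):
    """Lower-cased domain of an address, or None if it is malformed."""
    local, sep, domain = mail.strip().rpartition("@")
    if not (sep and local and domain):
        return None
    return domain.lower().rstrip(".")

def domain_counts(users):
    """Accounts per mail domain, as in the post's statistics."""
    return Counter(d for _, mail in users if (d := domain_of(mail)))

def select_disposable(users, blocked=DISPOSABLE):
    """Sorted usernames whose address is on a blocked domain."""
    return sorted(uid for uid, mail in users if domain_of(mail) in blocked)

def group_modify_ldif(group_dn, user_dn_fmt, uids, attr="member"):
    """One LDIF modify record removing every uid from the group at once."""
    if not uids:
        return ""
    bad = [u for u in uids if not SAFE_UID.fullmatch(u)]
    if bad:  # would need DN/LDIF escaping; review these by hand instead
        raise ValueError(f"unsafe usernames: {bad}")
    lines = [f"dn: {group_dn}", "changetype: modify", f"delete: {attr}"]
    lines += [f"{attr}: {user_dn_fmt.format(uid=u)}" for u in uids]
    return "\n".join(lines + ["-"]) + "\n"

if __name__ == "__main__":
    doomed = select_disposable(SAMPLE_USERS)
    print(domain_counts(SAMPLE_USERS).most_common())
    # Hypothetical DNs; substitute the directory's real ones.
    print(group_modify_ldif("cn=users,ou=groups,dc=example,dc=org",
                            "uid={uid},ou=people,dc=example,dc=org", doomed))
```

The generated record can be reviewed before it is applied with `ldapmodify`; removing the user entries themselves and the per-website accounts is outside this sketch.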