I have had the following in my ikiwiki.setup since 2016:

account_creation_password: XXXXXXXXXXXX

The XXX is made of lowercase, uppercase and digits, randomly generated. I would expect this to stop any account creation. Yet new accounts get created all the time:

w-anarcat@marcos:~/source/.ikiwiki$ perl -le 'use Storable; my $userinfo=Storable::retrieve("userdb"); print $userinfo->{$_}->{regdate} foreach keys %$userinfo'  | sort -n | tail -10
1587487021
1587574304
1587695540
1587770285
1588354442
1588409505
1589257010
1589834234
1590175162
1590176201

The last two timestamps, for example, are today. I'm not absolutely certain, but I believe that account is an emailauth account:

      'zemihaso_hfdsf.sadsdskfm.com' => {
                                          'regdate' => 1590175162,
                                          'passwordless' => 'd8de5ec25cfd68e64318fe6353c6428a',
                                          'subscriptions' => 'comment(blog/2020-04-27-drowning-camera)',
                                          'email' => 'zemihaso@hfdsf.sadsdskfm.com'
                                        },

It's obviously a spammer. It seems to be attacking my wiki by doing the following:

1. register an account with emailauth
2. subscribe to the page
3. spam the page with a comment
4. which then sends email to the victim(s)

It's all kind of a mess. I'm at the point in my anti-spam protection where I am seriously considering disabling all user registration and all comments on all pages. Maybe delegate this to Mastodon or some other third-party commenting system, because I'm just tired of dealing with spam and bounces...

Anyone else seeing this? Shouldn't the account_creation_password setting apply to emailauth? What else am I missing?

Thanks! -- anarcat