In my case the spambot wasn't super smart, all the usernames created by the bot started with capital letters. All my real users had usernames with common letters. This made it easy to filter out the bad guys.
Here's my script in a nutshell:
.
.
I used the special --object-path option to indicate the location of my Plone site, relative to the root of the Zope application server.
My final command looked something like this:
bin/instance_debug --object-path='pathto/sitein/zodb/plone' run member_cleanup.py > members_cleanup_report.txt
Many thanks to the plone.api and plone.docs teams, being able to make use of plone.api.user made it 20 times easier to write the script.
A note about transactions
Before my script would run successfully I had to add a transaction.commit() line, it seems commandline scripts require this.
Parting thoughts
There's a lot more that can be added to the script to make it smarter. For example for certain kinds of sites you could filter based on whether the user has created any content or perhaps it might be based on log in patterns, if they have never logged in or only logged in once.
I'm weighing the pros and cons of having a captcha. At the moment members can't do much except change their portrait pictures and profiles, but I know that some spammers use the portrait for hosting "bad" images, so captchas may have to be introduced.
I'm weighing the pros and cons of having a captcha. At the moment members can't do much except change their portrait pictures and profiles, but I know that some spammers use the portrait for hosting "bad" images, so captchas may have to be introduced.
References
The resources I used included the following references:http://docs.plone.org/external/plone.api/docs/api/user.html
http://docs.plone.org/develop/plone/misc/commandline.html#scripting-context
https://pypi.python.org/pypi/plone.recipe.zope2instance
