For a few years now, a bot-like user has been trying to create 10-12 users a couple of times a day with first and last names like "rlpzieqT WHKLpdGQr" (on a website of mine). The IP address is always different. Below is an excerpt of a log I created for this attacker.

The email addresses they use seem to be real. Before I prevented the creation of those users, the accounts were just created but not used at all.

As mentioned, this started two to three years ago. My question is:

What kind of attack is this? Is it one at all? Has anybody come across behavior like this?

Tue, 27 Sep 2022 18:50:54 +0000 [14.187.1.115] Prevented user creation of urYXqEnVfIdvTPJ jkZfAsCnVPzH
Tue, 27 Sep 2022 18:50:57 +0000 [14.187.1.115] Prevented user creation of hlcLjIbJagnwXoG CAWLdSYZUfMDvBPs
Tue, 27 Sep 2022 18:51:36 +0000 [14.187.1.115] Prevented user creation of lCnXOPNyTIUSJq rOFJZGTepDE
Tue, 27 Sep 2022 18:51:38 +0000 [14.187.1.115] Prevented user creation of mMBDhvXjzJqc qNUVRJODokZd
Tue, 27 Sep 2022 19:18:45 +0000 [51.161.10.160] Prevented user creation of yKNkJWqYT EuQgGePHCj
Tue, 27 Sep 2022 19:18:46 +0000 [51.161.10.160] Prevented user creation of zqMlCsTtIaWRHnx DsWneFZawEl
Tue, 27 Sep 2022 19:18:51 +0000 [51.161.10.160] Prevented user creation of qoKjkGDz MqjOnhtKD
Tue, 27 Sep 2022 19:18:51 +0000 [51.161.10.160] Prevented user creation of HTLgSRYIeuZkzKj USJhWOGszfAbIQcl
Tue, 27 Sep 2022 19:18:54 +0000 [51.161.10.160] Prevented user creation of kRdTGCnvNajEAZ AapglLqbsD
Tue, 27 Sep 2022 19:18:54 +0000 [51.161.10.160] Prevented user creation of CKwnOfmseEBN eKRbfniQLcU
Tue, 27 Sep 2022 19:19:00 +0000 [51.161.10.160] Prevented user creation of eajlcwixQOI dhxFDcrlAZy
Tue, 27 Sep 2022 19:19:01 +0000 [51.161.10.160] Prevented user creation of PwQKidjqnTrYxBNS qBthHkJi
Wed, 28 Sep 2022 00:08:23 +0000 [149.113.150.53] Prevented user creation of sjpgAlruqxG fjdVUIRDi
Wed, 28 Sep 2022 00:08:24 +0000 [149.113.150.53] Prevented user creation of ugsydAKIpxL XrdgExpZuFzyT
Wed, 28 Sep 2022 00:08:35 +0000 [149.113.150.53] Prevented user creation of qOmaIkwcUZjoE rXihaFpdHQBuYqzV
Wed, 28 Sep 2022 00:08:37 +0000 [149.113.150.53] Prevented user creation of JcNOrtsZ ywIuCfXhpdS
Wed, 28 Sep 2022 00:08:41 +0000 [149.113.150.53] Prevented user creation of VqkzAZljo AiBZNocDdtbKyWgJ
Wed, 28 Sep 2022 00:08:42 +0000 [149.113.150.53] Prevented user creation of ijFasqpMWgX gOMNTwdPCBrsXVSk
Wed, 28 Sep 2022 00:09:03 +0000 [149.113.150.53] Prevented user creation of UrLWKNTJ zWaufCmnBkKwP
Wed, 28 Sep 2022 00:09:07 +0000 [149.113.150.53] Prevented user creation of eAYgfHumK JrlmwXidDZWx
Wed, 28 Sep 2022 08:39:44 +0000 [91.158.221.91] Prevented user creation of BLmFZkTwec cFOBWMtde
Wed, 28 Sep 2022 08:39:45 +0000 [91.158.221.91] Prevented user creation of ZtWnKqbMr qYmzkgptAnsFlBd
Wed, 28 Sep 2022 08:39:46 +0000 [81.89.79.166] Prevented user creation of agdIobexFO uAciqTxo
Wed, 28 Sep 2022 08:39:48 +0000 [81.89.79.166] Prevented user creation of ZRkfrOaq IJfScxnWmMod
Wed, 28 Sep 2022 08:39:51 +0000 [91.158.221.91] Prevented user creation of bxQdAlOnTKPwL EelDxYTIRP
Wed, 28 Sep 2022 08:39:53 +0000 [81.89.79.166] Prevented user creation of NpIRoVBYQTzs lsmLhjOrJZ
Wed, 28 Sep 2022 08:39:53 +0000 [81.89.79.166] Prevented user creation of krYiHsZhFbxgtuS jluAhofitdD
Wed, 28 Sep 2022 08:39:55 +0000 [81.89.79.166] Prevented user creation of hitdEHzpvl pxJlKVwDhonsUc

I've seen similar behavior before. An attacker has discovered you offer something they want. It could be any of several things:

  • Something sends email, which is a spam opportunity.
  • Something sends SMS messages, which is a toll fraud opportunity.
  • Something posts strings to the web (think blog-comment spam), which allows SEO fraud or a way to inject custom HTML into victim browsers directed there through other means.

So they're trying to automate injecting/consuming the resource. I'd treat it as unwanted automated activity and block as appropriate.

sysadmin1138
  • I doubt this is the case because the user accounts have never been used at all. They are just created and then sit there doing nothing. I thought maybe it is a kind of attempt to discredit my mail server, as the email addresses used for user creation seem to be valid (but I doubt that the owners of those addresses are the ones who signed up, of course). – Armin Hierstetter Oct 25 '22 at 15:08
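To put the answer's advice ("treat it as unwanted automated activity and block as appropriate") into practice, here is an added example that is not part of the question or the answer: it parses the question's log format, flags random-looking names, and reports the IPs that produce a burst of them. The sample log, the documentation IP addresses, the name heuristic and the burst thresholds are constructed assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the question's log format: names come from the question,
# IPs are documentation addresses, and the last line is a made-up normal signup.
SAMPLE_LOG = """\
Tue, 27 Sep 2022 18:50:54 +0000 [203.0.113.10] Prevented user creation of urYXqEnVfIdvTPJ jkZfAsCnVPzH
Tue, 27 Sep 2022 18:50:57 +0000 [203.0.113.10] Prevented user creation of hlcLjIbJagnwXoG CAWLdSYZUfMDvBPs
Tue, 27 Sep 2022 18:51:36 +0000 [203.0.113.10] Prevented user creation of lCnXOPNyTIUSJq rOFJZGTepDE
Tue, 27 Sep 2022 18:51:38 +0000 [203.0.113.10] Prevented user creation of mMBDhvXjzJqc qNUVRJODokZd
Tue, 27 Sep 2022 19:02:11 +0000 [198.51.100.7] Prevented user creation of Maria Schmidt
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}, \d{2} \w{3} \d{4} \d{2}:\d{2}:\d{2} [+-]\d{4}) "
    r"\[(?P<ip>[^\]]+)\] Prevented user creation of (?P<first>\S+) (?P<last>\S+)$"
)
TS_FMT = "%a, %d %b %Y %H:%M:%S %z"

def parse_log(text):
    """Yield (timestamp, ip, first, last) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.strptime(m["ts"], TS_FMT), m["ip"], m["first"], m["last"]

def looks_random(word):
    """Heuristic (assumed, not from the page): real names rarely carry more than
    one capital after the first letter ('McDonald') and almost always have a vowel."""
    internal_caps = sum(c.isupper() for c in word[1:])
    has_vowel = any(c in "aeiouy" for c in word.lower())
    return internal_caps > 1 or not has_vowel

def burst_ips(events, min_count=3, window=timedelta(minutes=2)):
    """IPs with >= min_count random-looking signups inside one window (a burst, not one odd name)."""
    per_ip = defaultdict(list)
    for ts, ip, first, last in events:
        if looks_random(first) or looks_random(last):
            per_ip[ip].append(ts)
    flagged = []
    for ip, stamps in per_ip.items():
        stamps.sort()
        if any(stamps[i + min_count - 1] - stamps[i] <= window
               for i in range(len(stamps) - min_count + 1)):
            flagged.append(ip)
    return sorted(flagged)

if __name__ == "__main__":
    print(burst_ips(parse_log(SAMPLE_LOG)))  # ['203.0.113.10']
```

The flagged list is what you would hand to a firewall, WAF or rate limiter; because the attacker rotates addresses, the burst rule matters more than any single IP.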