Phone Number Spam on PyPI
Incident Report for Python Infrastructure
Resolved
This incident has been resolved.
Posted Oct 20, 2016 - 00:18 UTC
Update
Spam is continuing to come in as the cat and mouse game persists. We have implemented two strategies so far to dissuade spammers from posting bogus packages. We are continuing to monitor for spam, remove it, and develop new mitigation strategies.
Posted Oct 19, 2016 - 15:02 UTC
Update
We've determined that accounts generating spam are not using OpenID, but were using disposable email inbox providers.

An update has been introduced to PyPI which refuses account signups and email updates which use addresses on disposable email domains.

We're continuing to mitigate the ongoing spam influx...
Posted Oct 19, 2016 - 03:46 UTC
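
The following is an added example, not PyPI's own code, of the kind of check described in the update above: one gate applied to both account signup and email change. The blocklist entries, the `Accounts` class and all function names are constructed for illustration.

```python
"""Disposable-domain gate for signup and email change (constructed example)."""

# Constructed sample blocklist; a real deployment would load a maintained list.
DISPOSABLE_DOMAINS = frozenset({"throwaway-inbox.example", "tempmail.example"})


class DisposableEmailError(ValueError):
    """Raised when an address belongs to a blocked disposable domain."""


def email_domain(address: str) -> str:
    """Return the normalized (lowercase, IDNA-encoded) domain of an address."""
    local, sep, domain = address.strip().rpartition("@")
    domain = domain.rstrip(".").lower()  # drop a trailing root dot, fold case
    if not (sep and local and domain):
        raise ValueError(f"not an email address: {address!r}")
    try:
        return domain.encode("idna").decode("ascii")
    except UnicodeError as exc:
        raise ValueError(f"invalid domain in {address!r}") from exc


def is_disposable(address: str, blocklist=DISPOSABLE_DOMAINS) -> bool:
    """True if the domain or any parent domain is on the blocklist."""
    labels = email_domain(address).split(".")
    # Walk parent domains on label boundaries; never test the bare TLD.
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels) - 1))


class Accounts:
    """Hypothetical in-memory account store with both guarded entry points."""

    def __init__(self):
        self.emails = {}

    def _check(self, email: str) -> None:
        if is_disposable(email):
            raise DisposableEmailError(f"disposable domain: {email_domain(email)}")

    def register(self, username: str, email: str) -> None:
        self._check(email)
        self.emails[username] = email

    def change_email(self, username: str, new_email: str) -> None:
        # Same check as signup, so a clean address cannot be swapped later.
        self._check(new_email)
        self.emails[username] = new_email
```

Matching on label boundaries catches subdomains of a listed domain without blocking unrelated domains that merely end in the same characters.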
Update
Spam packages advertising "customer support" for various products containing descriptions with key terms have been identified and removed from PyPI. We are monitoring and continuing to block as the attack persists.

As the spammers are apparently using OpenID and the WebUI to launch the ongoing attack, we may take steps to disable OpenID login if the IP address space available to the attackers is too vast to block.
Posted Oct 18, 2016 - 18:36 UTC
Monitoring
We've cleaned up the spammer accounts and packages. We're monitoring the situation to see if any more spam packages get posted.
Posted Oct 18, 2016 - 18:09 UTC
Identified
It has come to our attention that someone is registering new accounts on PyPI and uploading spam packages to PyPI. We are aware of the problem and are working to resolve it.
Posted Oct 18, 2016 - 17:48 UTC
This incident affected: PyPy (speed.pypy.org).