2
You might limit registrations by forcing them for your approval. Once you see where they are coming from, you can ban the IP or email addresses
You could also add CAPTCHA to registration.
Other ways to consider
1) ModSecurity Rule (if you use ModSecurity):
# Detect multiple occurrences of xoops_redirect
SecRule ARGS_NAMES "@streq xoops_redirect" "chain,phase:2,deny,status:403,id:1000"
SecRule &ARGS_NAMES:xoops_redirect "@gt 1"
2) URL Rewriting Solution (Apache):
# Keep only the last xoops_redirect parameter
RewriteCond %{QUERY_STRING} xoops_redirect=([^&]+).*xoops_redirect=([^&]+)
RewriteRule ^(.*)$ $1?xoops_redirect=%2 [R=301,L]
3) Other possible options:
- Implement rate limiting for requests containing xoops_redirect
- Validate redirect URLs against a whitelist
