Someone is programmatically spamming their registration pages, and because there don't appear to be any web validation rules set up, accounts are being created. There is no way for ILLiad to know what is or isn't a spam account unless some rules are implemented, so we recommend sites implement web validation rules to help ensure only users with valid information are being created. Another way to help avoid this is to disable any registration pages they aren't using, i.e. if they use an SSO for authentication, they can remove the NewUserRegistration page. Lastly, the speed/amount of the accounts created is an issue for their network IT or the ILLiad server team. They can block the IP address that is spamming registrations, and/or they could look at limiting traffic or the number of calls a single IP can make, among other things, but I can't really advise on that aspect of it, since it's out of my area of expertise. That would need to be looked at by their IT people.
One example of a web validation rule that could help is only to accept email addresses that have a username and end with the university's domain.
This would require the email field to look like firstname.lastname@example.org.
We've seen a couple of similar reports of spam account creation from other sites over the past few months. For what it's worth, I'm going to be bringing those to our support team meeting at the end of the month to see if we can provide some more in-depth documentation or training for the community, but ultimately it is the responsibility of the site to secure their web pages/server using the web validation rules, or other third party implementations like captcha.
As I mentioned before, the Database Manager should be able to clean up the accounts, but it can also be done through SQL if necessar