• A site I manage with Mailpoet 2.8.2 installed has recently been exploited to flood 3rd party email addresses with signup confirmation requests.

    No notification of these signups is sent to the Mailpoet admin address and checking the subscribers panel shows that no lists are specified for these registrations. I only became aware of the signups when the mail server of the unwitting recipients began bouncing due to the overload.

    I tried manually confirming the registrations to see if this would prevent them being re-registered, but the hack seems able to repeatedly sign up the same recipients regardless of their status. They return to being unconfirmed.

    The server logs traced the signups to 2 IPs directly accessing admin-ajax.php (and no other files). Blocking these IPs stopped the malicious signups, but it obviously remains open to any other IP.

    Recalling the serious 2014 hack this plugin suffered, I checked to see if it had created any new WP users, but it hasn’t.

    Is this a known problem? Is it fixed in Mailpoet 3?
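As an added example (not from the thread or from MailPoet), a small script that turns the observation above, clients whose only traffic is direct POSTs to admin-ajax.php, into a check over access-log lines; the log lines, IPs and the request threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed Apache combined-format access log lines (not the thread author's logs).
# Two clients talk only to admin-ajax.php; the third is an ordinary visitor who
# loads the page hosting the form before submitting it.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2018:09:01:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 51 "-" "python-requests/2.18.4"
203.0.113.10 - - [12/Mar/2018:09:01:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 51 "-" "python-requests/2.18.4"
203.0.113.10 - - [12/Mar/2018:09:01:04 +0000] "POST /wp-admin/admin-ajax.php?_=1 HTTP/1.1" 200 51 "-" "python-requests/2.18.4"
198.51.100.7 - - [12/Mar/2018:09:02:10 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 51 "-" "curl/7.58.0"
198.51.100.7 - - [12/Mar/2018:09:02:11 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 51 "-" "curl/7.58.0"
192.0.2.44 - - [12/Mar/2018:09:03:00 +0000] "GET /newsletter/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Mar/2018:09:03:05 +0000] "GET /wp-content/themes/example/style.css HTTP/1.1" 200 2210 "https://example.test/newsletter/" "Mozilla/5.0"
192.0.2.44 - - [12/Mar/2018:09:03:40 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 51 "https://example.test/newsletter/" "Mozilla/5.0"
this line is not a log record and is skipped
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')


def parse_log(text):
    """Yield one dict per well-formed line; unparseable lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["path"] = rec["path"].split("?", 1)[0]   # drop query strings / cache busters
            yield rec


def find_ajax_only_clients(text, min_requests=2):
    """Map IP -> request count for clients whose every request was a POST to
    admin-ajax.php. A browser submitting the form fetches the hosting page first,
    so this matches the 'directly accessing admin-ajax.php (and no other files)'
    pattern described above. It is a heuristic, not proof of abuse."""
    total = defaultdict(int)
    ajax_posts = defaultdict(int)
    for rec in parse_log(text):
        total[rec["ip"]] += 1
        if rec["method"] == "POST" and rec["path"].endswith("/wp-admin/admin-ajax.php"):
            ajax_posts[rec["ip"]] += 1
    return {ip: n for ip, n in ajax_posts.items()
            if n == total[ip] and n >= min_requests}


if __name__ == "__main__":
    for ip, n in find_ajax_only_clients(SAMPLE_LOG).items():
        print(f"{ip}: {n} requests, all POST /wp-admin/admin-ajax.php")
```

Because shared or NAT addresses can also match, treat a hit as a candidate for a temporary block or rate limit rather than a permanent one.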

Viewing 11 replies - 16 through 26 (of 26 total)
  • Maybe the goal is to ‘nudge’ everyone to v3 by letting v2 get less and less desirable?

    Even if that is the goal, I have seen no confirmation from MailPoet that v3 is not affected by this issue.

    Hello,

    MailPoet 3 is the latest MailPoet plugin version and it is currently the actively maintained and developed version.
    MailPoet 2 is gradually reaching the end of its life, and while it is getting security updates, consider upgrading to MailPoet 3 if you want to get new features.

    If you are experiencing spammy automated subscriptions, the primary tool to stop them is still to enable reCAPTCHA. You can do so from your plugin’s settings (MailPoet 2 > Settings > Advanced > Enable reCAPTCHA).
    We strongly encourage you to enable captcha in this case, as from what we have seen it is the reliable way to stop such subscriptions.

    If you really cannot enable reCAPTCHA, the less secure option is to make repeated subscription throttling more aggressive.
    By default the throttling window is 24 hours, with a starting delay of 1 minute.
    You could make the defense more aggressive and increase these limits by adding this code to your theme’s functions.php file, after <?php code:

    function mp2_increase_subscription_throttling_window($window) {
        // Ignore the default ($window) and look back 7 days instead of 24 hours.
        return 3600*24*7; // 7 days
    }
    function mp2_increase_subscription_throttling_delay_base($delay) {
        // Ignore the default ($delay) and start the repeat-subscription delay at 2 minutes.
        return 60*2; // 2 minutes
    }
    // Hook both callbacks into MailPoet 2's subscription throttling filters.
    add_filter('wysija_subscription_limit_window', 'mp2_increase_subscription_throttling_window');
    add_filter('wysija_subscription_limit_base', 'mp2_increase_subscription_throttling_delay_base');

    What this code will do is consider the last 7 days' worth of subscription data (as opposed to just the last day), and will make delays for repeat subscriptions more severe (5 minutes for the second subscription, 10 for the third, 20 for the fourth and so on, growing exponentially).

    Unfortunately, making subscription throttling more aggressive is not the full solution, and once throttling window ends – some subscriptions may still slip through.

    Unfortunately, the existing reCAPTCHA approach offers the most reliable protection against such attacks. We have already considered a few other options, including using nonces, but most options can still be exploited by a determined attacker, so they aren’t helpful.
    If you have better suggestions on how to tackle the issue – please let us know.

    You have asked whether MailPoet 3 is affected by this issue. Right now we are not aware of any such cases, especially as the subscription process for MP3 is slightly different and more technically complex.
    However, conceptually it could still be vulnerable to such an attack if the attacker specifically prepared for it. And any other subscription form of most other plugins or services would be vulnerable as well.
    Using reCAPTCHA, however, would usually put a stop to it.

    The downside of a hosted tool like MailPoet is that a) sites are hosted individually, so one cannot see subscriptions across all MP2 sites, cross reference them and put a stop to such attacks, b) it takes time for sites to be updated, making some mitigation strategies impossible.
    This is where a tool like MailChimp has a strength – since all subscriptions ultimately hit their servers, they have full control over each and every subscription network-wide and can actively monitor and mitigate such attacks.

    TL;DR: keep your plugin updated and enable reCAPTCHA from your plugin’s settings (MailPoet 2 > Settings > Advanced > Enable reCAPTCHA).
    There currently are no better tools to stop such subscription attacks reliably.


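Added as a stand-alone model of the throttling the reply above describes (a look-back window plus a delay that doubles with each repeat), not MailPoet's own code: the formula delay = base_delay * 2 ** (repeats - 1), the rule that only accepted attempts count toward the history, and the attacker schedule are assumptions made here. It replays one address against the default settings and against the 7-day/2-minute values from the filters, which shows the reply's caveat that a tighter window reduces, but does not stop, repeat signups.

```python
from dataclasses import dataclass, field


@dataclass
class SubscriptionThrottle:
    window: int = 3600 * 24      # seconds of history considered (default 24 h)
    base_delay: int = 60         # delay imposed after the first attempt (default 1 min)
    history: dict = field(default_factory=dict)   # email -> accepted attempt times

    def required_delay(self, repeats):
        """Delay demanded when `repeats` accepted attempts already sit in the window."""
        return 0 if repeats == 0 else self.base_delay * 2 ** (repeats - 1)

    def allow(self, email, now):
        """Return (accepted, seconds_remaining); records the attempt when accepted."""
        recent = [t for t in self.history.get(email, []) if now - t < self.window]
        self.history[email] = recent          # attempts older than the window are forgotten
        if recent:
            remaining = recent[-1] + self.required_delay(len(recent)) - now
            if remaining > 0:
                return False, remaining
        recent.append(now)
        return True, 0


def simulate(window, base_delay, schedule, email="victim@example.test"):
    """Replay attempts at the given offsets (seconds) for one address; return accepted offsets."""
    throttle = SubscriptionThrottle(window=window, base_delay=base_delay)
    return [t for t in schedule if throttle.allow(email, t)[0]]


# Constructed attacker schedule: one signup attempt every 6 hours for 3 days.
SCHEDULE = [6 * 3600 * i for i in range(13)]

if __name__ == "__main__":
    default = simulate(3600 * 24, 60, SCHEDULE)            # MailPoet 2 defaults per the reply
    hardened = simulate(3600 * 24 * 7, 60 * 2, SCHEDULE)   # values set by the filters above
    print(f"24-hour window accepts {len(default)} of {len(SCHEDULE)} attempts")
    print(f"7-day window accepts {len(hardened)} of {len(SCHEDULE)} attempts")
```

With a 24-hour window the history never holds more than a few attempts, so the slow attacker is never delayed; the 7-day window rejects some attempts but still lets most through, which is why the reply treats throttling as secondary to a captcha.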

    Is there a way to use invisible ReCaptcha with MailPoet? My attempt to implement it has failed.

    @nsqrt I’m working on a long-term solution to this problem myself. I’ll keep everyone posted.

    @nsqrt I tried using a plugin with invisible ReCaptcha to no avail as well.
    @programmerbear Thank you!

    Much appreciated, @programmerbear!

    I had a couple of attacks again over the weekend. The IPs are the same as you had noted on your blog, by the way.

    Hey everyone, thanks for your patience. I have a solution for this now.

    Because I use MailPoet 2 and have for a long time, I have a lot of newsletters and data which I’m not willing to give up by switching to MailPoet 3. I also have some addons I’ve paid for, for example MailPoet Premium. Unfortunately there are a lot of addons out there for MailPoet 2 which either have not been updated to work with MailPoet 3, or would have to be re-purchased.

    So here’s the situation as I see it:
    – MailPoet is abandoning version 2
    – They won’t fix obvious security issues
    – We can’t keep all our data if we “upgrade”
    – Even if we did upgrade, we either have to re-purchase addons or live without them

    For these reasons, I’ve decided to fork MailPoet 2. My fork is called MailBard.

    In MailBard, I started with the exact code from MailPoet 2.8.2. Then I made a few modifications:

    1) Added a nonce-checking system for ajax sign up requests. In my testing, this has stopped the ongoing attack we have all been experiencing. I also believe I have done this in a way that avoids any issues with caching plugins (which was MailPoet’s main objection to adding nonces here).

    2) Removed the 2000 subscriber limit.

    3) Various minor text and branding changes (from MailPoet to MailBard).

    The advantage of MailBard is this is a 100% drop-in replacement for MailPoet 2. All your data is preserved, and all your MailPoet 2-based addons will continue to work. Simply deactivate MailPoet, then activate MailBard, and you’re good to go.

    Going forward, I will be taking responsibility for security updates and anything else needed for MailBard. I wish MailPoet all the best with version 3 and I sincerely hope they continue to enjoy success with it… however I think many of us feel they have handled the MailPoet 2 to MailPoet 3 “upgrade” poorly and not really considered the needs of their existing user base. So if any of you, like me, have a lot invested in MailPoet 2 and “upgrading” is just not practical, I would invite you to give MailBard a try.

    If anyone is interested in seeing my exact code changes, you can find them on GitHub here: https://github.com/mailbard/mailbard-newsletters

    If you want to test out the latest MailBard release, for the time being you can get it here: https://www.mailbard.com/ (I’ll be updating this site more in the coming days and weeks)

    If any of you encounter any issues whatsoever, please let me know by contacting me through https://www.mailbard.com/ and I’ll take a look as soon as I can. (I do have a day job so I may not be able to reply immediately, but I will as soon as I can.)

    I have submitted MailBard to the WordPress Plugins Review team. They required a few changes (mostly to do with code inherited from MailPoet 2.8.2) and I am working with them to hopefully address their requirements, so we can get MailBard in the plugins repo officially. (*keeps fingers crossed*)

    Thread Starter Bloog (@bloog)

    Thanks @programmerbear – I’ll certainly try out Mailbard when I get the time. (So far, your previous fix has worked well).

    Thanks, @programmerbear, that sounds great!

    When you have a chance, if you’re able to get the invisible re-captchas to actually be invisible, I and others would really appreciate it!

    Karen

    Just FYI, MailBard (my MailPoet 2 fork) is now live on www.ads-software.com if anyone wants to try it: https://www.ads-software.com/plugins/mailbard-newsletters/

    @pictureitsolved I’ll look into the invisible captchas issue and see what I can do.

    I don’t want to hijack this thread to talk about MailBard so if anyone has more to say please feel free to start a thread through our new plugin page! (https://www.ads-software.com/plugins/mailbard-newsletters/)

  • The topic ‘2.8.2 exploited via admin-ajax.php’ is closed to new replies.