• Resolved gavflan

    (@gavflan)


    Hey,
    I’ve been away for a week, got back to find just over 26,000 spam signups to my newsletter.

    The emails seem genuine, [email protected] etc but prob almost all are spam.

    My newsletter form is simply a “Sign up to newsletter” box, no checks.

    In Mailpoet I can’t find any security setting or captcha setting, so any idea how to solve this?

    Any help appreciated.

Viewing 15 replies - 16 through 30 (of 44 total)
  • Please email all of your own subscribers of this urgent update. I’ve just raised a ticket (premium) before seeing this. I’m surprised you haven’t put out an urgent security mail shot?! I too was plagued by signups and contacted by my host as the bounce list was huge. In the long run I think you need to further improve the filtering beyond the two part signup. I couldn’t use the SpamShield due to a script conflict and was trying other means. Can’t you use an invisible recaptcha? Maybe the throttling will be enough. Can you show the IP address of the false subscriber to allow blocking?
    Thank you, Matthew

    I’ve also had this problem and in my case all the spam signups came from 5.188.203.23. Blocking this IP has stopped the signups, for now. (It didn’t stop the spammer from trying 10.000 times per day….)

    Can I ask a numpty question Maarten… how did you identify the IP? I will block that one! Thank you

    @ictbeheer
    That’s the same IP that spammed our customer’s server.

    @lickthespoon
    I would first try the IP that Maarten mentioned. If it’s not, I found out that IP by using Apache’s status page and checking which IPs are accessing the same addresses over and over.

    • This reply was modified 7 years, 5 months ago by grobmotoriker.

    @lickthespoon you can look in the apache log for IP addresses that POST to /wp-admin/admin-ajax.php repeatedly. If you haven’t deleted all spam subscribers yet you could also look them up in the table wp_wysija_user which has a column IP.

    • This reply was modified 7 years, 5 months ago by Maarten.

    Well,
    I would say to Mailpoet that their throttling fix isn’t working. I have had no response to my ticket despite being a premium user. So not good enough on the anti spam front.
    Thank you for the Wysija table check. I’ve blocked those IPs – 209.85.233.27; 217.76.128.139; 82.223.191.131;
    But I am concerned that they aren’t where the spam is coming from but the addresses of sites someone else is trying to get blacklisted – they all seem to relate to Spanish / Catalonian issues, so very political at present.
    I’ve asked my host to help check IPs in apache logs.
    I may need to disable newsletter signup until a better fix is in place.
    But I’m disappointed in Mailpoet who despite having issues in the past are slow to respond to security issues – and I REALLY LIKE MAILPOET – it’s otherwise excellent.

    Thank you for the tip on the apache logs
    I found a Russian IP 5.188.203.23 repeatedly posting to admin ajax, so I’ve blocked that.
    It seems slightly big brother that a Russian IP is trying to get Spanish / Catalonian websites blacklisted!

    Not only Spanish – it’s the same for sites here in Austria too.
    And I don’t think that this is a pro big brother – these people use multiple IPs and stay below the default repeat rate of fail2ban per IP per default time period.

    For me it’s a stupid script kiddie.
    He uses every possible script to attack – if you look at your error_logs you will find that he attacks SSL and so on, too.

    I’ve blocked the IP using IPTables on all ports – for the whole NET 5.188.203.* because a provider should monitor such behaviour.

    • This reply was modified 7 years, 4 months ago by kech61.
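
The log check described in the replies above (repeated POSTs to /wp-admin/admin-ajax.php), as an added example that is not part of the thread or of MailPoet. It counts those requests per client IP and, since one reply notes that the sender spreads requests over several addresses to stay under per-IP limits, also per /24 network. The log lines, thresholds and function names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Apache common/combined log prefix: client, identity, user, [time], "request".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*"'
)
TARGET = "/wp-admin/admin-ajax.php"


def count_ajax_posts(lines):
    """Count POSTs to admin-ajax.php per client IP and per IPv4 /24 network."""
    per_ip, per_net = Counter(), Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["path"].split("?", 1)[0] != TARGET:
            continue
        try:
            addr = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # client field is a hostname or malformed
        per_ip[str(addr)] += 1
        if addr.version == 4:
            per_net[str(ipaddress.ip_network(f"{addr}/24", strict=False))] += 1
    return per_ip, per_net


def flag(counter, threshold):
    """Return (key, count) pairs at or above threshold, busiest first."""
    return [(key, n) for key, n in counter.most_common() if n >= threshold]


def _line(ip, method="POST", path=TARGET):
    return f'{ip} - - [01/Jan/2017:10:00:00 +0000] "{method} {path} HTTP/1.1" 200 52 "-" "-"'


# Constructed sample using documentation address ranges, not real traffic.
SAMPLE = (
    [_line("203.0.113.7")] * 6                                   # one noisy address
    + [_line(f"198.51.100.{i}") for i in range(1, 9)] * 2        # 8 addresses, 2 hits each
    + [_line("192.0.2.10", "GET", "/"), _line("192.0.2.10", path="/wp-login.php")]
)

if __name__ == "__main__":
    ips, nets = count_ajax_posts(SAMPLE)
    print("per IP  >= 5:", flag(ips, 5))
    print("per /24 >= 5:", flag(nets, 5))
```

In the constructed sample the 198.51.100.0/24 addresses never reach the per-IP threshold individually, but the network as a whole is the busiest source.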

    Thank you, I’ll try that too. I’ve had to disable mail poet at the moment due to all of the bounce emails!

    I’m still working on this but don’t fully understand the spam signup mechanism.
    It looked like at some point early on the Spam subscriber did confirm but I’ve deleted it now.

    My concern is with the signup widget removed, as soon as I enable Mailpoet and Mailpoet Premium I start to get spam subscribers. What mechanism could they be using? I can only stop them by disabling the plugins.
    I’ve tried blocking the IP with WP Security blacklist manager but that doesn’t seem to have worked.

    Is there a mechanism that’s bypassing the subscription form – I saw the admin-ajax posts in the log as mentioned previously. Does anyone have any thoughts on exactly how this script is triggering signups and how to block it? I’m confused that even with the widget deactivated it still seems to trigger signups – how? Could they have used an initial first confirmed signup to glean information for a script? Thank you

    Ok, I tried blocking the IP in the WP All in One security blacklist. But for some reason it didn’t stop the Mail Poet signup spam. I contacted Siteguarding who run our anti-virus and they’ve added some rules in the firewall to stop the spammer IP from executing the form. This has worked for the moment. But as they say the problem is there is no distinction in Mailpoet between a spammer and a genuine subscriber signing up, so they can simply pop up from a different ip. Their advice was to use a different Mailing signup plugin. So I hope Mailpoet take note and add a layer of security to the signup form.

    I am having the same/similar problem, though the volume on my site is less. I have deleted all Mailpoet signup forms but I keep getting new “unconfirmed” subscribers to my WP site and I can’t figure out how they are getting there. Then those same addresses get spammed via my SendGrid account. I just installed MailPoet 2.7.14. Hoping the switch to MailPoet 3 will help but have several things I need to migrate before that will work (many automatic newsletters, and when I last tested moving I found that my subscribers did not import). Is there a fix for these spam subscribers coming? I will try the WP-SpamShield if my host approves.

    How are you able to identify which IP address the signup spam is coming from?

    And I hope we can use Google recaptcha for security on our sign up forms. I use that with my Contact Form 7 forms and it’s working well.

    Thanks!

    Hello,
    I had to use ftp to access my apache server logs as suggested above: ‘you can look in the apache log for IP addresses that POST to /wp-admin/admin-ajax.php repeatedly’. Your web host should be able to help. It was a repeated IP posting. The IP address 82.223.191.131 seems to be a persistent attacker for many people. I had trouble blocking it with wp_security and had to contact site guarding (who I use) who added in some custom rules to their firewall. But it’s only a matter of time before they pop up on a different IP. I’m still getting some fake signups even so but no bounce list emails. I think it’s worth accessing your bounce account in your email or checking your email server to make sure you aren’t getting 1000’s of bounced emails you’re unaware of.
    On the Mailpoet 3 thread Mailpoet tell me they’ve improved the signup form over Mailpoet 2. But it’s having the time to test the migration in a controlled way.

    Plugin Author MailPoet

    (@mailpoet)

    @deckar01 we have since updated our plugin to bulletproof our forms.

    Please report back if there are any further issues!

    Hi,
    Is this in the 2.7.14 – 2017-10-23 version this week or are you referring to Mailpoet 3 forms?
    Thank you

  • The topic ‘26,000 Spam Newsletter Signups’ is closed to new replies.