• Resolved gavflan

    (@gavflan)


    Hey,
    I’ve been away for a week, got back to find just over 26,000 spam signups to my newsletter.

    The emails seem genuine, [email protected] etc., but prob almost all are spam.

    My newsletter form is simply a “Sign up to newsletter” box, no checks.

    In Mailpoet I can’t find any security setting or captcha setting, so any idea how to solve this?

    Any help appreciated.

Viewing 14 replies - 31 through 44 (of 44 total)
  • @mailpoet I’m wondering the same — are the updates you’re referring to related to the MailPoet 3 or 2.7.14? Also — I’ve found that I’m still getting spam signups even after deleting all my MailPoet forms. It does seem like there’s an exploit in the plugin itself?

    I installed WP-Spamshield yesterday and haven’t had any new spam/unconfirmed sign ups yet. I’ve only been getting a couple a day but they managed to get my SendGrid account blocked temporarily with all the spam messages being sent. I’d prefer not to have to have yet another plugin on my site and already have Akismet.

    I have 2.7.14 installed. I received about 88 failure notice emails. The email body had your new subscriber confirmation link. Most of them were for the same account <obscene>@gmail.com and the error text was

    “The user you are trying to contact is receiving mail at a rate that prevents additional messages from being delivered.”

    There were four new, unconfirmed subscribers on my site: the one above, two reasonable-looking email addresses that didn’t result in any error messages, and one for [email protected].

    I don’t have a “Subscribe” page, so they must have known which php page to invoke.

    Does mailpoet keep trying to resend the confirmation link?

    I have the same issue here, updated to v 2.7.14 and it persists. Sending emails with Mailgun.

    We are aware that these mass subscription attacks continue on the latest version. We are looking into it at this moment. Sorry for any inconveniences.

    Also, if anyone has any server logs to share with us, please contact us at https://www.mailpoet.com/support/wordpress-forums/

    Plugin Author MailPoet

    (@mailpoet)

    Some users have reported that the bot is back in full force.

    If this is your case, we’re looking for your server logs. You can share them with us here: https://www.mailpoet.com/support/wordpress-forums/

    Thanks!

    Exactly the same problem has been on my website since the beginning of October. I’ve sent details about the incidents through Mailpoet’s contact form, but I find it ironic that they use Captcha on their contact form while advocating against introducing it to subscription forms.

    We suggest that everyone who is affected update to 2.7.15.1.

    I upgraded to 2.7.15.1 and it didn’t help. What is really strange is that after disabling the Mailpoet plugin I still see API requests coming to Sendgrid.

    @oliwkama,
    Could you please get in touch directly with us via this form: https://www.mailpoet.com/support/wordpress-forums/
    We would like to better understand your case and help you.
    Thanks!

    Best regards,
    MailPoet Team.

    We also recommend anyone affected to install these anti-spam plugins and write back if it helps:
    https://www.ads-software.com/plugins/goodbye-captcha/
    https://www.ads-software.com/plugins/cleantalk-spam-protect/

    Ok – I know I might be radical here… but maybe, just maybe, you could add a captcha option yourself? I know you don’t approve, I’ve seen the posts when trying to google how to add captcha to mail poet… but perhaps evidence would suggest it could be useful? It doesn’t even need to be visible these days…
    Just a thought … you know… every other sign up form in the world has it… pretty please?

    @lickthespoon,
    We’ve just released MailPoet 2.8 with ReCaptcha support. Update, set up and enjoy!

    NSQRT

    (@nsqrt)

    Hi,

    I have double sign-in enabled for my newsletter subscriptions, and just updated MailPoet to 2.8.1 following mass subscriptions from the same email address, which generated several hundred activation confirmation emails and led to my account getting suspended for spamming by my hosting company.

    Can anyone confirm the following:
    – does 2.8.1 prevent this kind of attack, even WITHOUT enabling reCAPTCHA?
    – I selected ‘Invisible reCAPTCHA’ when signing up, yet after I enabled reCAPTCHA on the site and added the Site and Secret keys I got, I still see the reCAPTCHA form. Is this expected?
    – does changing to MailPoet 3 solve any of the above (that is, prevent mass subscription attacks or use Invisible reCAPTCHA properly)?

    Thank you,
    JM

  • The topic ‘26,000 Spam Newsletter Signups’ is closed to new replies.