• Resolved douglasmcgaughey

    (@douglasmcgaughey)


    Version 3.5.15
    I updated my Email Subscribers and Newsletters to this new version, and now I’m getting 100s of spam email subscribers. The FAQ from 7 months ago says that a new update is coming to fix the problem. I need it now! Smile!

    Thanks!

    Doug


Viewing 15 replies - 1 through 15 (of 20 total)
  • I am having the same issue. TONS of spam. Last week it was all Russians. This week, it’s across the board.

    I’m having the same issue from all different email addresses: icloud, yahoo, msn, gmail, and so on. How do I get it to STOP?

    Hello,

    Sorry for the inconvenience you had.

    We are looking into this issue and will fix it ASAP.

    Hello Malay,

    Any luck on this? We are at the point where we are considering removing your plugin. It would be a shame if it is disabled just like that. Did you find a solution?

    We are having the same issue—way too many spam signups! Any updates on this?

    • This reply was modified 6 years, 4 months ago by itpetersen.
    Thread Starter douglasmcgaughey

    (@douglasmcgaughey)

    Hello Malay,

    Thanks for your efforts at addressing the spamming problem!

    Does the “Pro”-Version have the same problem with this subscriber spam?

    Hi,

    The SPAM problem doesn’t persist with everyone using Email Subscribers and so we can’t promise that the issue will be resolved immediately when activating Email Subscribers Pro. However, we haven’t seen such an issue with Email Subscribers Pro.

    Also, the development team is working to fix this SPAM issue in the free version, and you can expect a resolution soon.

    This is getting more critical. My blog address is now marked as a spam site because of all of the confirm emails being sent out–several hundred a day.

    We all need workarounds.

    Does the team know the path by which these are coming in? Would it help to put a .htpasswd file on /wp-admin?

    Is there a way to make a group not require the confirmation email, yet require it for the group we really use (the fake subscriptions are all in the public group, which I don’t use)?

    Is it possible to delete the public group and would doing that prevent these subscriptions, or would it simply be re-created?

    I hate to end it this way, but the problem is very serious for us. If you can’t help us all shut this problem down, can you suggest an alternate subscription plug in we can switch to?

    Thanks,
    -Al

    Any update on this? I’ve had to deactivate the plugin because we were getting too many spam email signups.

    How do you now send out your notifications?
    Thanks.

    Hi all: I took ours down. Even double-optin email and other tricks didn’t do it. The plugin is just compromised and no reason to ruin your site. Of course we exported users so they are not lost and about to pick another similar plugin with link to mailerlite or MailChimp for managing the subscribers. Makes no sense to keep the drama going.

    Hello All,

    Sorry for the inconvenience you had.

    Yes..Email Subscribers Pro version will fix this with the help of Captcha.

    We are also working on the free version of Email Subscribers to stop spam subscription. Will fix the issue today and release a new version.

    Will update you as soon as we release a new version.

    Stay tuned..

    Thanks to the team for getting a fix incorporated for this. We appreciate it.

    Here’s what I did to stop the spam emails. While the updated plugin should fix this particular case, what we have been seeing is a successful attack through a method that would remain usable against other plugins. I’ve shut down the method that was used here so it can’t be used for future attacks.

    This will work for people who have access to the file system at the hosting site, and who are comfortable editing configuration files.

    IF YOU MAKE A MISTAKE EDITING THIS FILE, YOU CAN BREAK YOUR SITE, in ways that are difficult to diagnose.

    BEFORE YOU DO ANYTHING, MAKE A COPY OF THIS FILE SOMEWHERE!

    The file involved is .htaccess (notice the leading period), in the directory that contains wp-admin, wp-content, etc.

    When I looked at my access logs, I noticed that there were many connections using the curl user agent. Curl is a command-line program to access web sites, that is singularly unsuited to looking at WordPress sites. No valid user will be coming in this way. What’s going on? I also noticed that there were curl HTTP POST operations, which is how data are sent to a website (as opposed to getting information from the site), and the timestamps of those POSTs matched the fake subscriptions. Bingo!

    So I closed down curl access to my site, by adding these lines to the top of my .htaccess file. It must be before the lines added by WordPress.

    # Added to stop curl access!
    RewriteEngine on
    RewriteCond %{HTTP_USER_AGENT} ^curl
    RewriteRule ^.* - [F,L]
    # End of curl elimination

    I’ve now gone 18 hours with no new fake subscriptions; unheard of in the past few weeks.

    As I said earlier, this cuts out a broad class of attacks, and in my opinion is worthwhile even when we have the new plugin.

    Hope this may help some people, and again, THANK YOU to the team for this plugin and the upcoming fix for this problem.

    -Al
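
The log check described in the post above, as an added example (not part of the original thread and not the plugin's code): it pulls POST requests with a curl User-Agent out of Apache combined-format access log lines and pairs them with signup timestamps. The log lines, the request path `/subscribe-placeholder` and the signup times are constructed samples, and the function names are hypothetical.

```python
import re
from datetime import datetime, timedelta

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample lines (documentation IP ranges, placeholder path).
SAMPLE_LOG = """\
192.0.2.10 - - [12/Mar/2019:08:14:02 +0000] "POST /subscribe-placeholder HTTP/1.1" 200 512 "-" "curl/7.58.0"
198.51.100.7 - - [12/Mar/2019:08:15:40 +0000] "GET /blog/ HTTP/1.1" 200 9034 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.11 - - [12/Mar/2019:08:16:30 +0000] "POST /subscribe-placeholder HTTP/1.1" 200 512 "-" "curl/7.58.0"
198.51.100.7 - - [12/Mar/2019:08:20:05 +0000] "POST /subscribe-placeholder HTTP/1.1" 200 498 "https://example.org/blog/" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.5 - - [12/Mar/2019:08:21:00 +0000] "GET /feed/ HTTP/1.1" 200 2048 "-" "curl/7.58.0"
""".splitlines()

# Constructed signup times, as they would be exported from the subscriber list.
SAMPLE_SIGNUPS = [
    datetime.strptime(s, "%Y-%m-%d %H:%M:%S%z")
    for s in ("2019-03-12 08:14:03+0000", "2019-03-12 08:16:30+0000", "2019-03-12 08:20:06+0000")
]

def curl_posts(lines):
    """Return parsed entries for POST requests whose User-Agent starts with 'curl'."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)  # None for lines that are not in combined format
        if m and m["method"] == "POST" and m["ua"].lower().startswith("curl"):
            entry = m.groupdict()
            entry["time"] = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            hits.append(entry)
    return hits

def match_signups(posts, signups, window_seconds=5):
    """Pair each signup with a curl POST logged within window_seconds of it."""
    window = timedelta(seconds=window_seconds)
    pairs = []
    for signup in signups:
        for post in posts:
            if abs(signup - post["time"]) <= window:
                pairs.append((signup, post["ip"]))
                break
    return pairs

if __name__ == "__main__":
    print(match_signups(curl_posts(SAMPLE_LOG), SAMPLE_SIGNUPS))
```

Signups left unmatched (the third one in the sample, which arrived from a browser agent) did not come in through curl POSTs and need a separate look. The User-Agent header is set by the client, so a match is a triage signal for this traffic pattern, not an identification of the sender.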

    Thread Starter douglasmcgaughey

    (@douglasmcgaughey)

    I’ve received no notice of an updated plugin on my site.

    @alsimons Thank you for the fix. We really appreciate it.

    Just want to update you that we have just released a new version of Email Subscribers (3.5.16).

    We have fixed 2 important issues in this version.

    1. Spam subscription issue
    2. Visitors are not able to register if they fill the form with autofill feature of Chrome.

    Please check and let us know how it goes.

    Sorry for the inconvenience you all had, and we really appreciate your patience in giving us time to fix this issue.

  • The topic ‘Spam Subscribers’ is closed to new replies.