Hello again @pers,
After closer inspection of the issue we have to say the following:
Generally it is not secure to rely on any other header than REMOTE_ADDR for getting the user’s IP address. Headers like HTTP_X_FORWARDED_FOR can be easily spoofed by an attacker: https://stackoverflow.com/a/7623256/1320363 Thus MailPoet can’t check those headers or it will put users who aren’t behind a proxy at risk.
In fact, it works the same way in WordPress core (https://core.trac.www.ads-software.com/browser/trunk/src/wp-includes/comment.php#L2011), see their recommendation:
We use REMOTE_ADDR here directly. If you are behind a proxy, you should ensure that it is properly set, such as in wp-config.php, for your environment.
So the best solution behind a firewall is to configure your server or website to properly set the REMOTE_ADDR header to the end user’s IP address. For example, you can add a couple of lines to your wp-config.php: https://core.trac.www.ads-software.com/ticket/9235#comment:40
If you are unable to do that for any reason, you can disable MailPoet throttling by adding a hook in your theme’s functions.php or elsewhere:
add_filter('mailpoet_subscription_limit_enabled', '__return_false');
Hope this helps,
Alex.
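
Added example, not part of the reply above and not MailPoet or WordPress code: one way to set REMOTE_ADDR in wp-config.php so that X-Forwarded-For is honoured only when the connection really comes from your own reverse proxy. The names `TRUSTED_PROXIES` and `trusted_client_ip()` are hypothetical, the addresses are constructed placeholders, and proxies are matched by exact IP only (no CIDR ranges).

```php
<?php
// Added example for wp-config.php. TRUSTED_PROXIES and trusted_client_ip() are
// hypothetical names; 203.0.113.10 is a constructed placeholder for your proxy.
const TRUSTED_PROXIES = ['203.0.113.10'];

function trusted_client_ip(array $server, array $trusted): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    // Peer is not our proxy: the header is fully client-controlled, ignore it.
    if (!in_array($peer, $trusted, true)) {
        return $peer;
    }
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    // Walk right to left: the rightmost entries were appended by our own
    // proxies; everything left of the first untrusted hop came from the client.
    foreach (array_reverse($hops) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break; // malformed entry: stop and fall back to the peer address
        }
        if (!in_array($hop, $trusted, true)) {
            return $hop;
        }
    }
    return $peer;
}

// Rewrite REMOTE_ADDR once, before WordPress and plugins read it.
if (isset($_SERVER['REMOTE_ADDR'])) {
    $_SERVER['REMOTE_ADDR'] = trusted_client_ip($_SERVER, TRUSTED_PROXIES);
}

// Constructed sample requests (remove from a real wp-config.php):
// 1. Direct connection with a forged header: the header is ignored.
$spoofed = ['REMOTE_ADDR' => '198.51.100.7', 'HTTP_X_FORWARDED_FOR' => '10.0.0.1'];
// 2. Via the trusted proxy; the client also forged a leading entry,
//    but only the hop appended by the proxy is used.
$proxied = ['REMOTE_ADDR' => '203.0.113.10',
            'HTTP_X_FORWARDED_FOR' => '10.0.0.1, 192.0.2.44'];
assert(trusted_client_ip($spoofed, TRUSTED_PROXIES) === '198.51.100.7');
assert(trusted_client_ip($proxied, TRUSTED_PROXIES) === '192.0.2.44');
```

With REMOTE_ADDR set this way, throttling keys on the real client address behind the proxy, while a site reached directly keeps the socket address and cannot be bypassed by sending a forged header.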