Weird Email-subscribers

Dear all

we have the same issue. We have double opt-in and I tried do remove the subscribe form from our page but the spam didn’t stop.
The only solution for the moment is to deactivate the plugin. As soon as I reactivate the plugin the spam starts again.
We have only one group “Neuigkeiten” for which the real users can subscribe. The spam users do have the group “public” which we do not use on our side.

For me it seems that there is a back door which is used and which have to be fixed.

See also the other topics here:
https://www.ads-software.com/support/topic/loads-of-new-russian-based-subscribers/
https://www.ads-software.com/support/topic/truncate-or-limit-namefield-input/
https://www.ads-software.com/support/topic/new-subscriber-without-signup-form/

Thanks for your help.

Cheers
Heike

Even with Double Opt-in enabled, some of the spam subscriptions are getting confirmed.

Every one reporting the issue is being spammed by emails from Russian (.ru) domains. There indeed seems to be a backdoor. Developers need to address the issue soon otherwise it may adversely affect plugin’s reputation.

Over the past few days, my site’s email subscriptions form has been inundated with .ru requests. It would appear that disabling is not the solution. The only one available at the moment appears to be manually bulk deleting.

This plugin has been flawless until recently and so I’m posting my comments here in the hope that the author will act on mine and others concerns as fast as possible. Filtering domains is one suggested solution.

Authors, keep up the good work to date and seek a solution. Many thanks

I was hopeful that the 3.4.9 version released today would resolve this spam issue. The changelog clearly states “Fix: Prevent spam signups”. However, it does not look to be the case as it is still possible to sing up with URLS and long text in the Name field. Did I have miss some configuration settings???

Disappointing…

• This reply was modified 6 years, 8 months ago by thnilsen.

I updated the plugin to the new Version and reactivated it. Just 2 minutes later there are new spam signups…
I had to deactive it once again.

Dear developers
please have a look again and fix the problem.

Cheers Heike

I updated the plugin to the new Version and reactivated it. Just 2 minutes later there are new spam signups…
I had to deactive it once again.

Me too ??

https://prntscr.com/ix78km

Hi there,

you can add this quickfix to your theme’s functions.php:

add_action( 'parse_request', 'es_plugin_parse_request_yebattebya', 1 );
function es_plugin_parse_request_yebattebya($qstring)
{
    if (array_key_exists('es', $qstring->query_vars)) 
    {
        $cyrillic = false;
        $es_name = isset($_POST['es_name']) ? $_POST['es_name'] : '';
        // remove the following line if you need to support cyrillic names
        $cyrillic = preg_match('/[\x{0410}-\x{044F}]+/U',$es_name) === 1;
        if ( strpos($es_name, 'http') !== false || $cyrillic )
        {
            remove_action( 'parse_request', 'es_plugin_parse_request' );
        }
        return !1;
    }
}

@njjose , @thnilsen , @sapozhnik , @servicedeskpronovo , @olliemax , @gopiakshay , @ureir , @biketom , @haagamble , @x96816 , @arishai , @riclefebvre , @t2m , @ladyfelidae , @thepsychicapprentice , @setyl

Apologies for the inconvenience caused.

We did release a fix yesterday but looks like it is still not fixed for some users. We are looking into it on priority and will soon release a new version.

Sad to say it didn’t work for me either. I installed it about half an hour ago and already have 2 new spam subscribers. Thanks for all your efforts to get it fixed.

Hello All,

Ok so we have a hacker running a brute force routine..

I think unfortunately The fix has to come in two forms…

1. For the group selector plugin (input fields protected)
2. For the core Plugin, change the direct Db injection method.

So do we think the spammer has broken the encryption method to use a Db path to sent and target each website??

If so then they can just keep changing the values and hitting you with it regardless when your core plugin is active, deactivating the group selector plugin will not make any difference if they already have your Db details.

Until a better Sign up ULR or verification URL can be utilised along with an expiration (short life) this is not going to go away.

I also think the variables in the Double Opt-In Confirmation Link need some form of better protection.

As a precaution I have disabled my group selector plugin so this no longer shows on our site to collect interested parties.

We have been hit with this as well. sigh

Doing the double opt-in
and exporting the email list

and hoping it is fixed with latest plugin update (2 days ago?)

If not is the only recourse to delete the plugin? (not deactivate – delete?)

@x96816

Apologies if you have already found the unsubscribe area but you can unsubscribe from your profile under subscriptions..

@dragonsjaw there’s no need to delete the plug-in. Deactivating it is enough.

Currently, I’ve deactivated it and I re-activate it just before posting a new article. (I double check the subscribers list before posting.) So it is transparent to my regular subscribers, as they are receiving the notification emails as usual.

But I’m in a very specific configuration: closed subscriber list and I’m the only contributor to the site…

Yup same issue .ru email addresses every 5-10 minutes. Started at the same time. Clearly affecting everyone.

I didn’t have the name field on, so I turned it on and it makes no difference. The spam comes through either way.

Hey Guy’s,

Seed for thought..

One thing I forgot to mention isI have closed down rpc via a plugin.. disable XML-RPC.

This will of course cause issues for people using the jetpack as they use the XML RPC method a lot.

But this might help try and stop the back door route if it is being used.. in my opinon it is a no brainer to install activate and see if it stops the remote subscriptions being issued remotely.. if not you can always deactivate and uninstall it.