• Resolved dzyanis

    (@dzyanis)


    I used this plugin for a couple of years and was glad to see new subscribers on my blog. But half a year ago I found that some new subscribers’ emails look very suspicious, like “[email protected]”, etc. By this time I had around 200 subscribers. And subscribers do not confirm their subscription by email. Well, I started to delete unconfirmed and suspicious emails, but they occur again and again. Therefore I decided to check if these are just bots, and for that, I deleted the subscribe form widget from my blog. And you know what? Even without the subscription form I continue to get new subscribers!!!! How is it possible? My explanation: the plugin “Simple and Effective Email Marketing WordPress” adds these fake users by itself or makes an open gate for bots! So, be very careful when using this plugin!!!

Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Contributor Shubhanshu Kandani

    (@shubhanshukandani)

    Hi @dzyanis,

    Thanks for contacting us.

    That’s strange! Is there any active user register workflow on your end that might be adding subscribers to the list? (Email Subscribers > Workflow). Could you please confirm it once?

    Referring to fake domains, are you seeing spam signups from particular domains?

    If yes, then enter the domain names (one per line) that you want to block. (screenshot shared click here).

    E.g.: Add mail.ru and other spammy domains to the box. Subscriptions to mailing lists will be blocked by this action.

    If you can verify the above suggestion, please let us know how it goes.

    Thank you!

    Thread Starter dzyanis

    (@dzyanis)

    Hello. Answering your questions:

    1. Here is the list of my workflows:
    Send welcome email when someone subscribes [status: active]
    Send confirmation email [status: active]
    Notify admin when someone subscribes [status: active]
    Notify admin when campaign is sent [status: active]
    User deleted [status: Not active]
    User updated [status: Not active]

    I believe these workflows are from installation time and no new ones were added.

    2. For example, yesterday I got two new subscribers; this is what they look like:
    Cesar Fadel [[email protected]]
    Mrs. Tara Fritsch [[email protected]]

    And these are fake emails because the users’ names are different from the names in the email before the @. Also, I know that because I have a very specialized professional technical blog in mechanical engineering, no random people want to subscribe to my technical posts. And of course, these two emails weren’t confirmed and will not be. It is 100% bots.

    To be honest with you, now I’m pretty sure this is an action from your plugin, from you, to push people to buy your plugin, because your PRO versions have additional security, like a captcha.

    I really want to use this plugin, but now I am concerned. Is the free version not safe to use?

    Thread Starter dzyanis

    (@dzyanis)

    @khanm You can try to use the paid version since it contains a captcha. I am still getting ghost users in the free version and the only way to proceed is either to find another plugin or use the paid version of this plugin (but this is also not 100% guaranteed to avoid bots).

    Plugin Contributor Shubhanshu Kandani

    (@shubhanshukandani)

    Hi @dzyanis ,

    We have added lots of security-related functionality and features to the free plan as well. Also, we don’t use this type of practice to sell the pro plan.

    There might be some other issue; we would really appreciate it if you allow us to solve your concern related to the plugin.

    On a priority basis, I will investigate your site and determine why the issue is occurring.

    We have a private support channel here. Could you please reach out to us there? Further communication will continue there.

    Please mention this thread URL while contacting us.

    Let us know if you have any further queries.

    Thank you!

    Thread Starter dzyanis

    (@dzyanis)

    After the investigation of the issue, the plugin maker informed me that the plugin has an API “to allow adding of subscribers programmatically”. This API has a bug that allows bot attacks that might be exploiting this API endpoint. As a result, bots add emails of different users who are not subscribed to your blog newsletters. If your blog sends emails to these users, they most likely will report spam from the domain of your blog. Finally, the reputation of your domain will go down and email providers will put your domain on the blacklist.
    There is no possibility to switch off the API so this plugin is very dangerous.

    In version 5.4.10 (1. Sep) an option to disable the subscription API was added.

  • The topic ‘[NSFW] Warning! This is a very dangerous plugin!’ is closed to new replies.
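
The signals the thread starter describes (unconfirmed status, signups created after the subscribe form was removed, names that do not match the address) can be checked over a subscriber export before any campaign is sent, so that only confirmed addresses receive mail. This is an added example, not code from the plugin or from anyone in the thread; the CSV column names, status values, addresses and the form-removal date are constructed assumptions.

```python
import csv
import io
import re
from datetime import datetime

# Constructed sample export. Column names and status values are assumptions,
# not the plugin's real export format.
SAMPLE_EXPORT = """name,email,status,created_at
Anna Keller,anna.keller@example.org,confirmed,2021-11-02 09:14:00
Jon Berg,jberg@example.com,unconfirmed,2022-01-15 18:30:00
Maria Lopez,qx7f2k@example.net,unconfirmed,2022-06-20 03:11:09
Peter Novak,zzk19@example.net,unconfirmed,2022-06-20 03:11:41
"""
# Constructed date on which the subscribe form was removed from the site.
FORM_REMOVED = datetime(2022, 6, 1)


def name_matches_local_part(name, email):
    """True if any name token of 3+ letters appears in the part before '@'."""
    local = email.split("@", 1)[0].lower()
    tokens = [t for t in re.findall(r"[a-z]+", name.lower()) if len(t) >= 3]
    return any(t in local for t in tokens)


def audit(export_text, form_removed):
    """Return (sendable, flagged): confirmed addresses, and reasons per suspect."""
    sendable, flagged = [], {}
    for row in csv.DictReader(io.StringIO(export_text)):
        email = row["email"].strip().lower()
        if row["status"].strip().lower() == "confirmed":
            sendable.append(email)  # only double-opt-in addresses get mail
            continue
        reasons = ["unconfirmed"]
        created = datetime.strptime(row["created_at"], "%Y-%m-%d %H:%M:%S")
        if created >= form_removed:
            # No form existed, so the signup arrived by another route (e.g. an API).
            reasons.append("created_after_form_removed")
        if not name_matches_local_part(row["name"], email):
            reasons.append("name_email_mismatch")
        flagged[email] = reasons
    return sendable, flagged


if __name__ == "__main__":
    ok, suspects = audit(SAMPLE_EXPORT, FORM_REMOVED)
    print("send to:", ok)
    for addr, why in suspects.items():
        print("hold:", addr, why)
```

The name check is a weak heuristic on its own; the confirmation status is what decides whether an address is mailed.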