• Resolved joshuaall

    (@joshuaall)


    Hello, I got the same problem as already explained in this topic, and it has been happening for months. The spammers/spam bots misuse the name field to send short text & URLs (spam) to the email they provide, using my website.

    My version of TheNewsletterPlugin is always up to date, and this happens with all security options being active.

    Please provide a quick fix by allowing us to set a limit for the name length and blacklist IPs that try to input URLs into the name field (and all other fields that are not supposed to contain URLs).
    I would very much appreciate it.

    • This topic was modified 4 years, 9 months ago by joshuaall.
Viewing 15 replies - 1 through 15 (of 18 total)
  • Plugin Author Stefano Lissa

    (@satollo)

    Hi, the IP blacklist is already there on the security panel, with the domain blacklist.
    Are you using a custom form or a contact form or a WP registration plugin to collect the subscribers?

    Or do you have the “api addon” installed?

    We made the checks on subscription fields mandatory on all subscriptions, moving the check as low as possible in the subscription procedure.

    Let me know if you still have fake subscriptions after the update released yesterday.

    Stefano.

    Thread Starter joshuaall

    (@joshuaall)

    Hello, thanks for your answer.

    I am not using any addon (like the api addon) or custom form, only the {subscription_form} tag.

    I meant automatic blacklisting; it is quite hard to blacklist bots manually.

    Will report back in a day if there are no spam subscriptions anymore.

    Thread Starter joshuaall

    (@joshuaall)

    @satollo
    Even with the latest update there sadly are many spam mails:
    Post SMTP Log
    Newsletter Abonnents list

    This is annoying. The problem still exists.

    Plugin Author Stefano Lissa

    (@satollo)

    Hi, every subscription containing http in the name is blocked by default. So, can you share the blog address where the subscription form is installed to check that kind of subscriptions?

    Thanks, Stefano.

    Plugin Author Stefano Lissa

    (@satollo)

    Hi, I found the site address in a previous request. If I try to force a subscription with http in the name, it is blocked.

    Have you access to the “access logs” of your server?

    Stefano.

    Thread Starter joshuaall

    (@joshuaall)

    @satollo
    That is an interesting find. I just tried it and http in names is blocked (I was sent to a non-existent site).

    I just looked at the newsletter logs: while my own tries are clearly blocked and logged in the antibot.txt, there are no other cases of blocking as a result of “http” in the name.
    However, in the subscription.txt the spam subscriptions are logged as “New Email Adress”.

    In my access log I found the following example of a spam subscription (other spam hits are similar):

    176.59.108.30 - - [06/Feb/2020:20:38:28 +0100] "POST /?na=s HTTP/1.0" 200 1966 "https://frei-von-angst-und-zwaengen.de/" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36" frei-von-angst-und-zwaengen.de

    176.59.108.30 - - [06/Feb/2020:20:38:31 +0100] "POST / HTTP/1.0" 302 - "https://frei-von-angst-und-zwaengen.de/?na=s" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36" frei-von-angst-und-zwaengen.de

    176.59.108.30 - - [06/Feb/2020:20:38:34 +0100] "GET /newsletter-2/?nm=confirmation&nk=893-13def7485ba4e51e579f2d821cca626a HTTP/1.0" 200 29135 "https://frei-von-angst-und-zwaengen.de/?na=s" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36" frei-von-angst-und-zwaengen.de

    Does this information help in any way? Please tell me if I could do anything else or provide further information.

    • This reply was modified 4 years, 9 months ago by joshuaall.

    Three more “new subscribers” today with these examples in the name:

    Возьмите Ваш лотерейный билет – https://xojajyjenify.ga/643335_B8jPcBt Действительно До 07.02.2020!

    Заберите Ваш лотерейный билет – https://qacovoxoqosa.gq/647010_FODGM Действительно До 07.02.2020!

    Заберите Ваш лотерейный билет – https://qacovoxoqosa.gq/647010_FODGM Действительно До 07.02.2020!

    Would love to find a way to stop this everyday.
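An added example, not part of the thread and not the plugin's own code: a Python script that reads an access log in the layout quoted above, pairs each `POST /?na=s` with the `nm=confirmation` request that follows from the same IP, and reports how many seconds passed between them. The sample lines, the function names and the "no earlier page fetch" heuristic are assumptions made for illustration.

```python
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed sample in the log layout quoted in the thread (documentation
# IPs and example.org; none of these lines come from the poster's server).
SAMPLE_LOG = '''\
192.0.2.10 - - [06/Feb/2020:20:38:28 +0100] "POST /?na=s HTTP/1.0" 200 1966 "https://example.org/" "Mozilla/5.0" example.org
192.0.2.10 - - [06/Feb/2020:20:38:31 +0100] "POST / HTTP/1.0" 302 - "https://example.org/?na=s" "Mozilla/5.0" example.org
192.0.2.10 - - [06/Feb/2020:20:38:34 +0100] "GET /newsletter-2/?nm=confirmation&nk=1-0000 HTTP/1.0" 200 29135 "https://example.org/?na=s" "Mozilla/5.0" example.org
198.51.100.7 - - [06/Feb/2020:21:02:00 +0100] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0" example.org
198.51.100.7 - - [06/Feb/2020:21:03:10 +0100] "POST /?na=s HTTP/1.1" 200 1966 "https://example.org/" "Mozilla/5.0" example.org
'''

# client IP, timestamp, method and request path of one log line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*" \d{3} ')

def subscription_flows(log_text):
    """Pair each subscription POST (?na=s) with the confirmation hit after it."""
    seen_get, pending, flows = set(), {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # line is in some other format
        ip, raw_ts, method, path = m.groups()
        ts = datetime.strptime(raw_ts, "%d/%b/%Y:%H:%M:%S %z")
        query = parse_qs(urlsplit(path).query)
        if method == "POST" and query.get("na") == ["s"]:
            flow = {"ip": ip, "submitted": ts, "prior_get": ip in seen_get,
                    "secs_to_confirmation": None}
            flows.append(flow)
            pending[ip] = flow
        elif method == "GET" and query.get("nm") == ["confirmation"]:
            flow = pending.pop(ip, None)
            if flow is not None:
                delta = ts - flow["submitted"]
                flow["secs_to_confirmation"] = delta.total_seconds()
        elif method == "GET":
            seen_get.add(ip)  # this IP loaded a page before any later submit
    return flows

def flag_for_review(flows):
    """Assumed heuristic: a submit with no earlier page fetch from that IP."""
    return sorted({f["ip"] for f in flows if not f["prior_get"]})

if __name__ == "__main__":
    flows = subscription_flows(SAMPLE_LOG)
    for f in flows:
        print(f["ip"], f["submitted"].isoformat(), f["secs_to_confirmation"])
    print("review:", flag_for_review(flows))
```

The flagged IPs and timestamps can then be matched against the entries in the plugin's subscription.txt and antibot.txt logs mentioned above.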

    Plugin Author Stefano Lissa

    (@satollo)

    Hi, are you sure you do not have another site/installation modified to store the subscriptions in the table of the original site we’re looking at https://dl-navigator.by/?

    What about this domain? https://frei-von-angst-und-zwaengen.de/

    Thread Starter joshuaall

    (@joshuaall)

    @satollo
    There is no other site or script or plugin that has access to the database and/or stores subscriptions on my website.

    • This reply was modified 4 years, 9 months ago by joshuaall.
    Plugin Author Stefano Lissa

    (@satollo)

    Hi, try to change the database password for the blog receiving spam subscriptions. Maybe a test site using the same database? By changing the password we can even check this case.

    Stefano.

    Thread Starter joshuaall

    (@joshuaall)

    Hello @satollo,
    I changed the password yesterday and there are still new spam registrations.
    They are somehow able to circumvent the http blocks, as the access logs above and this screenshot (Wordfence plugin) show!

    Plugin Author Stefano Lissa

    (@satollo)

    Hi, you need to check if the activity by Wordfence actually is related to a fake registration with “http” in the subscriber name or not.

    Stefano.

    Thread Starter joshuaall

    (@joshuaall)

    @satollo Hi, thanks, but I did that ofc. Also my reply from nearly 4 days ago implies that I did.

    Joshua

    • This reply was modified 4 years, 9 months ago by joshuaall.
    Plugin Author Stefano Lissa

    (@satollo)

    And that subscriber, with id 915, has “http” in the first or last name?

  • The topic ‘Fake registrations, Spam’ is closed to new replies.