Jetpack Sharing email can be abused for spam

@apachelance This issue is definitely high on our priority list. I’ll post again here as soon as we make progress on this. We’ll also mention it on our release changelog and release post when the problem is fixed.

Thanks for your feedback.

Any updates on fixing this issue?
(I see the issue is 4 months old and IMHO is is quite urgent)

thanks.

BTW: A side effect of this known ‘hole’ are that spammers seems to use it as a potential DOS attack too.

• This reply was modified 7 years, 10 months ago by nextpulse.

@nextpulse We haven’t found a good way to prevent this yet, but we’re looking into it.

Until then, I’d recommend implementing ReCaptcha by following this guide:
https://jetpack.com/2013/04/15/recaptcha-email-sharing-button/

Hello,

I’ve just experienced similar problems with spam emails to qq.com. Instead of adding reCaptcha would it be possible for me to just disable the email sharing option via jetpack settings?

Many thanks

Instead of adding reCaptcha would it be possible for me to just disable the email sharing option via jetpack settings?

Yes, you can remove the button from your enabled sharing buttons under Settings > Sharing in your dashboard.

Thanks for your reply! I’ve just done this and it seems they are still sending spam messages. I’m not sure how that’s possible if the email button is removed?

@videocollective Could you post an example of such an email here or send it to us via email so we can confirm it indeed uses the Email sharing button?

Thanks!

Just experienced same attack flooding my sendgrid account with 5k spam emails to qq.com.

We’re also experiencing the same issue. Several thousand emails to qq.com addresses in the last few days.

I hate to pile on, but we too experienced this issue with thousands of emails being sent via our SendGrid account. We disabled the sharing functionality and now temporarily block IPs that make the request. This was a month ago, but we’re still blocking a lot of IPs.

It would be nice to have this functionality back, in the event there is anything that can be done by the plugin to discourage this.

Hi All,

I had the same issue flooding my SendGrid account this week, and I’ve traced it to some hacked files in the wp-content > cache folder (WP Super Cache).

I had SendGrid bcc: me on the emails being sent. I saw that the sharing email was sharing of one specific post on the site (an attachment post).

This one post was related to the hacked PHP files in the cache folder.

I don’t know if this is useful to anyone as no one here has mentioned setting their SendGrid settings (on the SendGrid website) to bcc yourself to see what the contents of the emails to the @qq domain are, but that might be enlightening if you find that it is one specific post or set of posts. If indeed it is, I would dig deeper and see if per chance there are some hacked cache file related to that. It was true in my case, but I don’t know how the puzzle pieces go together.

Angela

This one post was related to the hacked PHP files in the cache folder.

Could you tell us more about this so others can look for a similar file in their WordPress installation?

Thanks!

I saw this problems half a year ago – I saw in my logs that thousands of thousands POST requests from a botnet were made. Luckily my clients didn’t needed the email share feature so I disabled it. To reduce the server load (because POST requests aren’t cached by the Cachify plugin) I wrote a small htaccess snippet to block the requests (ending in a 403 response). This solved the problem itself but the requests from the botnet didn’t stop.

So I wrote a small fail2ban filter to block access to the whole server via iptables. Within minutes, over 1000 IP addresses were blocked … and counting.

The user agent string is on every request the same:

Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36

Here a request from my log file:

XXX.XXX.XXX.XXX - - [11/Apr/2017:11:22:26 +0200] "POST https://URL/?share=email&nb=1 HTTP/1.1" 403 270 "https://URL/?share=email&nb=1" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"

Here is a list with a bunch of IPs: you can clearly see that most IPs are from the same range (from china): https://pastebin.com/msgNmrqS

I hope this can help to find a suitable solution.

• This reply was modified 7 years, 7 months ago by pixelbargmbh.
• This reply was modified 7 years, 7 months ago by pixelbargmbh.

I too have noticed this issue from the logs. Only after customer complaining that their emails (out) on that domain were being blocked at greater than 150 per hour, (and they might send a couple in that time). Shared Hosting. Error logs pointed to Jetpack.
What I spotted was multiple items like:
#1 /home1/username/public_html/ecom/wp-content/plugins/jetpack/modules/sharedaddy/sharedaddy.php(28): wp_mail(‘[email protected]’, ‘[Shared Post] A…’,
etc. (I have changed some details to keep information secure)
My solution at the time has been to temporarily disabled Jetpack to be safe. Would be nice to get it back again.
I had a feeling it was related to the PHPMailer issue (end of December). A reference here https://www.wordfence.com/blog/2016/12/phpmailer-vulnerability/
Anyway Jeremy – I hope this info helps (please feel free to ask me more).