• We are MailPoet 2 users who are seeing continual unknown registrants (all from the same domain). We delete them, and they get re-added automatically.

    Is it possible there’s some sort of security issue with this plugin?

Viewing 7 replies - 1 through 7 (of 7 total)
  • Same problem for me too.
    2 sites.

    Hey,

    Unfortunate to hear that you’ve been targeted by spammers.
    But this is the internet, and such attacks tend to happen for everyone.

    One thing you can do, which other users found success with, is to enable ReCaptcha in your plugin’s settings.
    I’m sure you’ve run into it elsewhere in your daily browser, but you can read more about it here: https://www.google.com/recaptcha/intro/index.html

    Doing so should add ReCaptcha to your subscription forms, blocking automated subscription attacks (which usually don’t solve captchas).

    You can read more about this approach in our Knowledge base articles:
    For MP2 users: https://docs.mailpoet.com/article/25-fake-signups-what-to-do
    For MP3 users: https://beta.docs.mailpoet.com/article/219-fake-signups-what-to-do

    Best regards,
    MailPoet Team.

    Thread Starter thomascj

    (@thomascj)

    We could certainly try recaptcha... but how is this even happening? We do not have open subscriptions, and no information about the list has ever been posted on our website.

    Since you mentioned using MailPoet 2, that could suggest a different way of dealing with subscriptions than how MailPoet 3 deals with them.
    If you have a subscription form already created – that could potentially allow such behavior, even if it’s not shown anywhere.

    If it is an option for you – you could upgrade to MailPoet 3.

    Thread Starter thomascj

    (@thomascj)

    That is actually the answer — there were some basic (unused) forms we didn’t even know about. I deleted them and suspect that will resolve it for us.

    FWIW we do plan on upgrading to MP3, but have a communication being developed/drafted now. Once we’ve finished that one we’ll be completing the upgrade to MP3.

    @wysija

    I have had the same problem on my blog for the last few days.

    What I have analysed so far is that those fake signups aren’t coming from the website interface. The attackers seem to be targeting the PHP libraries directly or using the HTML form in a way a normal user couldn’t.
    Those fake signups are assigned to no “list” on my WordPress blog; normally, when you sign up, they get assigned to the list “newsletter”, even if they aren’t confirmed yet.

    So, maybe you could put a simple option field in the settings of MailPoet (I’m using the latest version 2) like “deny subscriptions without explicit subscription-list” and check/validate this within the library directly, shortly before sending the subscription mail? This would solve the problem for all of us and it is really, really easy to implement.
    I read on other forums too that many users have been having spammer problems with MailPoet 2 over the last few days.

    I would be glad to hear that this might be a solution you can implement in the next few days?

    • This reply was modified 6 years, 8 months ago by xspyrox.
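
A triage sketch for the two indicators reported in this thread (signups clustered on one domain, and signups attached to no list). It is an added example, not code from MailPoet or from any poster; the CSV column names (`email`, `lists`, `created_at`) and the sample rows are constructed assumptions, not MailPoet's actual export format.

```python
import csv
import io
from collections import Counter

# Constructed sample export. Column names are assumptions for illustration.
SAMPLE_EXPORT = """email,lists,created_at
alice@example.org,newsletter,2019-01-03 09:12:00
bob@example.net,newsletter,2019-01-04 17:40:00
x1@spam-domain.test,,2019-01-10 02:00:01
x2@spam-domain.test,,2019-01-10 02:00:04
x3@spam-domain.test,,2019-01-10 02:00:09
carol@example.com,,2019-01-11 11:30:00
"""


def domain_of(email):
    """Lower-cased domain part of an address, or '' if there is no '@'."""
    if "@" not in email:
        return ""
    return email.rpartition("@")[2].strip().lower()


def triage(export_text, min_cluster=3):
    """Split list-less subscribers into clustered suspects and singletons.

    Returns (suspects, flagged_domains, review):
      suspects        - list-less addresses whose domain appears >= min_cluster times
      flagged_domains - {domain: count} for those clusters
      review          - remaining list-less addresses, to be checked by hand
    """
    rows = list(csv.DictReader(io.StringIO(export_text)))
    # Indicator 1: subscriber exists but is attached to no list.
    unlisted = [r for r in rows if not (r.get("lists") or "").strip()]
    # Indicator 2: many of those share one sending domain.
    counts = Counter(domain_of(r["email"]) for r in unlisted)
    flagged = {d: n for d, n in counts.items() if d and n >= min_cluster}
    suspects = [r["email"] for r in unlisted if domain_of(r["email"]) in flagged]
    review = [r["email"] for r in unlisted if domain_of(r["email"]) not in flagged]
    return suspects, flagged, review


if __name__ == "__main__":
    suspects, flagged, review = triage(SAMPLE_EXPORT)
    print("clustered list-less signups:", suspects)
    print("domains to consider blocking:", flagged)
    print("list-less, review manually:", review)
```

Addresses in the `review` group are not necessarily fake; a list-less subscriber can also be a legitimate record whose list was deleted later.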

    This issue is also being discussed at the WP forum for MailPoet Newsletters (previous)

  • The topic ‘Security Issues? Automatic unknown subscribers’ is closed to new replies.