Newsletter Plugin Support Forum: Spammers using the newsletter plugin widget for spam subscriptions

  • #242246
    nfnf-de
    Participant

    Hi there,

    Since yesterday we have regularly been receiving spam subscriptions via the Newsletter Plugin Widget. As far as we could find out, they are not using the form fields but are accessing the routine directly via [url]/?na=s; it then seems as if they are setting name, forename and email as POST variables.

    As this code is the same for every user of the Newsletter plugin, they most likely can use every installation of this plugin for making spam subscriptions.

    For the time being we had to deactivate the plugin, as we can’t change the code of the widget.

    We would suggest creating an individual token for the subscription link (../?na=s) for every installation of the Newsletter plugin. That would make it more difficult for them to access the subscription routine automatically.

    We would love to reactivate the Newsletter Plugin as this is a great tool!

    Many thanks in advance!

    • This topic was modified 9 months, 3 weeks ago by nfnf-de.
    #242263
    Stefano
    Keymaster

    Hi, try to enable the captcha on the security page and/or filter by IP or by domain name if they are using the same email address domain.

    Stefano.

    #242266
    nfnf-de
    Participant

    Hi Stefano,

    thank you so much for your fast reply!

    The captcha was enabled when the spam subscriptions came in and unfortunately they are using different IPs and Email addresses each time.

    I think this post has the same problem:

    A bunch of Spam Subscriptions – How can I use a Captcha or ReCAPTCHA

    Is there anything else we could do?

    Many thanks in advance!

    #242277
    Barclay Berger
    Participant

    I had the same thing happen; I had no idea they could do this. Is there a way to stop users from subscribing? I manually add my users to the list. This seems like a huge security hole.

    #242279
    wakeyjakey
    Participant

    We had this today as well…

    Worryingly, the Newsletter Plugin seems to have sent out emails, with the first line of our welcome email changed. The first line reads, “Hi ANNUAL DRAWING OF PRIZE FOR E-MAIL USERS – http://www.ugomezatydod.tk/b30356_prize2019_30356,”

    I think the plugin has sent 100s of emails inviting people to click on this phishing site – from our email address.

    God knows the GDPR implications of this!

    We tried adding the captcha but the spam kept on coming. Have had to disable the plugin.

    Can you advise?

    #242282
    nfnf-de
    Participant

    We found a workaround for this.

    As the spammers are targeting [url]/?na=s, you have to change this in the code of the plugin.

    This is for advanced users only! You have to be very careful when changing files of the plugin itself!

    To change it, go to the following files in the plugin folder of your WordPress installation, search for ‘s’ (case sensitive!) and change it to ‘sub’ or whatever you want:

    /newsletter/widget/minimal.php
    /newsletter/subscription/subscription.php
    /newsletter/includes/module.php

    We have reactivated the plugin this afternoon and until now there were no further spam subscriptions…

    • This reply was modified 9 months, 2 weeks ago by nfnf-de.
    #242843
    ahardy42
    Participant

    Hi, I have just finished setting up the newsletter plugin and I came across your post. I can see how spammers could have abused the URLs to add fake subscribers, but I don’t understand how they managed to hack the plugin so that it sent out the spam newsletter and phishing URL.

    Isn’t that part of the plugin API protected by your WordPress account authentication?

    It’s great that you posted a work-around for the fake account subscribe actions. Isn’t your site still vulnerable though, because the spammer just has to reregister themselves on your newsletter and the process emails will show them the work-around URL query parameters?

    Thanks and good luck!

    #243023
    ahardy42
    Participant

    It would be helpful to have a statement from Stefano or the Newsletter plugin team about this msg from Wakeyjakey in this thread above:

    Worryingly, the Newsletter Plugin seems to have sent out emails, with the first line of our welcome email changed. The first line reads, “Hi ANNUAL DRAWING OF PRIZE FOR E-MAIL USERS – http://www.ugomezatydod.tk/b30356_prize2019_30356,”

    I think the plugin has sent 100s of emails inviting people to click on this phishing site – from our email address.

    #243299
    Benjamin Bernard
    Participant

    I am having a problem with spammers as well… Just found out one of my emails is on 3 blacklists…. ouch..

    Has this been patched? Is there an update?

    Google reCaptcha v3 is a must these days… This math question seems like it could be manipulated easily

    #243484
    antzx2
    Participant

    Hi!
    Is there a way to block subscriptions with a specified name/surname? I use a simple form containing just an e-mail field and want to block spammers' POSTs with filled name/surname variables.

    I tried to modify the following functions but it didn't help (maybe I haven't enough skill):

    1. get_form_javascript() in /subscription/subscription.php
              // Note: this only generates browser-side JavaScript; a bot posting directly to ?na=s never executes it.
              if ($options_profile['name_status'] == 2 && $options_profile['name_rules'] == 1) {
                  //$buffer .= '    if (f.elements["nn"] && (f.elements["nn"].value == "" || f.elements["nn"].value == f.elements["nn"].defaultValue)) {' . "\n";
                  // Reject the submission whenever the name field carries a value (the original
                  // "value == '' || value !== ''" condition was always true and rejected everything).
                  $buffer .= '    if (f.elements["nn"] && f.elements["nn"].value !== "") {' . "\n";
                  $buffer .= '        alert("' . addslashes($options_profile['name_error']) . '");' . "\n";
                  $buffer .= '        return false;' . "\n";
                  $buffer .= '    }' . "\n";
              }
              if ($options_profile['surname_status'] == 2 && $options_profile['surname_rules'] == 1) {
                  //$buffer .= '    if (f.elements["ns"] && (f.elements["ns"].value == "" || f.elements["ns"].value == f.elements["ns"].defaultValue)) {' . "\n";
                  $buffer .= '    if (f.elements["ns"] && f.elements["ns"].value !== "") {' . "\n";
                  $buffer .= '        alert("' . addslashes($options_profile['surname_error']) . '");' . "\n";
                  $buffer .= '        return false;' . "\n";
                  $buffer .= '    }' . "\n";
              }
    2. newsletter_check(f) in /subscription/validate.js
          //if (!newsletter_check_field(f.elements["nn"], newsletter.messages.name_error)) return false;
          //if (!newsletter_check_field(f.elements["ns"], newsletter.messages.surname_error)) return false;
          // Guard against a form that has no name/surname element, otherwise .value throws a TypeError.
          if (f.elements["nn"] && f.elements["nn"].value !== "") {
              alert(newsletter.messages.name_error);
              return false;
          }
          if (f.elements["ns"] && f.elements["ns"].value !== "") {
              alert(newsletter.messages.surname_error);
              return false;
          }
    #243574
    antzx2
    Participant

    Looks like I found the solution for me.
    Maybe it will help someone else: you need to add the following code at the top of the function subscribe($status = null, $emails = true) in /subscription/subscription.php

            // The simple form only has an e-mail field, so any request that also carries
            // a name ("nn") or surname ("ns") did not come from the form and is rejected.
            if (isset($_REQUEST['nn']) || isset($_REQUEST['ns'])) {
                die('Wrong registration data');
            }
    #244001
    Stefano
    Keymaster

    Hi guys, I’m sorry if you’re experiencing those subscription spam problems. I would like to recap how we protect the blog from spam subscriptions and how they try to use the subscription to spam.

    First, they subscribe using as first name or last name a URL or something which resembles a URL (word[dot]word[dot]word). Email clients, to help people, automatically transform those texts, which ARE NOT links in our email, into active links.

    So, first of all, you should remove the {name} and {surname} tags from your confirmation and welcome emails. Anyway, subscriptions are not accepted when the first name or last name contains “http://”. Of course the security option “antibot” should be enabled. Almost surely in the next release we will make those checks required.

    After those checks we do an antiflood check to avoid multiple subscriptions from the same IP address. Then we send all subscription data to Akismet to have a spam rating.

    Again, all those checks are applied if the security panel has the antibot option active (and yes, you’re right, the wording absolutely needs to be reviewed!).

    The subscription is accepted only if it is an HTTP POST and there is an intermediate hidden form with a nonce.

    So, to help us in fighting those spammers, update to the latest Newsletter version, check the security panel settings and look at the spam subscriptions: they should be very limited.

    We’re even introducing a subscription block on name patterns like the one above (word[dot]word[dot]word).

    Thank you for your collaboration, Stefano.

    • This reply was modified 8 months, 2 weeks ago by Stefano.
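The server-side checks described in Stefano's recap (POST only, nonce, URL-like or word[dot]word names, per-IP antiflood) together with antzx2's "unexpected name fields" rejection, as an added PHP example that is not the Newsletter plugin's own code; the function name, the nonce comparison and the in-memory antiflood store are assumptions standing in for the plugin's real mechanisms.

```php
<?php
// Added example, not Newsletter plugin code. Returns null when the subscription
// request may proceed, otherwise a short rejection reason for logging.
function nl_subscription_guard(array $req, string $method, string $ip,
                               string $expectedNonce, array &$lastSeen,
                               bool $formHasNameFields, int $minIntervalSec = 60): ?string {
    // Only an HTTP POST carrying the intermediate hidden form's nonce is accepted.
    if ($method !== 'POST') {
        return 'method';
    }
    if (!isset($req['nonce']) || !hash_equals($expectedNonce, (string) $req['nonce'])) {
        return 'nonce';
    }
    // antzx2's workaround: a form with only an e-mail field never sends "nn"/"ns";
    // a request to ?na=s that sets them did not come from the form.
    if (!$formHasNameFields && (isset($req['nn']) || isset($req['ns']))) {
        return 'unexpected_fields';
    }
    // Reject names containing a URL or a word[dot]word[dot]word pattern, which a
    // mail client would render as a clickable link inside the welcome e-mail.
    foreach (['nn', 'ns'] as $field) {
        $value = (string) ($req[$field] ?? '');
        if (stripos($value, 'http://') !== false || stripos($value, 'https://') !== false) {
            return 'url_in_name';
        }
        if (preg_match('/\w+\s*\[dot\]\s*\w+(\s*\[dot\]\s*\w+)*/i', $value)) {
            return 'dotted_name';
        }
    }
    // Antiflood: at most one subscription per IP within the configured interval
    // (assumed in-memory store; the plugin persists its own IP tracking).
    $now = time();
    if (isset($lastSeen[$ip]) && ($now - $lastSeen[$ip]) < $minIntervalSec) {
        return 'antiflood';
    }
    $lastSeen[$ip] = $now;
    return null;
}

// Constructed sample requests: a legitimate subscriber and the bot pattern from this thread.
$seen  = [];
$legit = ['ne' => 'alice@example.com', 'nn' => 'Alice', 'nonce' => 'tok123'];
$bot   = ['ne' => 'x@example.net', 'nonce' => 'tok123',
          'nn' => 'ANNUAL DRAWING OF PRIZE - www[dot]example[dot]tk'];
foreach ([['legit', $legit, 'POST', '203.0.113.5'],
          ['bot', $bot, 'POST', '203.0.113.9'],
          ['legit-via-GET', $legit, 'GET', '203.0.113.5']] as [$label, $r, $m, $ip]) {
    $reason = nl_subscription_guard($r, $m, $ip, 'tok123', $seen, true);
    echo $label, ': ', $reason === null ? 'accepted' : 'rejected (' . $reason . ')', PHP_EOL;
}
```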