• Resolved gavflan

    (@gavflan)


    Hey,
    I’ve been away for a week, got back to find just over 26,000 spam signups to my newsletter.

    The emails seem genuine, name@gmail.com etc but prob almost all are spam.

    My newsletter form is simply a “Sign up to newsletter” box, no checks.

    In Mailpoet I can’t find any security setting or captcha setting, so any idea how to solve this?

    Any help appreciated.

Viewing 15 replies - 1 through 15 (of 44 total)
  • Hey, we’re aware of this since last week (22/09) and we are working on a fix that is currently being tested by several of our users.

    We’ll be releasing an update once we confirm that our fix is working.

    Thanks for your patience. We know it’s a pain.

    Thread Starter gavflan

    (@gavflan)

    Thanks,
    I have installed WP Spamshield which seems to be working.

    Not tech savvy at all so can’t be sure this is what I ultimately needed, but not spam at the moment.

    FYI We just released a new version of MailPoet 2 (version 2.7.13) containing a patch to prevent this mass subscription attack.

    Hi,
    after updating to version 2.7.13, the problem apparently still exists. After dumping the HTTP traffic, I could successfully reproduce an exploit. Since it wouldn’t be pretty smart to exactly describe that here, how can I send you more information about that?

    Sorry, unfortunately, I posted in a hurry. The problem I found is not a mass of signups, but spam being sent over wysija using an exploit.

    I have the same issues as @grobmotoriker

    Since Sept. 21st someone uses an exploit to send emails through Mailpoet. If I disable the Send with settings of Mailpoet it stops (because then it cannot use the Sendgrid API anymore).
    Sendgrid account itself is not compromised. But changing password there does not solve it, because as soon as I enable the Sendwith settings of Mailpoet (with the changed credentials) it starts again.

    Any idea how to stop this?

    Grobmotoriker, were you able to fix it by manually altering code in class.sendgrid.php ?

    Hello @sincereblue,

    I don’t have experience with the WordPress source code and the site is administrated by a different company (we are just hosting it), so I didn’t really dig into the code. For the moment, they just disabled the Mailpoet plugin.

    What I can tell you is that the exploit seems to completely bypass any authentication. I tested this with two websites on two different machines: the one that was sending spam, and a different machine which didn’t send spam so far, but, as it turned out, could also be exploited successfully. There is no authentication required, I could do this by just sending a simple POST request from my PC – and I didn’t even have any credentials for those websites. I think, this is a serious issue that should be fixed quickly.

    Thx. On the affected machine, have you located if the exploiting POST requests are coming from a single IP? As a short term measure that could be blocked?
    Or would it be possible to add a regular expression into the .htaccess to deny access for this POST request to the machine in the first place?

    Well, in our case, the exploiting requests were originating from a single IP, yes. So, as a short term measure, you could try blocking that IP. I just checked, the IP didn’t change since the exploit started.

    But of course, blocking the IP is not a safe thing, since the attack could start with a different IP at any time.
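The two short-term measures discussed in the replies above (finding the source IP of the POST flood in the web server log, and blocking it in .htaccess) are worth automating, including the caveat that the attack may move to another address. The script below is an added example and is not part of this thread or of the MailPoet or WP-SpamShield plugins. It parses Apache/nginx combined-format access-log lines, reports addresses whose POST rate to the signup endpoint exceeds a threshold, reports the total POST rate across all addresses so that a distributed flood is still noticed, and prints a temporary Apache 2.4 deny rule. The endpoint path `/newsletter-signup`, the log lines and the thresholds are constructed for illustration; substitute the path your own form posts to.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed form endpoint (placeholder, not MailPoet's real path); replace with your own.
SIGNUP_PATH = "/newsletter-signup"

# One Apache/nginx "combined" access-log record, e.g.
# 203.0.113.7 - - [21/Sep/2017:10:00:01 +0000] "POST /newsletter-signup HTTP/1.1" 200 512 "-" "python-requests/2.18.4"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, timestamp, method, path), or None for a line that is not a log record."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path")


def max_in_window(times, window_seconds):
    """Largest number of events that fall inside any window of window_seconds (sliding, two-pointer)."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def signup_posts(log_text, path):
    """Yield (ip, timestamp) for every POST to the signup path, skipping unparseable lines."""
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[2] == "POST" and parsed[3] == path:
            yield parsed[0], parsed[1]


def bursty_posters(log_text, path, window_seconds=60, threshold=10):
    """Map IP -> peak POSTs per window to `path`, keeping only IPs at or above threshold."""
    per_ip = defaultdict(list)
    for ip, ts in signup_posts(log_text, path):
        per_ip[ip].append(ts)
    peaks = {ip: max_in_window(ts, window_seconds) for ip, ts in per_ip.items()}
    return {ip: n for ip, n in peaks.items() if n >= threshold}


def total_post_peak(log_text, path, window_seconds=60):
    """Peak POSTs per window across all IPs: catches a flood spread over many addresses."""
    times = [ts for _, ts in signup_posts(log_text, path)]
    return max_in_window(times, window_seconds) if times else 0


def htaccess_deny(ips):
    """Apache 2.4 snippet refusing POSTs from the given addresses (a stop-gap, not a fix)."""
    rules = "\n".join(f"        Require not ip {ip}" for ip in sorted(ips))
    return ("<Limit POST>\n    <RequireAll>\n        Require all granted\n"
            f"{rules}\n    </RequireAll>\n</Limit>")


def _line(ip, second, method="POST", path=SIGNUP_PATH, ua="python-requests/2.18.4"):
    return (f'{ip} - - [21/Sep/2017:10:00:{second:02d} +0000] '
            f'"{method} {path} HTTP/1.1" 200 512 "-" "{ua}"')


# Constructed sample log: one address firing 12 POSTs in 33 s, one genuine signup,
# one unrelated GET and one junk line that must be ignored.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", s) for s in range(0, 36, 3)]
    + [_line("198.51.100.20", 12, ua="Mozilla/5.0")]
    + [_line("198.51.100.21", 20, method="GET", path="/")]
    + ["this line is not an access-log record"]
)

if __name__ == "__main__":
    noisy = bursty_posters(SAMPLE_LOG, SIGNUP_PATH)
    print("per-IP peaks over threshold:", noisy)          # {'203.0.113.7': 12}
    print("peak POSTs/minute, all IPs:", total_post_peak(SAMPLE_LOG, SIGNUP_PATH))  # 13
    if noisy:
        print(htaccess_deny(noisy))
```

Run it against a real log with `SAMPLE_LOG` replaced by the file contents; `total_post_peak` staying high after the listed addresses are blocked is the sign that the source has moved, which is the limitation the reply above points out, so the deny rule should only bridge the time until the plugin is patched or the form gets a check.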

    Ok, as short term measure I blocked one IP, I suspect

    @grobmotoriker,
    Could you please get in touch directly with us via this form: https://www.mailpoet.com/support/wordpress-forums/
    We would like to better understand your case. If you could share the steps for reproduction – that would be very helpful.
    Thanks!

    Best regards,
    MailPoet Team.

    Thread Starter gavflan

    (@gavflan)

    In case of use to others, in the past week WP Spamshield has blocked over 54,000 spam.

    I’m not a techie so I don’t know if this will cause other issues for signups or in other areas, but that it is keeping the spam away is helping until Mailpoet get things sorted.

    @gavflan,

    That’s excellent to hear about the number of spam blocked by WP-SpamShield in the last week. 🙂

    Don’t worry, it won’t cause you any issues. WP-SpamShield is designed to protect all other forms, and we definitely support and protect MailPoet.

    Rest assured, you’re in good hands. If you need more info on how WP-SpamShield protects other forms, feel free to check out the plugin documentation. If you ever need help, just let us know.

    Have a good one!

    — Steven

    @wysija,

    I’ve sent you detailed info about that over https://www.mailpoet.com/support/wordpress-forums/

    Best regards

    @gavflan Those are the email addresses of real people like myself. An attacker is using this vulnerability to perform a distributed denial of service attack on our email servers. They inundate my gmail account with so much email that gmail stops accepting emails to me. They are doing this to silence open source software developers that they disagree with.

    @wysija Do you have any way of reaching out to your customers to encourage them to install the patch? The volume of this attack is so high that it will eventually damage your customers’ email reputation and they will have a hard time delivering emails from their domain in the future.

    • This reply was modified 6 years, 6 months ago by deckar01. Reason: grammar
  • The topic ‘26,000 Spam Newsletter Signups’ is closed to new replies.