Support » Plugin: MailPoet - emails and newsletters in WordPress » Amazon SES – Mailpoet – Captcha

  • Resolved planky



    Due to a brute force attack on my newsletter sign up page, Amazon is threatening to disable SES on my account due to the high bounce rate. They provided examples of the emails being sent were the sign up confirmation email. As this attack is sending thousands of sign up requests (6000 on the 23/09), which then MailPoet sends the confirmation email. Normally I’d enable captcha, but MailPoet is rather shortsighted in its belief that this is not needed due to sign up confirmation and accessibility issues (

    Does anyone have a solution to this?


    • This topic was modified 2 years, 5 months ago by planky. Reason: words fail
Viewing 15 replies - 1 through 15 (of 15 total)
  • These are the questions I have to answer from Amazon before the restrictions are lifted:

    – What you determined was the root cause of your high bounce rate.

    – What changes you have made in your systems or processes. (Please be sure to implement the changes before emailing us.)

    – An explanation of how those changes will prevent similar issue(s) in the future.

    Mailpoet is the cause, but I can’t answer the other two as it appears Mailpoet has no way to deal with this.


    Same here since 21st of September on MailPoet2.

    Newsletter subscription form is used for Mailbombing.
    Elasticemail support re_enabled my account – however I had to disable the subscription form.
    Once re_enabled hundreds of subscription confirmation EMails are sent out bombing support@.. EMail addresses of hosting companies.

    I removed MP completely from site as WPBruiser is offline too at the moment.
    Now I have a very disappointed customer.

    CAPTCHA or some other protection is IMO essential!

    We are having the same issue. Anyone find a solution?

    It happened to me as well… I installed WP-SpamShield and that seemed to ease it. It seems as the “subscriber” action still continues on the background, (they are being blocked) But e-mails are not being sent.

    Same here, started around the same day (Sept 21). Had to remove the mailpoet subscription form from two sites, and because of apparent caching of the form on the spammer/hacker’s side, I also had to disable Mailpoet completely on one of the sites to stop the onslaught. Four days later and I’m still getting streams of delivery delay notifications and now my SMTP provider is clamping down.

    Mailpoet’s blah-blah article about how captcha is no good, etc has a bit of a blind spot in that they apparently never anticipated some kind of brute force attempt which would involve hitting your subscription form a million times with fake email addresses which create a storm of ‘undeliverable’ emails if you use double opt-in, or fill your message list with a bazillion bogus emails if you don’t. Properly-used captcha would prevent both of these scenarios.

    Mailpoet, if you are listening, and you give half a crap, please fix this!!!!

    I ended up migrating the newsletters over to Mailchimp as I couldn’t leave the form disabled and needed a solution which hasn’t been forthcoming. I realize that is unlikely to be an option for everyone though.

    It would not be overly complicated to add captcha support, or at minimum a hidden field that if filled (as bots tend to fill all fields) would not send.

    Lack of response from the author is a disappointing, but such is the nature of free things.

    On my sites all POST requests are coming from :

    • This reply was modified 2 years, 5 months ago by kech61.
    • This reply was modified 2 years, 5 months ago by kech61.

    I’ve used and continue to use Mailchimp for a variety of things, but in this particular case I’m making extensive use to Mailpoet’s ability to automatically send out a newsletter email from a blog post and I hate to lose that – is there a plugin or hack that allows Mailchimp to do the same thing?

    I the meantime I’ve installed WP-SpamShield and am going to put the subscription form back up and see if that stems the tide to an acceptable level.

    I moved from Mailchimp to Mailpoet for various reasons. The automated blog post feature being one of them. Mailpoet 2 ran well on my Dreamhost account, without any issues apart from the sending service that I was using being unreliable. However, I’ve been trying Mailpoet 3 on one site and am now having massive problems with its CPU usage that so far hasn’t been acknowledged. I was really looking forward to using the integrated sending service that would solve all my sending issues. But I can’t roll it out to all of my sites as it is. I may have to look for another alternative if this isn’t fixed soon. I don’t appear to be experiencing any Brute Force attacks on my subscription form, but maybe they are what is causing the CPU issue. I have various security plugins installed to stop those, but maybe its still running procedures in the background.

    • This reply was modified 2 years, 5 months ago by lynnmonk.
    Moderator Ipstenu (Mika Epstein)


    🏳️‍🌈 Plugin Review Team Rep

    @lynnmonk – On DreamHost, make sure you have Extra Web Protection enabled in your Panel. That will protect you from most DDoS attacks (it’s our firewall).

    @ipstenu. Thanks. Yes I generally have that enabled on my sites. I just double-checked and it is already enabled as I suspected. This is really annoying as I’ve been looking for 18 months for a suitable system to replace my old web software that was rendered obsolete by the update to PHP 5. I thought this would finally be the solution … but apparently not. 🙁

    So it seems that neither Mailpoet 2 nor the new Mailpoet 3 is supported then?

    @bike if you seem does MP2 or 3 support captcha, MP’s official position is that captchas are no good and they do not support them in any version that I know of. WP-SpamShield seems to have fixed the issue for me (or perhaps it just stopped on it’s own).

    People, this is not even remotely due to the plugin. What’s needed here is brute force protection, which you can get with iThemes Security, Wordfence and the likes, or form protection, which you can get with various other plugins (or both). Jetpack also offers some protection.

    A more radical approach would be a CDN service, like CloudFlare, which offers network protection and an application firewall. Similar features may be available with your hosting, but they’ll typically cost.

    What you can do with MailPoet is use the throttling feature, so that your site doens’t send too many messages and you have enough time to catch them, and definitely subscribe to your bounce messages from Amazon through an SNS service.

Viewing 15 replies - 1 through 15 (of 15 total)
  • The topic ‘Amazon SES – Mailpoet – Captcha’ is closed to new replies.