I have the same issue. Specifically from IP address 5.188.203.23. I had to manually block them and disable MailPoet. Sadly, this spammer signed up several e-mail addresses, causing bounce e-mails to hit my spam inbox, which I rarely check.
My server is now considered a host for spam, and all my e-mails (to gmail addresses at least) are dumped into spam. I’m having to switch to Amazon SES to increase deliverability. This plugin will remain deactivated until a captcha can prevent the spammers.
2-stage e-mail verification does a great job at vetting the e-mails to be legitimate before they receive newsletters, but it does not combat the issue of bots tanking your server’s deliverability by signing up bogus email addresses.
Do you see the same issue with MailPoet 3? It’s the same IP bothering our site.
We are currently improving the protection for mass subscription on MailPoet 3. We already have some safeguards in place to prevent that, but we are going to improve it even further for the upcoming versions.
Some users said the fake subscriptions decreased when installing these two plugins: https://wordpress.org/plugins/goodbye-captcha/ and https://wordpress.org/plugins/wp-spamshield/
Thank you for the reply. I’m pleased you’re looking at improving the signup security. I’ve been testing those suggested plugins, but both are quite intrusive with the possibility of breaking a well tested site. The second has a paid sign up mail poet extension. I don’t mind paying but I can’t easily test it before I pay.
The ideal solution would be you make your sign up widget a lot more robust and add the possibility of optional reCAPTCHA and other simple anti-spam measures. It seems it’s the same spam IP attacking lots of sites, so hopefully you have a handle on the method they’re using. It would be really useful for example to show the IP that the signup came from.
I still have MailPoet disabled at present and have yet to find a solution that gives me the confidence to re-enable it. I love the plugin and think it’s a brilliant WordPress newsletter solution, but you need to put security above all else and quite frankly react a bit faster than the head in the sand “we don’t need captcha” replies that I’ve seen when this issue has been raised multiple times over many months.
I tried blocking this IP through WP All in One security blacklist, but it didn’t stop the spammer (I’m not sure why). Eventually I contacted our Anti-Virus company Siteguarding and they have added a rule in their own firewall to prevent this particular IP from posting to the signup. But their advice was MailPoet will always be vulnerable in the current form as there is no distinction between hackers and subscribers posting to the form. So I hope you can add a captcha or other security before the first stage signup email is sent. Thank you.
Newest update (2.8, released 2017-11-20) implements reCaptcha. Hurray! Mailpoet is now re-activated on our site [:
I still had a spammer flood my client’s site yesterday and today. I have completely disabled MailPoet on that site and will see if that resolves the issue. If not, I’ll be forced to move all my clients’ sites away from this plugin.
Most unfortunate as all the other improvements in MP 3 are really impressive! But the bottom line is I can’t have spammers hijacking my clients’ site resources.
Again, I really hope the developers fix this!
Hi @agilityjeff,
Our suggestions to help you avoid fake subscribers:
1) Enable signup confirmation in your MailPoet > Settings > Signup Confirmation;
2) Add a Captcha to your subscription forms;
3) If you enable sign-ups in the comments (MailPoet > Settings > Basics): enable Akismet or similar anti-spam for comments;
4) Install the anti-spam plugin WP-SpamShield.
Hi,
I am having similar issues.
Can anyone confirm the following:
– does 2.8.1 prevent this kind of attack, even WITHOUT enabling reCAPTCHA?
– I have selected ‘Invisible reCAPTCHA’ when signing up, yet after I enable reCaptcha on the site and added the Site and Secret keys I got, I still see the reCAPTCHA form. Is this expected?
– does changing to MailPoet 3 solve any of the above (that is, prevent mass subscription attacks or use Invisible reCAPTCHA properly)?
Thank you.
JM
Changing to MailPoet 3 alone did not fix the issue on my client’s site. And in the case of my client, asking for a Captcha on a newsletter form just would not work – too ugly.
So for now, they’re doing without a newsletter signup until we can come up with a better solution.
I agree that the Captcha solution is horrible for a layout, for sure.
Have you tried Invisible Captcha when you generated the Site / Secret keys, just out of curiosity?
I did, of sorts. The site was running the WP Bruiser plugin.
The problem was that the spammers were utilizing wp-admin’s ajax functionality through MailPoet’s software … I don’t believe the Captcha, reCaptcha, or invisible Captcha was going to do much in that scenario.
I didn’t even have a form on the site. Just the plugin active was all they needed to get “in”.
Thanks for the input
Yes, I have noticed several hits on that file in my log files as well, yet I am still to find any solutions or proper help online, which is strange given how widely the plugin is used.
I am also facing fake signups in Mailpoet v2. I deleted all Mailpoet registration forms and also registration in comments is not possible but still get fake signups (they are not confirmed in Mailpoet). These signups are generating a lot of bounce mails.
I wonder how people can register without the form enabled?