Support » Plugin: MailPoet - emails and newsletters in WordPress » Does Mailpoet 3 stop fake signup?

  • Resolved lickthespoon


    I am a Mailpoet 2 premium user and currently frustrated at your zero response to my urgent fake signup request made through a support email. Your 2 part signup is being hijacked by bots to send first stage signup emails en mass to apparently valid email addresses causing a huge bounce list, unhappy email server host, and possible contribution to ddos attacks.
    After scouring server logs and trying to block the Russian ip I’ve temporarily deactivated mail poet to avoid being blacklisted whilst I work on a solution.
    You released a Mailpoet 2 throttling patch, but it doesn’t work in the pattern of this spammer.
    You imply in this forum that the problem doesn’t exist in Mail poet 3 – what’s different? I have a test site and am wiling to migrate if it has better security.
    But unless you’ve implemented a recaptcha or other logic in the signup widget it’s hard to see how. The throttling of multiple sign ups from a single ip hasn’t worked for me against this spammer.
    It’s disappointing that despite having acknowledged security flaws in the past and vowed to do better (I stuck with you) you still have no signup form protection.
    Every other contact form plugin has some form of recaptcha option. But unfortunately having said it’s not needed and two stage sign up is the best solution it’s now being used against you as a flaw.
    I’ve wasted several days on this and despite being premium for several years have been unable to get any support.
    Do you realise how frustrating it is that the only advice on the Mailpoet website is it’s not needed, no acknowledgment of any issue. I have daily anti virus scans, full https site, firewalls, numerous other protection, and yet your signup form is providing the perfect spammers tool!
    So if I migrate to mail poet 3 is your signup better protected or are you going to recommend using an alternative spam filter rather than take your own signup security seriously?
    Are you really going to abandon mail poet 2 with a sign up fix that doesn’t work and offer no support to protect signup?

Viewing 15 replies - 1 through 15 (of 19 total)
  • I have the same issue. Specifically from ip address I had to manually block them and disable mailpoet, sadly this spammer signed up several e-mail addresses, causing bounce e-mails to hit my spam inbox, which I rarely check.

    My server is now considered a host for spam, and all my e-mails (to gmail addresses at least) are dumped into spam. I’m having to switch to Amazon SES to increase deliverability. This plugin will remain deactivated until a captcha can prevent the spammers.

    2-stage e-mail verification does a great job at vetting the e-mails to be legitimate before they receive newsletters, but it does not combat the issue of bots tanking your server’s deliverability by signing up bogus email addresses.

    Thread Starter lickthespoon


    Do you see the same issue with Mail Poet 3? _ It’s the same IP bothering our site.

    We are currently improving the protection for mass subscription on MailPoet 3. We already have some safeguards in place to prevent that, but we are going to improve it even further for the upcoming versions.

    Some users said the fake subscriptions decreased when installing these two plugins: and

    Thread Starter lickthespoon


    Thank you for the reply. I’m pleased you’re looking at improving the signup security. I’ve been testing those suggested plugins, but both are quite intrusive with the possibility of breaking a well tested site. The second has a paid sign up mail poet extension. I don’t mind paying but I can’t easily test it before I pay.

    The ideal solution would be you make your sign up widget a lot more robust and add the possibility of optional REcaptcha and other simple anti-spam measures. It seems it’s the same spam IP attacking lots of sites, so hopefully you have a handle on the method they’re using. It would be really useful for example to show the IP that the signup came from.
    I still have mail poet disabled at present and have yet to find a solution that gives me the confidence to reeanble it. I love the plugin and think it’s a brilliant wordpress newsletter solution but you need to put security above all else and quite frankly react a bit faster than the head in the sand “we don’t need captcha” replies that I’ve seen when this issue has been raised multiple times over many months.

    Thread Starter lickthespoon


    I tried blocking this IP through WP All in One security blacklist, but it didn’t stop the spammer (i’m not sure why). Eventually I contacted our Anti-Virus company Siteguarding and they have added a rule in their own firewall to prevent this particular IP from posting to the signup. But their advice was Mailpoet will always be vulnerable in the current form as there is no distinction between hackers and subscribers posting to the form. So I hope you can add a captcha or other security before the first stage signup email is sent. Thank you

    Newest update (2.8, released 2017-11-20) implements reCaptcha. Hurray! Mailpoet is now re-activated on our site [:

    I still had a spammer flood my client’s site yesterday and today. I have completely disabled MailPoet on that site and will see if that resolves the issue. If not, I’ll be forced to move all my clients’ sites away from this plugin.

    Most unfortunate as all the other improvements in MP 3 are really impressive! But the bottom line is I can’t have spammers hijacking my clients’ site resources.

    Again, I really hope the developers fix this!

    Hi @agilityjeff,

    Our suggestions to help you avoid fake subscribers:

    1) Enable signup confirmation in your MailPoet > Settings > Signup Confirmation;

    2) Add a Captcha to your subscriptions forms;

    3) If you enable sign-ups in the comments (MailPoet > Settings > Basics): enable Akismet or similar anti-spam for comments;

    4) Install the anti-spam plugin WP-SpamShield.


    I am having similar issues.

    Can anyone confirm the following:
    – does 2.8.1 prevent this kind of attack, even WITHOUT enabling reCAPTCHA?
    – I have selected ‘Invisible reCAPTCHA’ when signing up, yet after I enable reCaptcha on the site and added the Site and Secret keys I got, I still see the reCAPTCHA form. Is this expected?
    – does changing to MailPoet 3 solve any of the above (that is, prevent mass subscription attacks or use Invisible reCAPTCHA properly)?

    Thank you.

    Changing to MailPoet 3 alone did not fix the issue on my client’s site. And in the case of my client, asking for a Captcha on a newsletter form just would not work – too ugly.

    So for now, they’re doing without a newsletter signup until we can come up with a better solution.

    I agree that the Captcha solution is horrible for a layout, for sure.

    Have you tried Invisible Captcha when you generated the Site / Secret keys, just out of curiosity?

    I did, of sorts. The site was running the WP Bruiser plugin.

    The problem was that the spammers were utilizing wp-admin’s ajax functionality through MailPoet’s software … I don’t believe the Captcha, reCaptcha, or invisible Captcha was going to do much in that scenario.

    I didn’t even have a form on the site. Just the plugin active was all they needed to get “in”.

    Thanks for the input

    Yes, I have noticed several hits on that file on my log files as well yet I am still to find any solutions or proper help online which is strange given our widely the plugin is used.

    I am also facing fake signups in Mailpoet v2. I deleted all Mailpoet registration forms and also registration in comments is not possible but still get fake signups (they are not confirmed in Mailpoet). These signups are generating a lot of bounce mails.

    I wonder how can people register without the form enabled?

Viewing 15 replies - 1 through 15 (of 19 total)
  • The topic ‘Does Mailpoet 3 stop fake signup?’ is closed to new replies.