[Resolved] Jetpack Social Sharing feature exploited to send thousands of spam messages
We received an urgent message from one of our network administrators this evening that a form on a blog post on our Alumni magazine blog was being used by a Russian spammer to send thousands of spam messages.
The dead giveaway was the “…thinks you may be interested in the following post:” line at the end. When I tested the Email sharing feature, the message was just three lines of text. However, the spammer was able to figure out how to prepend a 913-character message that I will excerpt below. There is nothing lascivious, just some goofy text wishing someone happy birthday, then philosophizing that life is a book. Life is a book!
My guess (without any testing) is that there is no limit on the number of characters in the name field. So for the name field, they entered the long spam message, then for the email field, they entered “firstname.lastname@example.org.”
Spammers, and DDOSers, and hackers — oh, my!
Tatyana Etepneva! Happy birthday! I sincerely congratulate you and want to tell you that life is a book. There are people who write it.
There are those who read it and live the way someone else wrote it…
[dot dot dot]
(email@example.com) thinks you may be interested in the following post:
Jacobs-Jenkins ’06’s Play Opens in New York
I previously had the Email share button nested under the More button. I have removed the Email service, and the emails seem to have subsided. If you need logs, I would be able to obtain them Monday morning.
Our blog network is running Jetpack 2.9.2 on WordPress 3.8.1.
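The abuse described in this thread works because the sharer's name is copied verbatim into the first line of the outgoing email, so an unbounded name field becomes a free message body. The following added example (not Jetpack's or WordPress's code, and not anything from the original post) shows the server-side checks a defender would put in front of such a form: a length cap on the name, rejection of line breaks and URLs in it, a syntax check on the sender address, and a per-sender throttle so one visitor cannot fire off thousands of messages. The limits, the function names, and the sample inputs are all assumptions made for this illustration.

```python
import re
from collections import defaultdict, deque
from email.utils import parseaddr

# Limits are assumptions chosen for this example, not Jetpack's own settings.
MAX_NAME_LEN = 100          # a real display name never needs 913 characters
MAX_SHARES_PER_WINDOW = 5   # per sender address
WINDOW_SECONDS = 3600

# Deliberately strict: one local part, one @, one domain with a dot, no whitespace.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
URL_RE = re.compile(r"https?://|www\.", re.IGNORECASE)


def validate_name(name):
    """Return (ok, reason). The name must be short, single-line and URL-free."""
    if not name or not name.strip():
        return False, "empty name"
    if len(name) > MAX_NAME_LEN:
        return False, "name longer than %d characters" % MAX_NAME_LEN
    if "\r" in name or "\n" in name:
        return False, "name contains line breaks"
    if URL_RE.search(name):
        return False, "name contains a URL"
    return True, "ok"


def validate_email(addr):
    """Return (ok, reason). Rejects display-name forms and malformed addresses."""
    _, parsed = parseaddr(addr or "")
    if parsed != (addr or "").strip() or not EMAIL_RE.match(parsed):
        return False, "malformed email address"
    return True, "ok"


class ShareThrottle:
    """Sliding-window counter keyed by sender address (in-memory, single process)."""

    def __init__(self, limit=MAX_SHARES_PER_WINDOW, window=WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self.seen = defaultdict(deque)

    def allow(self, sender, now):
        q = self.seen[sender]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def build_share_email(name, sender_email, post_title, post_url, throttle=None, now=0):
    """Validate the form fields, apply the throttle, then render the message body.

    Raises ValueError with the rejection reason instead of sending anything.
    """
    ok, why = validate_name(name)
    if not ok:
        raise ValueError(why)
    ok, why = validate_email(sender_email)
    if not ok:
        raise ValueError(why)
    if throttle is not None and not throttle.allow(sender_email, now):
        raise ValueError("rate limit exceeded for %s" % sender_email)
    # Same three-line shape the thread describes; the name is now bounded.
    return "%s (%s) thinks you may be interested in the following post:\n%s\n%s\n" % (
        name, sender_email, post_title, post_url)


if __name__ == "__main__":
    # Constructed sample mimicking the reported abuse: a long greeting stuffed
    # into the name field, well over the limit and spanning several lines.
    spam_name = ("Tatyana Etepneva! Happy birthday! " * 25).strip() + "\nLife is a book."
    for candidate in ("Jane Doe", spam_name):
        try:
            print(build_share_email(candidate, "firstname.lastname@example.org",
                                    "Example post title", "https://example.org/post"))
        except ValueError as err:
            print("rejected:", err)
```

In a real deployment the throttle state would live in a shared store rather than process memory, and the same check would be applied per client IP as well as per claimed sender address, since the address is attacker-supplied.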
- The topic ‘[Resolved] Jetpack Social Sharing feature exploited to send thousands of spam messages’ is closed to new replies.