Support » Plugin: MC4WP: Mailchimp for WordPress » Spam subscriptions

  • Resolved Chris Hardie

    (@chrishardie)


    Hi. I’m currently seeing 20-50 spam subscriptions to my MailChimp list every day. The source for each one is listed as “API – Generic” and the only API key I have in use is for my MailChimp for WordPress plugin. The form is configured with double opt-in and reCaptcha, which I’ve confirmed is in place through various test sign-up attempts. But assuming that the spambots haven’t mastered that workflow, there seems to be some kind of back door where a spammer can use the mc4wp API key to get on the list without going through those steps.

    I see this pattern in my web server logs all day long, and suspect it’s related:
    GET /subscribe/
    GET /subscribe/?action=register
    POST /subscribe/?action=register

    I tried rotating my API key, no luck.
    I checked with MailChimp support and they say that unless I use the embed form generated directly from their system, they can’t do anything to help.

    Any advice on how to troubleshoot this further and make sure that the API key isn’t somehow being leaked via mc4wp? Thank you.

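Added example, not part of the original thread: one way to pull the three-request pattern described in the post above out of an access log and count it per client IP, so the results can be compared against the timestamps of the unwanted subscriptions. The combined log format, the 60-second window, the function name `find_register_sequences` and the sample lines are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Request sequence reported in the thread, in order.
PATTERN = [("GET", "/subscribe/"),
           ("GET", "/subscribe/?action=register"),
           ("POST", "/subscribe/?action=register")]
# Assumed Apache/nginx "combined" log layout; adjust for your server.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*"')
WINDOW = timedelta(seconds=60)  # assumed threshold, not from the thread

def find_register_sequences(lines, window=WINDOW):
    """Count complete GET, GET, POST sequences per client IP."""
    progress = {}            # ip -> (next step in PATTERN, time of first step)
    hits = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or (m["method"], m["path"]) not in PATTERN:
            continue         # malformed line or unrelated request
        ip, req = m["ip"], (m["method"], m["path"])
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        idx, start = progress.get(ip, (0, ts))
        if idx and ts - start > window:
            idx, start = 0, ts          # partial sequence went stale
        if req == PATTERN[idx]:
            idx += 1
        else:  # out of order: restart, counting this request if it is step one
            idx, start = int(req == PATTERN[0]), ts
        if idx == len(PATTERN):
            hits[ip] += 1
            idx = 0
        if idx:
            progress[ip] = (idx, start)
        else:
            progress.pop(ip, None)
    return dict(hits)

# Constructed sample lines (documentation IP ranges), not from the thread.
SAMPLE = """\
203.0.113.7 - - [01/Jan/2024:06:25:01 +0000] "GET /subscribe/ HTTP/1.1" 200 5120 "-" "-"
203.0.113.7 - - [01/Jan/2024:06:25:02 +0000] "GET /subscribe/?action=register HTTP/1.1" 200 5300 "-" "-"
203.0.113.7 - - [01/Jan/2024:06:25:03 +0000] "POST /subscribe/?action=register HTTP/1.1" 302 0 "-" "-"
198.51.100.4 - - [01/Jan/2024:06:30:00 +0000] "GET /subscribe/ HTTP/1.1" 200 5120 "-" "-"
""".splitlines()
if __name__ == "__main__":
    print(find_register_sequences(SAMPLE))
```

Paths are matched exactly, so a request carrying extra query parameters is not counted unless `PATTERN` is extended.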

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Contributor Lap

    (@lapzor)

    Hi Chris,

    What version of our plugin are you on?
    Do you have any integration enabled, like the “WordPress registration form integration” or “Comment form integration”?

    You can add a captcha to the form itself like this:
    https://kb.mc4wp.com/add-captcha-field-forms/

    Thanks for letting us know.

    Hi, I’m on the latest version, 4.1.9. I don’t have any integrations enabled. I’m aware of the captcha option but was hoping to avoid that since there’s also double opt-in and captcha on the Mailchimp side.

    The spammy sign ups also look slightly different from the legitimate ones, in that they have no Mailchimp list “group” selected whereas the legit ones have at least one selected (as configured in the plugin settings and form). It indicates that they’re somehow bypassing the normal field requirements/values to add a subscription directly.

    Plugin Contributor Lap

    (@lapzor)

    Could you please send me an email at support at mc4wp.com and refer to this thread. I will assign this to our developer and he might have some more questions for you.

    Thanks.

    Email sent – thanks.

    Plugin Contributor Lap

    (@lapzor)

    Assigned to Danny. I will close the ticket here in the meantime.

  • The topic ‘Spam subscriptions’ is closed to new replies.