For the past few days, bots have been signing up to my site. All have email addresses that are just numbers, and are signing up from the /membership page. Two of them came from the same tmomail domain, and the third is a MetroPCS email.
Might be worth having a look here:
There is a new configuration option in Ghost, that was rolled out with v5.107.1 yesterday, which can help with this. Depending on where you host your site, you might want to reach out to them to see when/how that option will be supported.
I’m Ghost Pro (like Stromfeldt), perhaps something is getting through their firewall?
Hi everyone,
There has indeed been an increase in spam signups across multiple Ghost sites originating from email domains like tmomail.net and txt.bell.ca.
These domains serve as email-to-SMS/MMS gateways, converting emails into SMS or MMS messages delivered to phone numbers.
To address this, we’ve introduced a configurable blocklist for email domains in Ghost. This blocklist is already active on all Ghost (Pro) sites, and our logs show it has successfully blocked thousands of spam signups since. We’re actively monitoring the situation and will continue to fine-tune the blocklist as needed.
Self-hosters can apply the same blocklist to their Ghost sites, by adding a list of blocked email domains to their config, under spam.blocked_email_domains. For example:
"spam": {
  "blocked_email_domains": ["tmomail.net", "txt.bell.ca"]
}
We appreciate your patience as we work to mitigate this issue.
Sag
Product Engineer @ Ghost
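Added example (not part of Sag's post and not Ghost's own code): a small Node.js check for the `spam.blocked_email_domains` setting described above, run over constructed config strings. It assumes entries should be bare lowercase domains like those in the example; the function name `lintBlockedDomains` is hypothetical.

```javascript
// Lint the "spam" block of a config file's text before restarting Ghost.
// Assumption: entries should look like the bare domains in the example above.
function lintBlockedDomains(configText) {
  let config;
  try {
    config = JSON.parse(configText);
  } catch (err) {
    // Typical cause: a missing comma between array entries.
    return { ok: false, problems: ["config is not valid JSON: " + err.message], domains: [] };
  }
  const list = config && config.spam && config.spam.blocked_email_domains;
  if (!Array.isArray(list)) {
    return { ok: false, problems: ["spam.blocked_email_domains is missing or not an array"], domains: [] };
  }
  const problems = [];
  const domains = [];
  list.forEach((entry, i) => {
    if (typeof entry !== "string") {
      problems.push(`entry ${i} is not a string`);
      return;
    }
    // Normalise to the documented form: no "@", no whitespace, lowercase.
    const bare = entry.trim().toLowerCase().replace(/^@/, "");
    if (bare !== entry) problems.push(`entry ${i} ("${entry}") should be written as "${bare}"`);
    if (!/^[a-z0-9-]+(\.[a-z0-9-]+)+$/.test(bare)) {
      problems.push(`entry ${i} ("${entry}") is not a domain name`);
    } else if (domains.includes(bare)) {
      problems.push(`entry ${i} ("${entry}") is a duplicate`);
    } else {
      domains.push(bare);
    }
  });
  return { ok: problems.length === 0, problems, domains };
}

// Constructed inputs for illustration.
const GOOD = '{"url":"https://example.com","spam":{"blocked_email_domains":["tmomail.net","txt.bell.ca"]}}';
const MISSING_COMMA = '{"spam":{"blocked_email_domains":["tmomail.net" "txt.bell.ca"]}}';
const WRONG_PLACE = '{"blocked_email_domains":["tmomail.net"]}';
const MESSY = '{"spam":{"blocked_email_domains":["@txt.att.net","VTEXT.com ","tmomail.net","tmomail.net"]}}';

for (const text of [GOOD, MISSING_COMMA, WRONG_PLACE, MESSY]) {
  console.log(JSON.stringify(lintBlockedDomains(text)));
}
```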
Yes, same here on some of my client’s sites. The new blocklist is excellent.
I plugged in ChatGPT to verify the e-mail of new users, and integrated with Make. If the e-mail is classified as spam, the user is deleted.
Here’s the prompt, it returns a JSON with SPAM or VALID.
Analyze the provided email address and classify it as either SPAM or VALID based on the following criteria:
If the email address contains only numeric characters in the local part (before the @), classify it as SPAM.
If the domain is associated with disposable email services or SMS-to-email gateways (e.g., tmomail.net, txt.att.net), classify it as SPAM.
Otherwise, classify it as VALID.
Respond with the classification in JSON format without any markup or formatting using the following structure:
{
"email": "example@domain.com",
"classification": "SPAM or VALID"
}
Example Input:
6562048787@tmomail.net
Example Output:
{
"email": "6562048787@tmomail.net",
"classification": "SPAM"
}
This scenario triggers on Ghost New Member and sends a Welcome e-mail if VALID and deletes the member if SPAM. Also sends notification to site owner.
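Added example, not part of the original post: the same two rules from the prompt applied deterministically in JavaScript, without a model call. The function names and the `reason` field are hypothetical, treating malformed addresses as SPAM is an assumption, and the domain list is the set of gateway domains named in this thread.

```javascript
// Email-to-SMS gateway domains mentioned in this thread; extend as needed.
const GATEWAY_DOMAINS = new Set([
  "tmomail.net", "txt.bell.ca", "txt.att.net",
  "msg.telus.com", "vtext.com", "pcs.rogers.com",
]);

// Split on the LAST "@" so an "@" inside the local part cannot shift the domain.
function splitAddress(email) {
  const trimmed = String(email).trim();
  const at = trimmed.lastIndexOf("@");
  if (at <= 0 || at === trimmed.length - 1) return null; // no local part or no domain
  return {
    local: trimmed.slice(0, at),
    // Domains are case-insensitive; a trailing dot names the same host.
    domain: trimmed.slice(at + 1).toLowerCase().replace(/\.$/, ""),
  };
}

// Returns the prompt's JSON shape plus a reason (the extra field is an assumption).
function classifySignup(email, blocked = GATEWAY_DOMAINS) {
  const parts = splitAddress(email);
  if (!parts) return { email, classification: "SPAM", reason: "malformed" };
  // Rule 1: local part made up only of digits.
  if (/^[0-9]+$/.test(parts.local)) {
    return { email, classification: "SPAM", reason: "numeric-local-part" };
  }
  // Rule 2: domain is a known gateway.
  if (blocked.has(parts.domain)) {
    return { email, classification: "SPAM", reason: "blocked-domain" };
  }
  return { email, classification: "VALID", reason: null };
}

// Constructed sample addresses.
const SAMPLES = [
  "6562048787@tmomail.net",
  "jane@Txt.Att.Net",
  " 5551234567@example.com ",
  "jane@example.com",
  "no-at-sign",
];
for (const s of SAMPLES) console.log(JSON.stringify(classifySignup(s)));
```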
This doesn’t seem to be working. I keep getting signups on my Pro hosted site. How do admins add domains to this block list when it is working? I don’t see an interface in Ghost (Pro) for that.
Just got another one as I am writing this.
I have a self hosted version, did the config suggestion and I am still getting sign up bots. Same domain as last post, txt.att.net. The spam filter is not working on this domain it seems…
I just saw one for txt.att.net also, for a Magic Pages customer. (He apparently left my account live, so I’m getting his sign-up spam! Oops.)
I’m now getting replies from these subscribers using the word STOP in the reply wanting to opt-out. For Ghost Pro users, what’s the best way to add domains to the block list as they pop up?
The plot thickens! So they did validate their accounts (clicked the magic link), and now they’re trying to opt out of email? What the heck? What’s the angle here? I’d think that we were seeing an attempt to get sites in trouble by sending unsolicited SMS messages, except that then your magic links wouldn’t have gotten clicked. I’d think this was a comment spam plan, but then why would they be opting out? I don’t get it…
(RE your actual question about Ghost Pro, I suspect you should email support directly, at support@ghost.org)
Just got another one. I’d really like to be able to stop this. I have sent mail to support. Blocking all signup attempts with email addresses whose handle is a ten digit string would be great. I honestly don’t care if this prevents signups from “legitimate” humans that have such an email address.
Same here, I’ve had the odd one or two in recent weeks, but there’s been a sudden influx over the last few days. Mainly from txt.att.net.
Hey, following up on the last few comments regarding blocks for @txt.att.net:
@Whiskey_7_Back_Roads had their config fixed in another thread
@timtrautmann is on Pro. There was a specific issue on the block for @txt.att.net and this is being fixed right now.
@jonwright I think your site is self-hosted. Sag wrote a guide for self-hosters to manage blocks, and that is here: An uptick of bots signing up - #4 by Sag
I’m self-hosted and have now updated my config files to block some of these domains…
"spam": {
  "blocked_email_domains": [
    "tmomail.net",
    "txt.bell.ca",
    "txt.att.net",
    "msg.telus.com",
    "vtext.com",
    "pcs.rogers.com"
  ]
}
However, I’ve just noticed that even though I’ve deleted all the members that have signed-up using these domains, Ghost is still trying to email them all the “Complete your sign up to…” emails from my support@ email address - any idea how I can stop this please?
@jdaviescoates, you probably have messages already in your mail queue that haven’t perma-failed yet. Ghost has handed those messages off to your mailserver, and your mailserver doesn’t know anything about these domains being blocked at the Ghost level. (Email servers retry messages, in case a delivery problem is only temporary.) With no action, this is likely to resolve in a couple days. To clear out messages in the queue, you’ll want to google something like “yourmailservername how to clear queued messages”.
Thanks Cathy, I’ll look into clearing my queue… (I’m using Cloudron which uses Dovecot, I think)
I am in the same boat. What is Ghost doing about this?
Newer versions allow you to configure a blocklist for domains that are not allowed to register. Signup spam protection
If you’re self-hosted, you might need to upgrade.