We run several Ghost sites and have recently seen a sharp increase in email form pollution on one or two specific sites. These sites are receiving roughly 100 automated signup attempts per day, consisting of a mix of corporate email domains (e.g., campbells.com) and Gmail addresses, including Gmail dot-variants (e.g., n.o.n.a.m.e@gmail.com).
While the corporate domains appear legitimate on the surface and email confirmations often complete, these are not genuine signups. Using session replays and traffic analysis, we can see that both the corporate and Gmail addresses originate from the same server infrastructure, frequently in rapid succession, which strongly indicates coordinated automation rather than organic user behavior. A limited number of accounts confirm, but there is no real engagement—no meaningful logins, page scanning behavior, comments, mouse movement, or continued activity.
Mailgun has advised that some corporate confirmations may be triggered by corporate email security scanners pre-scanning messages, which can register as “opened” or “confirmed” even when no real user exists. That explains some confirmations, but it does not explain the broader automated and repetitive behavior we’re observing.
Across multiple sessions, the traffic consistently uses VPN and Tor exit nodes, rotates rapidly, and operates at very high speed—often hitting the site 10–15 times within seconds, submitting forms, triggering confirmations, and then moving on. Even when individual sources are blocked, the activity quickly reappears from different infrastructure or regions.
This activity is polluting our membership/CRM data and has begun to damage our sender reputation after years of a clean history. As a result, we’ve temporarily disabled the membership portal and paid-tier signups on the affected site and enabled additional Cloudflare protections while continuing to investigate.
We’re trying to determine whether:

- Other Ghost site owners are seeing similar mixed corporate + Gmail abuse patterns, or
- This is a targeted, coordinated attack against a small number of sites.
If anyone has encountered something similar, we’d appreciate insight into how you identified it and what mitigations were effective (Cloudflare controls, Turnstile/CAPTCHA, aggressive rate limiting, form hardening, or other approaches).
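Two of the signals described in the post lend themselves to simple automated triage: Gmail dot-variants (and `+` tags) that all collapse to one mailbox, and bursts of signups from a single source within a few seconds. The following is an added example, not code from the post or from Ghost itself; the event shape (`ts`, `ip`, `email`), the sample events, the 10-second window and the burst threshold are constructed assumptions, and Gmail's dot/plus canonicalization is the documented behaviour of that provider only.

```javascript
// Added example (not from the forum post or Ghost): detect the two signals
// described above over constructed signup events.
//   1. Gmail dot-variants / plus-tags that collapse to one canonical mailbox.
//   2. Bursts of signup attempts from one source IP within a short window.
// Event shape and field names (ts, ip, email) are assumptions for this example.

const WINDOW_MS = 10 * 1000;   // "10-15 hits within seconds" -> 10 s window (assumed)
const BURST_THRESHOLD = 5;     // flag a source at this many signups per window (assumed)

// Gmail ignores dots in the local part and anything after '+'; googlemail.com
// is the same service. Other domains are only lowercased, never rewritten.
function canonicalEmail(email) {
  const [local, domainRaw] = email.trim().toLowerCase().split('@');
  if (!domainRaw || !local) return null;
  let domain = domainRaw;
  let user = local;
  if (domain === 'gmail.com' || domain === 'googlemail.com') {
    domain = 'gmail.com';
    user = user.split('+')[0].replace(/\./g, '');
  }
  return `${user}@${domain}`;
}

// Group raw addresses by canonical mailbox; report any mailbox seen under
// more than one spelling (the dot-variant pattern from the post).
function findDotVariantClusters(events) {
  const clusters = new Map();
  for (const e of events) {
    const canon = canonicalEmail(e.email);
    if (!canon) continue;
    if (!clusters.has(canon)) clusters.set(canon, new Set());
    clusters.get(canon).add(e.email.toLowerCase());
  }
  const result = {};
  for (const [canon, variants] of clusters) {
    if (variants.size > 1) result[canon] = [...variants].sort();
  }
  return result;
}

// Sliding-window burst detection per source IP: the largest number of
// signups from one IP that fall inside any windowMs-wide interval.
function findBurstSources(events, windowMs = WINDOW_MS, threshold = BURST_THRESHOLD) {
  const bySource = new Map();
  for (const e of events) {
    if (!bySource.has(e.ip)) bySource.set(e.ip, []);
    bySource.get(e.ip).push(e.ts);
  }
  const flagged = {};
  for (const [ip, times] of bySource) {
    times.sort((a, b) => a - b);
    let start = 0;
    let maxInWindow = 0;
    for (let end = 0; end < times.length; end++) {
      while (times[end] - times[start] > windowMs) start++;
      maxInWindow = Math.max(maxInWindow, end - start + 1);
    }
    if (maxInWindow >= threshold) flagged[ip] = maxInWindow;
  }
  return flagged;
}

// Constructed sample: one source fires six signups in eight seconds, mixing a
// corporate-looking domain with Gmail dot-variants; a second source is a
// single organic signup an hour later. Addresses and IPs are documentation values.
const T0 = Date.parse('2024-01-01T00:00:00Z');
const SAMPLE_EVENTS = [
  { ts: T0 + 0,       ip: '198.51.100.7', email: 'jane.doe@example-corp.test' },
  { ts: T0 + 1200,    ip: '198.51.100.7', email: 'n.o.n.a.m.e@gmail.com' },
  { ts: T0 + 2500,    ip: '198.51.100.7', email: 'no.name@gmail.com' },
  { ts: T0 + 4000,    ip: '198.51.100.7', email: 'noname+1@gmail.com' },
  { ts: T0 + 6100,    ip: '198.51.100.7', email: 'it@example-corp.test' },
  { ts: T0 + 8000,    ip: '198.51.100.7', email: 'n.oname@googlemail.com' },
  { ts: T0 + 3600000, ip: '203.0.113.42', email: 'reader@example.org' },
];

// Run both detectors and return the findings for review or blocking decisions.
function analyze(events = SAMPLE_EVENTS) {
  return {
    dotVariants: findDotVariantClusters(events),
    bursts: findBurstSources(events),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(analyze(), null, 2));
}
```

In practice the same canonical address would be the key used to reject or quarantine a repeat signup before a confirmation email is sent, which is what protects sender reputation; the burst counter is the kind of per-source signal a rate limiter or a Cloudflare rule can act on.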