Ghost sign up and spam?

Can you post your config file, minus any secrets?

Two thoughts:
You’ve got to restart Ghost for it to take effect.
If you’re using Docker, you probably need to set environment variables instead.

Thanks for the reply, Cathy. Upon testing, I think the block list is working. I am still receiving bounce notifications from submissions from 48 hours ago, so it confused me :)

Yeah, email is like that!

I am using Ghost with docker compose.

Is this the correct way to pass the spam options?

docker-compose.yaml

database__connection__host: db
spam__blocked_email_domains: "['tmomail.net', 'txt.bell.ca', 'txt.att.net']"

environment in the container:

database__connection__host=db
spam__blocked_email_domains=['tmomail.net', 'txt.bell.ca', 'txt.att.net']

I am not 100% sure if this works :sweat_smile:

Thank you! Been wondering how AI will affect spam like this in helping spammers exploit or be used to ruin other services.

1 Like

Yes, that’s the environment variable I use on all sites. Working well there :slight_smile:

1 Like

I am not sure if this works.

I tried to sign up with one of the spammers' emails and the logs say that they send the email with the magic link.

I was under the impression there would be a popup or some text saying that the domain is not a valid one. At least I saw something like that in the code.

Restart? Make sure you’re running latest Ghost?

Ahhh…I know what’s going on. I had the same issue at first. Just focussed on the left side of the variable you posted :man_facepalming:

The only way the value was properly parsed for me was without spaces around the comma and double quotes:

["tmomail.net","txt.bell.ca","txt.att.net"]

rather than what feels more natural, coming from JavaScript:

['tmomail.net', 'txt.bell.ca', 'txt.att.net']
3 Likes

I am self hosted and have it like your first post and still getting thru with the txt.att.net

Thank you!

With this config in my docker-compose.yaml it is now working:

spam__blocked_email_domains: '["tmomail.net","txt.bell.ca","txt.att.net","vtext.com"]'

Now I am able to see either a message in the browser console or a small popup? that tells me that the sign up failed.

2 Likes
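
Added example (not part of any post in this thread and not Ghost's own code): a pre-deployment check for the `spam__blocked_email_domains` value, run over the values posted above. It assumes the environment value is decoded as JSON and stays a plain string when decoding fails; `parseBlockedDomains` and `isBlocked` are hypothetical names, and the exact-match rule in `isBlocked` is also an assumption.

```javascript
// Assumption: the value of spam__blocked_email_domains is decoded with a
// JSON parse and is left as a plain string when that parse fails.
function parseBlockedDomains(raw) {
  let value;
  try {
    value = JSON.parse(raw);
  } catch (err) {
    return { ok: false, domains: [], reason: 'not valid JSON, would stay a plain string' };
  }
  if (!Array.isArray(value)) {
    return { ok: false, domains: [], reason: 'valid JSON but not an array' };
  }
  // Every entry has to be a bare domain name, not a number, URL or address.
  const bad = value.filter(
    (d) => typeof d !== 'string' || !/^[a-z0-9.-]+\.[a-z]{2,}$/i.test(d)
  );
  if (bad.length > 0) {
    return { ok: false, domains: [], reason: 'not domain names: ' + JSON.stringify(bad) };
  }
  return { ok: true, domains: value.map((d) => d.toLowerCase()), reason: '' };
}

// Hypothetical matcher: exact, case-insensitive comparison of the part
// after the last "@" against the parsed list.
function isBlocked(email, domains) {
  const at = email.lastIndexOf('@');
  if (at === -1) return false;
  return domains.includes(email.slice(at + 1).trim().toLowerCase());
}

// The two forms posted in this thread, plus a bare string for comparison.
const samples = {
  singleQuoted: "['tmomail.net', 'txt.bell.ca', 'txt.att.net']",
  doubleQuoted: '["tmomail.net","txt.bell.ca","txt.att.net","vtext.com"]',
  bareString: 'txt.att.net',
};

for (const [name, raw] of Object.entries(samples)) {
  const result = parseBlockedDomains(raw);
  console.log(name, result.ok ? result.domains : result.reason);
}
```
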

Thank you. Thank you. Thank you.
Was getting nuked over here.

Also, what is going on here with how the spammers are signing up?
Here is from the Docker log…

[2025-01-25 17:22:26] INFO "GET /members/api/integrity-token/" 200 1ms
[2025-01-25 17:22:27] INFO "POST /members/api/send-magic-link/" 201 919ms
[2025-01-25 17:22:55] INFO "GET /members/api/integrity-token/" 200 1ms
[2025-01-25 17:22:56] INFO "POST /members/api/send-magic-link/" 201 1316ms

With my Make “eraser”, spammers have a 2-second lifespan…

[2025-01-25 17:32:31] INFO "GET /?action=signup&success=true" 200 141ms
[2025-01-25 17:32:33] INFO "DELETE /ghost/api/v3/admin/members/6795202f1fbeaf00018e47c4?formats=html%2Cmobiledoc" 204 351ms

If you’re overwhelmed with spam signups I’d be happy to help you set this up.

1 Like

If I get my developer to implement this on my self-hosted site, is there a way for me to update the domains in the block list in header code injection?

No, this is an option on the server. Only the configuration file or environment variables will have an impact on the list.

If it’s helpful to anyone, here is the complete list of domains the spammers have been using on my site.

You should be able to copy/paste this to your config.production.json and restart Ghost.

"spam": {
    "blocked_email_domains": [
      "vtext.com",
      "txt.att.net",
      "tmomail.net",
      "mymetropcs.com",
      "msg.telus.com",
      "pcs.rogers.com",
      "fido.ca",
      "txt.freedommobile.ca",
      "mail.com"
    ]
  },

Testing by signing up with one of the blocked addresses should result in an error popup and a message in your logs:

This email domain is not accepted, try again with a different email address

3 Likes

Thanks everyone, this was helpful! Getting raided by a bunch of txt.att.net accounts on my end, which I assume are some “AI agents/operators” scraping the web to add gated content to their datasets. :grimacing:

At first, updating the config & restarting didn’t work. I had to first update ghost (ghost update). The relevant release this was activated on is 5.107.1.

Strange this isn’t supported on mailgun side though.

2 Likes

That is because the sign up emails are not sent by Mailgun.
Mailgun is only for the mass emailing, so the newsletter.

The signup mails are from your smtp server.

I have Mailgun configured for everything.

I have updated with the new spam block above, and updated Ghost, stopped, restarted and I can still sign up with txt.att.net. Not sure if I am doing something wrong or missing something?? Self hosted in cloud, Ghost doctor shows no problems or errors.

Which version are you running? Can we see the relevant part of your configuration?