Ghost CLI - 1.26.1
Ghost version - 5.107.2
You have nested the spam object under paths. It should be on the same level. You also have a typo in the property itself. It's blocked_email_domains (singular email), not blocked_emails_domains.
This should work:
  ...,
  "process": "systemd",
  "paths": {
    "contentPath": ...
  },
  "spam": {
    "blocked_email_domains": [
      "txt.att.net"
    ]
  }
}
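A lint for the two mistakes named in the answer above (the spam object nested under paths, and the misspelled property), as an added example that is not part of the original post or of Ghost's code. The function name and both sample configs are constructed; only the key names come from the thread.

```javascript
// Added example: only "spam", "paths" and "blocked_email_domains" come from the
// thread; lintSpamConfig and both sample configs are constructed here.
const KEY = "blocked_email_domains";

function lintSpamConfig(config) {
  const findings = [];
  const nested = config.paths ? config.paths.spam : undefined;
  if (nested !== undefined) {
    findings.push('"spam" is nested under "paths"; move it to the top level');
  }
  // Inspect whichever object exists so a typo is reported even when nested.
  const spam = config.spam !== undefined ? config.spam : nested;
  if (spam === null || typeof spam !== "object" || Array.isArray(spam)) {
    findings.push('no usable "spam" object found');
    return findings;
  }
  for (const k of Object.keys(spam)) {
    if (k !== KEY && /^blocked_?e?mails?_?domains?$/i.test(k)) {
      findings.push(`"${k}" looks like a misspelling of "${KEY}"`);
    }
  }
  const list = spam[KEY];
  if (!Array.isArray(list)) {
    findings.push(`"${KEY}" is missing or not an array`);
    return findings;
  }
  for (const entry of list) {
    // The thread's entries are bare domains ("txt.att.net"), not addresses.
    if (typeof entry !== "string" || !/^[^\s@]+\.[^\s@]+$/.test(entry)) {
      findings.push(`entry ${JSON.stringify(entry)} is not a bare domain`);
    }
  }
  return findings;
}

// Constructed configs: the mistake described in the answer, and the corrected layout.
const brokenConfig = {
  process: "systemd",
  paths: { contentPath: "/constructed/content", spam: { blocked_emails_domains: ["txt.att.net"] } },
};
const fixedConfig = {
  process: "systemd",
  paths: { contentPath: "/constructed/content" },
  spam: { blocked_email_domains: ["txt.att.net"] },
};
console.log(lintSpamConfig(brokenConfig), lintSpamConfig(fixedConfig));
```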
made the change and worked, thanks Brent
Just want to chime in here with a warning to Mailgun users: do not bring any of this to the attention of their support team, or they'll permanently disable your account.
I naively asked about our sending reputation after getting hit with just a few of these spam signups, and they suspended our domain, then our account, and then sent this:
Without context this does not mean much.
You might have a domain and spam people and this was just the last drop in the bucket.
You might be completely right and they are overreacting.
I didn't think context or defense was needed, but no, there were no drops in the bucket. Even if there had been, no explanation was given, so it's impossible to know. I never got beyond automated responses.
Context always matters.
The problem is, any company can deny doing business with you.
That just sucks.
That is why I am a bit worried about mailgun, being the only option for ghost.
Makes it hard for self-hosters.
Can someone explain how these bots/spammers/scammers are able to sign up using a non-existent page /membership/?
You can use any page for sign up when you hit the API with a python client for example.
I guess ghost does not forbid sign ups on non existing sites.
And forbidding this would not even solve the problem, they could do the same on your root domain.
Hey everyone,
This is my blocked email domains list so far:
[
  "txt.att.net",
  "tmomail.net",
  "vtext.com",
  "mymetropcs.com",
  "msg.telus.com",
  "pcs.rogers.com",
  "fido.ca",
  "txt.freedommobile.ca",
  "sms.sasktel.com",
  "txt.bell.ca",
  "email.uscc.net"
]
I just added email.uscc.net today, as I am closely watching over my instance logs. I am sharing the list so that we can help each other keep an up to date blocked list of spammy domains.
I am also looking at Ghost's commits and seems that two new functionalities are being cooked:
- A user facing setting to allow publishers to update/add the list of blocked email domains directly from Ghost admin. This will most likely be added in the next release this week.
- A functionality to enable captcha as part of our sign up flows.
Really exciting developments, and looking forward to start using these against the spammy traffic.
Hey Andrej!
That is why I am a bit worried about mailgun, being the only option for ghost.
This is something to be concerned about indeed. Do you use your own mail server instead of mailgun?
I wonder how much of a challenge is to maintain your own mail server, and also if you face any issues with deliverability rates, newsletter falling in spam folder because of not high enough reputation etc…
I have updated to the build with the spam filter, have added Juan's version of the spam blocklist above, can confirm that if I try to test it myself I get an error - but other spam accounts are still somehow managing to sign up anyway? Not really sure what's going on.
Are these definitely new sign-up events, and not delayed bounces from before you updated?
Pretty sure they're new as I delete the spam accounts every time they sign up and these are newly registered members.
Possible you're looking at magic links sent from before you updated? The block is on sending the magic link, not on them clicking it to activate, so it's possible that you might still see some confirmations come in after you update.
Given that when you test manually, the block seems to be working, I might wait a bit to see if more subscriptions show up or not before deciding it isn't working.
I guess that could be true; Mailgun is saying that nearly 800 emails have been sent and I haven't had remotely that many signups (even with the spam ones) so I guess I likely have a lot of fake accounts sitting and waiting for activation.
Unfortunately, that's a very real possibility. If you're self hosting, you might clear out the relevant database table. There's also a recent post that describes some automation for deleting junk accounts after verification - worth a look!
Thanks Cathy, I am self hosted but I'm not sure how I'd go about clearing the database table. I'm assuming it's not a straightforward terminal command?
@mixvio I believe it's the tokens table. It is automatically cleared every ~24 hours AFAIK. If you haven't gotten any legit signups in that timeframe you could probably clear everything in it using the mysql command line interface on your server (or PHPMyAdmin or whatever).
I've added vtest.com to my MagicPages custom block list as I've had several signups from there since yesterday that just bounce off the Amazon mailservers. Since the email doesn't get through, these don't appear as new Ghost subscribers, but the address format (9-10digits@) is similar, so I presume it's the same sort of scam. I've got ~5,000 subscribers, none of which use vtest.com.
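The log-watching described in this thread (spotting a new domain by the 9-10 digit address format, then checking that no real subscriber uses it) can be scripted; the following is an added example, not code from any poster or from Ghost. The function name, the threshold of two hits and every sample address are constructed assumptions; the blocked domains are taken from the list posted above.

```javascript
// Added example: triageSignups, minHits and all sample data are constructed.
const DIGITS_LOCAL = /^\d{9,10}$/; // the "9-10digits@" format mentioned in the thread

function triageSignups(emails, blockedDomains, memberDomains, minHits = 2) {
  const blocked = new Set(blockedDomains.map((d) => d.toLowerCase()));
  const inUse = new Set(memberDomains.map((d) => d.toLowerCase()));
  const alreadyBlocked = [];
  const hits = new Map(); // unlisted domain -> signups with a digits-only local part
  for (const raw of emails) {
    const email = raw.trim().toLowerCase();
    const at = email.lastIndexOf("@");
    if (at <= 0) continue; // not an address
    const local = email.slice(0, at);
    const domain = email.slice(at + 1);
    if (blocked.has(domain)) {
      alreadyBlocked.push(email);
    } else if (DIGITS_LOCAL.test(local)) {
      if (!hits.has(domain)) hits.set(domain, []);
      hits.get(domain).push(email);
    }
  }
  // Suggest a domain only after repeated hits, and never one that existing
  // subscribers use, so a block does not lock out real readers.
  const candidates = [...hits]
    .filter(([domain, list]) => list.length >= minHits && !inUse.has(domain))
    .map(([domain]) => domain)
    .sort();
  return { alreadyBlocked, candidates };
}

// Constructed sample input (555 numbers and example.* domains are placeholders).
const sampleSignups = [
  "5550100001@txt.att.net",
  "5550100002@email.uscc.net",
  "5550100003@email.uscc.net",
  "reader@example.com",
  "1234567890@example.org",
  "5550100004@example.net",
  "5550100005@example.net",
];
const sampleBlocked = ["txt.att.net", "vtext.com"];
const sampleMemberDomains = ["example.com", "example.net"];
console.log(triageSignups(sampleSignups, sampleBlocked, sampleMemberDomains));
```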