Ghost sign up and spam?

Interesting domain. It looks to be part of some kind of test suite, not the usual SMS gateways we saw before :thinking:

Considering the risk of being blocked by Mailgun because of these fake signup attacks, I think it’s a good practice to use another email provider for transactional emails. Since we can just use any SMTP server, AWS SES or any other provider would be a better and safer option.

1 Like

And vtext.com, which (to contradict my last email @jannis … not a typo :stuck_out_tongue_winking_eye:) I’ve had several of in the last hour, appears to be a now-defunct Verizon Message+ domain. Also now blocked …

1 Like

Okay, I’m freaking out a bit here.

I just received an email from Mailgun invoicing me for sent messages, over 1,000 have been sent from my account over the last week or so.

It’s a tiny invoice, less than £1, but it’s very concerning. I’ve deleted every member with a dodgy email address, and am on the latest version of Ghost, with PikaPods.

Any suggestions on what I can do?

Edit: I’m on 5.107.2.

Deleting the members once they are there is too late. The emails (magic links) have already been sent at that point.

If you’re on PikaPods, you should have some kind of access to environment variables. Adding this one should do the trick and block them from signing up:

You can adjust the block list to what you see in Mailgun. @JuanDelgadillo posted a pretty comprehensive list in his comment, which should cover all domains that are currently known to be part of this spam:

Thanks @jannis, unfortunately PikaPods doesn’t offer that particular variable to edit.

I’ve disabled membership sign up on my site for now.

Ohhh… I didn’t know they restricted what kind of environment variables you could set.

If that is the case, I’d suggest reaching out to them or upgrading to v5.109.0 (if possible?). This version includes the ability to also set the block list through the admin directly (in Settings):

(Thanks for this, @Sag :raised_hands: )

4 Likes

Cheers for that @jannis, will do.

1 Like

I’m glad I am not the only one who experienced this. I updated all of my Ghost sites and added the domains to the blocklist. Please tag me if there are any new domains that need to be blocked or other measures that I can take.

Same, I just got a bill from them and logged in to see what is going on. I have 7000+ failed emails in the last few weeks, even though I’m only getting a handful of fake signups appearing in Ghost. This is for a site with like 100 real members.

Like @jannis said, deleting the members is too late and is not the full picture of what is going on. For every spam member I have actually appear in the Ghost dashboard, I am sending over 1000 magic links that bounce/fail. So I think the suggestion to switch to SMTP for transactional emails is a good idea.

Seems bad that if you run a Ghost site and didn’t check this thread or read the release notes last week, you are liable to get banned from the only newsletter provider!

3 Likes

Does anyone know the reason behind this attack? Do they target only Ghost websites? What is the purpose?

1 Like

@muratcorlu This is a great question. The three possibilities I can think of:

  1. Someone trying to pre-clean a bought/stolen email list (wouldn’t help with knowing which addresses would bounce, but would give info on which email addresses were genuinely invalid/malformed)
  2. A targeted attack (but it seems too widespread for this to be the intent) or an attempt to drive the price of some service (CDNs and firewalls? Email validation? a Ghost competitor? IDK, it doesn’t seem likely)
  3. Some scheme to get member-walled content and republish it? This also seems far-fetched, since the magic links get sent to the email address, and the spammers don’t seem to control the addresses they’re entering, and thus would never receive the magic links.

1 Like

It seems like we’ve seen several different black-hat behaviors recently. Some of these sms-gateway addresses do seem to be clicking the magic links. Unless we think there’s been so many garbage magic links sent out that these are just some minority of people who do click random links when received (?!), I’d add the possibility of comment spam SEO strategy. This forum gets multiple sign-ups every day that are clearly spammy, and the mod team follows along behind and cleans them up. If you aren’t seeing the spam on this forum, it’s a combination of automated flagging and the first person to see the stuff that gets through flagging it (which causes it to get hidden until the mod team can block).

It’s all very weird. We can all speculate, but I haven’t heard anything that really explains what’s going on…

Knock on wood, but my own site hasn’t seen anything obviously weird, except for the member (a real person and former client!) who today somehow triggered hundreds of open events over the course of a couple seconds. My open rate is now 500%+! [I’m guessing her email client glitched or something? Very strange.]

3 Likes

@Cathy_Sarisky Right, comment spam is another likely option. That would require access to the accounts the magic links go to, though, which doesn’t fit with accounts sending spam complaints when they get a magic link email (and I haven’t noticed any actual spam comments yet).

Hi everyone,

Ghost v5.109.2 includes a spam filtering setting that allows publishers to block email domains directly from Ghost Admin. These email domains will be added on top of any email domains already blocked by config.

More details: Signup spam protection

3 Likes

OK, but in this case I don’t quite understand what the point of the Ghost spam prevention update is. Since the spammers don’t click on the magic link, they don’t finalise their subscription, so I’m not notified by Ghost and so they can continue to spam my Mailgun account without me being warned at any time, and the following month I find myself with a Mailgun invoice, and I write to Mailgun support who promptly block my account for abusive use.

Why isnā€™t anyone talking about this infernal loop that has no solution?

This new feature is the solution to it. You can block domains that are spamming - this will not let them sign up in the first place (e.g. they will not receive the magic links, since it will never have been sent).

But yes, this does require active monitoring. Ghost rolled out another update that prevents spam a few months ago. This was also circumvented. The nature of attacks like this is that you can always just make it harder and harder for them – but if somebody wants to penetrate a newsletter form, they will find a way sooner or later.

2 Likes

Bastien, I think you’ve misunderstood the new email domain block. The email block stops website visitors (well, bots) who are using specific email address domains from being able to sign up. They never get a magic link, so your outbound mailserver (or Mailgun) never tries to deliver a message to them.

But you’re right, if you aren’t watching your Mailgun/outbound mailserver, you don’t necessarily know when spammers have switched to a new email domain. If you are self hosting, you should be watching your mail server/Mailgun account regularly. You should also be reviewing your server logs, running regular operating system and software updates, etc. If that sounds like too much work, there are multiple hosted options for Ghost that will handle all the server administration work for you, including dealing with Mailgun.

2 Likes

Thanks @Cathy_Sarisky. I don’t think it would be too much work. It would be enough to set up a small alert on Mailgun, such as: more than 10 registrations in a day, send an email. Does anyone know if this is native to Mailgun or if it is possible to create such an alert with Make or another automation service?

Mailgun has a webhook for bounced messages and failed deliveries. You might put something together that detects and alerts on those.

1 Like
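As an added illustration of the webhook-based alert suggested in the last two posts (example code written for this page, not code from Ghost, Mailgun or anyone in the thread): a receiver-side routine that verifies Mailgun's webhook signature (HMAC-SHA256 over timestamp + token, keyed with the account's webhook signing key), counts verified `failed` events per recipient domain, and reports domains that reached an alert threshold. The signing key, tokens and event payloads are constructed placeholders; the `signature` / `event-data` layout follows Mailgun's documented webhook format.

```python
import hashlib
import hmac
from collections import Counter

# Mailgun signs each webhook POST with HMAC-SHA256 over (timestamp + token),
# keyed with the account's webhook signing key. Verify before trusting anything.
def verify_mailgun_signature(signing_key, timestamp, token, signature):
    expected = hmac.new(signing_key.encode(), (timestamp + token).encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature)

def failed_recipient_domains(events, signing_key):
    """Count recipient domains of verified 'failed' events (unsigned/forged dropped)."""
    counts = Counter()
    for payload in events:
        sig = payload.get("signature", {})
        if not verify_mailgun_signature(signing_key, sig.get("timestamp", ""),
                                        sig.get("token", ""), sig.get("signature", "")):
            continue
        data = payload.get("event-data", {})
        if data.get("event") != "failed":
            continue
        counts[data["recipient"].rsplit("@", 1)[-1].lower()] += 1
    return counts

def domains_over_threshold(counts, threshold):
    """Domains whose failed-delivery count reached the alert threshold."""
    return sorted(d for d, n in counts.items() if n >= threshold)

# --- constructed sample data (placeholders, not real Mailgun events or keys) ---
SIGNING_KEY = "constructed-webhook-signing-key"

def make_event(event, recipient, token, signature=None):
    timestamp = "1700000000"
    sig = signature or hmac.new(SIGNING_KEY.encode(), (timestamp + token).encode(),
                                hashlib.sha256).hexdigest()
    return {"signature": {"timestamp": timestamp, "token": token, "signature": sig},
            "event-data": {"event": event, "recipient": recipient, "severity": "permanent"}}

SAMPLE_EVENTS = [
    make_event("failed", "1234567890@vtext.com", "tok1"),
    make_event("failed", "0987654321@vtext.com", "tok2"),
    make_event("delivered", "reader@example.com", "tok3"),
    make_event("failed", "5551234567@vtext.com", "tok4", signature="00" * 32),  # forged
]

if __name__ == "__main__":
    counts = failed_recipient_domains(SAMPLE_EVENTS, SIGNING_KEY)
    print(dict(counts), domains_over_threshold(counts, 2))
```

In a real deployment the list of events would come from the JSON bodies of the POSTs Mailgun sends to the webhook URL, and the over-threshold result would feed whatever notification channel you already use.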