After 8 hours, I reopened memberships to “anyone can sign up”, and within minutes I had 5 more sign ups from Vietnam. So, my guess is there’s a script hitting the membership endpoint. What to do? Use a bot challenge from Cloudflare?
I would block the country or enable a bot challenge. Those aren't something content software should try to manage; using Cloudflare is the strongest way to deflect those.
@gibbsdesign Have you looked in the logs? The spammers hitting the send-magic-link endpoint on my site always use a python user agent, which can be blocked using Cloudflare WAF or an Nginx reverse proxy (I have done both).
For me, Cloudflare bot fight mode wasn’t effective, and they were coming from multiple IPs in multiple countries so a geoblock wouldn’t have been adequate either.
The logs show the send-magic-link endpoint being hit 189 times in the last 12 hours. Unfortunately, the user-agent isn’t python, which would be easy to block in Nginx, but looks like a browser: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36
Respectfully, I would argue that Ghost has already implemented blocks by domain, and blocks by country could be a next step. Admittedly, it doesn’t solve everything, but it would cut down on 90% of the spam memberships I’m getting. However, I’m also experimenting with deflecting via Cloudflare. Thanks for your reply.
@gibbsdesign Ah, that’s too bad. I guess I got lucky. I remember noticing another anomaly about the spam requests, too. I think it was an extra slash at the beginning of the route or something like that. So you could check for other things that are different between the legit requests and the spammy ones. But maybe I was lucky in this regard as well.
I just checked my old notes file on the differences between the spam requests and the non-spam requests. In addition to the user agent, I noticed that the spam requests had:
"originalUrl":"//members/api/send-magic-link/"
And the legit requests had:
"originalUrl":"/members/api/send-magic-link/"
Maybe that’s the case in other attacks also.
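A detection pass over request logs using the two tells mentioned in this thread (a python user agent and the doubled leading slash in originalUrl), added here as an example and not code from any of the posts. The JSON log-line layout, the IPs and the sample lines are constructed for the example; the real Ghost log schema may differ, so adapt parse_line() to your own logs.

```python
import json
import re
from collections import Counter

# Constructed sample of JSON request-log lines. The field layout (a "req" object
# holding "originalUrl", "ip" and "headers") is an assumption made for this
# example, not Ghost's documented log schema; adapt parse_line() to your logs.
SAMPLE_LOG = """\
{"req":{"originalUrl":"/members/api/send-magic-link/","ip":"203.0.113.5","headers":{"user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36"}}}
{"req":{"originalUrl":"//members/api/send-magic-link/","ip":"198.51.100.7","headers":{"user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36"}}}
{"req":{"originalUrl":"/members/api/send-magic-link/","ip":"198.51.100.8","headers":{"user-agent":"python-requests/2.31.0"}}}
{"req":{"originalUrl":"//members/api/send-magic-link/","ip":"198.51.100.7","headers":{"user-agent":"Python-urllib/3.11"}}}
{"req":{"originalUrl":"/about/","ip":"203.0.113.9","headers":{"user-agent":"Mozilla/5.0"}}}
"""

MAGIC_LINK = "/members/api/send-magic-link/"
PYTHON_UA = re.compile(r"python", re.IGNORECASE)

def parse_line(line):
    """Pull (originalUrl, client ip, user agent) out of one JSON log line."""
    req = json.loads(line).get("req", {})
    return (req.get("originalUrl", ""), req.get("ip", "?"),
            req.get("headers", {}).get("user-agent", ""))

def is_magic_link(url):
    """True for the magic-link endpoint even when the path has doubled slashes."""
    return re.sub(r"/{2,}", "/", url) == MAGIC_LINK

def spam_reasons(url, ua):
    """List the heuristics from the thread that a magic-link request trips."""
    reasons = []
    if url.startswith("//"):
        reasons.append("double-slash path")
    if PYTHON_UA.search(ua):
        reasons.append("python user agent")
    return reasons

def summarize(log_text):
    """Return (magic-link hit count, Counter of (ip, reason) for flagged hits)."""
    hits, flagged = 0, Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        url, ip, ua = parse_line(line)
        if not is_magic_link(url):
            continue
        hits += 1
        for reason in spam_reasons(url, ua):
            flagged[(ip, reason)] += 1
    return hits, flagged
```

Run summarize(SAMPLE_LOG) to get the total number of magic-link hits and a per-IP breakdown of which heuristic each suspicious request tripped; a browser-like user agent alone (the first sample line) is not flagged, which is the case described earlier in the thread.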
I had that happen to me, and I ended up just adding the “domains” to my banned list and no problem since. Now if I can just get real people to sign up for the newsletter lol.