How to handle spam accounts?

Does Ghost have anything in place to handle junk accounts that get created? Each of these accounts are suspicious:

Since you have to click the confirmation link in the email, how exactly are these fake accounts doing that?

What makes you think these are fake accounts? Are you seeing spammy comments?

If you create an Outlook account, and the name is taken, a combination of name+digits is often suggested. Either way, the emails are validated by someone.


  • Each email address contain a first and last name, which is not common.
  • Each have not only just a number, but a number of the same length, similar to a zip code.
  • Each use the domain

The odds of each of these attributes combined is nearly impossible.

1 Like

It’s certainly possible that someone’s got some automation written to create accounts on and to click links that arrive in email.

It’s less clear to me why someone would bother. What do they get? Scraping content? Hoping to leave comments with spammy links? I’m not sure! Is there any evidence of those accounts doing those things?

But… you could try turning on Cloudflare’s bot protection. No idea whether you’ll get useful detection or not, however!

1 Like

These Mails are in my opinion 100% fake. (Ok, comes from a fresh maded forum account :sweat_smile: )

Yess, names, same digits, location, date.
To use for this is easy, but you need to change ip / device-id after few, or bots are recently “ai”-powered to solve the ms-captcha :frowning:

however, maybe you find here a better solution: Add Captcha to Subscriber Form - Ideas - Ghost Forum

I’m looking forward to this topic :slight_smile:

This has been going on for some time (see this thread: Fake sign ups from the sign up page ). I know the team have been trying to come up with solutions, but as far as I know, nothing has rolled out yet. (After a lull of a month or so, I’m once again getting a couple of these every day.)

Why can’t the solution be as simple as purging all accounts, after X number of days, that have not clicked the confirmation link proving they are human?

An account isn’t created unless the sign-up is completed by clicking on the confirmation link.

So how is this happening? Some dude in his mother’s basement is creating numerous email accounts on, then using those new users to register on my website, and finally clicking on the confirmation link that is emailed to those spam accounts? If this is the case, does anyone have any idea what the spammer gets out of this process?

Also, maybe the Ghost dashboard needs a way to delete multiple accounts at once. I searched for, saw 20+ bogus accounts, but have no way to delete them other than going into the member details, one at a time.

I now regret adding my website to the “Explore” directory on the ghost website, as this is likely how the spammer found me.

Unless they were to post spammy comments, I don’t see that there’s much of an issue. If that happens, deal with it then.

It’s not a good idea to ignore the spam accounts, because having them will screw up the accuracy of the email newsletter statistics. These accounts are bogus, but still legitimate, in that they can receive the emails my server sends out. Right?

If you’re convinced that they are spam, then delete them. Unless I had a compelling reason not to, I would leave them, as I have numerous users who set up Gmail, Outlook, etc., email accounts, often using the format ‘firstnamelastname12345@,’ to gain access to free content.

They are harmless too, and if one were to start spamming my comments, I would take action.