Huge influx of spam signups

Hi there — in the last month or so we’ve gotten thousands of signups from the five following domains, which I can’t find any information about anywhere. Open rate is 0% and none of the accounts ever show up again. I had thought it was associated with real people signing up with throwaway email addresses, but they are now coming in at such a high rate that they definitely seem to be spam or bots.

@strelirt.xyz
@rolstil.xyz
@lirvilt.xyz
@poltilt.xyz
@sch00l.info

Does anyone know anything about any of these domains and have any suggestions for how to block signups from them? We are purging the accounts pretty often but ideally we could block at signup without impacting other people.

Thank you,
Jason

1 Like

Hey Jason! Love your newsletter.

Observation: All those sites have the same A record, which appears to be in Latvia. (Whether it’s a fixed IP or will be something else tomorrow is a different question.) The abuse address for that IP is: ‘abuse@nbi.lv’

nbi.lv doesn’t have a web server responding, and it’s a pretty small netblock. Whether or not they read their email is anyone’s guess. On the other hand, it doesn’t take very long to send an email telling them that you’re getting sign up spam from these domains. Maybe they do something. Probably not.

I assume you’ve already raised this with Ghost Pro support? If you were self hosting, I’d tell you to block the IP they’re coming from and be done with them. Paging @jonhickman

1 Like

Hi, thank you! I’ve been following your work closely as well—thanks for everything you do to keep the community going. This is good information. Really appreciate it. Ghost Pro support is aware of it and looking into it but was curious if it’s just us or if other sites are getting hit as well/if this has been a solved problem already.

3 Likes

Some previous discussion here:

Perhaps what we really need is a way to put a captcha in the flow somewhere. (Hopefully opt in.) It’s not particularly hard to get an integrity token programmatically (I do it!), unfortunately.

@Jason404media I had a similar problem, and ended up using CloudFlare WAF to block the user agent until the attacker gave up:

It looks like the intent behind the spam signups you’re getting might be different, though.

In my case, my Nginx logs showed that the send-magic-link endpoint was being hit directly, without going through the Ghost frontend. Ghost is working on tightening up that endpoint, which should help.

I’d like it if there was an option to validate signups against a deliverability API like Reacher, before the confirmation email is sent.

In my case, the spam signups were hurting my email sending reputation, so the damage was done before a member created webhook would be run. But if you’re just trying to remove bad signups, you could probably use a custom integration to delete members that matched certain criteria.

1 Like
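The "custom integration to delete members that match certain criteria" mentioned above can be built on a member-added webhook plus the Admin API. The following is an added example, not code from the thread, from Ghost or from any poster. It assumes the documented Ghost Admin API conventions (an Admin API key of the form `id:secret` with a hex secret, an HS256 JWT carrying that id as `kid` with audience `/admin/`, and `DELETE /ghost/api/admin/members/{id}/`), and it assumes the webhook body carries the new member under `member.current`; the blocklist is built from the domains named in the first post, and the site URL, API key and member id are placeholders.

```python
import base64
import hashlib
import hmac
import json
import time
import urllib.request

# Constructed blocklist: the five domains reported in the thread (hypothetical config).
BLOCKED_DOMAINS = {"strelirt.xyz", "rolstil.xyz", "lirvilt.xyz", "poltilt.xyz", "sch00l.info"}


def email_domain(email: str) -> str:
    """Return the normalised domain part of an address ('' if there is none)."""
    if "@" not in email:
        return ""
    return email.rsplit("@", 1)[1].strip().lower().rstrip(".")


def is_blocked_email(email: str, blocked=BLOCKED_DOMAINS) -> bool:
    """True when the address is on a blocked domain or any subdomain of one."""
    domain = email_domain(email)
    return bool(domain) and any(domain == d or domain.endswith("." + d) for d in blocked)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_admin_jwt(admin_api_key: str, now=None) -> str:
    """Build the short-lived HS256 token the Ghost Admin API expects (5 minute lifetime)."""
    key_id, secret_hex = admin_api_key.split(":", 1)
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT", "kid": key_id}
    payload = {"iat": now, "exp": now + 5 * 60, "aud": "/admin/"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(bytes.fromhex(secret_hex), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_admin_jwt(token: str, admin_api_key: str):
    """Recompute the signature; return the payload dict if it matches, else None."""
    _, secret_hex = admin_api_key.split(":", 1)
    parts = token.split(".")
    if len(parts) != 3:
        return None
    expected = hmac.new(bytes.fromhex(secret_hex), f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), parts[2]):
        return None
    return json.loads(_b64url_decode(parts[1]))


def member_to_delete(webhook_payload: dict, blocked=BLOCKED_DOMAINS):
    """Given a member-added webhook body, return (id, email) if the member should be removed."""
    member = webhook_payload.get("member", {}).get("current", {})
    email = member.get("email", "")
    if member.get("id") and is_blocked_email(email, blocked):
        return member["id"], email
    return None


def build_delete_request(site_url: str, admin_api_key: str, member_id: str) -> urllib.request.Request:
    """Prepare (but do not send) the Admin API call that deletes one member."""
    url = f"{site_url.rstrip('/')}/ghost/api/admin/members/{member_id}/"
    req = urllib.request.Request(url, method="DELETE")
    req.add_header("Authorization", "Ghost " + make_admin_jwt(admin_api_key))
    req.add_header("Accept-Version", "v5.0")
    return req


# Constructed sample webhook body, in the shape assumed above.
SAMPLE_WEBHOOK = {
    "member": {"current": {"id": "MEMBER_ID_PLACEHOLDER", "email": "someone@strelirt.xyz"}, "previous": {}}
}

if __name__ == "__main__":
    hit = member_to_delete(SAMPLE_WEBHOOK)
    if hit:
        req = build_delete_request("https://example.org", "KEY_ID:" + "00" * 32, hit[0])
        print("would send", req.get_method(), req.full_url, "for", hit[1])
        # urllib.request.urlopen(req) would perform the deletion against a real site.
```

The deletion only runs after the signup has already happened, so, as noted in the thread, it protects the member list rather than sending reputation; suffix matching on the domain (with the leading dot) avoids blocking unrelated domains that merely end in the same string.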

Thanks for the update @curiositry, part of the reason I’m going through the time sink transition to Ghost is to avoid/reduce the spam and bot attacks I get using WP. Protecting email sending reputation hopefully is increased in priority at Ghost as a core element of the platform.

1 Like

Thank you both for this. Will look into integrations that autodelete.

To be clear: We have now been on Ghost for ~16 months and our proportion of spam is incredibly low. This is the first influx we’re dealing with and it’s ultimately not that big of a deal. I wholeheartedly recommend using Ghost over WP for this reason and others.

4 Likes

@Jason404media … 404 was one of the reasons that made me look at Ghost seriously. Until then I thought Ghost was just a newsletter tool, not a potential minimalist website solution. Thanks for that. I wager 404 is getting attacked intentionally due to your responsible tech investigative/advocacy critical coverage. So hopefully a fix is found that doesn’t reduce email sending reputation.

2 Likes