I’m seeing a growing wave of spam in Members: lots of Free accounts being created (often from abroad—my audience is almost entirely in France), with names sometimes random (letters/numbers) and sometimes plausible.
After signup, these accounts generate many repeated login attempts, so their activity is filled with login events and it clutters my Members list/logs.
The emails also look real in some cases (I’ve received “out of office” auto-replies).
On the off chance that this is an older version of Ghost: upgrade. They added a required integrity token for logins midway through 5.x.
Ghost only supports email domain blocks (and there’s rate limiting built in, but mostly for failures). But if you’re self-hosting, you could stick Cloudflare out in front, which gives you a bunch of anti-bot options.
It’s interesting that your spam members are apparently clicking the magic link (otherwise they wouldn’t be members). That’s different from some past attacks.
In addition to experimenting with Cloudflare, you could also turn off free memberships. You could offer instead a 1 euro plan, and/or offer a 100% discount on a paid plan, with the offer details posted in a human-readable format on the homepage. If the current attack is not specifically targeting your site, that may stop it.
I can actually attest to this issue (self-hosted, docker, auto-updates every week).
I keep seeing more and more random people sign up, from different (real) companies - people that actually exist (after a not so thorough look-up). It’s not in huge waves. It’ll be a few every month or so (not enough to cause trouble).
Difficult to add these to the filters as it’s always random companies (email extensions).
It’s not exactly the same issue we had a few months ago with the mass sign-ups. Doubt these are real people, my blog is mostly a dormant hobby.
@lorenzo This same exact thing is happening to me.
There are 1-2 signups per day from domains that belong to companies. So the typical format is something like firstnamelastname@realcompany.com.
The issue is that they are a different company each time, so I can’t block the email domain. They always sign up on the same post. I’ve thought about just taking down the post entirely but I don’t know if that would actually solve anything.
The companies seem to be mostly located in the US, but when I look the email up in the Ghost Subscribers panel, the country is marked as Germany, Sweden, or the Netherlands.
In Outpost, I can see that they click on the Start Payment process. From Ghost, I can see that they login multiple times, similar to what @camilleroux noted. However, I can’t trace them in Plausible analytics.
My domain is with cloudflare, so I’ve been trying multiple things there but so far they are still getting through.
This just started happening this week. I’m on GhostPro. Any insight would be helpful!
In summary, I think those new fake members are the tip of the iceberg. My observation is that some bots are making signup requests for a much higher number of email addresses, and some of those email owners somehow click the signup link and complete the signup flow.
Maybe you can try to send a direct email to some of them (from countries whose language you can speak), and kindly ask how they decided to become a member.
@muratcorlu I read somewhere that potentially someone is using API to bypass the need to confirm the email address. The individuals all do the same thing, which makes me question if the real owner of the email address is clicking the confirmation email. If it was the real owner of the email address, I’d think there would be some variation in their clicking behaviors.
For example, I don’t think that the real owner of the email would try to sign up for the paid tier of my newsletter; yet every instance did click on that button. I can see that within Outpost, but that behavior wouldn’t be tracked within Ghost’s analytics.
So, it’s long been intentionally possible to create a member with the Admin API, which bypasses the magic link flow. But unless you’ve leaked your Admin API, that’s not what’s happening here. (And if they had your Admin API key, they could do a lot worse than this.)
I suspect the Ghost team would be very interested (security@ghost.org for security reports) in hearing about a bug that let someone skip confirmation.
Aside: I know that the new paid user flow at least sometimes skips email confirmation – could that be what’s going on here?
Thought #2 - is everyone impacted using Outpost, by chance? (I don’t know of any problems with their security, but if that were true, it might be a clue to where the problem is.)
@Cathy_Sarisky - there’s a reddit post that outlines almost exactly the same problem I’m having, but they’re self-hosted. I don’t know if self-hosted folks would use Outpost?
Should I change my API key/is there a way to change it?
I have emailed Ghost so I’ll update here when they respond if they offer more info.
But they don’t become a paid member at the end, right? Maybe those bots are just sending signup requests with a random tier, or specifically the paid tier (to make the signup email even more attractive). I still don’t see proof of real intentional human behavior.
I don’t know how Outpost works, btw. As far as I know, it’s a side service just using the Ghost API and webhooks to add extra stuff inside the flows. But still, signin/signup should be handled by Ghost, I believe.
Correct, they don’t become a paid member in the end. I’m also not totally sure how Outpost works in the backend.
Outpost does handle a welcome email that’s sent to all free signups once they confirm their email, which is where I can see the link to upgrade to paid gets clicked each time.
Yeah, people click links, but I don’t think that proves that they actually asked for a signup. People just click links to figure out what it is.
Also, Ghost analytics cannot track that behaviour if it’s a bot, because the Ghost tracker can only read client-side, browser-based visitor events. But those bot IPs don’t actually navigate through the site; instead they directly hit the integrity token endpoint, then the send-magic-link endpoint. And it’s done.
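The pattern described above (a client that never loads a page, but goes straight to the integrity-token endpoint and then fires send-magic-link requests, often repeatedly) is visible in the web server logs even though Ghost's browser-side analytics never sees it. Below is an added example of a small log check for self-hosters, written for this thread and not part of Ghost or any poster's setup. It assumes nginx "combined" log format and that the member endpoints live at `/members/api/integrity-token/` and `/members/api/send-magic-link/` (assumed paths); the log lines are constructed, not real traffic.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed endpoint paths for the Ghost members API (not confirmed by this thread).
INTEGRITY_PATH = "/members/api/integrity-token/"
MAGIC_LINK_PATH = "/members/api/send-magic-link/"
SIGNUP_PATHS = (INTEGRITY_PATH, MAGIC_LINK_PATH)

# Requests under these prefixes are API/asset traffic, not a human reading a page.
NON_PAGE_PREFIXES = ("/members/api/", "/assets/", "/content/", "/ghost/")

# nginx "combined" format: ip - user [time] "METHOD path proto" status bytes "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: one normal reader, one client that skips straight to the API.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2025:09:00:01 +0000] "GET /my-post/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2025:09:00:04 +0000] "GET /members/api/integrity-token/ HTTP/1.1" 200 64 "https://example.org/my-post/" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2025:09:00:05 +0000] "POST /members/api/send-magic-link/ HTTP/1.1" 201 12 "https://example.org/my-post/" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2025:09:10:00 +0000] "GET /members/api/integrity-token/ HTTP/1.1" 200 64 "-" "python-requests/2.31"
198.51.100.7 - - [12/Mar/2025:09:10:01 +0000] "POST /members/api/send-magic-link/ HTTP/1.1" 201 12 "-" "python-requests/2.31"
198.51.100.7 - - [12/Mar/2025:09:10:02 +0000] "POST /members/api/send-magic-link/ HTTP/1.1" 201 12 "-" "python-requests/2.31"
198.51.100.7 - - [12/Mar/2025:09:10:03 +0000] "POST /members/api/send-magic-link/ HTTP/1.1" 201 12 "-" "python-requests/2.31"
"""


def parse_ts(raw):
    """Parse the nginx timestamp, e.g. 12/Mar/2025:09:10:00 +0000."""
    return datetime.strptime(raw, "%d/%b/%Y:%H:%M:%S %z")


def is_page_view(path):
    """True for a request that looks like a human loading site content."""
    return not path.startswith(NON_PAGE_PREFIXES)


def analyse(log_text, burst_limit=3, window_seconds=300):
    """Return {ip: [reasons]} for clients whose signup traffic looks automated.

    Reasons:
      no_page_view_before_signup - the client hit a signup endpoint without ever
                                   requesting a page first (no browser session)
      magic_link_burst           - burst_limit or more send-magic-link POSTs
                                   inside window_seconds
    """
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        by_ip[m["ip"]].append((parse_ts(m["ts"]), m["method"], m["path"]))

    findings = {}
    for ip, reqs in by_ip.items():
        reqs.sort()
        signup = [r for r in reqs if r[2] in SIGNUP_PATHS]
        if not signup:
            continue  # this client never touched the signup flow
        reasons = []

        first_signup_ts = signup[0][0]
        if not any(is_page_view(p) for ts, _, p in reqs if ts < first_signup_ts):
            reasons.append("no_page_view_before_signup")

        # Sliding window over magic-link POST timestamps (already sorted).
        magic = [ts for ts, method, p in reqs if method == "POST" and p == MAGIC_LINK_PATH]
        for i in range(len(magic)):
            j = i
            while j < len(magic) and (magic[j] - magic[i]).total_seconds() <= window_seconds:
                j += 1
            if j - i >= burst_limit:
                reasons.append("magic_link_burst")
                break

        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    for ip, reasons in analyse(SAMPLE_LOG).items():
        print(ip, ", ".join(reasons))
```

Run it against the real access log (`analyse(open("/var/log/nginx/access.log").read())`) and the flagged IPs are what you would feed into a Cloudflare rule or fail2ban jail; a client that has a page view before its signup call and sends a single magic-link request, like 203.0.113.10 above, is left alone.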
Exactly! I don’t think they asked for the sign up either. Just trying to figure out any kind of pattern to see if I can figure out what’s going on.
Interesting to know about the Ghost Analytics not being able to track bots – that explains why I’m not seeing a match in actions on the post that is marked as the source for these spam signups. Thanks for clarifying that!
Which could be that the bots are clicking email links? It could also be that the recipient’s email server is clicking links. (Some security software does this – link click tracking is pretty sketchy as a result.)