At this point, it really feels like something Ghost needs to address at a platform level, because this problem is not sustainable for site owners to fight individually.
Whether this activity is coming from Ghost competitors, third parties abusing Ghost endpoints, or targeted attacks against specific sites is still unclear—but what is clear is that the effort required to track and mitigate it is extremely time-consuming. We’ve traced and reported multiple server clusters, had some providers confirm shutdowns, only to see the same behavior resume the same day from entirely different regions (e.g., Germany → dozens of US servers → China).
Using fingerprinting and session analysis, we can see this is coordinated automation operating at scale—rotating infrastructure, macOS-based servers, VPNs, and Tor exit nodes. Blocking individual ASNs or regions simply causes the traffic to reappear elsewhere almost immediately. Even when mitigations work temporarily, the attackers adapt faster than site owners reasonably can.
The larger issue is that Ghost’s public membership endpoints make this kind of abuse disproportionately easy, while protections (CAPTCHA, Turnstile, rate gating, verification controls) are left to custom, external, or brittle workarounds. That puts the burden entirely on individual users, while sender reputation, CRM data, and domain trust are at risk.
Regardless of who is behind this, the reality is that it affects all Ghost users, and it’s probably time for Ghost to treat automated signup abuse as a core platform concern, not an edge case.
We’ve managed to track and contain parts of it, but doing this manually is not scalable—and most site owners won’t even realize what’s happening until their sender reputation is already damaged.
Our complaint is documented in a separate thread, but it’s the same underlying issue. Addressing this has been time-consuming and repetitive, and we’ve had to switch to invite-only multiple times as a result.
https://forum.ghost.org/t/email-form-abuse-on-ghost-no-captcha/61687
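An added example (not code from the original post or from Ghost) of the "rate gating" idea in a form that tolerates rotating infrastructure: instead of counting signups per IP or ASN, it counts them site-wide in a sliding window and reports how many distinct ASNs and countries the burst spanned, which is the signature of the coordinated, region-hopping traffic described above. The log line format, field names and thresholds are assumptions, and the sample lines are constructed.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample signup events (not real data); one membership signup per line.
# Assumed fields: ISO timestamp, client IP, ASN, country code, signup email.
SAMPLE_LOG = """\
2024-05-01T10:00:01 203.0.113.10 AS64500 DE alice@example.com
2024-05-01T10:00:04 198.51.100.7 AS64501 US bob@example.net
2024-05-01T10:00:05 198.51.100.8 AS64501 US carol@example.net
2024-05-01T10:00:06 192.0.2.44 AS64502 CN dave@example.org
2024-05-01T10:00:07 192.0.2.45 AS64502 CN erin@example.org
2024-05-01T10:00:08 203.0.113.11 AS64500 DE frank@example.com
2024-05-01T10:30:00 198.51.100.9 AS64501 US grace@example.net
"""


def parse_events(text):
    """Parse the assumed whitespace-separated log format into event dicts."""
    events = []
    for line in text.splitlines():
        ts, ip, asn, country, email = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "ip": ip, "asn": asn,
                       "country": country, "domain": email.split("@", 1)[1]})
    return events


def detect_bursts(events, window_seconds=60, max_signups=5):
    """Return one alert per event at which the sliding window holds more than
    max_signups signups. The count is site-wide, not per source, because
    rotating IPs/ASNs keep every individual source under a per-source limit."""
    window = deque()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        window.append(ev)
        cutoff = ev["ts"] - timedelta(seconds=window_seconds)
        while window and window[0]["ts"] < cutoff:
            window.popleft()
        if len(window) > max_signups:
            alerts.append({
                "end": ev["ts"],
                "count": len(window),
                "asns": sorted({e["asn"] for e in window}),
                "countries": sorted({e["country"] for e in window}),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(parse_events(SAMPLE_LOG)):
        print(alert)
```

A burst that spans several ASNs and countries within a minute is the case where blocking a single ASN would only move the traffic, so it is the condition worth alerting on rather than acting on per source.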