• Resolved sffandom

    (@sffandom)


    I don’t know why this is being done to one of my Websites, other than that I may have irritated someone no end. I don’t see any benefit to the other person from this kind of abusive activity. Nonetheless, I think you should be aware of it in case this is happening to other Websites.

    Someone is using IP addresses spread across China and Venezuela (and maybe a couple of other countries, but most of this activity comes from China) to submit false Yahoo! email addresses to the subscribe2 plugin.

    Between 1 and 200 submissions will be made quickly in bulk. When I see a new batch come in I download the email data in CSV format and block the AS record-level IP address ranges for these overseas submission points. Whoever is doing this keeps finding new Chinese networks to exploit. It could be they are using the Subscribe2 form as a test bed to determine which machines they can use for future DDoS attacks.

    The fake email addresses are always in the form of a 5-digit number “at” Yahoo.com. E.g., [email protected].

    My server’s email system quickly fills up with bounce messages from Yahoo! I have to delete these fake registrations every 1-2 days and block more Chinese IP address ranges.

    If in the future you can add some sort of throttling mechanism (many of the submissions use the same IP addresses, although I suspect they come in semi-random order) that would be helpful.

    https://wordpress.org/plugins/subscribe2/

Viewing 3 replies - 1 through 3 (of 3 total)
  • @sffandom,

    I’m not sure if this will help but you could try adding the ‘yahoo.com’ domain to the blocked domains list in the Settings page under the miscellaneous tab.

    Also, it might be worth installing plugins like Bad Behaviour and Stop Spammer Registrations as they should stop bot activity.

    I’ll see if I can think of a way of throttling using the form.

    Thread Starter sffandom

    (@sffandom)

    Have the Stop Spammers plugin installed already. It catches a lot of this stuff but some is still getting through.

    Blocking major domains like Yahoo!, Gmail, and Hotmail doesn’t work because legitimate users are blocked. We occasionally block those sites on our Web forums and inevitably receive complaints.

    It’s a tough balancing act. And I’m not sure if throttling is the answer but I don’t know what else to suggest at this point.

    I should have mentioned that I think these registration attacks may be corrupting my WP database as well, because they happen so quickly.

    @sffandom,

    Give this a try. In the plugin folder find the classes/class-s2-frontend.php file. In there look for this line:
    $this->ip = $_POST['ip'];
    And immediately after it add:

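    // Collect the IPs that added an email within the last 30 seconds. Date and time
    // are combined into one timestamp so the window also holds across midnight.
    $ips = $wpdb->get_col("SELECT ip FROM $this->public WHERE TIMESTAMP(date, time) > NOW() - INTERVAL 30 SECOND");
    if ( in_array($this->ip, $ips) ) {
    	return __('Slow down, you move too fast.', 'subscribe2');
    }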

    That should send a ‘slow down’ message to any user with an IP address that has added an email in the last 30 seconds.
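The per-IP throttle discussed in this thread, as an added stand-alone example that is not part of the original replies or of the Subscribe2 plugin. The function name, the in-memory `$log` store, the date and the sample submissions are all constructed for illustration, and the caller is assumed to pass the server-observed address (`$_SERVER['REMOTE_ADDR']`), since a form field is set by the client.

```php
<?php
// Added example (not Subscribe2 code): sliding-window throttle keyed on client IP.

/**
 * Decide whether a submission from $ip at Unix time $now may proceed.
 * $log maps IP => Unix timestamps of accepted submissions. It is a hypothetical
 * in-memory store; a real plugin would keep this in a table or a transient.
 */
function s2_example_allow(array &$log, string $ip, int $now, int $window = 30, int $max = 1): bool
{
    // Refuse anything that is not a syntactically valid IPv4/IPv6 address.
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return false;
    }
    // Keep only timestamps inside the window. Comparing whole timestamps
    // means the window is unaffected by a change of calendar day.
    $recent = array_values(array_filter(
        $log[$ip] ?? [],
        fn (int $t): bool => $t > $now - $window
    ));
    if (count($recent) >= $max) {
        $log[$ip] = $recent;   // prune old entries, record nothing new
        return false;
    }
    $recent[] = $now;
    $log[$ip] = $recent;
    return true;
}

// Constructed sample submissions (documentation-range IPs), straddling midnight.
$midnight = strtotime('2015-03-02 00:00:00 UTC');
$submissions = [
    ['203.0.113.7',  $midnight - 10],
    ['203.0.113.7',  $midnight + 5],   // 15 s after the first: throttled
    ['198.51.100.4', $midnight + 6],   // different IP: accepted
    ['203.0.113.7',  $midnight + 25],  // 35 s after the first: accepted
    ['not-an-ip',    $midnight + 26],  // invalid address: refused
];

$log = [];
foreach ($submissions as [$ip, $ts]) {
    $verdict = s2_example_allow($log, $ip, $ts) ? 'accept' : 'slow down';
    printf("%s  %-13s %s\n", gmdate('H:i:s', $ts), $ip, $verdict);
}
```

Raising `$max` above 1 permits short bursts from addresses shared by several legitimate users.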


The topic ‘Bizarre Subscribe2 Exploit’ is closed to new replies.