Spam bomb, powered by your website?

Jesse Kester

Published on: March 07, 2018 13:10

Mainly by using WordPress sites and newsletter sign up forms a huge amount of unwanted e-mail is being sent. In most cases the owners of these sites don't know they are contributing to this problem.

In the rest of this blogpost we will look at the reason for this abuse, how you can see if you are contributing to this problem too and how you can prevent it.

Unwanted e-mail sent from hosting packages

Recently we've been getting more complaints (via Feedback loops) about unwanted e-mails being sent from the web hosting packages of our customers. We always look into these complaints seriously.

When spam is sent from our servers, either because someone is abusing a hosting package ordered under a false name or because one of our customers gets hacked, this will have a negative effect on all our customers.

Every spam e-mail sent out will have a negative effect on the reputation of our mail servers, this can cause legitimate e-mails of our customers to end up in the receiving parties spam folder.

New kind of spam

Most spam filters no longer have any problem differentiating between legitimate e-mails and offers of Viagra and free money. Most of the recent e-mails that were marked as spam did not match this image of spam.

At first sight they are regular e-mails, e-mails that ask for confirmation of your newsletter subscription, or that confirm that you created a WordPress account.

It seems this is one of the new weapons in the arsenal of the modern internet trolls. By automating the signing up process it's possible to send confirmation e-mails from thousands of different websites to a single e-mail address.

This completely floods the mailbox of the targets. Wired wrote a really good article about this. Besides protecting the reputation of our mail servers there is another reason for us to take action: these e-mails create a lot of discomfort for the recipients.

Sending outgoing e-mail from your website

Basically every form that allows a website visitor to send an e-mail to an e-mail address of their choice is vulnerable. Think of the "share with a friend" buttons, newsletter subscriptions or contact forms that send a copy of the message to the sender.

The best way to prevent abuse is to simply not create the possibility of sending outgoing e-mail from your website. When this isn't an option at the very least the form should be protected in some way against automatic submissions.

Block the sending of spam via WordPress

The most abused option for sending spam is currently the "New user registration" option in WordPress. Do you have a WordPress website and can you sign up for a new user account on the login page?

Register new user
This is where you register new users

Then your WordPress site is ready for abuse.

It's easy to disable this function. Log in to the WordPress-backend and navigate to: "Settings" > "General".

There you can remove the check mark for "Anyone can register".

WordPress Settings

When you've done this you will see the registration button disappear from your login screen, and when you visit the URL for new user creation ( directly you will see this:

Register Disabled

Congratulations! You have just protected your WordPress site from this type of abuse!

Do you have problems following these steps and do you think new user registration is still turned on for your site? Please contact us.

Other CMSs, Newsletters and Contact forms

Another often occurring method for sending these kinds of unwanted e-mails is via the sign-up form for a newsletter or via a contact form. Since there is no standard format for these things we cannot offer a one-size-fits-all solution for this.

However, generally it will be sufficient to add a Captcha (I'm not a robot) or a trap field to the submission form.

Maybe you are using a different CMS from WordPress that also allows for new user sign-up? Usually this can be disabled via a simple toggle in the settings.

For different CMSs we suggest you search (we prefer DuckDuckGo for this) for "disable new user registration" followed by the name of the CMS, like Joomla, Drupal or Magento.