Spam bomb, powered by your website?

Mainly by using WordPress sites and newsletter sign up forms a huge amount of unwanted email is being sent. In most cases the owners of these sites don't know they are contributing to this problem.

In the rest of this blog post we will look at the reason for this abuse, how you can see if you are contributing to this problem too and how you can prevent it.

Unwanted email sent from hosting packages

Recently we've been getting more complaints (via Feedback loops) about unwanted emails being sent from the web hosting packages of our customers. We always look into these complaints seriously.

When spam is sent from our servers, either because someone is abusing a hosting package ordered under a false name or because one of our customers gets hacked, this will have a negative effect on all our customers.

Every spam email sent out will have a negative effect on the reputation of our mail servers, this can cause legitimate emails of our customers to end up in the receiving parties spam folder.

New kind of spam

Most spam filters no longer have any problem differentiating between legitimate emails and offers of Viagra and free money. Most of the recent emails that were marked as spam did not match this image of spam.

At first sight they are regular emails, emails that ask for confirmation of your newsletter subscription, or that confirm that you created a WordPress account.

It seems this is one of the new weapons in the arsenal of the modern internet trolls. By automating the signing up process it's possible to send confirmation emails from thousands of different websites to a single email address.

This completely floods the mailbox of the targets. Wired wrote a really good article about this. Besides protecting the reputation of our mail servers there is another reason for us to take action: these emails create a lot of discomfort for the recipients.

Sending outgoing email from your website

Basically every form that allows a website visitor to send an email to an email address of their choice is vulnerable. Think of the "share with a friend" buttons, newsletter subscriptions or contact forms that send a copy of the message to the sender.

The best way to prevent abuse is to simply not create the possibility of sending outgoing email from your website. When this isn't an option at the very least the form should be protected in some way against automatic submissions.

Block the sending of spam via WordPress

The most abused option for sending spam is currently the "New user registration" option in WordPress. Do you have a WordPress website and can you sign up for a new user account on the login page?

Register new user
This is where you register new users

Then your WordPress site is ready for abuse.

It's easy to disable this function. Log in to the WordPress-back-end and navigate to: "Settings" > "General".

There you can remove the check mark for "Anyone can register".

WordPress Settings

When you've done this you will see the registration button disappear from your login screen, and when you visit the URL for new user creation ( directly you will see this:

Register Disabled

Congratulations! You have just protected your WordPress site from this type of abuse!

Do you have problems following these steps and do you think new user registration is still turned on for your site? Please contact us.

Other CMSes, Newsletters and Contact forms

Another often occurring method for sending these kinds of unwanted emails is via the sign-up form for a newsletter or via a contact form. Since there is no standard format for these things we cannot offer a one-size-fits-all solution for this.

However, generally it will be sufficient to add a Captcha (I'm not a robot) or a trap field to the submission form.

Maybe you are using a different CMS from WordPress that also allows for new user sign-up? Usually this can be disabled via a simple toggle in the settings.

For different CMSes we suggest you search (we prefer DuckDuckGo for this) for "disable new user registration" followed by the name of the CMS, like Joomla, Drupal or Magento.