Multiple users signing up with name "adwdasddwa"
Issue Summary
Across a couple of Ghost sites I run (self-hosted + 1x on Ghost.org), I have seen a few new members signing up with valid-looking emails but the name "adwdasddwa". It appears I am not the only one.
Steps to Reproduce
n/a
Just have a Ghost website
Ghost Version
5.89.0+moya
Node.js Version
Unknown
How did you install Ghost?
Hosted
Database type
MySQL 5.7
Browser & OS version
Firefox/Chrome/Edge & MacOS/Windows/Linux
Relevant log / error output
No response
Code of Conduct
- [X] I agree to be friendly and polite to people in this repository
Yeah, I've noticed this too.
Thanks for reporting this, if you're using a Ghost(Pro) site please don't hesitate to contact [email protected] - we're aware of this issue and problem solving it currently.
@erik-ghost - does this mean there is also a fix being released for the open source version too?
What was the cause? Are these legit users or should they be deleted?
@curi The sign ups with "adwdasddwa" as the name are not legitimate and you can safely delete them.
@kisamoto I'll be able to say more about that once we're a bit farther along problem solving this issue, and I will provide an update once I have something concrete for you.
Why is this marked as solved? What is the solution? These fake signups are burning through my email credits.
@erik-ghost can we keep this open rather than 'completed' until there is a fix deployed please?
@erik-ghost Thanks for opening this back up. I've had to disable new user signup as the only way to stop the flood of fake requests. I've been getting about 100 per hour.
We've released a version of Ghost that includes spam protection. It's still experimental, so you'll need to add a config flag to enable the protection:
```
verifyRequestIntegrity: true
```
This is a temporary flag, by the release next week we should have this enabled by default.
We wanted to make sure you had the ability to use this as soon as possible!
Let us know if you have any trouble with this
@sam-lord I've noticed with the flag enabled this seems to block all email signups. It seems that `req.body.integrityToken` is not being passed in at all by the front end.
On further inspection I can see the version from `apps/portal/package.json` has not been bumped and Ghost is still serving `@tryghost/portal` version 2.39.0 via the `cdn.jsdelivr.net/ghost/portal@~2.39.0` `<script>` tag. Was this version meant to be bumped or is there a release process that I was missing here?
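A self-hosted operator who wants to repeat the check described in the comment above (which Portal build the site actually serves, before assuming the `integrityToken` is being sent) can parse the rendered page for the jsdelivr tag. This is an added example, not code from the Ghost project or from anyone in the thread; the HTML excerpt is constructed, and the minimum version you compare against is a placeholder, since the thread does not name the Portal release that introduced the token.

```python
import re

# Constructed <head> excerpt from a Ghost site's rendered HTML. The script URL
# shape matches the jsdelivr tag quoted in the thread; the version and the
# data-* attribute values are sample values, not taken from a real site.
SAMPLE_HTML = """<head>
<script defer src="https://cdn.jsdelivr.net/ghost/portal@~2.39.0/umd/portal.min.js" data-i18n="false" data-ghost="https://blog.example/" crossorigin="anonymous"></script>
</head>"""

# Matches the version requested in the tag. Note that "@~2.39.0" is a semver
# range (>=2.39.0 <2.40.0), so this reports the floor the site asks for, not the
# exact patch release the CDN resolved it to.
PORTAL_TAG_RE = re.compile(r"cdn\.jsdelivr\.net/ghost/portal@~?(\d+)\.(\d+)\.(\d+)")


def served_portal_version(html):
    """Return the (major, minor, patch) Portal version the page loads, or None if no tag is found."""
    match = PORTAL_TAG_RE.search(html)
    if match is None:
        return None
    return tuple(int(part) for part in match.groups())


def portal_at_least(html, minimum):
    """True when the requested Portal version is at least `minimum`, a (major, minor, patch) tuple."""
    version = served_portal_version(html)
    return version is not None and version >= tuple(minimum)


if __name__ == "__main__":
    # Placeholder minimum: replace with the Portal version that ships the integrity token.
    REQUIRED_PORTAL = (2, 40, 0)
    print(served_portal_version(SAMPLE_HTML))
    print(portal_at_least(SAMPLE_HTML, REQUIRED_PORTAL))
```

Fetch the site's front page with any HTTP client and pass the body to `portal_at_least`; if it returns `False`, the server-side flag will reject every signup because the older Portal never sends the token, which is the symptom reported above.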
Do the people creating these spam signups have access to the email addresses they're signing up, or do they have a way of cheating the confirmation step?
Are any spam signups happening without the adwdasddwa name or are all other signups currently legitimate?
> Do the people creating these spam signups have access to the email addresses they're signing up, or do they have a way of cheating the confirmation step?
> Are any spam signups happening without the adwdasddwa name or are all other signups currently legitimate?
As far as I can tell, they don't control the recipients. Many of them are reporting the magic link emails as spam which I'm worried about impacting my email reputation. Every signup has included the 'adwdasddwa' name.
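The thread gives two signals an operator can triage on before deleting anything: the fixed name string (which the maintainers confirm is never legitimate) and the rate, around 100 signups an hour from one campaign. The script below applies both rules to a Ghost members CSV export. It is an added example, not code from the Ghost project or from anyone in the thread; the CSV rows are constructed, and the burst threshold is an assumption to tune to your own signup volume.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample of a Ghost members export (the CSV Ghost Admin produces has
# id, email, name and created_at columns among others). These rows are made up
# for the example; the three "adwdasddwa" rows imitate the burst described in the thread.
SAMPLE_MEMBERS_CSV = """id,email,name,created_at
m1,alice@example.com,Alice Example,2024-08-01T09:05:00.000Z
m2,bob@example.com,Bob Example,2024-08-01T10:12:00.000Z
m3,x9f2k@example.net,adwdasddwa,2024-08-02T14:00:10.000Z
m4,q77a@example.org,adwdasddwa,2024-08-02T14:00:45.000Z
m5,zz12@example.com,adwdasddwa,2024-08-02T14:01:30.000Z
m6,carol@example.com,Carol Example,2024-08-02T16:40:00.000Z
"""

# Name string reported in the thread as never belonging to a legitimate signup.
KNOWN_SPAM_NAMES = {"adwdasddwa"}
# A single name used for this many signups inside one hour is treated as a burst
# (threshold chosen for the example; tune it to the site's normal signup rate).
BURST_THRESHOLD = 3
BURST_WINDOW_SECONDS = 3600


def load_members(csv_text):
    """Parse the export into dicts with a real datetime for created_at."""
    members = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        members.append({
            "id": row["id"],
            "email": row["email"],
            "name": row["name"].strip(),
            "created": datetime.strptime(row["created_at"], "%Y-%m-%dT%H:%M:%S.%fZ"),
        })
    return members


def flag_known_names(members, spam_names=KNOWN_SPAM_NAMES):
    """Exact-match rule: member ids whose name is a known spam marker."""
    return [m["id"] for m in members if m["name"] in spam_names]


def flag_bursts(members, threshold=BURST_THRESHOLD, window_seconds=BURST_WINDOW_SECONDS):
    """Rate rule: names that signed up `threshold` times within `window_seconds`.

    Catches a later campaign that changes the name string. Blank names are
    skipped because many legitimate signups leave the name empty.
    """
    by_name = defaultdict(list)
    for m in members:
        if m["name"]:
            by_name[m["name"]].append(m)
    flagged = {}
    for name, rows in by_name.items():
        rows.sort(key=lambda r: r["created"])
        # Slide a window of `threshold` consecutive signups over the sorted times.
        for i in range(len(rows) - threshold + 1):
            span = rows[i + threshold - 1]["created"] - rows[i]["created"]
            if span.total_seconds() <= window_seconds:
                flagged[name] = [r["id"] for r in rows]
                break
    return flagged


def triage(csv_text):
    """Return the sorted member ids matched by either rule, for review before deletion."""
    members = load_members(csv_text)
    suspect = set(flag_known_names(members))
    for ids in flag_bursts(members).values():
        suspect.update(ids)
    return sorted(suspect)


if __name__ == "__main__":
    print(triage(SAMPLE_MEMBERS_CSV))  # ['m3', 'm4', 'm5']
```

Run it against a real export and review the returned ids in Ghost Admin rather than deleting automatically: the exact-name rule is safe per the maintainers' statement above, while the burst rule is a heuristic that can also catch a genuine promotion spike.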
@sam-lord My signups are not functioning with that flag enabled.
"The request could not be understood." is the response with this flag enabled.
Hey, sorry for the delay on this, I've been dealing with another bout of covid. I just released v5.90.1. Principally, this has the Portal release that was necessary for the config flag to work. Go ahead and give that another try.
@9larsons no problem - any chance this release will be pushed to https://hub.docker.com/_/ghost anytime soon? Thanks.
@JamesMarino The Docker image is not maintained by us but I saw the commit was merged 4 hours ago, so it should come through soon
I have confirmed that I can now request an account and am no longer being bombarded with fake account requests. Thanks.
I installed version 5.91.0. The issue seems to persist.