Measures over spam signups


For around a month now, there has been a spam signup attack against many Ghost sites, including Synaps Media publications. In this update I want to inform you about the measures we have taken on Synaps Media and their possible side effects.

Characteristics of the attack

The attacker is making signup requests with random-looking (but actually valid) email addresses on random Ghost sites. It is as if someone who does not own an email address fills in the Subscribe form on your main page with it, and your website then sends a signup confirmation email (a.k.a. magic link) to that address. Most of the time you don't notice those requests, because the real owners of those mailboxes don't click the confirmation link and never become members. But the attacker tries to have magic links sent to those addresses from as many Ghost websites as it can. If the owners of those mailboxes complain about spam, these emails reduce the reputation of your site's sending domain.

And in some cases, the owners of those email addresses do click the confirmation link and become members of your website. If you recently noticed new members with weird-looking email addresses from unexpected countries, most probably they are the result of those spam requests.

Almost all of those requests come from the Tor network.

ℹ️
Tor is a privacy-focused network that people use to hide their real location and IP address while browsing the web. Instead of connecting to a website directly, traffic is routed through multiple servers around the world. This makes it very hard to identify who is making a request. Tor is commonly used for privacy reasons, but the same anonymity also makes it attractive for automated abuse and spam.

The intention behind this attack is not clear. I opened a thread on the Ghost Community Forum to share and discuss the issue. Based on the observations, the attack could be a way of pre-validating a list of email addresses in preparation for phishing campaigns (if an email owner clicks a link they normally shouldn't, that is a strong signal to the attacker that the address is worth targeting). Another possibility is that someone is simply trying to harm the Ghost ecosystem, for some unknown reason, since the attack looks specifically targeted at Ghost sites.

ℹ️
Phishing is a type of online fraud where attackers try to trick people into clicking links or sharing information by pretending to be a trusted website or service. This is often done via email. If an attacker knows that an email address belongs to a real, active person, that address becomes more valuable and more likely to be targeted by phishing campaigns.

Our action against this attack

Since my observation was that almost all of the attack traffic comes from the Tor network, we disabled signup requests from the Tor network (that is, from known Tor exit relays) on all Synaps Media sites. According to our first observations, this action mitigated the issue completely.

Possible side effects

Blocking signup requests coming from Tor Network may have some side effects. The most obvious one is that users who browse the web through Tor will not be able to sign up as a member on your site. They can still read your content without any restriction, but the signup request itself will be blocked.
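To make the "read freely, but no signup from Tor" behaviour concrete, here is an added Python example of the kind of filter a reverse proxy in front of Ghost could apply. It is an illustration written for this page, not Synaps Media's actual implementation (which is not described here). It loads a Tor exit-relay list in the one-address-per-line format of the Tor Project's bulk exit list, works out the real client address, and rejects only the magic-link POST from exit addresses while letting every other request through. The sample exit list uses constructed documentation addresses, the `/members/api/send-magic-link` path is the endpoint Ghost's Portal posts signups to (assumed here), and the `X-Forwarded-For` handling only trusts the header when the direct peer is a proxy you run, because otherwise a Tor user could bypass the block by forging a clean address in the header.

```python
import ipaddress
from typing import Optional, Set, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed sample in the format of the Tor Project's bulk exit list
# (https://check.torproject.org/torbulkexitlist: one IP per line). These
# are documentation addresses, not real relays. In production the list is
# refreshed regularly; a stale list both over- and under-blocks.
SAMPLE_EXIT_LIST = """\
# comments and blank lines are ignored
198.51.100.7
203.0.113.42

2001:db8:dead::beef
not-an-ip
"""

# Path Ghost's Portal posts signup/sign-in requests to (assumed for this example).
MAGIC_LINK_PATH = "/members/api/send-magic-link"


def parse_exit_list(text: str) -> Set[IPAddress]:
    """Parse a one-address-per-line list, ignoring blanks, comments and junk."""
    exits: Set[IPAddress] = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            exits.add(ipaddress.ip_address(line))
        except ValueError:
            continue  # a malformed line must not disable the whole filter
    return exits


def resolve_client_ip(remote_addr: str, xff: Optional[str],
                      trusted_proxies: Set[IPAddress]) -> IPAddress:
    """Determine the real client address.

    X-Forwarded-For is attacker-controlled unless the direct peer is a proxy
    we operate, so the header is only honoured when remote_addr is trusted.
    Hops are walked from the right: trusted hops are skipped and the first
    untrusted address is the client. Trusting the header blindly would let a
    request from an exit relay claim any address it likes and skip the block.
    """
    peer = ipaddress.ip_address(remote_addr)
    if peer not in trusted_proxies or not xff:
        return peer
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer  # garbage in the header: fall back to the peer address
        if addr not in trusted_proxies:
            return addr
    return peer


def decide(method: str, path: str, remote_addr: str, xff: Optional[str],
           exits: Set[IPAddress], trusted_proxies: Set[IPAddress]) -> Optional[int]:
    """Return an HTTP status to reject with, or None to let the request through.

    Only the magic-link POST is gated: page, RSS and asset requests from Tor
    pass untouched, so Tor readers keep reading and only signup is refused.
    """
    is_signup = method.upper() == "POST" and path.rstrip("/") == MAGIC_LINK_PATH
    if not is_signup:
        return None
    if resolve_client_ip(remote_addr, xff, trusted_proxies) in exits:
        return 403
    return None


if __name__ == "__main__":
    exits = parse_exit_list(SAMPLE_EXIT_LIST)
    # Signup from an exit relay is refused, reading the front page is not.
    print(decide("POST", "/members/api/send-magic-link/", "198.51.100.7", None, exits, set()))
    print(decide("GET", "/", "198.51.100.7", None, exits, set()))
```

The important operational detail is the exit list itself: it changes hourly, so the filter is only as good as its refresh schedule, and a list that has gone stale will let new relays through and keep blocking addresses that are no longer exits.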

Tor usage among regular newsletter subscribers is generally very low. Still, if your publication specifically targets privacy-focused audiences or activists who actively use Tor, this is something to be aware of. At the moment, we believe the trade-off is reasonable compared to the risk of email reputation damage and spam complaints.

What you need to do (nothing)

This protection is applied automatically on all Synaps Media sites. There is no action required from you, and there is no configuration you need to change in your Ghost admin panel.

If we see the attack pattern change in the future, we may adjust these rules or replace them with a more fine-grained solution. We’ll keep monitoring the situation and update you if anything changes.

If you notice something unusual

If you think legitimate users are being blocked from signing up, or if you continue to see suspicious member signups despite this change, please let us know. Real-world feedback helps a lot to tune these protections without over-blocking.

Thanks for your patience, and as always, feel free to reach out if you have questions or concerns about this change.