Odd SPAM form submission across multiple customers, multiple installs.

So several customers have reported submissions such as this:

https://www.dropbox.com/s/lvydyjelhwaleh2/Screenshot 2017-06-13 17.48.44.png?dl=0

They come from a variety of IP addresses, often the same IP is used on multiple submissions over the course of weeks. We have seen submissions in excess of 1,000 across multiple customers in the last few weeks.

Anybody see these before or have any idea where/why they are coming from?
Consider that the link used is an internal one, from a logged-in customer->list->subscriber doing an 'update'.
 
Consider that the link used is an internal one, from a logged-in customer->list->subscriber doing an 'update'.
Sorry, no, they are all from unique IPs. I have a list of IPs that they come from if you'd like. Often the same IP uses different emails after a few days.
 
@Jamie Whittingham - You can try and enable the recaptcha extension for those forms to prevent automatic submissions.
That works for the embedded forms, but if using the form in another manner, like a page builder, it doesn't work. Had been advising one customer to use their own reCaptcha to prevent it, but then I started seeing it in other customers on other installs as well.
 
Sorry, no, they are all from unique IPs. I have a list of IPs that they come from if you'd like. Often the same IP uses different emails after a few days.
How would anyone get to the link structure as posted in your picture above as restated (with other chars) here:
http://mailwizzdomain.com/customer/index.php/lists/er201ezdhru3s/subscribers/ie7892rtdg451/update
http://mailwizzdomain.com/customer/lists/er201ezdhru3s/subscribers/ie7892rtdg451/update
?
Have you tried reaching such from the outside without login?
Attached please find how that ends up (unless you have a security breach).
Same IP after a few days could be an indication that someone has a reason for changes.

@Jamie Whittingham - You can try and enable the recaptcha extension for those forms to prevent automatic submissions.
But how can that link (structure) be used from the outside without login?

Comparing the above link from internal customer logged-in subscriber update, these are different link structures:
# subscribe: http://mailwizzdomain.com/lists/er201ezdhru3s/subscribe
# pending: http://mailwizzdomain.com/lists/er201ezdhru3s/pending-subscribe
# confirmation: http://mailwizzdomain.com/lists/er201ezdhru3s/confirm-subscribe/ie7892rtdg451
# approve: http://mailwizzdomain.com/customer/lists/er201ezdhru3s/subscribers/ie7892rtdg451/subscribe
# profile update: http://mailwizzdomain.com/lists/er201ezdhru3s/update-profile/ie7892rtdg451

Hope this helps to clarify. Please let me know what is missing.
 

Attachments

  • internal update=when logged-in.jpg
  • internal update=when NOT logged-in.jpg
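
An added example, not part of the original thread and not MailWizz code: one way to see which of the link structures listed above the submissions actually reach is to classify access-log POSTs by route and count them per IP. The combined log format, the `/index.php` allowance on public routes, and the sample lines (including their status codes) are assumptions made for this sketch.

```python
import re
from collections import Counter, defaultdict

# URL shapes copied from the thread. Allowing /index.php on the public
# routes as well is an assumption; the thread shows it only under /customer.
P = r"^(?:/index\.php)?/lists/\w+/"
C = r"^/customer(?:/index\.php)?/lists/\w+/subscribers/\w+/"
ROUTES = [(name, re.compile(rx)) for name, rx in [
    ("customer-area update", C + r"update$"),
    ("customer-area approve", C + r"subscribe$"),
    ("public subscribe", P + r"subscribe$"),
    ("public pending", P + r"pending-subscribe$"),
    ("public confirm", P + r"confirm-subscribe/\w+$"),
    ("public profile update", P + r"update-profile/\w+$"),
]]
# Assumed log format: Apache/nginx "combined".
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def classify(path):
    """Name the thread's link structure a request path matches, or None."""
    path = path.split("?", 1)[0]  # ignore any query string
    return next((name for name, rx in ROUTES if rx.match(path)), None)

def summarize(lines):
    """Return {route: Counter({(ip, status): hits})} for POST requests."""
    out = defaultdict(Counter)
    for line in lines:
        m = LINE.match(line)
        if m and m.group(2) == "POST" and classify(m.group(3)):
            out[classify(m.group(3))][(m.group(1), m.group(4))] += 1
    return out

def repeat_posters(summary, route, threshold=2):
    """IPs that POSTed to one route at least `threshold` times."""
    per_ip = Counter()
    for (ip, _status), n in summary.get(route, {}).items():
        per_ip[ip] += n
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)

# Constructed sample lines: documentation IP ranges, ids from the thread.
SAMPLE = [
    '203.0.113.7 - - [13/Jun/2017:17:40:01 +0000] "POST /lists/er201ezdhru3s/subscribe HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.7 - - [13/Jun/2017:17:41:10 +0000] "POST /lists/er201ezdhru3s/subscribe HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.9 - - [13/Jun/2017:17:42:00 +0000] "POST /customer/index.php/lists/er201ezdhru3s/subscribers/ie7892rtdg451/update HTTP/1.1" 302 0 "-" "-"',
    '192.0.2.44 - - [13/Jun/2017:17:43:00 +0000] "GET /lists/er201ezdhru3s/update-profile/ie7892rtdg451 HTTP/1.1" 200 900 "-" "-"',
]

if __name__ == "__main__":
    for route, hits in summarize(SAMPLE).items():
        print(route, dict(hits))
```

POSTs that land only on the public routes point at the forms; POSTs to the customer-area routes are the case the last reply asks about, and the logged status code shows how the server answered them.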