Title: Bizarre Subscribe2 Exploit
Last modified: August 21, 2016

---

# Bizarre Subscribe2 Exploit

 *  Resolved [sffandom](https://wordpress.org/support/users/sffandom/)
 * (@sffandom)
 * [12 years, 4 months ago](https://wordpress.org/support/topic/bizarre-subscribe2-exploit/)
 * I don’t know why this is being done to one of my Websites, other than that I 
   may have irritated someone no end. I don’t see any benefit to the other person
   from this kind of abusive activity. Nonetheless, I think you should be aware 
   of it in case this is happening to other Websites.
 * Someone is using IP addresses spread across China and Venezuela (and maybe a 
   couple of other countries, but most of this activity comes from China) to submit
   false Yahoo! email addresses to the subscribe2 plugin.
 * Between 1 and 200 submissions will be made quickly in bulk. When I see a new
   batch come in I download the email data in CSV format and block the
   AS record-level IP address ranges for these overseas submission points. Whoever
   is doing this keeps finding new Chinese networks to exploit. It could be they
   are using the Subscribe2 form as a test bed to determine which machines they
   can use for future DDoS attacks.
 * The fake email addresses are always in the form of a 5-digit number “at”
   Yahoo.com. E.g., 45761@yahoo.com.
 * My server’s email system quickly fills up with bounce messages from Yahoo! I 
   have to delete these fake registrations every 1-2 days and block more Chinese
   IP address ranges.
 * If in the future you can add some sort of throttling mechanism (many of the submissions
   use the same IP addresses, although I suspect they come in semi-random order)
   that would be helpful.
 * [https://wordpress.org/plugins/subscribe2/](https://wordpress.org/plugins/subscribe2/)

Viewing 3 replies - 1 through 3 (of 3 total)

 *  [Matt Robinson](https://wordpress.org/support/users/mattyrob/)
 * (@mattyrob)
 * [12 years, 4 months ago](https://wordpress.org/support/topic/bizarre-subscribe2-exploit/#post-4597374)
 * [@sffandom](https://wordpress.org/support/users/sffandom/),
 * I’m not sure if this will help but you could try adding the ‘yahoo.com’ domain
   to the blocked domains list in the Settings page under the miscellaneous tab.
 * also, it might be worth installing plugins like [Bad Behaviour](http://wordpress.org/plugins/bad-behavior/)
   and [Stop Spammer Registrations](http://wordpress.org/plugins/stop-spammer-registrations-plugin/)
   as they should stop bot activity.
 * I’ll see if I can think of a way of throttling using the form.
 *  Thread Starter [sffandom](https://wordpress.org/support/users/sffandom/)
 * (@sffandom)
 * [12 years, 4 months ago](https://wordpress.org/support/topic/bizarre-subscribe2-exploit/#post-4597394)
 * Have the Stop Spammers plugin installed already. It catches a lot of this stuff
   but some is still getting through.
 * Blocking major domains like Yahoo!, Gmail, and Hotmail doesn’t work because legitimate
   users are blocked. We occasionally block those sites on our Web forums and inevitably
   receive complaints.
 * It’s a tough balancing act. And I’m not sure if throttling is the answer but 
   I don’t know what else to suggest at this point.
 * I should have mentioned that I think these registration attacks may be corrupting
   my WP database as well, because they happen so quickly.
 *  [Matt Robinson](https://wordpress.org/support/users/mattyrob/)
 * (@mattyrob)
 * [12 years, 4 months ago](https://wordpress.org/support/topic/bizarre-subscribe2-exploit/#post-4597403)
 * [@sffandom](https://wordpress.org/support/users/sffandom/),
 * Give this a try. In the plugin folder find the classes/class-s2-frontend.php
   file. In there look for this line:
   `$this->ip = $_POST['ip'];`
   and immediately after it add:
 *     ```
       global $wpdb; // harmless if the enclosing method already declares it

       // Every IP that has submitted the form in the last 30 seconds. The check
       // uses the table's separate date and time columns, so only today's rows
       // count and a window that straddles midnight is not seen.
       $ips = $wpdb->get_col( "SELECT ip FROM $this->public WHERE date = CURDATE() AND time > SUBTIME(CURTIME(), '0:00:30.000000')" );

       // $this->ip is whatever the form posted in its hidden 'ip' field (the
       // line above), so that is the value compared against the recent rows.
       if ( in_array( $this->ip, $ips ) ) {
           return __( 'Slow down, you move too fast.', 'subscribe2' );
       }
       ```
   
 * That should send a ‘slow down’ message to any user with an IP address that has
   added an email in the last 30 seconds.
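
The 30-second rule above, and the CSV triage the original poster describes doing by hand, as an added example in Python that is not part of this thread or of Subscribe2. It parses a constructed export (the column names `email`, `ip`, `date`, `time` are an assumption about the export format), flags addresses with the 5-digit@yahoo.com shape, finds IPs that submitted more than once inside one 30-second window, lists the IPs worth blocking, and reproduces the submit-time decision the PHP snippet makes, with one difference: it compares full timestamps, so a pair of submissions that straddles midnight is still caught.

```python
"""Triage a Subscribe2 subscriber export for the burst pattern in the thread.

Added example, not Subscribe2 code. The column names email, ip, date, time
are an assumption; SAMPLE_CSV below is constructed for illustration.
"""
import csv
import io
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Pattern from the thread: a 5-digit local part at yahoo.com, e.g. 45761@yahoo.com.
FAKE_EMAIL = re.compile(r"^\d{5}@yahoo\.com$")

# Same window as the PHP snippet: a repeat from one IP within 30 seconds.
WINDOW = timedelta(seconds=30)

TS_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed sample export. The last two rows straddle midnight on purpose.
SAMPLE_CSV = """email,ip,date,time
45761@yahoo.com,203.0.113.10,2013-06-01,10:00:01
45762@yahoo.com,203.0.113.10,2013-06-01,10:00:04
45763@yahoo.com,203.0.113.11,2013-06-01,10:00:05
alice@example.org,198.51.100.7,2013-06-01,10:05:00
45764@yahoo.com,203.0.113.11,2013-06-01,10:00:09
bob@yahoo.com,198.51.100.8,2013-06-01,11:00:00
45765@yahoo.com,203.0.113.12,2013-06-01,12:00:00
45766@yahoo.com,203.0.113.13,2013-06-01,23:59:50
45767@yahoo.com,203.0.113.13,2013-06-02,00:00:05
"""


def parse_export(text):
    """Return rows as (email, ip, datetime) tuples, sorted by timestamp."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        when = datetime.strptime(f"{r['date']} {r['time']}", TS_FORMAT)
        rows.append((r["email"].strip().lower(), r["ip"].strip(), when))
    rows.sort(key=lambda t: t[2])
    return rows


def fake_pattern_hits(rows):
    """Emails that match the 5-digit@yahoo.com shape."""
    return [email for email, _, _ in rows if FAKE_EMAIL.match(email)]


def bursting_ips(rows, window=WINDOW):
    """IPs with two or more submissions inside one sliding `window`.

    Returns {ip: most submissions seen inside a single window}.
    """
    by_ip = defaultdict(list)
    for _, ip, when in rows:
        by_ip[ip].append(when)
    result = {}
    for ip, times in by_ip.items():
        times.sort()
        start, peak = 0, 1
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= 2:
            result[ip] = peak
    return result


def would_throttle(rows, ip, when_text, window=WINDOW):
    """The decision the PHP snippet makes at submit time: reject when `ip`
    already submitted inside the `window` before `when_text` (a string in
    TS_FORMAT). Full timestamps are compared, so midnight is not special."""
    when = datetime.strptime(when_text, TS_FORMAT)
    return any(r_ip == ip and when - window < r_when < when
               for _, r_ip, r_when in rows)


def block_candidates(rows):
    """IPs that burst and submitted nothing but pattern-matching addresses."""
    bursts = bursting_ips(rows)
    emails_by_ip = defaultdict(list)
    for email, ip, _ in rows:
        emails_by_ip[ip].append(email)
    return sorted(ip for ip in bursts
                  if all(FAKE_EMAIL.match(e) for e in emails_by_ip[ip]))


if __name__ == "__main__":
    rows = parse_export(SAMPLE_CSV)
    print("pattern hits:", fake_pattern_hits(rows))
    print("bursting IPs:", bursting_ips(rows))
    print("block candidates:", block_candidates(rows))
    print("throttle 203.0.113.13 at 00:00:10:",
          would_throttle(rows, "203.0.113.13", "2013-06-02 00:00:10"))
```

Two points for anyone porting the rule back into the plugin. First, the value the PHP snippet compares is `$this->ip`, taken from the form's hidden `ip` POST field on the line just above the insertion point, so a client that varies that field on each request is never throttled; key the check on the address the server observed (`$_SERVER['REMOTE_ADDR']`, or the proxy-supplied header only when a trusted proxy sets it) instead. Second, `date = CURDATE()` combined with a `time` comparison drops submissions from the previous day, which is why the example above stores and compares a single timestamp.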

The topic ‘Bizarre Subscribe2 Exploit’ is closed to new replies.

 * 3 replies
 * 2 participants
 * Last reply from: [Matt Robinson](https://wordpress.org/support/users/mattyrob/)
 * Last activity: [12 years, 4 months ago](https://wordpress.org/support/topic/bizarre-subscribe2-exploit/#post-4597403)
 * Status: resolved