Suspicious inscriptions

[Danieleeffe1]

I recently had several unsubscribe entries in my opemage installation.

All these inscriptions are almost simultaneous.

The registration form has google recaptcha v2

I suspect a hacker attack

Have you already had a similar experience?

If so, what should I do?

[tmotyl]

Please describe what do you mean more in details.

[addison74]

The investigation should start from the way an email address is unsubscribed. If it is done manually then a registered customer can do it from his account. It can also be done by accessing a link included in the newsletter you send.

If it is done automatically then we are dealing with a bot that exploits a Magento URL based on which it unsubscribes a list. I can't check at this moment the link in a newsletter to find the responsible controller. Once it is found search in your webserver access log file after this URL. IP addresses must be checked from where they came and blocked them in the system firewall (if linux use iptables, nftables, ipset, ufw, fail2ban, ...).

[Danieleeffe1]

Thanks for the reply

I checked the Apache access log as suggested

The registrations appear to have been made via the social login with Twitter account.

The IP address is the same for some and different for others

[addison74]

I don't understand anything anymore. Is it about subscription or unsubscribing action? If it is unsubscribing, how did the bot manage to unsubscribe for some addresses? I find it hard to believe that it was able to check a long list of email addresses and match a few. I think you are facing a subscription situation that I addressed in a post and I found a solution, Both by modifying the controller and by using the HoneySpam extension to which I have contributed a little lately.

[Danieleeffe1]

sorry, i don't know english and i use google translate. there have been some registrations on the site, they seem suspicious to me. my site is limited to Italy only, providing services and products only for the Italian market. new subscribers are Russian and have no reason to be subscribed. I ask if anyone knows if this could be a technique of attacking my site. Il gio 30 set 2021, 15:09 ADDISON ***@***.***> ha scritto:

…

I don't understand anything anymore. Is it about subscription or unsubscribing action? If it is unsubscribing, how did the bot manage to unsubscribe for some addresses? I find it hard to believe that it was able to check a long list of email addresses and match a few. I think you are facing a subscription situation that I addressed in a post and I found a solution, Both by modifying the controller and by using the HoneySpam extension to which I have contributed a little lately. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#1838 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ALCKSZQWFQ2VOCHH67TGWBDUEROPRANCNFSM5E7WFW7Q> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.

[addison74]

In general Google Translate does a good job for the languages of circulation. At least for the Italian it should not be a problem. It is important to use technical terms to make us understand the issue. Now I understand that it is about newsletter subscriptions. I was surprised that a bot is so clever that it manages to unsubscribe addresses in the database.

Maybe this could help you #1287.

[luigifab]

Sorry for this ad like, you can try deepl for translations.

[Danieleeffe1]

I have never written that this bot has deleted anything, I have written that it has signed up to the site as a customer even though I use Google recaptcha v2 in the registration form. the newsletter module is disabled Il gio 30 set 2021, 17:04 ADDISON ***@***.***> ha scritto:

…

In general Google Translate does a good job for the languages of circulation. At least for the Italian it should not be a problem. It is important to use technical terms to make us understand the issue. Now I understand that it is about newsletter subscriptions. I was surprised that a bot is so clever that it manages to unsubscribe addresses in the database. Maybe this could help you #1287 <#1287>. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#1838 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ALCKSZW34LOII5Q4PGVAUKTUER37PANCNFSM5E7WFW7Q> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.

[addison74]

This is your first phrase in the report "I recently had several unsubscribe entries in my opemage installation."

[Danieleeffe1]

sorry, google mistranslated Il gio 30 set 2021, 17:19 ADDISON ***@***.***> ha scritto:

…

This is your first phrase in the report "I recently had several *unsubscribe* entries in my opemage installation." — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#1838 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ALCKSZXKZQ2BBCKMMIHQC7LUER5ZVANCNFSM5E7WFW7Q> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.