Opened 6 weeks ago
#63085 new defect (bug)
"Login details" spam sent from the account registration page
Reported by: | | Owned by: | |
---|---|---|---|
Milestone: | Awaiting Review | Priority: | normal |
Severity: | normal | Version: | |
Component: | Login and Registration | Keywords: | |
Focuses: | | Cc: | |
Description
WordPress sites with open registration are used to spam me.
I am getting mails from WordPress installations that look like this:
Subject: [Legit site] Login Details

Username: www.spammer.example.com - 1.2342 BTC

To set your password, visit the following address:

https://legitsite.example.net/wp-login.php?login=www.spammer.example.com%20-%201.2342%20BTC&key=oSxUtw01QIFHoxHvokfd&action=rp

https://legitsite.example.net/wp-login.php
There are two problems:
- The username allows spaces, which means the spammer can enter a domain name and custom text
- E-mail clients autolink domains beginning with "www.", which is why all the 50+ registration spam mails I got have usernames beginning with "www."
Two things should be fixed here by WordPress:
- Reject usernames with spaces
- Reject usernames that have "www." in them, because that causes the e-mail clients to autolink the URL
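As an added illustration of the two rejections requested above, here is a small must-use plugin a site owner could deploy while the ticket is open. It is not WordPress core code and not a patch attached to the ticket; the `registration_errors` filter and `WP_Error::add()` are real WordPress APIs, while the `example_` function names, the error codes and the message text are this example's own choices.

```php
<?php
/**
 * Plugin Name: Example registration username hardening (added illustration)
 *
 * Drop into wp-content/mu-plugins/ to refuse the two username shapes the
 * ticket describes before WordPress sends the "Login Details" e-mail.
 * Added example, not WordPress core code and not a patch from the ticket.
 */

/**
 * Return an error code when a requested login matches one of the spam
 * patterns from the ticket, or null when it looks acceptable.
 *
 * Kept free of WordPress calls so it can be tested on its own.
 */
function example_reject_reason_for_login( $login ) {
    // Whitespace (space, tab, newline; the non-breaking space is listed
    // explicitly) lets the sender smuggle free text such as
    // "www.spammer.example.com - 1.2342 BTC" into the notification e-mail.
    if ( preg_match( '/[\s\x{00A0}]/u', $login ) ) {
        return 'example_login_has_whitespace';
    }
    // "www." anywhere in the name makes mail clients render it as a link.
    if ( stripos( $login, 'www.' ) !== false ) {
        return 'example_login_contains_www';
    }
    return null;
}

/**
 * Hook the check into the registration flow. 'registration_errors' is a core
 * WordPress filter: it receives the WP_Error collector, the sanitized login
 * and the e-mail address, and registration is refused when any error was
 * added. The hypothetical error codes above become the WP_Error codes.
 */
function example_registration_errors( $errors, $sanitized_user_login, $user_email ) {
    $reason = example_reject_reason_for_login( $sanitized_user_login );
    if ( null !== $reason ) {
        $errors->add( $reason, 'Usernames may not contain spaces or "www.".' );
    }
    return $errors;
}

// Guarded so the file can also be loaded outside WordPress for a quick check.
if ( function_exists( 'add_filter' ) ) {
    add_filter( 'registration_errors', 'example_registration_errors', 10, 3 );
}
```

Because the check runs inside the registration filter, the refusal happens before the account is created and before any e-mail is sent, so the spam message never leaves the site. The pure helper is the part worth watching in logs: counting how often each reason code fires shows whether the two patterns from the ticket are still the ones being tried.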