The past few days have been spent diagnosing various email delivery issues from the AWS web cluster that is running our WordPress plugin store as well as our SaaS locator platform. During this process email routing was pushed from the servers through the AWS Simple Email System. SNS notifications were enabled to monitor the progress and provide some insight as to what was happening on the send mail side of things.
Not far into the mission something odd was showing up. Email delivery notifications were being transmitted from our documentation server — a basic WordPress install with almost no plugins running and a simplified theme. Yet in the “delivered” stack of SNS notifications there were random email addresses being spammed every 30-60 seconds.
The Culprit? Jetpack
Turns out the documentation site has Jetpack installed. It also has the default settings for the publicize sharing enabled. This includes email sharing.
After a good bit of research it was found that the mailing subsytem was being exploited through the front end interface for sharing a post via email. The Postfix mail logs provide immediate evidence of this.
The Solution? Turn Off Email Sharing
The solution was simple — turn off Jetpack email sharing of pages and posts.
It was clear as day when we toggled this setting on and off. Using linux tail to monitor the mail log file in real time the email sharing feature was turned off. In an instant the constant flow of outbound email messages stopped. Turn it on — they started right back up.
Until Jetpack has a better way to detect and prevent email spamming from this feature, TURN IT OFF. Your fellow Internet citizens will be happy you did.
The spammers are doing nothing more than adding a fully qualified “FROM” email address in the sharing box. This allows them to get their spam message across along with a web link that some email programs will turn into a clickable link.
Here is an example From entry:
"value": "\"Get up to 40,000 dollars - https://rebrand.ly/Prizes2020\" <email@example.com>"
And the matching reply-to header:
"value": "\"000 dollars - https://rebrand.ly/Prizes2020\" <firstname.lastname@example.org>"
The main issue with this type of attack is getting an entire server cluster and/or domain name blacklisted. Once blacklisted legitimate email such as server notifications, WordPress notifications, or even simple contact forms will not be delivered to their target audience. This can cause all kinds of issues for the domain that has enabled Jetpack Publicize Email Sharing.
Save yourself the headaches that come when your WordPress site is discovered by this spamming app — before it becomes a bigger problem.