[wp-trac] [WordPress Trac] #63085: "Login details" spam sent from the account registration page
WordPress Trac
noreply at wordpress.org
Tue Mar 11 19:47:13 UTC 2025
#63085: "Login details" spam sent from the account registration page
------------------------------------+-----------------------------
Reporter: cweiske | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Login and Registration | Version:
Severity: normal | Keywords:
Focuses: |
------------------------------------+-----------------------------
WordPress sites with open registration are used to spam me.
I am getting mails from WordPress installations that look like this:
{{{
Subject: [Legit site] Login Details
Username: www.spammer.example.com - 1.2342 BTC
To set your password, visit the following address:
https://legitsite.example.net/wp-login.php?login=www.spammer.example.com%20-%201.2342%20BTC&key=oSxUtw01QIFHoxHvokfd&action=rp
https://legitsite.example.net/wp-login.php
}}}
There are two problems:
1. The username allows spaces, which means the spammer can enter a domain
name followed by custom text
2. E-mail clients autolink domains beginning with "www.", which is why all
of the 50+ registration spam mails I got have user names beginning with
"www."
Two things should be fixed here by WordPress:
1. Reject usernames with spaces
2. Reject usernames that have "www." in them, because that causes e-mail
clients to autolink the URL
--
Ticket URL: <https://core.trac.wordpress.org/ticket/63085>
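A site-level workaround for the two conditions the report proposes, added here as an example that is neither part of the ticket nor of WordPress core: a small plugin that rejects registration usernames containing whitespace or "www." before the "Login Details" e-mail is ever generated. The hook names `validate_username` and `registration_errors` are real WordPress filters; the function name, the error message and the sample usernames are this example's own assumptions.

```php
<?php
/*
 * Plugin Name: Reject autolinkable usernames (added example, not WordPress core)
 */

// Pure check, usable outside WordPress: true when the username could be turned
// into a clickable spam line in the "Login Details" e-mail.
function example_username_is_abusable( string $username ): bool {
    // Any Unicode whitespace (space, tab, non-breaking space, ...) lets a
    // registrant append free text after a domain-like token, as in
    // "www.spammer.example.com - 1.2342 BTC".
    if ( preg_match( '/[\s\p{Z}]/u', $username ) === 1 ) {
        return true;
    }
    // Mail clients autolink tokens that start with "www." even without a scheme,
    // so reject the substring anywhere in the name, case-insensitively.
    if ( stripos( $username, 'www.' ) !== false ) {
        return true;
    }
    return false;
}

if ( function_exists( 'add_filter' ) ) {
    // validate_username() applies this filter on every registration path
    // (wp-login.php?action=register, wp_create_user(), REST), so a rejected
    // name never reaches wp_new_user_notification() and no mail is sent.
    add_filter( 'validate_username', function ( $valid, $username ) {
        return $valid && ! example_username_is_abusable( (string) $username );
    }, 10, 2 );

    // Replace the generic "invalid username" message on the registration form.
    add_filter( 'registration_errors', function ( $errors, $sanitized_user_login, $user_email ) {
        if ( example_username_is_abusable( (string) $sanitized_user_login ) ) {
            $errors->add( 'invalid_username', 'Usernames may not contain spaces or "www.".' );
        }
        return $errors;
    }, 10, 3 );
} elseif ( PHP_SAPI === 'cli' ) {
    // Stand-alone self-check (php this-file.php) with constructed sample usernames.
    $samples = array(
        'www.spammer.example.com - 1.2342 BTC' => true,  // the pattern from the report
        'www.legit'                            => true,  // caught by the "www." rule
        'john doe'                             => true,  // plain space
        "john\u{00A0}doe"                      => true,  // non-breaking space
        'johndoe'                              => false,
        'john.doe-42'                          => false,
    );
    foreach ( $samples as $name => $expected ) {
        $got = example_username_is_abusable( $name );
        printf( "%-42s %s\n", json_encode( $name ), $got === $expected ? 'ok' : 'MISMATCH' );
    }
}
```

Rejecting at `validate_username` rather than only in `registration_errors` matters because the latter filter runs only for the wp-login.php registration form; the former is consulted by every code path that creates a user, so no path is left that can still emit the spam notification.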
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform