We are using CE 1.9.2.4 with all patches installed.
We are having a serious issue with phony/false newsletter sign-up to the point we had to disable the newsletter sign-up block completely. Therefore visitors to our e-commerce site are not able to subscribe to our newsletter.
Our developer has told us: "The newsletter code itself was not tampered with by hackers. The vulnerability is in the core module itself. What we found was just proof that hackers got in through this module, but fixing this would require deep modification of the Magento core and also research time. Normally what people do is just enable confirmation (which you already have) so the site is only sending out at most one undeliverable message to each."
Even with confirmation enabled we were still receiving dozens of fake sign-ups each day.
Our developer is now recommending about 5 hours of paid time, saying: "One thing we can try is to install software and analyze the pattern of those attacks by studying the logs and see if we can differentiate them from normal users. If there IS a pattern, we can then use software called fail2ban to code and block those attacks."
Is the newsletter block code really vulnerable to this and is there no official patch or fix?
How do we solve this problem?
Note our site is protected by a firewall, and installing a CAPTCHA also did not help.
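The log-analysis step the developer proposes can be sketched before paying for it. The script below is an added example, not code from the question or from Magento: it parses web-server access log lines in the common "combined" format, keeps only POSTs to the Magento 1 newsletter subscribe route (assumed here to be `/newsletter/subscriber/new/`; a store with a custom route would adjust `SUBSCRIBE_PATH`), and reports any client IP that submits more sign-ups than a real shopper plausibly would inside a sliding time window. The sample log lines are constructed. The threshold and window are assumptions to tune against your own traffic before turning the same pattern into a fail2ban filter; the `FAIL2BAN_FAILREGEX` constant is the matching `failregex` starting point.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" access log format, which Magento usually sits behind.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed Magento 1 frontend route for newsletter sign-up; adjust for custom routes.
SUBSCRIBE_PATH = "/newsletter/subscriber/new"

# Equivalent fail2ban failregex (assumed starting point): fail2ban substitutes <HOST>
# for the client IP and counts matches per host within its own findtime/maxretry.
FAIL2BAN_FAILREGEX = r'^<HOST> \S+ \S+ \[[^\]]+\] "POST /newsletter/subscriber/new/? HTTP'

# Constructed sample log: 198.51.100.7 submits five sign-ups in ninety seconds,
# 203.0.113.5 browses the site and submits once.
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Mar/2017:10:00:01 +0000] "POST /newsletter/subscriber/new/ HTTP/1.1" 302 0 "-" "curl/7.47"',
    '203.0.113.5 - - [12/Mar/2017:10:00:05 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Mar/2017:10:00:20 +0000] "POST /newsletter/subscriber/new/ HTTP/1.1" 302 0 "-" "curl/7.47"',
    '203.0.113.5 - - [12/Mar/2017:10:01:00 +0000] "POST /newsletter/subscriber/new/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Mar/2017:10:00:45 +0000] "POST /newsletter/subscriber/new/ HTTP/1.1" 302 0 "-" "curl/7.47"',
    '198.51.100.7 - - [12/Mar/2017:10:01:10 +0000] "POST /newsletter/subscriber/new HTTP/1.1" 302 0 "-" "curl/7.47"',
    '198.51.100.7 - - [12/Mar/2017:10:01:30 +0000] "POST /newsletter/subscriber/new/ HTTP/1.1" 302 0 "-" "curl/7.47"',
]


def parse_line(line):
    """Parse one combined-format log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FORMAT),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def subscribe_posts(lines):
    """Yield parsed records for POSTs to the subscribe route (trailing slash optional)."""
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].rstrip("/") == SUBSCRIBE_PATH:
            yield rec


def find_bursts(lines, max_per_window=3, window_seconds=600):
    """Return {ip: peak_count} for IPs whose subscribe POSTs exceed max_per_window
    inside any window_seconds span. Thresholds are assumptions; tune them so that
    ordinary shoppers (who subscribe once) never trip them."""
    by_ip = defaultdict(list)
    for rec in subscribe_posts(lines):
        by_ip[rec["ip"]].append(rec["ts"])

    offenders = {}
    for ip, stamps in by_ip.items():
        stamps.sort()  # log lines are not guaranteed to be in time order
        start, peak = 0, 0
        for end in range(len(stamps)):
            # Slide the window start forward until it spans at most window_seconds.
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_per_window:
            offenders[ip] = peak
    return offenders


if __name__ == "__main__":
    for ip, count in find_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {count} sign-ups within the window, candidate for blocking")
```

Run this over a day's real access log before committing to fail2ban: if the offending IPs cluster (a few hosts, a non-browser User-Agent, or a fixed cadence) the rate-limit approach is worth the paid hours; if every fake sign-up comes from a fresh address, IP blocking alone will not solve it and the confirmation flow remains the main control.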