Showing results for 
Search instead for 
Did you mean: 

Magento misused to send Spam

Magento misused to send Spam

I have an issue here with a Magento shop: It gets abused to send spam mails by using new customer registration.

This shop uses e-mail confirmation to activate customer accounts. The spammers fill in there spam message in first and last name field and up to now the e-mail template contained name variables so the spam message got send to the mail adress which was provided. We did change the template, so the spam message doesn't get send out any longer.

But there is another issue: Each attempt created a new customer account (which wasn't confirmed) but has a full postal adress. It also has a fake name containing the spam message.

I wonder how this postal adresses got created. In the normal process a customer has to register first, then click on the confirmation link in the confirmation mail and after that he can go into the account and store a postal adress. If the confirmation link hasn't been clicked the customer has only a name and status is "Not confirmed, cannot login".

But the spammers somehow could bypass this system and register a customer with adress but without confirmation. So I'm looking for the bypass mechanism to stop this too.

Just for clarification: I can handle the problem with the mails sent. I want to find out how the registration got accessed by automted scripts. Server logs show that there where always 3 steps involved:

POST /shop_de/customer/account/createpost
GET /shop_de/customer/account/index/
GET /shop_de/customer/account/login/referer/(key_here)/

I couldn't log the POST data which were sent with the first request.

Any suggestions would be grately appreciated.





Re: Magento misused to send Spam

Follow up: I could identify the mechanism behind this.

Even if you shut off complete adress on new customer registration, one can transmit this data to Magento. Just have a look in


and you can find all the input fields.

We could now easily build a php script with cUrl to register customers in Magento shop systems:

First step: read the form_key and session cookie

Second step: Send a generated POST request with all the input fields filled and a new customer account is generated.

Depending on store configuration an e-mail will be send to the e-mail adress submitted: Either confirmation link mail or welcome mail. Since the name fields are only restricted to a length of 255 signs an attacker can place whatever message he wants and if names are used in e-mail templates this will be put into the mails.

Changing the mail templates will avoid sending out spam messages. But still there will be mails sent to the mail adresses and many fake customer accounts in the store system.

I hope this might help anvbody also affected to look in the right direction for solutions.


Re: Magento misused to send Spam

I have a similar spam issue. After some new spam registration I deleted that customers and added reCaptcha to registration form. Spamming stopped after that.

BUT if I register new customers, I'll get spamming Text automatically added to shipping/billing address, even if I register over backend form. Corrupted database connected to original magento 1.9.3 files has no effect. Still registration with cyrillic spam text (Country=Romania, State= some US states) in it.

I couldn't find a propper solution to stop that.

Any ideas what it could be?

Re: Magento misused to send Spam

Are you running a magento 1.9.x system? Which version exactly? Regards Lo.