Showing results for 
Search instead for 
Did you mean: 

Magento 2.3.0 Massive Spam attack

Magento 2.3.0 Massive Spam attack

I just did a complete install of 2.3.0 on Sunday Dec 9. Today I see an email from a Chinese customer, so I go to the admin panel to look at the customer. To my surprise there have been over 2650 email customers all coming from "". all the email accounts are a 9 numbered account


I had guest login at the time, since removed Guest allowed from the site. Also asking for email confirmation and Capta for the site. But they still seem to be spamming the site.


Re: Magento 2.3.0 Massive Spam attack

Hi @Algrium

Is it a fresh installation of Magento 2.3?

Problem Solved Click Accept as Solution!:Magento Community India Forum

Re: Magento 2.3.0 Massive Spam attack

yes it was a fresh install.

I even tried to do a fresh install of version 2.2.5, got the same thing. I had 80 new customer accounts in a 2 hour period, all from the website. looks like it is Chinese in origin.

I am not getting any notification email on new accounts. but if i go to "All Customers" The Numbered email accounts show up there.


Re: Magento 2.3.0 Massive Spam attack



The following solutions may help you,

  • Solution 1 : Blocking via IP : each account subscription use a different IP from Colombia to Vietnam...

  • Solution 2: Blocking via User agent : it can be faked... It works if you want to limit crawlers blots.

  • Solution 3: Use HoneyPot : may works, but if the bot already focused you, I think it surely knows which fields to post (see:

  • Solution 4: Captcha (Magento or Google) : may works but some people said it was overpassed

  • Solution 5: Edit email template and Add the confirmation email :

    • Removing input data such as {{var}}, {{var customer.firstname}} from the /app/locale/[locale]/template/email/account_new.html template can prevent a bit being marked as spam.
    • Add the email confirmation : System > Configuration > Customer Configuration > Require Emails Confirmation > Yes
  • Solution 6: Update fields limitation rules from database : directly in the customer_eav_attribute table, update rows with attribute_id=5 [firstname] and attribute_id=7[lastname] and replace 255 by 25 :

    • a:2:{s:15:"max_text_length";i:255;s:15:"min_text_length";i:1;}
    • by : a:2:{s:15:"max_text_length";i:25;s:15:"min_text_length";i:1;}

For more info click here

Prema M

Re: Magento 2.3.0 Massive Spam attack

Tried them, non worked.

Still getting Spammed from

Even tried htaccess file:

order deny,allow

deny from

deny from

deny from

deny from

deny from

deny from *

Re: Magento 2.3.0 Massive Spam attack

After playing around with the different versions of Magento 2, I found 2.2.5 to be the most stable for the QQ.COM email spam attacker.


In version 2.2.5 The spammer only shows up as a online visitor and does not create a new customer account automatically.


In versions 2.2.6, 2.2.7, and 2.3.0 the email spammer automatically creates a customer account, bypassing the account login setup, creating the hundreds of customers per hour in the data base. I have tried using IP blockers, but the spam still gets through.


In version 2.2.5 the data base visitor log shows over 750 visitors in about a 2-day period, but nothing shows visibly on the admin side, except who is on line at that time. With the online visitor it does not show any information on the ID, First Name, Last Name or Email columns, only shows Last Activity and Type. Usually 5 – 10 online at a time when I look.

  1. I think the next version of 2.3.X should have the same method of showing all incoming mail as a visitor and not as a customer that automatically creates the hundreds of customers per hour.
  2. Have an admin option to manually or automatically purge the visitor database at any time, otherwise the data base would continue to grow unchecked. (Could be purged every hour, once a day, once a week, once a month type options)


Re: Magento 2.3.0 Massive Spam attack

Hi, For the solution you mentioned above. What should i do for Magento 2.2.6? the validate_rules is showing as "{"max_text_length":225,"min_text_length":1}", and there is also an "input_filter": "trim". should i remove "trim", and edit the 225 to 25? i tried it yesterday but the Russian spam still coming through?

Re: Magento 2.3.0 Massive Spam attack

I have tried editing validate_rules 5 and 7 to {"max_text_length":25,"min_text_length":1}.

On a shop running Magento 2.2.1 this works perfectly. However on a different shop running 2.3.4 the rules seem to be completely ignored. It's even possible to make names that are way longer than 255. Does anyone know what could cause this?