magento-hackathon / HoneySpam

Spam protection module for customer registration, product review form and contact form.
Open Software License 3.0

Issues - subscribing to newsletter and creating new account #64

Closed addison74 closed 4 years ago

addison74 commented 4 years ago

Using this command in Terminal I am able to add as many email addresses as I want into the database:

curl 'https://www.mydomain.com/newsletter/subscriber/new' --data 'email=johndoe@gmail.com'

The same thing happens when creating a new customer account, using more data fields.

If I have the bad inspiration to set the options in the Backend to confirm a subscription or an account, Magento becomes a spammer. With Fail2Ban we catch around 60 new IP addresses daily based on a Regex filter. This is how the webserver log looks for such requests:

"GET /customer/account/create/ HTTP/1.1" 200 82432 "-" "-"
"POST /newsletter/subscriber/new/ HTTP/1.1" 302 3874 "-" "-"

I gave this extension a try but I did not get any positive results. I am still able to use the curl command without any issue. As I understand it, you are using a hidden input field in the forms, but what happens if the controller is used directly based on the URL? Or maybe I am doing something wrong?
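As an added illustration of the Fail2Ban-style log filtering described in the comment above (example code, not part of the thread and not the module's own code): a Python check over constructed access-log lines that flags hits on the two endpoints mentioned where both Referer and User-Agent are logged as "-", counts them per client IP and returns the IPs that reach a threshold, the way Fail2Ban's maxretry does. The combined log format and the 192.0.2.x sample addresses are assumptions; the thread only shows the tail of each log line.

```python
import re
from collections import Counter

# Apache/nginx combined log format (assumption: the thread shows only the
# request/status/referer/user-agent tail of each line, without the client IP).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Endpoints the thread reports being hit directly, bypassing the HTML form.
ABUSED_PATHS = ("/newsletter/subscriber/new", "/customer/account/create")

def parse_line(line):
    """Return the named fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def is_suspicious(entry):
    """A hit on an abused endpoint with no Referer and no User-Agent (both "-")."""
    if entry is None:
        return False
    path = entry["path"].split("?", 1)[0].rstrip("/")
    return path in ABUSED_PATHS and entry["referer"] == "-" and entry["ua"] == "-"

def suspicious_hits(lines):
    """Count suspicious requests per client IP."""
    hits = Counter()
    for line in lines:
        entry = parse_line(line)
        if is_suspicious(entry):
            hits[entry["ip"]] += 1
    return hits

def ips_to_ban(lines, maxretry=3):
    """IPs that reached the threshold, analogous to Fail2Ban's maxretry."""
    return sorted(ip for ip, n in suspicious_hits(lines).items() if n >= maxretry)

# Constructed sample log using RFC 5737 documentation addresses, not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [12/May/2020:10:01:02 +0000] "POST /newsletter/subscriber/new/ HTTP/1.1" 302 3874 "-" "-"
192.0.2.10 - - [12/May/2020:10:01:03 +0000] "POST /newsletter/subscriber/new/ HTTP/1.1" 302 3874 "-" "-"
192.0.2.10 - - [12/May/2020:10:01:04 +0000] "GET /customer/account/create/ HTTP/1.1" 200 82432 "-" "-"
192.0.2.11 - - [12/May/2020:10:02:00 +0000] "GET /customer/account/create/ HTTP/1.1" 200 82432 "https://www.mydomain.com/" "Mozilla/5.0"
192.0.2.11 - - [12/May/2020:10:02:30 +0000] "POST /newsletter/subscriber/new/ HTTP/1.1" 302 3874 "https://www.mydomain.com/" "Mozilla/5.0"
192.0.2.12 - - [12/May/2020:10:03:00 +0000] "POST /newsletter/subscriber/new/ HTTP/1.1" 302 3874 "-" "-"
"""

if __name__ == "__main__":
    print(ips_to_ban(SAMPLE_LOG.splitlines()))  # ['192.0.2.10']
```

Note that a missing Referer and User-Agent is only a heuristic for scripted traffic; a bot that sets both headers would pass this filter, which is why the rule is better treated as one signal among several.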

Schrank commented 4 years ago

Hey, thanks for your issue!

Unfortunately yes - you understand something wrong. What we do is catch bots which automatically fill forms without being smart and fill everything they "see" (assuming they don't interpret CSS).

And yes, you are totally right. This extension has not been "state-of-the-art" for a long time and doesn't fix the problems today's bots cause, or bots specialized in Magento, as demonstrated by your curl call.

TL;DR: If you want this module as a solution, you need another problem 😅