I just found out that this blog was being used to send spam email to accounts over at qq.com, a Chinese instant messaging software service and web portal.
Apparently, this is due to a bug in Jetpack’s Sharing feature that, despite being known for at least three years, still hasn’t been fixed.
The link above points to a support thread over at WordPress.org that describes the issue in more detail and contains a handful of workarounds for mitigating it.
Of the workarounds, I find two are worth mentioning here.
- Disable the email Sharing Button. Although a little extreme, it may be justified if you don’t have the inclination to mess around with configuration files or if the usage volume of the feature by legitimate users is low enough;
- Adding reCaptcha to the Email Sharing Button. This one involves adding a couple of lines to
The thing is, the instructions for adding reCAPTCHA were written before the release of reCAPTCHA v3, and Jetpack (version 7.8 as of this writing) isn’t currently compatible with it. When setting up reCAPTCHA, you should choose reCAPTCHA v2, or else you will receive the message below:
I’ll be monitoring the logs for a couple of days to see if enabling reCAPTCHA will suffice. If not, I’ll just disable the email sharing button altogether.
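One way to do that log monitoring, as an added example that is not from the original post or from Jetpack: it counts POST requests to the email sharing form per client IP in a web server access log. It assumes combined log format and that the share form is submitted with `share=email` in the query string; the function names, the threshold, and the sample lines are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: ip - - [time] "METHOD path HTTP/x" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def share_email_posts(lines):
    """Yield (ip, path, status) for POSTs whose query string has share=email.

    Assumption: the email share form is submitted as a POST carrying
    share=email in the query string. GETs only render the form, so skip them.
    """
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        query = parse_qs(urlsplit(m["path"]).query)
        if "email" in query.get("share", []):
            yield m["ip"], m["path"], int(m["status"])

def summarize(lines, threshold=3):
    """Count share-by-email submissions per IP and flag IPs at or over threshold."""
    hits = list(share_email_posts(lines))
    per_ip = Counter(ip for ip, _, _ in hits)
    noisy = {ip: n for ip, n in per_ip.items() if n >= threshold}
    return {"total": len(hits), "per_ip": dict(per_ip), "noisy": noisy}

# Constructed sample lines (documentation IP ranges, made-up paths).
SAMPLE = [
    '203.0.113.7 - - [01/Nov/2019:10:00:01 +0000] "POST /some-post/?share=email HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Nov/2019:10:00:03 +0000] "POST /some-post/?share=email HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Nov/2019:10:00:05 +0000] "POST /other-post/?share=email HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [01/Nov/2019:10:02:00 +0000] "POST /some-post/?share=email HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [01/Nov/2019:10:02:10 +0000] "GET /some-post/?share=email&nb=1 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '192.0.2.5 - - [01/Nov/2019:10:03:00 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    report = summarize(SAMPLE)
    print("share-by-email POSTs:", report["total"])
    for ip, n in sorted(report["noisy"].items(), key=lambda kv: -kv[1]):
        print(f"  {ip}: {n} submissions")
```

Running it over the logs from before and after enabling reCAPTCHA shows whether the number of submissions per IP actually dropped.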
It’s kind of lame that the default settings of an email sharing button would open up a website to being used to send spam. But even lamer is seeing people telling others to not complain about it on the basis of the plugin being free.
> Please remember that if you are using this plugin for free, all future requests need to be made in a reasonable manner, as nobody is paying for it. Consider that they are doing a very good job for users who are using this plugin for free, and there is a solution for it already.
Freemium ain’t free. It’s a marketing gimmick and has been working very well for Automattic, makers of Jetpack and WordPress – the latter of which by some accounts powers over 1/3 of the top 10 million web sites on the internet.