Jetpack sharing email can be abused for spam

I'm trying to keep this blog up-to-date, install all updates for WordPress and used plugins and allow access via HTTPS only but …

This blog is kept up-to-date, meaning that WordPress itself and all used plugins are installed in their most recent versions. For quite a while, access to this blog has been allowed via HTTPS only, and of course I use different passwords for the normal and the admin user. The settings in the Limit-Login-Attempts plugin are very strict, and all these steps helped to prevent thousands of unauthorized logins to this blog.

And running your own WordPress installation, you probably run the Jetpack plugin, which covers a lot of different functions under the hood of one plugin. Besides other functions, Jetpack offers the so-called Publicize function. With this function you can share your blog posts on different social media like Google+, Facebook or Twitter, and it also lets your readers share your articles in the same way.


These settings make sure your audience can share a blog post on Google+, Facebook, Twitter and via email. For the last 2 days I keep receiving emails with the title "Undelivered Mail Returned to Sender", emails that pretend to come from my system and were not delivered to the final receiver. These emails contain an attachment, which of course I didn't open 😉

Because of a hint from my provider I got to the cause of the problem.


Because of this hint it was pretty obvious that a sharing function was involved. A little bit of research with Google brought up a discussion on wordpress.org. According to this discussion the problem has been known for 4 months now, and besides the advice to use reCaptcha they have no solution of their own so far; there are no further hints. So I took the advice and set up reCaptcha for the sharing email function to end the spamming.

What's really annoying to me is that Jetpack is able to present little videos and other text on each update, but no advisory on this known problem. This would have been something very easy to accomplish.

What do you think about this: should plugin providers warn about any problems they know of?

ciao tuxoche

 
