Spammers are using Wordpress installations with open registration to send spam e-mails to third parties who never signed up.
The mails are sent via the "Register" function that is linked on the Wordpress login page wp-login.php. The registration form has two fields: "Username" and "Email".
The username field allows spaces, which is where the spammers put a domain name followed by promotional text. E-mail clients auto-link the domain name, so a recipient is one click away from the spammer's site.
Such a spammy Wordpress registration e-mail looks like this:
Username: www.spammer.example.com - 1.2342 BTC

To set your password, visit the following address:

https://legitsite.example.net/wp-login.php?login=www.spammer.example.com%20-%201.2342%20BTC&key=oSxUtw01QIFHoxHvokfd&action=rp

https://legitsite.example.net/wp-login.php
Everything after "Username:" on the first line is supplied by the spammer, and it is repeated in the login URL.
Two things should be fixed here by Wordpress:
- Reject usernames with spaces
- Reject usernames that contain "www.", because that is what causes e-mail clients to autolink them as a URL
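Until Wordpress itself rejects such usernames, a site owner can enforce both rules in a small must-use plugin. The following is an added example written for this post, not code from Wordpress or from the ticket; it hooks the real `registration_errors` filter, which Wordpress runs before the account is created and before the notification mail goes out. The function name, the file location and the third check (a URL scheme) are my own choices; the third check goes slightly beyond the two points listed above.

```php
<?php
/**
 * Plugin Name: Reject link-like usernames at registration
 * Place this file in wp-content/mu-plugins/ (assumed location; file name is ours).
 */

// Returns true when the username looks like spam payload rather than a handle.
function example_is_linklike_username( $username ) {
    // 1. Any whitespace: the spam pattern relies on "domain - promo text".
    if ( preg_match( '/\s/', $username ) ) {
        return true;
    }
    // 2. "www." anywhere, case-insensitive: mail clients autolink it.
    if ( stripos( $username, 'www.' ) !== false ) {
        return true;
    }
    // 3. An explicit URL scheme such as http:// (beyond the two rules in the post).
    if ( preg_match( '#^[a-z][a-z0-9+.-]*://#i', $username ) ) {
        return true;
    }
    return false;
}

// Wordpress passes ($errors, $sanitized_user_login, $user_email) to this filter.
add_filter( 'registration_errors', function ( $errors, $sanitized_user_login, $user_email ) {
    if ( example_is_linklike_username( $sanitized_user_login ) ) {
        $errors->add(
            'invalid_username',
            __( 'Usernames may not contain spaces, "www." or URLs.' )
        );
        // Record the attempt so the volume of abuse can be watched in the PHP error log.
        error_log( sprintf(
            'Rejected registration username "%s" from %s',
            $sanitized_user_login,
            $_SERVER['REMOTE_ADDR'] ?? 'unknown'
        ) );
    }
    return $errors;
}, 10, 3 );
```

Because a `WP_Error` with at least one entry makes `register_new_user()` abort, no account is created and no "set your password" mail is sent. If the site does not actually need self-registration, the simpler fix is to untick "Anyone can register" under Settings → General, which removes the Register link entirely.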
Let's see what the Wordpress developers say to my ticket.
Others with this problem
2024-11: Reddit: Spammed with 100+ Fake WordPress Login Emails (Help!)