Chinese spammers abuse Jetpack plugin

All day long, Chinese spammers have taken advantage of an apparent flaw in Automattic’s (the makers of WordPress) Jetpack plugin. This morning, I noticed a slew of email bounces in my inbox, all with Chinese letters in them and a link to one of my blog posts. It turns out that the spammer has been clicking on the post’s “Share This” link and somehow entering their spam as the resulting email’s “From” address. Each email goes to a “qq.com” address, which is a Chinese mail provider.

The only way I could stop these emails was to turn off Sharing under Jetpack’s settings. Upgrading to the latest Jetpack (4.6) didn’t seem to help.

Apparently this has been an issue since 2014. I have no idea why this is the first time my site has become a victim nor why Automattic hasn’t figured out a suitable countermeasure yet.
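A sketch of the kind of check a share-by-email form can apply to the visitor-supplied sender fields before any mail is sent. This is an added example in Python, not code from this post or from Jetpack; the function name, the length limit and the sample submissions are assumptions constructed for illustration.

```python
import re
import unicodedata

MAX_NAME_LEN = 60  # assumed limit for a human sender name

# A link or bare domain in the "name" field is treated as spam content.
_URL_RE = re.compile(r"https?://|www\.|[a-z0-9-]+\.[a-z]{2,}", re.I)
# Exactly one plain mailbox: no display name, no commas, no whitespace.
_ADDR_RE = re.compile(
    r"^[A-Za-z0-9.!#$%&'*+/=?^_`{|}~-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$"
)


def check_share_sender(name, address):
    """Return the reasons to reject a submission; an empty list means accept."""
    reasons = []
    for label, value in (("name", name), ("address", address)):
        # CR, LF and other control characters can break out of a mail header.
        if any(unicodedata.category(ch) == "Cc" for ch in value):
            reasons.append(f"{label}: control character")
    if len(name) > MAX_NAME_LEN:
        reasons.append("name: too long")
    if _URL_RE.search(name):
        reasons.append("name: contains a link or domain")
    if not _ADDR_RE.match(address):
        reasons.append("address: not a single plain mailbox")
    return reasons


# Constructed sample submissions (not taken from real traffic).
SAMPLES = [
    ("Alice Example", "alice@example.org"),
    ("优惠 www.example.invalid 点击", "sender@example.org"),
    ("Bob\r\nBcc: other@example.org", "bob@example.org"),
    ("Carol", "carol@example.org, extra@example.org"),
]

if __name__ == "__main__":
    for name, address in SAMPLES:
        verdict = check_share_sender(name, address) or ["accept"]
        print(repr(name), repr(address), "->", "; ".join(verdict))
```

The link pattern is deliberately strict and will also reject a name typed as "Dr.Smith"; loosen it if that matters for your visitors.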