I recently took on a new client. One of their past issues which we are trying to fix is that he is getting New User notifications regularly from people in his organization however he is not sending them out.
Somehow emails are automatically being generated to individuals who are not current users but have emails with the client (ie. email@example.com). The emails are coming from firstname.lastname@example.org. They receive the following email:
Subject: [samplesite.com] Activate cameron
You've been invited to join 'The Sample Site' at
http://samplesite.com with the role of Author.
If you do not want to join this site please ignore
this email. This invitation will expire in a few days.
Please click the following link to activate your user account:
When I clicked the link it automatically created the user with an automated message saying that login and password info was sent to their email.
I thought it might be a plugin but perhaps its a malicious script running? Not sure how they would even be able to send emails to people that are not in the WordPress database.