While list growth is usually something to celebrate, a sudden spike in subscribers could be a sign of trouble. Subscribe forms that don't include reCAPTCHA — to verify that the signup is being submitted by a human — are vulnerable to spambots.
A spambot is an abusive computer program that signs up a large number of real or fake email addresses to thousands of mailing lists. Spambots can cause issues with your reporting, sender reputation, and deliverability.
This article explains how to identify and remove spambot signups from your subscriber list, and how to protect yourself against future attacks.
Symptoms of a spambot attack
Spambot attacks can significantly damage your sender reputation and reduce your delivery rates. Typically, victims see an increase in spam complaints, bounces and unsubscribes, as well as decreased open rates.
Spam complaints increase when real email addresses are added by spambots without the owner's permission or knowledge. Imagine your email landing in hundreds of inboxes of people who have never heard of you, or have no idea how you got their address. Some people may delete your email or unsubscribe instead of making a complaint, but this still negatively affects your sender reputation.
Even unopened emails are bad news. In email deliverability terms, low open rates are a clear signal that your recipients are not engaged with you, your brand, or your content. Lack of engagement is a factor in the delivery of future emails, and can even lead to your messages being blocked.
High bounce rates are another side effect of spambot signups. Sending to a list corrupted with hundreds of fake email addresses results in hundreds of hard bounces. If bounce rates are sufficiently high, email servers may reject or block your emails entirely, and you could start to see bounces from legitimate recipients.
Spambots also increase your risk of acquiring spam trap email addresses, because some use email harvesting techniques to find addresses to add to your list. One of these techniques is "scraping" websites for email addresses, which is a surefire way to collect pure spam traps.
Identify and remove fake signups
As explained above, there are many signs that can alert you to a potential spambot attack. If you think a spambot may be attacking your subscriber list, you should identify the fraudulent addresses and remove them.
Identify fake signups
In some cases it's easy to spot fake signups because the addresses look very spammy. Or, you might see a batch of signups that share a common characteristic, such as a consecutive number string, a random alphanumeric string, or domains that contain the same word, for example:
- skitchonline.net
- skitchstudio.co
- skitchstudios.org
- skitchdesign.net
Start by exporting your list, including all subscriber fields so you can look for oddities. Here are some other things to look out for:
- A daily influx of new subscribers — A spike of new signups from the same domain at the same time every day, using addresses from free webmail hosts like Hotmail, Yahoo, and Gmail.
- Many signups within minutes/seconds — A large volume of email addresses added in an unlikely amount of time can be cause for concern.
- Invalid email addresses — If you're using a single opt-in list it's normal to occasionally collect invalid email addresses, but more than a couple for every 10-15 signups is a warning sign.
- Personal instead of corporate addresses — An uptick in @hotmail.com or @outlook.com subscriber addresses is normal for some lists. But if your business model is B2B and you typically attract corporate email addresses, this could spell trouble.
- Corporate instead of personal addresses — The opposite of the above: an increase in corporate addresses when most of your subscribers are personal.
- Sudden, frequent signups from foreign domains — If your subscriber list primarily contained .com addresses and you suddenly see, for example, an influx of .co.uk or .ru addresses, a spambot could be active on your list.
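The following is an added example, not part of the original article or any Campaign Monitor tooling: a short Python script that checks an exported list for two of the patterns above, namely many signups within seconds and several domains sharing the same word. The column names `Email` and `Date subscribed`, the timestamp format, the thresholds, and the sample rows are assumptions constructed for illustration; only the four "skitch" domains come from the article.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export; column names and timestamp format are assumptions.
SAMPLE_EXPORT = """Email,Date subscribed
anna@example.com,2018-03-01 09:14:02
k83hd7@skitchonline.net,2018-03-02 03:00:01
p02kq1@skitchstudio.co,2018-03-02 03:00:03
zz81ma@skitchstudios.org,2018-03-02 03:00:04
q7t3vb@skitchdesign.net,2018-03-02 03:00:06
ben@example.org,2018-03-03 17:45:30
"""

def load(text):
    """Parse the export into (email, signup time) pairs sorted by time."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        when = datetime.strptime(r["Date subscribed"], "%Y-%m-%d %H:%M:%S")
        rows.append((r["Email"].strip().lower(), when))
    return sorted(rows, key=lambda x: x[1])

def burst_signups(rows, window=timedelta(seconds=60), threshold=3):
    """Return addresses in any run of >= threshold signups inside `window`."""
    flagged = set()
    start = 0
    for end in range(len(rows)):
        while rows[end][1] - rows[start][1] > window:
            start += 1  # slide the window forward until it fits
        if end - start + 1 >= threshold:
            flagged.update(email for email, _ in rows[start:end + 1])
    return flagged

def shared_domain_words(rows, prefix_len=6, min_domains=3):
    """Group distinct domains whose first label starts with the same letters."""
    groups = defaultdict(set)
    for email, _ in rows:
        domain = email.rsplit("@", 1)[-1]
        label = domain.split(".")[0]
        if len(label) >= prefix_len:
            groups[label[:prefix_len]].add(domain)
    return {p: sorted(d) for p, d in groups.items() if len(d) >= min_domains}

if __name__ == "__main__":
    rows = load(SAMPLE_EXPORT)
    print(sorted(burst_signups(rows)))
    print(shared_domain_words(rows))
```

A shared word or burst that the script reports can be used directly as the "contains" or "Date subscribed" condition when you build a segment.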
If you can determine a pattern, the next step is to create a segment using that pattern to isolate the fake signups. See the instructions below.
Isolate the fake signups on your list
You can build segments to isolate fake signups, based on information like "Date subscribed", "Name", "Email address", "Location", custom fields, or a combination of these.
For example, if a name, phrase or set of numbers is repeated in the signup details, you can segment them by creating a rule based on name or email and choosing "contains" as the condition.

Remove fake signups from your list
Permission required to use this feature: lists and subscribers
Instead of just deleting spambot email addresses from your list, it's a good idea to add them to your suppression list. After you've created a segment to isolate the fake signups, follow these instructions:
- Click Lists & subscribers, then select your affected list.
- Click Segments in the left menu.
- On the "Segments" page, click the segment you created for fake signups.
- Click Export segment below the segment builder to download a CSV file containing the fake addresses.
- Click Lists & subscribers in the top navigation.
- Click Suppressions in the left menu.
- Click Add to suppression list, then copy and paste your addresses from your exported segment into the field.
- Click Add to suppression list to confirm your changes.
While spambots are always evolving, you can protect yourself by using a signup form with reCAPTCHA, which requires signups to verify that they're human. Our signup forms and HTML form have reCAPTCHA built in.
Other CAPTCHA-enabled signup forms that you can use with Campaign Monitor include:
On 1 March 2018 we released a security update to our HTML form, to provide extra protection against spambot attacks. If you're using this type of subscribe form to collect signups and have not updated the code since 1 March 2018, we recommend replacing the existing code on your website.
To do so, follow our instructions to generate the subscribe form code. When you click Get the code, newer, more secure code will be generated which you can then add to your site. reCAPTCHA is built into the newer version of this form, and shows whenever a spambot is suspected. You can make reCAPTCHA show to all subscribers by editing the generated HTML subscribe form code.
If you believe your existing HTML subscribe form has been affected by a spambot, please contact support.