How can I identify and prevent spam/bot traffic at email subscription points?
Summary
What email marketers say (14 marketer opinions)
Marketer from Email Geeks suggests that depending on scale, one can run analytics based on typical sign-up behaviour to flag suspicious behaviours for manual inspection, using data-points like location, time, referrer, etc.
Email marketer from Reddit suggests analysing the time it takes a user to fill out the form and identifying whether it is quicker than a human could reasonably do so.
Email marketer from HubSpot shares that blocking known spam IP addresses from accessing signup forms can help reduce the amount of bot traffic and prevent fake subscriptions.
Email marketer from LinkedIn suggests blocking signups from countries that aren't likely to be the right target audience.
Email marketer from Reddit shares that using honeypot traps, which are hidden form fields only bots will fill out, can help identify and block bot submissions without affecting the user experience for human subscribers.
Marketer from Email Geeks mentions that the hidden form field is not as effective as it was and warns against relying on reCAPTCHA (even v3) because of the growth of captcha farms (people hired to do the work of bots, who are actually humans). A good tool but, like everything, far from perfect.
Email marketer from Mailchimp shares that enabling signup form security features, such as CAPTCHA and double opt-in, can help protect against spam and bot traffic, ensuring only genuine subscribers are added to the list.
Marketer from Email Geeks states that Mailchimp supports hidden fields and that it is not an "enterprise feature" by any means.
Email marketer from StackExchange shares that one should implement JavaScript validation to only allow emails with valid formats through and also look for common disposable email address providers.
Marketer from Email Geeks suggests certain types of role and other accounts should never be subscribed, such as abuse@, postmaster@, support@, and others, and ideally, they should be caught at the form level.
Email marketer from Neil Patel explains that implementing CAPTCHA on signup forms can help differentiate between human users and bots, preventing automated spam submissions.
Marketer from Email Geeks shares that CAPTCHA and confirmed opt-in are standard practices and suggests using a hidden form in the HTML for the signup to deter automated sign-ups.
Email marketer from Sendinblue shares that using double opt-in requires subscribers to confirm their email address before being added to the list, verifying the user's intention and preventing bots from subscribing with fake or harvested emails.
Marketer from Email Geeks suggests that one piece of PHP could serve the form (with the hidden value), then check it, and only pass on the subscribes that didn't have it filled to the ESP API.
What the experts say (7 expert opinions)
Expert from SpamResource suggests performing reverse DNS lookups on the IP addresses of subscribers. If the IP address doesn't have a valid reverse DNS record, or if it resolves to a dynamic hostname, it could be a sign of a bot or spammer.
Expert from Email Geeks states that ESPs that can't handle subscription checks are a problem, and that subscription checks need to be server side, as most dumber bots aren't handling JS.
Expert from Word to the Wise mentions that it is important to have a strong transactional relationship, as this will help filter out bots.
Expert from Email Geeks recommends talking to the ESP's abuse desk before the dev team and asking them what they're doing about subscription bombing and how one can help.
Expert from SpamResource explains that one approach is to use a tiered CAPTCHA. Start with a simple CAPTCHA, and if the user fails, present a more complex one. This helps weed out simpler bots while providing a smoother experience for legitimate users.
Expert from Email Geeks suggests capturing an audit trail for each signup, including timestamp, remote IP, and browser metadata. Also suggests considering zerocaptcha and fraud tracking blacklists. Adding a hidden form in the HTML, especially with JavaScript, will deter many bots.
Expert from Email Geeks says that the easiest thing to add is a hidden form field with a value in it; if the POST doesn't have that value, discard it. More subtle approaches include actual text fields hidden by CSS, and discarding the submission if the contents change.
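The server-side checks described above (the hidden honeypot field, the hidden value that must arrive unchanged, the fill-time check, the role-account and disposable-domain filtering, and an audit record per signup) combined into one screening function. This is an added example, not code from any of the quoted marketers or experts; the field names `website`, `form_token` and `rendered_at`, the token value, the thresholds and the disposable-domain list are all assumed.

```python
"""Server-side screening of a newsletter signup POST, run before the ESP API call.

Added example. Assumed form fields: 'email'; 'website' (honeypot hidden by CSS,
must stay empty); 'form_token' (hidden value that must arrive unchanged);
'rendered_at' (epoch seconds stamped when the form was served; sign it in
production so a bot cannot backdate it).
"""
import re
import time

HONEYPOT_FIELD = "website"
TOKEN_FIELD = "form_token"
EXPECTED_TOKEN = "example-token-value"   # constructed; use a per-form signed value
MIN_FILL_SECONDS = 3.0                   # assumed: faster than a human can type
ROLE_ACCOUNTS = {"abuse", "postmaster", "support", "noreply", "webmaster"}
DISPOSABLE_DOMAINS = {"mailinator.com", "guerrillamail.com"}  # constructed sample
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def screen_signup(form: dict, now: float = None) -> dict:
    """Return an audit record: accept flag, reason, email, remote IP, time."""
    now = time.time() if now is None else now
    email = form.get("email", "").strip().lower()
    record = {"accept": False, "reason": "", "email": email,
              "remote_ip": form.get("remote_ip", ""), "received_at": now}

    def reject(reason: str) -> dict:
        record["reason"] = reason
        return record

    # 1. Honeypot: only a bot that fills every input touches this field.
    if form.get(HONEYPOT_FIELD, ""):
        return reject("honeypot_filled")
    # 2. Hidden token: must be present and unchanged.
    if form.get(TOKEN_FIELD) != EXPECTED_TOKEN:
        return reject("token_missing_or_altered")
    # 3. Timing: reject submissions faster than a human could fill the form.
    try:
        elapsed = now - float(form["rendered_at"])
    except (KeyError, ValueError):
        elapsed = -1.0                   # missing or garbled timestamp: treat as too fast
    if elapsed < MIN_FILL_SECONDS:
        return reject("submitted_too_fast")
    # 4. Syntax, role accounts and disposable providers.
    if not EMAIL_RE.match(email):
        return reject("invalid_email")
    local, domain = email.rsplit("@", 1)
    if local in ROLE_ACCOUNTS:
        return reject("role_account")
    if domain in DISPOSABLE_DOMAINS:
        return reject("disposable_domain")
    record["accept"] = True
    return reject("ok")
```

Only records with `accept` set to True are forwarded to the ESP; the rejected ones are kept as the audit trail for manual inspection.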
What the documentation says (4 technical articles)
Documentation from Project HoneyPot provides a distributed system for identifying malicious bot networks; you can use a tool like this to identify networks of bots signing up.
Documentation from OWASP explains that implementing rate limiting on signup forms restricts the number of requests from a single IP address within a specific timeframe, preventing bots from flooding the system with spam subscriptions.
Documentation from Google reCAPTCHA explains that reCAPTCHA uses advanced risk analysis techniques to distinguish between humans and bots, offering various challenges or background analysis to prevent automated abuse on signup forms.
Documentation from Cloudflare explains that using bot management tools, which analyze traffic patterns and identify malicious bots, can help prevent automated spam subscriptions and protect signup forms from abuse.
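A sliding-window rate limit for the signup endpoint, keyed by client IP, of the kind the OWASP article above describes. This is an added example, not code from OWASP or any of the products mentioned; the limit of 5 submissions per 10 minutes is an assumed value.

```python
"""Per-IP sliding-window rate limit for a signup form (added example).

Assumed policy: at most 5 submissions per IP in any 600-second window.
Keep the store in memory for a single server; share it (e.g. in a cache)
when the form is served by several hosts.
"""
from collections import deque
import time


class SignupRateLimiter:
    def __init__(self, max_requests: int = 5, window_seconds: float = 600.0):
        self.max_requests = max_requests
        self.window = window_seconds
        self._hits = {}  # ip -> deque of submission timestamps inside the window

    def allow(self, ip: str, now: float = None) -> bool:
        """Record a submission from ip and return True if it is within the limit."""
        now = time.time() if now is None else now
        q = self._hits.setdefault(ip, deque())
        # Drop timestamps that fell out of the window so only recent traffic counts.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_requests:
            return False  # over the limit: answer 429 and do not forward to the ESP
        q.append(now)
        return True

    def recent_count(self, ip: str, now: float = None) -> int:
        """Submissions from ip still inside the window, for the audit trail."""
        now = time.time() if now is None else now
        q = self._hits.get(ip, deque())
        return sum(1 for t in q if now - t < self.window)
```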