How can I prevent bot signups on my email newsletter form?
Summary
What email marketers say (14 marketer opinions)
Email marketer from Neil Patel explains rate limiting form submissions from a single IP address. This can help prevent bots from submitting multiple forms in a short period.
Email marketer from Email Geeks shares that after switching on mandatory Turnstile checks, the random Yahoo email addresses stopped. The addresses also all ran the JavaScript timer on the page, each taking three seconds.
Email marketer from Wordable shares implementing double opt-in. This ensures that only users who confirm their email address are added to your list, reducing the chance of bots.
Email marketer from Patrick Coombe's Blog explains using a "honeypot" field. This is a field hidden from users but easily detectable by bots. If the honeypot field is filled, it's likely a bot.
Email marketer from Quora suggests using a content delivery network (CDN), which commonly has bot-blocking abilities. CDNs are able to check and challenge any requests for potential malicious intent.
Email marketer from Web Hosting Forum says to implement a minimum time in which the form can be completed; if it is completed faster, then it must be a bot.
Email marketer from G2 answers that they have used Email Hippo with their forms to prevent fake email addresses and bot signups.
Email marketer from OptinMonster suggests adding a custom question to your email form that bots can't answer but a human can. This ensures submitters are human and helps prevent bot signups.
Email marketer from Email Geeks shares useful steps, in addition to or other than CAPTCHAs, for handling the problem of bot signups, including hidden fields that get auto-filled by bots and real-time email validation calls via API when the opt-in form gets filled out.
Email marketer from Reddit mentions using email verification services to check if an email address is valid and active before adding it to your list. This can weed out bot-generated or disposable email addresses.
Email marketer from Email Geeks shares their experience of seeing similar spammy accounts from Yahoo/Microsoft domains that bypassed CAPTCHA but were ranked as likely bots. They resolved to enhance CAPTCHA/form processing.
Email marketer from Email Geeks shares a layered approach to forms and email address collection including using edge proxies, detailed form validation in HTML/JS and on the server side with API calls, and double opt-in.
Email marketer from Email Geeks shares that they now fire off the Cloudflare Turnstile CAPTCHA when someone has typed more than three characters of their email address, to avoid it executing on page load.
Email marketer from StackOverflow says to use JavaScript to validate the email address in the browser before sending, and to use server-side validation once it is received to check that the email address meets the criteria.
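An added example, not taken from any of the sources quoted on this page: one way a server-side handler could combine the per-IP rate limit, honeypot field, and minimum completion time described above. The field names `website` and `form_token`, the thresholds, the demo key, and the in-memory store are assumptions for illustration.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque

SECRET = b"constructed-demo-key"  # assumption: load a real secret from config
MIN_FILL_SECONDS = 3              # assumption: faster than this is treated as a bot
MAX_TOKEN_AGE = 3600              # assumption: rendered forms expire after an hour
RATE_LIMIT, RATE_WINDOW = 5, 60   # assumption: 5 submissions per IP per 60 s
_recent = defaultdict(deque)      # ip -> timestamps of recent submissions


def _sign(ts):
    return hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()


def issue_form_token(now=None):
    """Return 'timestamp.signature' for a hidden field set when the form is rendered."""
    ts = str(int(now if now is not None else time.time()))
    return f"{ts}.{_sign(ts)}"


def check_signup(form, ip, now=None):
    """Return (accepted, reason) for one submission; `form` is a dict of posted fields."""
    now = now if now is not None else time.time()

    # 1. Per-IP rate limit over a sliding window.
    hits = _recent[ip]
    while hits and now - hits[0] > RATE_WINDOW:
        hits.popleft()
    hits.append(now)
    if len(hits) > RATE_LIMIT:
        return False, "rate_limited"

    # 2. Honeypot: the CSS-hidden "website" field must come back empty.
    if form.get("website", "").strip():
        return False, "honeypot_filled"

    # 3. Minimum fill time, using a signed timestamp the client cannot forge.
    ts, _, sig = form.get("form_token", "").partition(".")
    valid_ts = ts.isascii() and ts.isdigit()
    if not valid_ts or not hmac.compare_digest(sig.encode(), _sign(ts).encode()):
        return False, "bad_token"
    elapsed = now - int(ts)
    if elapsed < MIN_FILL_SECONDS:
        return False, "too_fast"
    if elapsed > MAX_TOKEN_AGE:
        return False, "token_expired"
    return True, "ok"
```

Submissions that pass these checks would still go through double opt-in before the address is added to the list.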
What the experts say (2 expert opinions)
Expert from Word to the Wise recommends implementing challenges such as CAPTCHAs or other forms of human verification to deter automated signups.
Expert from Word to the Wise explains that using confirmed opt-in is key. This requires the subscriber to actively confirm their address by clicking a link in an email, vastly reducing bot signups.
What the documentation says (4 technical articles)
Documentation from Cloudflare details that Bot Fight Mode uses various techniques, including behavioral analysis and machine learning, to identify and block malicious bot traffic. It can be configured to block, challenge, or log suspected bots.
Documentation from Google reCAPTCHA explains that reCAPTCHA uses advanced risk analysis techniques to distinguish between humans and bots. It offers different versions, including invisible reCAPTCHA, for a better user experience.
Documentation from Akismet explains that the Akismet API checks submissions against a constantly-growing database of user-submitted spam, so you can block the worst spam before it's even published.
Documentation from OWASP (Open Web Application Security Project) explains preventing automated account creation by using CAPTCHAs, account lockout policies, and email verification to reduce bot signups.