How can I prevent non-human interaction (NHI) during email signup and confirmation?
Summary
What email marketers say (11 marketer opinions)
Email marketer from LinkedIn details progressively profiling users by requesting additional information over time. This makes it harder for bots to mimic human behavior and provides more data points to identify suspicious activity.
Email marketer from MailerCheck shares that implementing a confirmed opt-in (COI) process requires users to click a confirmation link in an email before being added to your mailing list. This helps ensure that the user is a real person and that they actually want to receive your emails.
Email marketer from Email Geeks suggests including an MFA code in the COI email as another measure of mitigating NHI risk.
Email marketer from Email Geeks shares the tactic of using hidden fields to exclude non-human interactions.
Email marketer from Medium explains that employing JavaScript challenges can deter bots by requiring the execution of JavaScript code to complete the signup process. Bots that don't execute JavaScript will be unable to proceed, reducing non-human signups.
Email marketer from ActiveCampaign details using custom fields in signup forms to collect specific information that bots are unlikely to know or provide accurately. This allows you to filter out suspicious signups based on the responses.
Email marketer from Litmus shares implementing email authentication protocols such as SPF, DKIM, and DMARC to verify the sender's identity and prevent email spoofing. This helps ensure that signup confirmation emails are delivered to legitimate recipients and not intercepted by bots.
Email marketer from Stack Overflow responds that implementing honeypot fields (hidden form fields) can trick bots into filling them out, identifying them as non-human. Legitimate users will not see or interact with these fields, so any submission with a value in the honeypot field is flagged as suspicious.
Email marketer from Reddit responds that using robust email validation to verify the format and existence of an email address before allowing signup to remove obvious bot entries is useful. Services like Clearout can help determine if an email address is disposable, role-based, or otherwise suspicious.
Email marketer from Cloudflare details that Cloudflare's Bot Management uses machine learning to identify and mitigate bot traffic, differentiating between good bots (search engines) and bad bots (scrapers, spammers). It analyzes HTTP requests to identify patterns and anomalies indicative of bot activity, allowing you to block, challenge, or log suspicious requests.
Email marketer from Bouncer responds that using an email verification service can identify and remove invalid, disposable, or otherwise risky email addresses. Real-time verification can prevent bots from signing up with fake or temporary email addresses.
What the experts say (4 expert opinions)
Expert from Spam Resource explains that monitoring for suspicious signup patterns, such as a high volume of signups from the same IP range or using similar email addresses, can indicate bot activity.
Expert from Word to the Wise responds that bots harvest addresses to find valid email addresses for spamming. One method to avoid this is obscuring email addresses on a website. This may not directly prevent NHI on signup but reduces the email addresses being obtained to use for spamming.
Expert from Email Geeks shares multiple strategies to prevent non-human interaction (NHI) during signup, including declining signups from IPs on Spamhaus, verifying addresses with Alfred, requiring JavaScript to be enabled when clicking the confirmation link, and using a captcha. He suggests putting a JavaScript requirement and a soft bot check on the landing page for the confirm.
Expert from Spam Resource explains that using real-time blocklists (RBLs) to check the IP address of users during signup can help identify and block known spammers and bots.
What the documentation says (5 technical articles)
Documentation from StopForumSpam details that you can integrate with StopForumSpam's database to check if an IP address or email address has been associated with spam activity. This helps identify and block known spammers and bots from signing up.
Documentation from Akismet explains that using Akismet's API, you can analyze form submissions for spam-like content and identify potentially malicious interactions. Akismet uses machine learning to recognize patterns and characteristics of spam, helping you filter out non-human signups.
Documentation from Google reCAPTCHA explains that reCAPTCHA analyzes user behavior to differentiate between humans and bots. It uses an advanced risk analysis engine and adaptive challenges to keep malicious software from engaging in abusive activities on your website.
Documentation from OWASP shares that using rate limiting to restrict the number of requests a user can make within a specific time frame prevents bots from overwhelming the system with signup attempts. They also suggest implementing CAPTCHAs to verify that the user is human before allowing them to proceed with the signup process.
Documentation from Imperva shares that using behavioral analysis to detect anomalies in user behavior helps to differentiate between humans and bots. This includes monitoring mouse movements, keystroke dynamics, and other interactions to identify patterns indicative of bot activity.
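Several of the recommendations above (the honeypot field, per-IP rate limiting, rejecting disposable addresses, and a confirmed opt-in link that only a real recipient can complete) can be combined in one signup flow. The following is an added example, not code from any of the sources quoted on this page; the field name `website_url`, the sample disposable-domain list, and the policy values are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import time
from collections import defaultdict

# Per-deployment signing key and policy values (constructed for this example).
SECRET = secrets.token_bytes(32)
TOKEN_TTL = 24 * 3600                 # confirmation link expires after one day
RATE_LIMIT, RATE_WINDOW = 5, 3600     # at most 5 signup attempts per IP per hour
DISPOSABLE_DOMAINS = {"mailinator.com", "tempmail.example"}  # sample list only
_signups_by_ip = defaultdict(list)    # ip -> timestamps of recent attempts
_confirmed = set()                    # tokens already redeemed (single use)

def screen_signup(form, ip, now=None):
    """Apply honeypot, rate-limit and address checks; return a COI token or a rejection."""
    now = time.time() if now is None else now
    if form.get("website_url"):       # honeypot: hidden field a human never fills in
        return "reject", "honeypot"
    recent = [t for t in _signups_by_ip[ip] if now - t < RATE_WINDOW]
    recent.append(now)
    _signups_by_ip[ip] = recent
    if len(recent) > RATE_LIMIT:      # burst of signups from one address
        return "reject", "rate_limited"
    email = form.get("email", "").strip().lower()
    if email.count("@") != 1 or email.rsplit("@", 1)[1] in DISPOSABLE_DOMAINS:
        return "reject", "bad_address"
    return "pending", make_coi_token(email, now)

def make_coi_token(email, now):
    """Signed, expiring token to embed in the confirmation link sent by email."""
    payload = f"{email}|{int(now) + TOKEN_TTL}"
    sig = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()[:32]
    return base64.urlsafe_b64encode(f"{payload}|{sig}".encode()).decode()

def confirm(token, now=None):
    """Check signature, expiry and single use; return the address or None."""
    now = time.time() if now is None else now
    try:
        email, exp, sig = base64.urlsafe_b64decode(token).decode().rsplit("|", 2)
    except ValueError:                # bad base64, bad UTF-8 or wrong field count
        return None
    expected = hmac.new(SECRET, f"{email}|{exp}".encode(), hashlib.sha256).hexdigest()[:32]
    if not hmac.compare_digest(sig, expected):
        return None
    if now > int(exp) or token in _confirmed:
        return None
    _confirmed.add(token)             # the link works exactly once
    return email
```

A real deployment would keep the rate-limit state and redeemed tokens in shared storage rather than process memory, and would pair this with the JavaScript or CAPTCHA check on the confirmation landing page that the experts above describe.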