Email marketers know the best distribution lists are the ones grown organically, and sign-up forms on your website are a huge source of them. That means you can be certain that the person really wants to sign up…right? You may also have forms to capture contact requests or blog comments to help you communicate with your users better. But just how safe are your forms really? If you haven’t added any protection against spam bots and malicious phishers, then sadly, not safe at all, and the implications can be dire for your success as an email marketer. Feedback from your users is a helpful way to know whether you are collecting real new subscribers or not:
Someone else signed up for this email
Someone hacked my email and signed me up on many lists, including yours.
Don’t know who signed me up for this
Your site is being used by hackers to email bomb. You need to add measures to prevent this, such as a captcha, to stop robots signing up for your email list.
If your own users are telling you to add protection, you know you are being targeted!
What do these spam bots / malicious phishers want?
Most people are probably aware of spam bots already, but one example is an automated programme with no other purpose than to trawl the web looking for vulnerable forms and filling them out, sometimes with fake and sometimes with real addresses. The dastardly plan of the bot programmers is typically to generate more traffic and thus revenue, or sometimes to inject advertising or malicious links that people may inadvertently click if they receive them from the form submission. The worst kind is people using your forms to attempt SQL injection in order to steal or damage your data.
What are these dire implications?
Maybe dire was a bit melodramatic, but the impact can still be very negative. Sending your emails to people who never signed up is obviously a big no-no, especially in a post-GDPR world. High rates of spam reports will severely affect your ability to deliver your emails to the inbox as your sender reputation takes a hit. This also means that any analysis you run is unreliable: you may think you’re pulling in x new subscribers each month when it’s actually y, and that can impact decision making. Likewise, reporting will be skewed, as you will likely get no engagement from fake signups, which devalues your campaigns.
How do we protect ourselves from these spam bots?
If you use a form that adds information to a database you must protect yourself against SQL injection attacks. These are when the attacker enters malicious SQL code designed to do things like dump the entire contents of your database to their own server to steal your data, or simply to do nasty things like delete your database. The best way to prevent this is to use prepared statements to execute your SQL rather than building the query string directly from the submitted values, for example with PHP (mysqli):
// Prepared statement: the SQL text is sent first and the three values are bound afterwards,
// so nothing the user typed is ever parsed as SQL.
if ($stmt = $conn->prepare("INSERT INTO EmailList (Email, Firstname, Lastname) VALUES (?, ?, ?)"))
{
    $stmt->bind_param('sss', $email, $firstname, $lastname); // 'sss' = three string parameters
    $stmt->execute();
    $stmt->close();
}
else
{
    error_log("Prepare failed: " . $conn->error);
}
You can also look for things likely to be found in malicious code in your captured variables before inserting them into your database, like single quotes, although this is a secondary check and not a substitute for prepared statements. Here, from the technical mind of xkcd, is an idea of how it works:
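To make the difference concrete, here is an added example (not code from the original post, and written in Python with an in-memory sqlite3 database rather than the post’s PHP/mysqli so it runs stand-alone) that performs the same EmailList insert both ways. All names, e-mail addresses and the probe string are constructed for the example. It shows two things: a perfectly legitimate name containing an apostrophe breaks the string-built query, and a quote-smuggling probe in a lookup is treated as plain data once the value is bound as a parameter.

```python
import sqlite3


def make_db():
    """Create the EmailList table from the post in an in-memory database (constructed for this example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE EmailList (Email TEXT, Firstname TEXT, Lastname TEXT)")
    return conn


def insert_unsafe(conn, email, firstname, lastname):
    # Building the statement with string formatting: any quote in the input becomes part of the SQL text.
    sql = "INSERT INTO EmailList (Email, Firstname, Lastname) VALUES ('%s', '%s', '%s')" % (
        email, firstname, lastname)
    conn.execute(sql)


def insert_safe(conn, email, firstname, lastname):
    # Prepared/parameterised statement: the driver sends the values separately from the SQL text.
    conn.execute("INSERT INTO EmailList (Email, Firstname, Lastname) VALUES (?, ?, ?)",
                 (email, firstname, lastname))


def is_subscribed_unsafe(conn, email):
    sql = "SELECT COUNT(*) FROM EmailList WHERE Email = '%s'" % email
    return conn.execute(sql).fetchone()[0] > 0


def is_subscribed_safe(conn, email):
    row = conn.execute("SELECT COUNT(*) FROM EmailList WHERE Email = ?", (email,)).fetchone()
    return row[0] > 0


def demo():
    """Run both variants on constructed input and return what happened."""
    results = {}
    conn = make_db()

    # 1. A real subscriber whose surname contains an apostrophe.
    try:
        insert_unsafe(conn, "pat@example.com", "Pat", "O'Brien")
        results["unsafe_insert_ok"] = True
    except sqlite3.OperationalError:
        # The apostrophe ends the string literal early and the rest is a syntax error.
        results["unsafe_insert_ok"] = False

    insert_safe(conn, "pat@example.com", "Pat", "O'Brien")
    results["safe_stored_lastname"] = conn.execute("SELECT Lastname FROM EmailList").fetchone()[0]

    # 2. A constructed probe of the kind the xkcd comic alludes to, submitted in the e-mail field.
    probe = "nobody@example.com' OR '1'='1"
    results["unsafe_lookup_fooled"] = is_subscribed_unsafe(conn, probe)  # quote changes the WHERE clause
    results["safe_lookup_literal"] = is_subscribed_safe(conn, probe)    # compared as a literal string
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The same contrast holds for the PHP snippet above: `bind_param` plays the role of the tuple passed to `execute` here. Note that the string-built version fails on honest input (O'Brien) before any attacker is involved, which is a good argument for prepared statements even to colleagues who think injection is somebody else’s problem.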
But, what if the input looks good, but is fake?
There are a bunch of tricks to defeat spam bots:
- Set a hidden field that humans can’t see or fill out but spam bots will, and discard any submission in which it is populated.
- Use double opt-in to ensure your subscribers are genuine. All this requires is a link in an email which only subscribes them if they click it, and it is not massively different from simply sending a welcome email.
- Check for patterns in the email and other fields which indicate they are sequential or automated, such as numerical characters in first names or strings of hexadecimal characters, and manually scrub your data.
- Run proper email hygiene processes to remove unengaged data. This won’t prevent fake emails being added, but it will kick them out as quickly as possible.
- Capture the IP addresses of form submissions so you can spot one IP producing multiple submissions, then block that IP address.
- Add Captcha to your forms. There are various forms of Captcha, some of which can be very annoying and off-putting to the user: having to enter a code made up of mangled characters from an image which are quite hard to read and which I invariably get wrong at least once, or clicking on all the squares that contain a store front, which often leaves me red-faced as I seem to have an inability to identify such things. But Google’s ReCaptcha is a good option, and the one I would recommend, as it simply requires a click of a box from the user, which is barely a blip on the user journey and will destroy spam bot submission attempts. The only downside is that it won’t stop real people from submitting to your forms, so you will still have to be vigilant.
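The honeypot field, the pattern checks, the per-IP count and double opt-in from the list above can be chained into a single triage step that runs before anything reaches the database. The following is an added example in Python, not code from the original post or from any particular form product; the field names (`website` as the hidden honeypot field), the threshold of two submissions per IP, the six-character hexadecimal rule and every submission in `SUBMISSIONS` are assumptions constructed for the example. It goes slightly beyond the post by returning every reason a submission was rejected rather than a simple yes/no, which is what you want when you later scrub the data by hand.

```python
import re
import secrets
from collections import Counter

# Constructed sample submissions, as a bot-targeted sign-up form might receive them.
SUBMISSIONS = [
    {"ip": "203.0.113.7",  "email": "alice@example.com",        "firstname": "Alice",  "lastname": "Smith", "website": ""},
    {"ip": "198.51.100.9", "email": "a1b2c3d4e5f6@example.net", "firstname": "3f9a2c", "lastname": "b7d1",  "website": ""},
    {"ip": "198.51.100.9", "email": "bob42@example.org",        "firstname": "Bob42",  "lastname": "Jones", "website": ""},
    {"ip": "198.51.100.9", "email": "carol@example.org",        "firstname": "Carol",  "lastname": "Lee",   "website": "http://spam.invalid"},
    {"ip": "192.0.2.55",   "email": "dave@example.com",         "firstname": "Dave",   "lastname": "Brown", "website": ""},
]

HONEYPOT_FIELD = "website"  # hidden with CSS on the real form; humans never see it (assumed field name)
MAX_PER_IP = 2              # threshold chosen for this example; tune it to your own traffic
# Six or more characters that are all hex digits. Kept at six rather than four so short real
# names such as "Abbe" or "Dede" do not trip it; this is a hint for manual scrubbing, not proof.
HEX_RUN = re.compile(r"^[0-9a-f]{6,}$", re.IGNORECASE)


def reasons_to_reject(sub, ip_counts):
    """Return every reason this one submission looks automated (empty list = looks fine)."""
    reasons = []
    if sub.get(HONEYPOT_FIELD):
        reasons.append("honeypot filled")
    for field in ("firstname", "lastname"):
        value = sub[field]
        if re.search(r"\d", value):
            reasons.append(f"digits in {field}")
        if HEX_RUN.match(value):
            reasons.append(f"{field} looks hexadecimal")
    if ip_counts[sub["ip"]] > MAX_PER_IP:
        reasons.append("too many submissions from IP")
    return reasons


def triage(submissions):
    """Split a batch of submissions into accepted e-mails and rejected e-mails with reasons."""
    ip_counts = Counter(s["ip"] for s in submissions)
    accepted, rejected = [], {}
    for s in submissions:
        reasons = reasons_to_reject(s, ip_counts)
        if reasons:
            rejected[s["email"]] = reasons
        else:
            accepted.append(s["email"])
    return accepted, rejected


# Double opt-in: an address is only subscribed once the link we e-mailed it is clicked.
PENDING = {}  # token -> e-mail; in memory for this example, a real site would persist it with an expiry


def start_double_opt_in(email):
    """Create the one-time token that goes into the confirmation link."""
    token = secrets.token_urlsafe(32)  # unguessable, so a bot cannot confirm on the user's behalf
    PENDING[token] = email
    return token


def confirm(token):
    """Called when the link is clicked; returns the e-mail to subscribe, or None for an unknown/used token."""
    return PENDING.pop(token, None)


if __name__ == "__main__":
    accepted, rejected = triage(SUBMISSIONS)
    print("accepted:", accepted)
    for email, why in rejected.items():
        print("rejected:", email, "->", ", ".join(why))
    tok = start_double_opt_in(accepted[0])
    print("confirmed:", confirm(tok), "| second click:", confirm(tok))
```

Run on the constructed batch, only Alice and Dave are accepted; the three submissions from 198.51.100.9 are all flagged on the IP count, and each additionally carries its own reason (the honeypot, digits in a name, a hexadecimal-looking name). The double opt-in token is single-use, so a second click on the same link is rejected rather than subscribing the address twice.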
You can check out our website to see Captcha in use:
How we use ReCaptcha: all it requires is the tick of a box.
Or for comments:
How we use character-based Captcha: not quite as good as ReCaptcha, but still pretty simple.
Eliminating fake form submissions is a battle to get the right balance between keeping your users’ experience as simple as possible and removing the threat of these spam bots and malicious phishers, but it is an important endeavour in maintaining a good-quality email distribution list and a healthy sender reputation.