
Proposed Solution to spam signups, even with reCaptcha

0 Votes

This post is in support of a proposed feature in ticket 25028870 raised with Customer Account Review Team.

It is a duplicate for: https://community.constantcontact.com/t5/Need-help-with-something-else/SPAM-Signups-even-with-reCAPT...

=====PROBLEM DESCRIPTION=====
Setting up a new website with a Constant Contact Form for registering your email address to a mailing list, we started getting fake emails from bots within 5 minutes of the site going live and saw 15 overnight. For example:

rufatnagaev@list.ru
Johnette-Rignall@streamarticles.com
Christian.Saywell542@magic.freog.com
Johnette-Rignall@streamarticles.com
Johnette-Rignall@streamarticles.com
Percy_Shockey@cloud.frequiry.com
Millard-Brand619@sites.opbeingop.com
Holly.Strzelecki909@sites.opbeingop.com
Kevin_Wicker@next.relucius.com
ohnette-Rignall@streamarticles.com
Lenard.Price139@magic.freog.com
jeraldbruni@knol-power.nl
olga@japantravel.network
Johnette-Rignall@streamarticles.com

Note duplicates, use of subdomains and unusual TLDs such as .network or foreign TLDs. These emails were compiled from an automated email sent from WordPress, which is what displays the sign-up form.

Note that typically these email addresses are often found by Constant Contact later on and cleaned off; however, they are still able to sign up successfully. The page is protected with reCaptcha v2, so we believe that these are actually human verified and are used in the hope of harvesting email addresses on mailing lists. I'm not sure what other reason spammers would have for doing this.


======FEATURE REQUEST=====
The solution would be to use a content filter or content filter and RBL to do a synchronous lookup of multiple attributes related to the signup, such as browser IP address, email address and domain to assess spamminess. From that, the signup could either be blocked with an error message, or blocked with a success error message. A third-party service could quickly act as a best-effort Policy Decision Point on the sign-up to prevent this - Cloudmark Insight API would be an example of a service which would do this, or Constant Contact may already have their own intelligence to check against, such as IP RBLs or suspect domains.

The workaround put in place to solve this just now is a verification email; however, this is an extra step for users, which I feel is unnecessary for the user and causes signup fallout.

Please could this be considered for a future release?
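A sketch of the synchronous policy check the feature request describes, added here as an illustration; it is not part of the original post and not Constant Contact or Cloudmark code. The RBL zone, the suspect-domain list, the signal weights and the two thresholds are assumptions, and the RBL lookup is injected so the check can run offline.

```python
import ipaddress

RBL_ZONE = "rbl.example.org"               # hypothetical DNSBL zone (assumption)
SUSPECT_DOMAINS = {"bulk-signup.example"}  # constructed suspect-domain list
UNUSUAL_TLDS = {"network"}                 # TLD the post calls out

def rbl_name(ip, zone=RBL_ZONE):
    """DNSBL query name: IPv4 octets reversed, followed by the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        return None                        # IPv6 uses a nibble format; not handled here
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def assess(ip, email, recent_emails, is_listed):
    """Return (decision, reasons). is_listed(name) -> bool is the injected RBL lookup."""
    addr = email.strip().lower()
    local, _, domain = addr.rpartition("@")
    if not local or "." not in domain:
        return "reject", ["malformed address"]
    labels = domain.split(".")
    hits = []                              # (weight, reason) per signal; weights are assumptions
    try:
        name = rbl_name(ip)
        if name and is_listed(name):
            hits.append((3, "client IP on RBL"))
    except (OSError, ValueError):
        hits.append((0, "RBL check skipped"))  # best effort: a failed lookup never blocks
    # Naive registrable domain (last two labels); production code needs the Public Suffix List.
    if ".".join(labels[-2:]) in SUSPECT_DOMAINS:
        hits.append((3, "suspect domain"))
    if addr in {e.strip().lower() for e in recent_emails}:
        hits.append((2, "repeat submission"))
    if len(labels) > 2:
        hits.append((1, "subdomain in address"))
    if labels[-1] in UNUSUAL_TLDS:
        hits.append((1, "unusual TLD"))
    score = sum(w for w, _ in hits)
    reasons = [r for _, r in hits]
    if score >= 5:
        return "silent_drop", reasons      # show success, do not add to the list
    if score >= 3:
        return "reject", reasons           # show an error to the visitor
    return "allow", reasons
```

In a live form handler, `is_listed` would wrap a DNS lookup with a short timeout so the check stays synchronous without stalling the sign-up.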

1 Comment
CTCT Employee
Status changed to: Voting Open

Awesome idea! Thank you for contributing to our feedback forum with this idea. I will be opening it up to voting so users like yourself can vote and comment on this idea!