Proposed Solution to spam signups, even with reCAPTCHA

0 Votes

This post is in support of a proposed feature in ticket 25028870 raised with Customer Account Review Team.

It is a duplicate of: https://community.constantcontact.com/t5/Need-help-with-something-else/SPAM-Signups-even-with-reCAPT...

=====PROBLEM DESCRIPTION=====
Setting up a new website with a Constant Contact Form for registering your email address to a mailing list, we started getting fake emails from bots within 5 minutes of the site going live and saw 15 overnight. For example:

Note the duplicates, the use of subdomains, and unusual TLDs such as .network or foreign TLDs. These emails were compiled from an automated email sent from WordPress, which is what displays the sign-up form.

Note that typically these email addresses are often found by Constant Contact later on and cleaned off; however, they are still able to sign up successfully. The page is protected with reCAPTCHA v2, so we believe that these are actually human verified and are used in the hope of harvesting email addresses on mailing lists. I'm not sure what other reason spammers would have for doing this.


=====FEATURE REQUEST=====
The solution would be to use a content filter or content filter and RBL to do a synchronous lookup of multiple attributes related to the signup, such as browser IP address, email address and domain to assess spamminess. From that, the signup could either be blocked with an error message, or blocked with a success error message. A third-party service could quickly act as a best-effort Policy Decision Point on the sign-up to prevent this - Cloudmark Insight API would be an example of a service which would do this, or Constant Contact may already have their own intelligence to check against, such as IP RBLs or suspect domains.

The workaround put in place to solve this just now is a verification email; however, this is an extra step for users, which I feel is unnecessary for the user and causes signup fallout.

Please could this be considered for a future release?
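
The synchronous check proposed above, sketched as an added example that is not part of the original post and is not Constant Contact's or Cloudmark's code. The deny list, the RBL zone `rbl.example.test`, the stub resolver, the decision names and the "two signals means silent drop" threshold are all assumptions made for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample data (assumptions, not taken from the post).
DENY_DOMAINS = {"spam-example.test"}               # hypothetical suspect-domain list
RBL_ZONE = "rbl.example.test"                      # hypothetical DNSBL zone
LISTED_RBL_NAMES = {"7.2.0.192.rbl.example.test"}  # names the stub RBL "resolves"

def rbl_query_name(ip, zone=RBL_ZONE):
    """DNSBL convention: reverse the IPv4 octets and append the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # IPv4 only in this sketch
    return ".".join(reversed(octets)) + "." + zone

def stub_resolver(name):
    """Stands in for a DNS A lookup so the example runs offline."""
    return name in LISTED_RBL_NAMES

def domain_denied(domain, deny):
    """True if the domain or any parent domain is listed (catches subdomains)."""
    labels = domain.split(".")
    return any(".".join(labels[i:]) in deny for i in range(len(labels) - 1))

def decide(email, ip, seen, resolver=stub_resolver):
    """Return (decision, reasons); 'seen' counts earlier signups per address."""
    addr = email.strip().lower()
    local, _, domain = addr.rpartition("@")
    if not local or "." not in domain:
        return "reject_with_error", ["malformed address"]
    reasons = []
    if domain_denied(domain, DENY_DOMAINS):
        reasons.append("domain on deny list")
    if resolver(rbl_query_name(ip)):
        reasons.append("client IP listed on RBL")
    if seen[addr] >= 1:
        reasons.append("duplicate signup")
    seen[addr] += 1
    if not reasons:
        return "accept", reasons
    # Assumed policy: one signal shows an error; two or more show the normal
    # success page without adding the address to the list.
    return ("silent_drop" if len(reasons) >= 2 else "reject_with_error"), reasons
```

In a live form handler the resolver would be a real DNS query with a short timeout that fails open, so the lookup stays best-effort and does not block legitimate signups.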

2 Comments
Candace_M
Employee
Status changed to: Voting Open

Awesome idea! Thank you for contributing to our feedback forum with this idea. I will be opening it up to voting so users like yourself can vote and comment on this idea!

Caitlin_M
Administrator
Status changed to: Not Currently Planned

We are updating this status to Not Currently Planned due to improvements we have made regarding bot signups. The best way to combat these types of signups is to turn Confirmed Opt-In on. When Confirm Opt-in is activated, contacts who sign up for your mailing list through one of our sign-up tools are sent an automatic Confirm Opt-in Email to the email address they provided asking them to confirm their subscription. Contacts must click the confirmation link in the email to be added to your list.

We have also found that if you have used one of our legacy sign-up tools in the past, such as the embeddable Join My Mailing List, using one of our more updated list growth tools (inline, popup, basic landing page form, landing page campaign, etc) helps to combat bot signups.
