This post is in support of a proposed feature in ticket 25028870 raised with Customer Account Review Team. It is a duplicate for: https://community.constantcontact.com/t5/Need-help-with-something-else/SPAM-Signups-even-with-reCAPTCHA-A/m-p/302345 =====PROBLEM DESCRIPTION===== Setting up a new website with a Constant Contact Form for registering your email address to a mailing list, we started getting fake emails from bots within 5 minutes of the site going live and saw 15 overnight. For example: rufatnagaev@list.ru Johnette-Rignall@streamarticles.com Christian.Saywell542@magic.freog.com Johnette-Rignall@streamarticles.com Johnette-Rignall@streamarticles.com Percy_Shockey@cloud.frequiry.com Millard-Brand619@sites.opbeingop.com Holly.Strzelecki909@sites.opbeingop.com Kevin_Wicker@next.relucius.com ohnette-Rignall@streamarticles.com Lenard.Price139@magic.freog.com jeraldbruni@knol-power.nl olga@japantravel.network Johnette-Rignall@streamarticles.com Note duplicates, use of subdomains and unusual TLD such as .network or foreign TLDs. These emails were compiled from an automated email sent from Wordpress which is what displays the sign-up form. Note that typically these email addresses are often found by Constant Contact later on and cleaned off, however, they are still able to sign up successfully. The page is protected with reCaptcha v2 so we believe that these are actually human verified and are used in the hope of harvesting email addresses on mailing lists. I'm not sure what other reason spammers would have for doing this. ======FEATURE REQUEST===== The solution would be to use a content filter or content filter and RBL to do a synchronous lookup of multiple attributes related to the signup, such as browser IP address, email address and domain to assess spamminess. From that, the signup could either be blocked with an error message, or blocked with a success error message. A third-party service could quickly act as a best-effort Policy Decision Point on the sign-up to prevent this - Cloudmark Insight API would be an example of a service which would do this, or Constant Contact may already have their own intelligence to check against, such as IP RBLs or suspect domains. The workaround put in place to solve this just now is verification email, however, this is an extra step for users, which I feel is unnecessary for the user and causes signup fallout. Please could this be considered for a future release?
... View more