9 ways to prevent bot attacks and avoid spam sign-ups

· 17 min read · Websites and forms, Email marketing · Sep 22, 2025
Cesar, Customer Support.

Spambots are the Terminators of the internet. They’re machines that relentlessly pursue their target, your email signup forms, causing harm and disruption to your business.

Just like Sarah Connor and her allies fought to protect the future in the Terminator movies, it's crucial for email marketers to take proactive steps to prevent bot attacks and avoid spam sign-ups.

Strap in as we walk you through the essential strategies for keeping your email signup forms protected from these unwanted cyber intruders.


A bot attack is a type of cyber attack where automated bots are used to flood email signup forms with fake or spam sign-ups. The goal is usually to jeopardize the validity of the email list or spread malware to the recipients. 

Sometimes these attacks are also used to abuse free trials, discount codes or other freebies given at signup.

These attacks can have a significant impact on your business, including decreased email deliverability, wasted resources storing or managing fake sign-ups in your email service provider (ESP), and damage to your sender reputation.


Terminators can sweat, bleed and smell just like a human, making them pretty hard to distinguish from real people. Spambots try their best to avoid detection too. Luckily, they aren’t high-tech cyborg assassins from the future, so they’re usually pretty easy to spot (if you know what to look for).

Classic signs of a spambot attack
  • High volume of sign-ups in a short period of time - For example, if you suddenly get hundreds of signups in the space of 5 minutes or even 5 seconds

  • Sign-ups with similar or identical information, such as names, email addresses, and IP addresses - If a bunch of sign-ups come in from the same domain or IP address it’s likely that they’re fake email addresses

  • Sign-ups using disposable email addresses - A disposable email address is a temporary email address that is used for a specific purpose and is discarded when no longer needed

  • Odd geographical distribution of sign-ups - If you get a sudden influx of subscribers from one specific country that’s out of the ordinary for your audience

  • Sign-ups with misleading or fake information - For example, if text fields such as name, last name, etc, are filled with gibberish

  • High bounce rate or low open rates - If you don’t catch spam sign-ups in time, your newsletters will see a decrease in open rates and an increase in bounce rates

If you notice any of these signs, it's important to take action quickly to prevent further harm to your business and email list.
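The first two signs above (a burst of sign-ups in a short window, and many sign-ups sharing a domain or IP address) can be checked mechanically against an export of sign-up records. The following is an added example, not MailerLite code; the record layout, the sample rows and the thresholds are assumptions chosen for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample sign-ups (timestamp, email, IP); not real data.
SIGNUPS = [
    ("2025-09-22T10:00:01", "anna@example.org", "198.51.100.7"),
    ("2025-09-22T10:00:02", "qwe1@spam-domain.test", "203.0.113.9"),
    ("2025-09-22T10:00:02", "qwe2@spam-domain.test", "203.0.113.9"),
    ("2025-09-22T10:00:03", "qwe3@spam-domain.test", "203.0.113.9"),
    ("2025-09-22T10:00:04", "qwe4@spam-domain.test", "203.0.113.9"),
    ("2025-09-22T14:30:00", "ben@example.net", "192.0.2.44"),
]

def find_bursts(signups, window=timedelta(minutes=5), limit=4):
    """Return start times of sliding windows holding more than `limit` sign-ups."""
    times = sorted(datetime.fromisoformat(t) for t, _, _ in signups)
    bursts, start = [], 0
    for end, t in enumerate(times):
        # Shrink the window from the left until it spans at most `window`.
        while t - times[start] > window:
            start += 1
        if end - start + 1 > limit and (not bursts or bursts[-1] != times[start]):
            bursts.append(times[start])
    return bursts

def find_clusters(signups, limit=3):
    """Return (domains, ips) that appear on more than `limit` sign-ups."""
    domains = Counter(e.rsplit("@", 1)[-1].lower() for _, e, _ in signups)
    ips = Counter(ip for _, _, ip in signups)
    return ({d for d, n in domains.items() if n > limit},
            {ip for ip, n in ips.items() if n > limit})

if __name__ == "__main__":
    print("burst windows starting at:", find_bursts(SIGNUPS))
    print("repeated domains / IPs:", find_clusters(SIGNUPS))
```

Tune `window` and `limit` to your normal sign-up rate; a large public mail provider will legitimately exceed the domain threshold, so treat repeated domains as a prompt to investigate rather than proof.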


You don’t need any special weapons to eliminate these spam sign-up bots, but you do need to be proactive. Here are 9 ways to stop a spambot from ever saying “I’ll be back”.

The first 2 methods are super easy for anyone with a MailerLite account to implement, and they should stop the majority of spam signups. The rest of the tips are useful backups for when you want a little extra protection.


Turning on double opt-in for your signup forms is the easiest way to stop spambots from infiltrating your email list. It means subscribers have to open and click a confirmation email before being added to your subscriber list.

Since spambots aren’t real people, they aren’t usually checking their emails. If double opt-in is enabled on all of your forms, it makes it much harder for bots to join your list.

Some spambots have become more advanced and can programmatically confirm double opt-in emails. But you should still turn on this feature since not all spambots do this.

To turn on double opt-in in MailerLite, just open your form settings and toggle it on.

Hack: Double opt-in doesn’t have to disturb the subscriber experience. If you’re using forms to promote downloadable lead magnets, you have 2 options to let subscribers access the lead magnet faster: 

  1. Let subscribers access the download immediately after completing the form by adding a download link to the form’s success page. 

  2. Deliver the lead magnet as soon as the subscriber completes the double opt-in by going to the form’s Double opt-in settings and then clicking the Confirmation thank you page tab. Add the lead magnet’s URL to the box titled Or use your own landing page. This will automatically redirect the subscriber to the chosen URL.


A reCAPTCHA is a simple test to determine if a website visitor is human or not. 

Some versions of reCAPTCHA require users to take actions to prove they're not a bot. Ever had to check a box to prove you're not a robot? That was a reCAPTCHA in action.

Other versions work seamlessly in the background to perform the checks without requiring any action from the user.

It’s easy to add reCAPTCHA to any form in MailerLite. All you have to do is select your form, click the Settings tab, and check the box labeled “reCAPTCHA”.

A GIF displaying reCAPTCHA being added to a MailerLite form
Source: MailerLite

The algorithm uses various signals to determine the user's likelihood of being a human. If it determines that the user is likely to be a human, the user is allowed to proceed, while if the user is determined to be a bot, their form won’t be submitted.


Email list verification is the process of verifying the validity and accuracy of email addresses on your email list. It aims to improve email campaigns' deliverability by removing invalid, non-existent, or incorrect email addresses.

The process typically involves running the email addresses through a series of checks, such as syntax validation, domain name verification, and checking against a list of email domains or addresses that are known to be invalid, making it easy to spot and remove spam email addresses. Perfect for annihilating spambots. 👊

You can use an email verification tool (like MailerCheck) to automatically analyze your entire email list, remove invalid email addresses, and import the clean list back to your ESP in just a few clicks.

A MailerCheck report showing the number of valid, invalid and catch all email addresses in an email list.
Source: MailerCheck

You can also verify email addresses in real time by connecting your sign-up form to the MailerCheck API. This will instantly identify emails with typos or other errors, stopping them from joining your list. 

You can set this up so that people who accidentally use a non-existent address, such as one with a typo, will see an error message and get another chance to submit the form. But bots trying to join your list with fake email addresses will be blocked from signing up.
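The behaviour described above (let a person with a typo retry, but block known-bad domains) can be sketched offline as follows. This is an added example and not the MailerCheck API; the domain lists, the function name `check_signup_email` and the similarity cutoff are assumptions, and the domain name verification step (a DNS lookup) is left out so the code runs without network access.

```python
import re
from difflib import get_close_matches

# Assumed lists for illustration; a real deployment maintains its own.
COMMON_DOMAINS = ["gmail.com", "yahoo.com", "outlook.com", "hotmail.com"]
BLOCKED_DOMAINS = {"disposable.test", "spam-domain.test"}

# Deliberately simple syntax check: local part, "@", dotted domain, alphabetic TLD.
SYNTAX = re.compile(r"^[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")

def check_signup_email(address):
    """Return (verdict, suggestion); verdict is 'ok', 'retry' or 'block'."""
    address = address.strip()
    if not SYNTAX.match(address):
        return ("retry", None)            # malformed: show an error, allow a fix
    local, domain = address.rsplit("@", 1)
    domain = domain.lower()
    if domain in BLOCKED_DOMAINS:
        return ("block", None)            # known-bad domain: reject the sign-up
    if domain not in COMMON_DOMAINS:
        # A near miss of a common provider is most likely a human typo.
        near = get_close_matches(domain, COMMON_DOMAINS, n=1, cutoff=0.85)
        if near:
            return ("retry", f"{local}@{near[0]}")
    return ("ok", None)

if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ["anna@example.org", "sam@gmial.com",
                   "bot@disposable.test", "not-an-email"]:
        print(sample, "->", check_signup_email(sample))
```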


A honeypot is a trap set to detect and deflect spam email sign-ups. It's an invisible form field that only spambots can see. If the invisible field is filled in, you automatically know it’s a spambot, and you can add those addresses to a blocklist.

Adding a honeypot field to your MailerLite forms is as simple as adding a little bit of extra code to your form's HTML code.

First, create a new text type custom field and name it something obvious like “honeypot”. Then, add the honeypot field to your MailerLite form and give it a label like “Leave this field blank”. Make sure that the field is not required in order to submit the form.

Then, before embedding the form on your website, make these 2 small edits to the HTML code.

1. Change the field class to “hidden” - Use CTRL+F to search for your honeypot field by name, then change class="form-control" to class="hidden".

Example:

<input aria-label="honeypot" type="text" class="hidden" data-inputmask="" name="fields[honeypot]" placeholder="Leave this field blank" autocomplete="">

2. Set the style rule so that “hidden” means no display - Use CTRL+F to search for <style type="text/css">. Then add .hidden { display: none } right after the LOADER element.

Example:

<style type="text/css">
    /* LOADER */
    .ml-form-embedSubmitLoad {
      display: inline-block;
      width: 20px;
      height: 20px;
    }
    .hidden { display: none }
    .g-recaptcha {
    transform: scale(1);
    -webkit-transform: scale(1);
    transform-origin: 0 0;
    -webkit-transform-origin: 0 0;
    height: ;
    }

This will ensure that the field is invisible to humans, but still functional. That way, bots will mistake it for a legitimate field and fill it in. Then you can create a segment for subscribers with any value in that field and remove them.


If you track and record spam domains, you can create a blocklist of spam email signups in your MailerLite dashboard. When you get attacked by a specific domain, use the subscriber filters to create a segment based on the email field. Then create a segment using those filters.

Subscriber filters in MailerLite
Source: MailerLite

Subscribers with that domain address will automatically be added to the blocklist segment. Then you can periodically unsubscribe the fake email addresses from your blocklist.

Block specific IPs from visiting your website

If you want to stop spambots at the source and block known spam IPs, here are a few ways to do that:

  • Use a web server firewall - Many web servers, such as Nginx or Caddy, have built-in firewalls that allow you to block specific IP addresses. The exact method of blocking IP addresses will vary depending on the web server you are using

  • Use a Content Delivery Network (CDN) - Services like Cloudflare or Akamai can be used as a CDN to block specific IP addresses at the edge of their network. This is a convenient option if you don’t have direct access to your web server

  • Use server-side code - If your website is built using server-side code, such as PHP or Ruby on Rails, you can block specific IP addresses in the code. You can use the server's IP address blocking features or write custom code to block specific IP addresses
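For the server-side option, a blocklist check has to handle single addresses, CIDR ranges, IPv6 and malformed input. The following is an added example, not code from this article or from MailerLite; the blocklist entries are constructed from documentation address ranges, and rejecting unparseable addresses is a design choice assumed here.

```python
import ipaddress

# Constructed blocklist using documentation ranges (RFC 5737 / RFC 3849).
BLOCKLIST = ["203.0.113.9", "198.51.100.0/24", "2001:db8:bad::/48"]

def load_blocklist(entries):
    """Parse single addresses and CIDR ranges into network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def is_blocked(remote_addr, networks):
    """Return True if the client address falls inside any blocked network."""
    try:
        ip = ipaddress.ip_address(remote_addr.strip())
    except ValueError:
        return True   # unparseable client address: fail closed (assumed policy)
    # Treat IPv4-mapped IPv6 (::ffff:a.b.c.d) as the underlying IPv4 address,
    # so a dual-stack listener cannot be used to sidestep an IPv4 entry.
    if ip.version == 6 and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    return any(ip.version == n.version and ip in n for n in networks)

NETWORKS = load_blocklist(BLOCKLIST)

if __name__ == "__main__":
    # Constructed sample client addresses.
    for addr in ["198.51.100.77", "::ffff:203.0.113.9", "192.0.2.1", "garbage"]:
        print(addr, "->", "blocked" if is_blocked(addr, NETWORKS) else "allowed")
```

If the site sits behind a CDN or reverse proxy, the address the application sees is the proxy's, so run the check against the client address your proxy is configured to pass on.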


Two-factor authentication (2FA) is a security process that requires a user to provide two forms of identification when logging in to a website or accessing a secure system. For example, a password and an SMS code. It’s like having two locks on your front door, making it harder for someone to break in.

Requiring a secondary form of authentication, such as a code sent via text message, is a great option to prevent bot attacks if you have forms where users sign in or sign up for a service.

There are several 2FA libraries available for different programming languages, such as Google Authenticator for PHP, or the Django Two-Factor Authentication library for Python. Choose the library that best suits your needs and the language you use to build your website.


Make sure all software, including the content management system (CMS) and any plugins, is updated to the most recent version to minimize exposure to bot attacks.

Updates are frequently released by software developers to address known vulnerabilities and enhance the software's overall security. This usually involves fixing flaws that bots might use to access your website without authorization, steal sensitive data, or carry out other malicious activities.


Even if you implement all of the precautions mentioned in this article, it’s still important to regularly monitor sign-up activity. 

Keeping an eye on sign-ups is made 100x easier with the MailerLite Manager app for iOS. The latest version includes a feature that allows you to add your live subscriber count to a widget on your lock screen.

Lock screen widget displaying the number of subscribers and emails sent in a MailerLite account.
Source: MailerLite Manager

Instead of logging into the dashboard and reviewing your subscriber count, all you need to do is glance down at your phone! If you see a sudden spike in sign-ups, you’ll know it’s time to start investigating.


If some sneaky spam email addresses have wormed their way onto your list, don’t fret! It’s super easy to get rid of them. Here are 3 strategies to use: 

Manually remove spam sign-ups

You can use the subscriber filters to find subscribers that you suspect of being spam based on their domain, engagement, or signup date. You can then select and unsubscribe the fake email addresses.

Automatically remove suspicious addresses

A common sign of a fake signup or spam account is that it doesn't engage with your email content. Use MailerLite’s subscriber filter settings to create a segment with email addresses that don’t interact with any of your emails. 

Subscriber filters in MailerLite
Source: MailerLite

You can then set up an automation that removes these accounts from your list when they join the unengaged segment. 

If you want to give people in this segment a final chance to prove they’re not a bot, send a re-engagement email when they join the segment and then add a delay step in between the email and the unsubscribe step. This gives recipients one last opportunity to engage. 

Automation triggered when someone joins the unengaged segment
Source: MailerLite

Growing your list is hard! If you’re just starting out, it’s tempting to take any subscriber you can get. There’s always the chance that an email address isn’t a fake signup, even if it shows all the signs of being one… 

Unfortunately, while leaving suspected fake signups on your list seems like a harmless thing to do, it can cause big issues, such as:

  • Decreased deliverability: Inbox providers can see when you send to email accounts that ignore your content. Do this too often and your overall deliverability will drop, increasing the chance that your messages will go to spam. 

  • Bigger chance of bounces: To keep in the good books of inbox providers like Google and Yahoo, you must keep your bounce rate low. Sending to bot accounts can result in an increase in bounces and a deliverability drop. 

  • Increased chance of sending to spam traps: Spam traps are email addresses managed by ISPs to identify spam senders. If you send to one, you’re more likely to be marked as a spam sender. There’s always a chance that some fake signups will also be spam traps.

  • Higher costs: Email marketing tools, including MailerLite, increase prices when you have more subscribers. Don’t pay more than you need to by keeping fake addresses on your list! 

Since there are zero benefits to keeping fake signups and plenty of costs, we highly recommend that you take steps to remove them. Plus, they’re actually really easy to stop using the methods on this list.


Spambots may not be as life-threatening as Arnold Schwarzenegger in a leather jacket, but they are just as relentless (and annoying). Luckily, it doesn’t take time travel to save your future from spambots. If you take a few proactive measures, you can avoid spam sign-ups for good. 👍

Duncan Elder
I’m Duncan, a content writer at MailerLite. I love building websites with no-code tools and writing about what I learn. I created my first site in 2011 with Blogger—it’s safe to say that website builders have improved a lot since then!