Many of you may have noticed an increase in the number of "bots" signing up to your forms. These addresses are typically very spammy-looking, like 1237214@yahoo.com, but can also look completely normal. You might see a flood of a few thousand addresses sign up to a single form within a few seconds.
Understandably, this can be concerning, and can create deliverability issues if some of these signups happen to be live addresses that end up marking your email as spam. We'll try to answer some of the common questions you may have.
Why is this happening?
Malicious hackers create "bots" that sign up a single email address to thousands of online forms. This single address will get flooded with emails and rendered temporarily useless. Think thousands of messages a minute.
This is often done to disable the account so that other sensitive information can be stolen, or so that fraudulent financial transactions can be made without the email account receiving notices of this activity.
Typically, the bot will also sign up thousands of other addresses to obscure the ones they are targeting. These are usually fake, randomly generated addresses.
For the technically ambitious, here are a few sources to learn more:
- Defense and Mitigations from E-mail Bombing
- SubStop: An analysis on subscription email bombing attack and machine learning based mitigation
- How to Prevent Mailbombing & Protect Your Sender Reputation
FAQ
Is this only happening to ActiveCampaign?
No. This is happening to every mainstream email provider on the market.
Can ActiveCampaign fix this for me?
There is no switch we can flip to make your forms secure, especially if you are using single opt-in. Email forms are inherently vulnerable to these kinds of attacks.
What can I do?
There are three concrete actions you can take to solve the problem:
- Recommended. Add a CAPTCHA to all forms. This instantly solves the problem. Very few bots can complete a CAPTCHA test, so this prevents many bots from entering your list. CAPTCHA is free and easy to add to all ActiveCampaign forms.
- Add confirmed/double opt-in to your forms. If you do this, bots are still able to sign up to your list, but they will only receive one confirmation email, which they will never click. Confirmed opt-in limits the damage, but doesn't fix the problem entirely. This works especially well in combination with a CAPTCHA to drastically limit the number of bot signups.
- Add a hidden field to your form. If a bot fills out this field you will know it's a bot. You can even create an automation that automatically unsubscribes any contacts that fill out this hidden field. This is not a definitive solution, though, because smart bots will not fill out a hidden field.
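The second and third actions above, as an added example that is not ActiveCampaign's own code: a minimal server-side signup handler that rejects any submission where the hidden honeypot field is filled in, stores every other address as pending until the signed link in the confirmation email is clicked, and counts only confirmed contacts. The hidden field name (website_url), the signing secret and the in-memory contact store are assumptions made for this example. Note that, exactly as the page says, a bot that leaves the hidden field empty passes the honeypot check; it is the confirmation step that keeps it off the billable list.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Hypothetical signing secret for confirmation links. In a real deployment it
# comes from configuration, never from source code.
SECRET_KEY = b"example-secret-do-not-use"

# Hypothetical name of the hidden form field. Real visitors never see it, so it
# must arrive empty; any value means the submission was scripted.
HONEYPOT_FIELD = "website_url"


@dataclass
class Contact:
    email: str
    status: str  # "pending" until the confirmation link is clicked, then "confirmed"


@dataclass
class ContactList:
    contacts: dict = field(default_factory=dict)


def confirmation_token(email: str) -> str:
    """HMAC over the address; embedded in the link sent by the confirmation email.
    Only the server can mint it, so a bot cannot forge a confirmation."""
    return hmac.new(SECRET_KEY, email.encode(), hashlib.sha256).hexdigest()


def handle_signup(form: dict, contacts: ContactList) -> str:
    """Process one form post. Returns 'rejected_honeypot', 'rejected_invalid'
    or 'pending' (the address is stored but not yet counted)."""
    # Hidden-field check: a filled honeypot identifies a bot outright.
    if form.get(HONEYPOT_FIELD, "").strip():
        return "rejected_honeypot"
    email = form.get("email", "").strip().lower()
    if not email or "@" not in email:
        return "rejected_invalid"
    # Double opt-in: the contact exists only as pending until confirmed. A bot
    # that skipped the honeypot still lands here and never clicks the link.
    contacts.contacts.setdefault(email, Contact(email, "pending"))
    return "pending"


def handle_confirmation(email: str, token: str, contacts: ContactList) -> bool:
    """Called when the link in the confirmation email is visited."""
    email = email.strip().lower()
    expected = confirmation_token(email)
    # Constant-time comparison so token validity does not leak via timing.
    if not hmac.compare_digest(expected, token):
        return False
    contact = contacts.contacts.get(email)
    if contact is None:
        return False
    contact.status = "confirmed"
    return True


def billable_contacts(contacts: ContactList) -> list:
    """Only confirmed addresses count toward the contact limit."""
    return sorted(e for e, c in contacts.contacts.items() if c.status == "confirmed")


def demo() -> dict:
    """Runs three constructed submissions through the handler."""
    contacts = ContactList()
    results = {}
    # Constructed sample posts: a crude bot, a careful bot, and a real person.
    results["crude_bot"] = handle_signup(
        {"email": "1237214@yahoo.com", HONEYPOT_FIELD: "http://spam.example"}, contacts)
    results["careful_bot"] = handle_signup({"email": "7781@yahoo.com"}, contacts)
    results["person"] = handle_signup({"email": "Person@Example.com"}, contacts)
    # Only the person follows the link; the careful bot stays pending forever.
    results["confirmed"] = handle_confirmation(
        "person@example.com", confirmation_token("person@example.com"), contacts)
    results["billable"] = billable_contacts(contacts)
    return results


if __name__ == "__main__":
    print(demo())
```

The automation the page describes for the hidden field (unsubscribe anyone who fills it) corresponds to the "rejected_honeypot" branch; the pending/confirmed split is what makes bot-submitted addresses free rather than billable under confirmed opt-in.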
Am I charged for these contacts?
If you are using single opt-in, yes. These contacts will be considered valid until you delete them or they bounce.
If you are using confirmed/double opt-in, the bot addresses will never confirm their email addresses and won't count toward your contact limit.