The Rise of the Spam Bots

Email marketers know the best distribution lists you can have are the ones grown organically. A major source is sign-up forms on your website. This means you can be certain that the person really wants to sign up… right? You might also have forms to capture such things as contact or blog comments to help you communicate with your users better. But just how safe are your forms really? If you haven’t added any protection to them against spam bots and malicious phishers, then sadly, not safe at all. The implications of this can often be dire for your success as an email marketer. Feedback from your users is a helpful way to know if you are collecting real new subscribers or not:

Someone else signed up for this email

Someone hacked my email and signed me up on many lists, including yours.

Don’t know who signed me up for this

Your site is being used by hackers to email bomb. You need to add measures to prevent this, such as captcha, to stop robots signing up for your email list.

If your own users are telling you to add protection, you know you are being targeted!

What do these spam bots / malicious phishers want?

Most people are probably aware of spam bots already, but one example could be an automated program with no other purpose than to trawl the web looking for vulnerable forms and filling them out, sometimes with fake and sometimes with real addresses. The dastardly plan of the bot programmers is typically to generate more traffic and thus revenue, or sometimes to inject advertising or malicious links that people may inadvertently click if they receive them from the form submission. The worst kind is people using your forms to make SQL injections to try to steal or damage your data.

What are these dire implications?

Maybe dire was a bit melodramatic, but the impact can still be very negative. Sending your emails to people that never signed up is obviously a big no-no, especially in a post-GDPR world. High reports of spam will severely affect your ability to deliver your emails into the inbox as your reputation takes a hit. This also means that any analysis you run is unreliable – you may think you’re pulling in x many new subscribers each month when it’s actually y, and that can impact decision making. Likewise, reporting will be skewed, as you will likely get no engagement from fake signups, which devalues your campaigns.

How do we protect ourselves from these spam bots?

If you use a form that adds information to a database, you must protect yourself against SQL injection attacks. These are when the attacker enters malicious SQL code into a form field, designed to do things like dump the entire contents of a database to their own server to steal your data. Or they could just do nasty things like try to delete your database. The best way to prevent this is to use prepared statements to execute your SQL rather than a straight execution, e.g. with PHP:

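// The ? placeholders keep user input out of the SQL text itself
if ($stmt = $conn->prepare("INSERT INTO EmailList (Email, Firstname, Lastname) VALUES (?, ?, ?)")) {
    // 'sss' = three string parameters, bound as data rather than as SQL
    $stmt->bind_param('sss', $email, $firstname, $lastname);
    $stmt->execute();
    $stmt->close();
}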

You can also look for things likely to be found in malicious code, like single quotes, in your captured variables before inserting them into your database. Here, from the technical mind of xkcd, is an idea of how it works:

xkcd Exploits of a Mum

But, what if the input looks good, but is fake?

There are a bunch of tricks to defeat spam bots:

    • Setting a hidden field that humans can’t fill out, but spam bots will. You can then eliminate those submissions.
    • Using double opt-in to ensure your subscribers are genuine. All this requires is a link in an email, which will only confirm their subscription upon clicking. This is not massively different to simply sending a welcome email.
    • Checking for patterns in the email and other fields which indicate they are sequential or automated. For example, numerical characters in first names, or hexadecimal characters. Look for these and then manually scrub your data.
    • Running proper email hygiene processes to remove unengaged data. That won’t prevent fake emails being added, but it will kick them out as quickly as possible.
    • Capturing the IP addresses of the form submissions to spot if one IP is producing multiple form inputs. You can then block that IP address.
    • Adding Captcha to your forms. There are various types of Captcha. Some can be very annoying and off-putting to the user, such as those where you have to enter a code made up of mangled characters from an image. These are often genuinely hard to read and I invariably always get them wrong at least once. There are also types that involve clicking on all the squares that contain, say, a store front. I’m often left red-faced as I seem to have an inability to identify such things! But Google’s ReCaptcha is a good option, and the one I would recommend. It simply requires a click of a box from the user, which is barely a blip on the user journey and will destroy spam bot submission attempts. The only downside is it won’t stop real people from submitting to your forms, so there you will have to be extra vigilant.
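
As an added example (not code from our site), here is one way the hidden field, pattern and IP checks from the list above could be wired into a PHP form handler. The field names, the honeypot field name website and the limit of 3 submissions per IP are assumptions made for illustration.

```php
<?php
// Added example. MAX_PER_IP, the "website" honeypot field and the other
// field names are assumptions, not taken from the original article.
const MAX_PER_IP = 3;

function screen_signup(array $form, string $ip, array &$seenPerIp): array
{
    // Treat anything that is not a plain string (e.g. field[]=x) as empty.
    $f = array_map(fn($v) => is_string($v) ? trim($v) : '', $form);
    $reasons = [];

    // 1. Honeypot: the field is hidden with CSS, so a human leaves it empty.
    if (($f['website'] ?? '') !== '') {
        $reasons[] = 'honeypot filled';
    }

    // 2. Syntax check only; double opt-in still has to prove ownership.
    if (filter_var($f['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        $reasons[] = 'invalid email';
    }

    // 3. Automated-looking names: digits, or a long run of hex characters.
    $first = $f['firstname'] ?? '';
    if (preg_match('/\d/', $first) || preg_match('/^[0-9a-f]{8,}$/i', $first)) {
        $reasons[] = 'suspicious first name';
    }

    // 4. Many submissions from one IP (keep this counter in your database
    //    or cache in a real handler; an array only lives for one request).
    $seenPerIp[$ip] = ($seenPerIp[$ip] ?? 0) + 1;
    if ($seenPerIp[$ip] > MAX_PER_IP) {
        $reasons[] = 'too many submissions from IP';
    }

    return $reasons; // empty array = accept and send the confirmation email
}

// Constructed sample submissions (IPs from the 203.0.113.0/24 documentation range).
$samples = [
    ['203.0.113.7', ['email' => 'ann@example.com', 'firstname' => 'Ann', 'website' => '']],
    ['203.0.113.9', ['email' => 'bot1@example.com', 'firstname' => 'a3f9c2e17b', 'website' => 'http://spam.example']],
    ['203.0.113.9', ['email' => 'not-an-email', 'firstname' => 'Bob', 'website' => '']],
];
$seen = [];
foreach ($samples as [$ip, $form]) {
    $reasons = screen_signup($form, $ip, $seen);
    echo $form['email'], ': ', $reasons ? implode(', ', $reasons) : 'accept', PHP_EOL;
}
```

Submissions that come back with reasons can be dropped or queued for the manual scrub, while accepted ones still go through double opt-in before they join the list.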

You can check out our website to see Captcha in use:

How we use ReCaptcha and all it requires is the tick of a box

Or for comments:

How we use character based Captcha – not quite as good as ReCaptcha but still pretty simple.

Eliminating fake form submissions is a battle. You have to strike the right balance between keeping your users’ experience as simple as possible, whilst removing the threat of these spam bots and malicious phishers. But it is an important endeavour for maintaining a good quality email distribution list and a healthy sender reputation.