Double Opt-in Is Not Enough To Prevent Bot Signups

Updated: August 27, 2016
by Ray Alexander

I have been getting a lot of spam sign ups recently through my opt-in form. A few weeks ago I suddenly started to get new "subscribers" in strange patterns; 5-6 signups within a matter of an hour, every 3-4 days. Fake, definitely fake. ...Aren't they? In case you're wondering, I'm talking about the form you see in the side bar as well as the one at the bottom of every post for my readers to subscribe to my newsletters.


Fake Email Addresses

There is nothing to prove that these "subscribers" are bots, except that all the email addresses have something in common which makes it look suspicious:

See, they are all on the Yahoo domain, and the local part consists of 10-13 letters followed by a 4-digit number.

But they were all signed up at different IP addresses, all over within the States - Oregon, Arizona, Utah, Delaware, Florida, Texas and so on... Again they're most likely to be "fake" IP locations.


Double Opt-In Is Not Enough For Security?

If you are already my subscriber, you know it has a double opt-in (confirmed opt-in) system - where a confirmation email is sent to the new subscriber to verify it really is them. The helpdesk at GetResponse was initially adamant that these were bots - saying bots cannot confirm email.

Bots or not bots - is irrelevant to me, I just wanted to find out how to prevent it from happening. Well, it may be relevant - I have been a victim of cyber attacks a few times in the past. Imagine someone crazy spends all day, every day signing up with me manually...that'd be even creepier!

GetResponse's security team had a further look at the list of my recent subscriptions, and suggested that I should add a captcha to the webform. Also to monitor their activity for several days, and if they don't show any activity, simply delete them from the list.

...which was the case. These spams signed up with me, and didn't do anything, did not open my "welcome" email, so I've deleted these addresses.
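The three signals described so far (the address pattern, signups arriving in bursts, and no activity after the welcome email) can be checked together against a subscriber export. This is an added example, not code from the original post or from GetResponse; the export layout, reading "Yahoo domain" as any yahoo.<tld> address, the 7-day grace period and every sample address are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Pattern from the post: 10-13 letters, then 4 digits, at a Yahoo domain.
# Assumption: "Yahoo domain" is read as any yahoo.<tld> address.
SUSPECT = re.compile(r"^[a-z]{10,13}\d{4}@yahoo\.[a-z.]+$", re.IGNORECASE)
BURST_SIZE = 5                     # post: 5-6 signups ...
BURST_WINDOW = timedelta(hours=1)  # ... within about an hour
GRACE = timedelta(days=7)          # assumption for "several days" of monitoring

# Constructed sample export: (email, signup time, opened the welcome email?)
SIGNUPS = [
    ("qwkzhtrplmnb4821@yahoo.com", datetime(2016, 8, 1, 10, 0), False),
    ("hvbnxtraqwe1190@yahoo.com", datetime(2016, 8, 1, 10, 9), False),
    ("jane.reader@example.org", datetime(2016, 8, 1, 10, 20), True),
    ("zzplkmtrewqa7733@yahoo.com", datetime(2016, 8, 1, 10, 31), False),
    ("mnbvcxzlkjh0042@yahoo.com", datetime(2016, 8, 1, 10, 40), False),
    ("trewqyuiopas5566@yahoo.com", datetime(2016, 8, 1, 10, 52), False),
    ("sam1984@yahoo.com", datetime(2016, 8, 3, 18, 5), False),
]

def burst_members(signups):
    """Addresses that fall in any window holding BURST_SIZE or more signups."""
    ordered = sorted(signups, key=lambda s: s[1])
    flagged = set()
    for i, (_, start, _) in enumerate(ordered):
        window = [s for s in ordered[i:] if s[1] - start <= BURST_WINDOW]
        if len(window) >= BURST_SIZE:
            flagged.update(s[0] for s in window)
    return flagged

def review(signups, now):
    """Map each address to the signals it trips: pattern, burst, inactive."""
    bursts = burst_members(signups)
    report = {}
    for email, when, opened in signups:
        signals = {"pattern": bool(SUSPECT.match(email)),
                   "burst": email in bursts,
                   "inactive": not opened and now - when >= GRACE}
        report[email] = [name for name, hit in signals.items() if hit]
    return report

def removal_candidates(signups, now):
    """Inactive addresses that also trip at least one other signal."""
    return sorted(e for e, r in review(signups, now).items()
                  if "inactive" in r and len(r) >= 2)

if __name__ == "__main__":
    print(removal_candidates(SIGNUPS, datetime(2016, 8, 20)))
```

A genuine reader who signs up during a burst but opens the welcome email is kept, and a quiet subscriber who trips no other signal is left for manual review rather than deleted.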

No "Brilliant" Options To Block Spam Signups

I have two different signup forms using different methods. I don't have an excellent option to solve the problem right now, and have taken two separate steps temporarily:

  • The webform shown in the sidebar is created using a GetResponse template (as of August 2016), which allows me to add a captcha option. When a new subscriber enters their email address and clicks "Sign Up Now", they are now required to enter a captcha, then they'll receive a confirmation email to verify.
  • Whereas the form at the bottom of this article is part of Thrive Opt-In, connected to GetResponse using the API. It's formatted by Thrive, with GetResponse's plain HTML code integrated. Unfortunately GetResponse does not allow you to add a captcha option to it. Instead I've added a "name" box to see what happens.

This is a form before the spam bot attack.

Captcha is a strong, universally accepted method to prevent bots from signing up or logging in. However, contrary to what GetResponse initially suggested, bots can click a link in an email to "verify" the address. I know that adding an extra "name" box in the webform will only block the existing bots from signing up for the next few weeks (if not days).

I really don't like the idea of inconsistency - my visitors can either (a) sign up using the sidebar form without providing their name but must enter the captcha or (b) sign up using the bottom form without captcha but must provide their name. This is really a temporary solution for now. I'll keep searching for something better - if you have a good idea, do let me know!

About the author 

Ray Alexander

ASD. Recovering alcoholic. LGBTQ+ advocate. Semi-retired. 15+ years of web-designing experience. 10+ years affiliate marketing. Ex-accountant. I'm nice and real. Ask me if you need any help in starting up your home business.

Thank you for your Comments!

  1. Thank you for such a piece of useful information. I knew something was wrong when I received more than 40 signups in a matter of an hour then it stopped. When I complained he delivered the rest but no signups. None of them opened my emails. NIL zero. I complained again but he didn’t reply. I knew they were all bot signups. I removed them all from my list.

    1. Hi Michael, thanks for sharing your experience, assuming you’ve bought a solo ad traffic…it does indeed sound like the seller was sending bot traffic to your page, knowingly or unknowingly. I hope you’ll find some trustworthy sellers in time if you continue to use solo ads. I wish you all the best, thanks for your comment!

  2. It really is a shame that we have to put up with spam comments, spam sign-ups and everything else that goes along with having an online email sign-up form. It’s hard enough battling everything else in the internet marketing world without having all this rubbish to deal with. However, until someone comes up with a reliable spam catcher, we are at the mercy of these parasites. Rant over 🙂

    1. Hi Tony, thanks for the “rant” 🙂 Remember the days we didn’t have to lock the front door when leaving the house? Or am I too old? Yes you’re right, we just have to keep battling with meaningless intruders. At least spam sign-ups don’t damage your website at first instance. But as you say, they’re making us continually deal with rubbish clearing that’s just annoying.
      Thanks again for your comment, I appreciate it!
