Double Opt-in Is Not Enough To Prevent Bot Signups

I have been getting a lot of spam sign ups recently through my opt-in form. A few weeks ago I suddenly started to get new "subscribers" in strange patterns; 5-6 signups within a matter of an hour, every 3-4 days. Fake, definitely fake. ...Aren't they? In case you're wondering, I'm talking about the form you see in the side bar as well as the one at the bottom of every post for my readers to subscribe to my newsletters.

Fake Email Addresses

There is nothing to prove that these "subscribers" are bots​, except that all the email addresses have something in common which makes it look suspicious;

​See, they are all Yahoo domain, and the local part consist of 10-13 letters followed by 4 digit number.

​But they were all signed up at different IP addresses, all over within the States - Oregon, Arizona, Utah, Delaware, Florida, Texas and so on... Again they're most likely to be "fake" IP locations.

Double Opt-In Is Not Enough For Security?

If you are already my subscriber, you know it has a double opt-in (confirmed opt-in) system - where ​a confirmation email is sent to the new subscriber to verify it really is them. The helpdesk at GetResponse was initially adamant that these were bots - saying bots cannot confirm email.

Bots or not bots - is irrelevant to me, I just wanted to find out how to prevent it from happening. Well, it may be relevant - I have been a victim of cyber attacks a few times in the past. Imagine someone crazy spends all day, every day signing up with me manually...that'd be even creepier!

GetResponse's security team had a further look at the list of my recent subscriptions, and suggested that I should add a captcha to the webform. Also to monitor their activity for several days, and if they don't show any activity, simply delete them from the list.​

...which was the case. These spams signed up with me, and didn't do anything, did not open my "welcome" email, so I've deleted these addresses.

No "Brilliant" Options To Block Spam Signups

I have two different signup forms using different methods. I don't have an excellent option to solve the problem right now and, have taken two separate steps temporarily;

• The webform shown in the sidebar is created using a GetResponse template (as of August 2016), which allows me to add a captcha option. When a new subscriber enters their email address and clicks "Sign Up Now", they are now required to enter captcha, then they'll receive a confirmation email to verify.
• Whereas the form at the bottom of this article is part of Thrive Opt-In, connected to GetResponse using API. It's formatted by Thrive, with GetResponse's plain html code integrated. Unfortunately GetResponse does not allow you to add a captcha option to it. Instead I've added a "name" box to see what happens.

This is a form before the spam bot attack.

Captcha is a strong, universally accepted method to prevent bots from signing up or logging in. However contrary to what GetResponse initially suggested, bots can click a link in email to "verify" the address. I know that adding an extra "name" box in the webform will only block the existing bots to sign up for the next few weeks (if not days).

I really don't like the idea of inconsistency - my visitors can either (a) sign up using the sidebar form without providing their name but must enter the captcha or (b) sign up using the bottom form without captcha but must provide their name. This is really a temporary solution for now. I'll keep searching for something better - if you have a good idea, do let me know!