Usually, those fake data submissions or spam subscriptions are performed by automated systems (as, for example, bots) with the intent to publish links or to reach users via email to promote something.
To prevent those submissions there are many tools available, such as captchas, IP or address blacklists, email validation etc.
Important notes:
- some methods to prevent spam and other malicious attempts to submit data can create technical incompatibilities or other issues, so make sure that you test them before enforcing them. For example, the Cross-site request forgery (CSRF) block that you can enact by using a token, it is not applicable if forms are part of cached pages.
- Some methods to prevent spam subscriptions could make your subscription process less fluid, as the user is asked to process more actions (for example when captcha is used).
What's inside
1. Before we start, here you have some useful tips!
There are two easy steps that you may want to take when you set up your newsletter, as they are generally free and help in managing spam subscriptions.
The first, is to control the IP addresses. Subscriptions always start with a remote IP address and there are many free services that list bad IP addresses. Many providers do also offer protection from traffic coming from unsecured addresses. Ask your provider which system is using to address this kind of problems, as they are not only related to fake subscriptions but even to bad traffic, hack attempts and so on.
The second recommendation is to install a firewall plugin. Firewall plugins, as for example WordFence (but there are many others), are able to block untrusted traffic and some hack attempts.
2. Tools available in Newsletter
Newsletter has several tools that intercept and block fake subscriptions. This security system is active by default, but you may check the page “security” to make sure that all the anti-bot tools are in place and to change its configuration.
Antibot
The Antibot feature adds a hidden step in the subscription flow that is aimed to block the subscriptions generated by bots. This middle step is coded with javascript, so if the bot doesn’t execute javascript it should be blocked. However, bear in mind that modern bots can execute javascript, so this protection is only partial.
Important note: this option should be disabled just if you have custom forms coded to use AJAX, because otherwise the Ajax font will not work, or use the API.
Akismet integration
Akismet is a spam checking service available with the plugin Akismet preinstalled on every WordPress blog. It can be activated freely, you just need to signup to get a free license.
If the plugin is active, Newsletter can use it to check every subscription and block it if Akismet signals a high probability of spam. The Akismet integration can be enabled in the security panel, inside the Newsletter dashboard.
Important note: Akismet uses the subscriber name, email address, and IP address to decide whether a subscriber is spam or not. We don’t know how Akismet decides if a subscription is spam or not and we can not control it. Therefore, we can not check or explain the reasons behind Akismet decisions.
Captcha
Newsletter provides a simple captcha system that can be enabled if bots are hitting hard. The captcha is not shown on subscription forms but adds a second subscription step where the captcha is displayed. That grants that every subscription is validated by a captcha even when the form is located in another site, for example when you are using a single blog as the central collector for subscriptions coming from other sites.
IP blacklist
This is a set of IP addresses, one per line, which must be blocked. If a subscription comes from one of those IPs, the connection will be interrupted.
IP address (like 145.34.232.12) which will be exactly matched with the remote IP;
- partial IP address (like 134.56.21.) which uses a “starts with” matching;
- a CIDR format (like 134.34.226.0/24) which match the most significative 24 bits;
- IPv6 format (like 2001:67c:289c:0:0:0:0:25) which uses a “starts with”;
Email address/domain blacklist
The address black list helps in blocking subscriptions from specific email addresses and/or domains. The match is “ends with” and they must be entered one per line.
So, if you want to block every subscription from the domain “mail.ru” just enter @mail.ru
since that is how those addresses end. If you want to block a specific address, add it to the list (eg. name@domain.com
).
This filter is applied only to web or API subscriptions, not to imported addresses using the import feature or the Advanced Import addon.
Antiflood
The antiflood system blocks repeated subscriptions with the same email address or from the same IP address.
A subscription flood happens when some automated system tries to subscribe a great number of email addresses (usually fake) in a short time. This represents a problem, since for each subscription you will send a confirmation or welcome email, and this means sending a great number of emails which will probably generate bounces or complaints.
This system can set how quickly two subscriptions for the same email address or the same IP address can be accepted. For example, if you set the antiflood to 5 seconds, this time represents the minimum interval Newsletter will wait to accept a second subscription matching the same address or IP address.
Important notes:
We suggest setting the antiflood system to 1 minute or more. By default it is set to 5 seconds, allowing you to perform all the initial tests without trouble. The only issue that you can face if you increase the antiflood value, could be with subscriptions coming from the same office, where people share (usually) the same external IP address.
If you have more than one subscription form on your site on different pages and with different purposes (for example different forms to subscribe to different lists), the antiflood system may prevent a new subscription through a different form if performed too quickly. Read more about repeated subscriptions here.