The security module is a set of tools aimed to block fake subscription from bots. Since version 5.3.0.
Note: subscription (and signup, comment post, …) by bots affects every site and or service that exposes a form. Subscription middle steps, IP blacklists, antiflood, captcha and so on are methods that try to contain the spam. Sometime those methods create more friction in the conversion flow the user starts, hence you should try to find a trade-off between the number of fake subscription and the difficulty to subscribe.
A subscription always starts from a remote IP address. There are many services that list bad IP addresses and many providers offers protection from traffic coming from unsecure IP addresses. Ask your provider which systems it has in place for those kind of problems. It’s not only a matter of fake subscription, but even of bad traffic, hack attempts and so on.
Since version 5.3.2.
Akismet is an spam checking service available with the plugin Akismet preinstalled on every WordPress blog. It can be activated freely, you just need to signup to get a free license.
If active, Newsletter can use it to check every subscription and block it if Akismet returns an high probability of spam. The Akismet integration can be enabled in the new security panel.
Note: we don’t know how Akismet decides if a subscription could be spam or not, so we cannot check or explain the reasons behind Akismet decisions.
Akismet uses the subscriber name, email address and IP address of the subscription attempt to make its decision.
There is a simple captcha system one can enable on situations where a bot is hitting hard the subscription process. We’re are improving it adding even known captcha services like the Google Captcha.
Is a set of IP addresses, one per line, which must be blocked. If a subscription comes from one of those IPs the connection will be interrupted.
IPs can be specified as:
- full IP address (like 126.96.36.199) which will be exactly matched with the remote IP
- partial IP address (like 134.56.21.) which uses a “starts with” matching
- a CIDR format (like 188.8.131.52/24) which match the most significative 24 bits
- IPv6 format (like 2001:67c:289c:0:0:0:0:25) which uses a “starts with”
The address black list helps in blocking subscriptions from specific email address domain. The match is “ends with”. So if you want to block every
@mail.ru just add that string in the blacklist.
Since version 5.1.0.
The antiflood system blocks repeated subscriptions with the same email address or from the same IP address.
A subscription flood happens when some automated system tries to subscribe a great number of email addresses (usually fake) in a short time. This is a problem since for each subscription you will send a confirmation or welcome email. The result will be a great number of email sent which probably will generate bounces or complaints.
The antiflood option is available in the subscription configuration panel and you can set how quickly two subscription for the same email address or the same IP address can be accepted. For example, setting the antiflood at 5 seconds, that will be the minimum interval Newsletter will wait to accept a second subscription matching the same address or the same IP address.
We suggest to set the antiflood to 1 minute or more. By default it is set to 5 seconds to not interefer with your initial tests. The only problem you can face with a long time antiflood setting could be with a burst of subscriptions from the same office where people share (usually) the same external IP address.
Why an address can subscribe twice
Because you can have more than one form inviting to subscribe for different reasons and collecting the email address on different list. Hence I can decide for example to subscribe today to your site to receive your newsletter, and tomorrow I will subscribe again to have your latest free ebook.
Antiflood and antibot: differences
The antibot option forces an intermediate step during the subscription process which is automatically executed by a real browser. It is becoming every day more inefficient, since many bots are now able to simulate a real browser. The combination of an antiflood and an antibot can keep the fake subscriptions low. More protection can be gained asking the provider to block traffic from blacklisted IP addresses (most of them already have those filters active).