Updated for Newsletter 6.3.9
Spam subscriptions and submissions are a fact of life for every service open to the public, whether it is a newsletter subscription form or a comment form.
Usually these fake submissions are performed by automated systems (bots) with the intent of publishing links or reaching users via email to promote something.
To prevent those submissions there are many tools available: captchas, IP or address blacklists, email validation and so on.
Not all methods can be applied. For example, a CSRF block based on a per-request token is not applicable when forms are part of cached pages, since every visitor receives the same cached token.
Moreover, some methods add friction to the submission, since the user is asked to take more steps to reach the end, as when a captcha is used.
A subscription always originates from a remote IP address. There are many services that list bad IP addresses, and many hosting providers offer protection from traffic coming from known-bad IP addresses. Ask your provider which systems it has in place for this kind of problem. It is not only a matter of fake subscriptions, but also of bad traffic, hacking attempts and so on.
A firewall plugin is recommended. Wordfence, for example (though it is not the only one), can block untrusted traffic as well as hacking attempts.
Tools Available in Newsletter
Newsletter has a few anti-bot tools aimed at intercepting and blocking fake subscriptions. This security system is active by default, but you may want to check the “Security” page to be sure it is on and possibly change its configuration.
This block adds a middle step to the subscription flow and should be disabled only if you have custom forms coded to submit via AJAX, since that middle step won’t work with them.
Akismet is a spam checking service available through the Akismet plugin, which comes preinstalled on every WordPress blog. It can be activated for free: you just need to sign up to get a free license.
If it is active, Newsletter can use it to check every subscription and block it if Akismet returns a high probability of spam. The Akismet integration can be enabled in the Security panel.
Note: we don’t know how Akismet decides whether a subscription is spam or not, so we cannot check or explain the reasons behind Akismet’s decisions.
Akismet uses the subscriber name, email address and IP address of the subscription attempt to make its decision. Bear in mind that this means those three pieces of personal data are sent to a third-party service for every subscription attempt.
There is a simple captcha system that can be enabled in situations where a bot is hitting the subscription process hard.
The captcha is not shown on the subscription forms themselves; instead it adds a second subscription step where the captcha is displayed. This guarantees that every subscription submission is validated by a captcha, even if the form is located on another site, as when you use a single blog as a central collector for subscriptions coming from other sites.
The IP blacklist is a set of IP addresses, one per line, which must be blocked. If a subscription comes from one of those IPs the connection is interrupted.
IPs can be specified as:
- a full IP address (like 22.214.171.124), which must exactly match the remote IP
- a partial IP address (like 134.56.21.), which uses a “starts with” match; keep the trailing dot, otherwise 134.56.21 would also match 134.56.210.x and 134.56.211.x
- CIDR notation (like 126.96.36.199/24), which matches the most significant 24 bits, i.e. the whole 126.96.36.0/24 range
- an IPv6 address (like 2001:67c:289c:0:0:0:0:25), which also uses a “starts with” match on the textual form
Email Address (Domain) Blacklist
The address blacklist helps in blocking subscriptions from specific email address domains. The match is “ends with” and entries must be entered one per line.
So if you want to block every address @mail.ru, just add that string to the blacklist. Include the leading @: an entry of mail.ru alone would also block every address at any domain ending in mail.ru, such as gmail.ru.
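The matching rules of the IP blacklist and of the address blacklist, as described above, reimplemented here as an added example so you can check offline whether a given attempt would be blocked. This is not the plugin's own code: the lists, the `check_subscription` helper and the sample addresses are constructed for the example, and the way a full IPv4 entry is told apart from a partial one (by whether it parses as a complete address) and the case-insensitive address comparison are assumptions. It also makes the two pitfalls explicit: a partial IPv4 entry without its trailing dot and a domain entry without its leading @ both match more than intended.

```python
import ipaddress

# Constructed sample lists (not from the plugin), one entry per line, in the
# four IP forms and the "ends with" domain form described on the page.
IP_BLACKLIST = """
22.214.171.124
134.56.21.
126.96.36.199/24
2001:67c:289c:0:0:0:0:25
"""

DOMAIN_BLACKLIST = """
@mail.ru
"""


def parse_list(text):
    """One entry per line; blank lines and surrounding whitespace are ignored."""
    return [line.strip() for line in text.splitlines() if line.strip()]


IP_ENTRIES = parse_list(IP_BLACKLIST)
DOMAIN_ENTRIES = parse_list(DOMAIN_BLACKLIST)


def _is_full_ipv4(entry):
    try:
        ipaddress.IPv4Address(entry)
        return True
    except ValueError:
        return False


def ip_blocked(remote_ip, entries):
    """Return the blacklist entry that matches remote_ip, or None.

    Rules as the page states them (assumed reimplementation):
      - entry containing '/'  -> CIDR, compare the network prefix bits
      - full IPv4 entry       -> exact match
      - entry containing ':'  -> IPv6, textual "starts with"
      - anything else         -> partial IPv4, textual "starts with"
    """
    try:
        addr = ipaddress.ip_address(remote_ip)
    except ValueError:
        return None  # not a parseable address: nothing to match (assumption)
    for entry in entries:
        if "/" in entry:
            try:
                net = ipaddress.ip_network(entry, strict=False)
            except ValueError:
                continue  # a malformed CIDR entry is skipped (assumption)
            if addr.version == net.version and addr in net:
                return entry
        elif _is_full_ipv4(entry):
            if remote_ip == entry:
                return entry
        elif ":" in entry:
            # Textual prefix: the compressed form 2001:67c:289c::25 does NOT
            # start with the uncompressed entry, so enter the form your
            # server actually reports as the remote IP.
            if addr.version == 6 and remote_ip.lower().startswith(entry.lower()):
                return entry
        else:
            # Textual prefix: without the trailing dot "134.56.21" would also
            # match 134.56.210.x and 134.56.211.x.
            if addr.version == 4 and remote_ip.startswith(entry):
                return entry
    return None


def email_blocked(email, entries):
    """'Ends with' match on the whole address, case-insensitive (assumption)."""
    address = email.strip().lower()
    for entry in entries:
        if address.endswith(entry.lower()):
            return entry
    return None


def check_subscription(remote_ip, email, ip_entries=IP_ENTRIES, domain_entries=DOMAIN_ENTRIES):
    """Return a human-readable block reason, or None when the attempt passes."""
    hit = ip_blocked(remote_ip, ip_entries)
    if hit:
        return "blocked: IP matches blacklist entry " + hit
    hit = email_blocked(email, domain_entries)
    if hit:
        return "blocked: address matches blacklist entry " + hit
    return None


if __name__ == "__main__":
    for ip, mail in [("134.56.21.200", "alice@example.com"),
                     ("198.51.100.7", "bob@mail.ru"),
                     ("198.51.100.7", "carol@example.com")]:
        print(ip, mail, "->", check_subscription(ip, mail) or "accepted")
```

Because both textual matches are plain string prefixes and suffixes, always write the partial IPv4 entry with its trailing dot and the domain entry with its leading @, and write IPv6 entries exactly in the representation your server reports for the remote IP.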
The antiflood system blocks repeated subscriptions with the same email address or from the same IP address.
A subscription flood happens when an automated system tries to subscribe a great number of email addresses (usually fake) in a short time. This is a problem because for each subscription you will send a confirmation or welcome email. The result is a great number of emails sent, which will probably generate bounces or complaints and damage your sender reputation.
You can set how quickly two subscriptions for the same email address or from the same IP address can be accepted. For example, setting the antiflood to 5 seconds makes that the minimum interval Newsletter will wait before accepting a second subscription matching the same address or the same IP address.
We suggest setting the antiflood to 1 minute or more. By default it is set to 5 seconds so as not to interfere with your initial tests. The only problem you may face with a long antiflood interval is a burst of subscriptions from the same office, where people usually share the same external IP address (the same applies to any group of users behind a shared NAT).
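To make the trade-off concrete, here is an added example (not the plugin's code) that reimplements the antiflood rule as described, a minimum interval between accepted subscriptions sharing an email address or an IP, and runs a constructed event set through it at the default 5 seconds and at the suggested 60 seconds: a bot submitting a new fake address every second from one IP, followed by two colleagues subscribing half a minute apart from a shared office IP. The `AntiFlood` class, the sample addresses and the choice that rejected attempts do not extend the window are assumptions made for the example.

```python
from collections import defaultdict


class AntiFlood:
    """Minimum interval between two accepted subscriptions sharing an email
    address or an IP address. Assumed reimplementation of the behaviour the
    page describes, not the plugin's own code."""

    def __init__(self, interval_seconds):
        self.interval = interval_seconds
        self.last_accepted = {}  # (kind, value) -> time of the last accepted subscription

    def accept(self, email, remote_ip, now):
        """Return True and record the subscription, or False if it comes too
        soon after an accepted one with the same address or the same IP.
        Rejected attempts do not extend the window (assumption)."""
        keys = (("email", email.strip().lower()), ("ip", remote_ip))
        for key in keys:
            last = self.last_accepted.get(key)
            if last is not None and now - last < self.interval:
                return False
        for key in keys:
            self.last_accepted[key] = now
        return True


def build_events():
    """Constructed sample: 60 bot subscriptions one second apart from one IP,
    then two colleagues subscribing 30 s apart from a shared office IP."""
    events = [(t, f"bot{t}@example.com", "198.51.100.7") for t in range(60)]
    events.append((100, "alice@example.com", "203.0.113.9"))
    events.append((130, "carol@example.com", "203.0.113.9"))
    return events


def simulate(interval_seconds, events=None):
    """Run the events through the guard in time order; return the number of
    accepted subscriptions (each of which would trigger a confirmation email)
    per source IP."""
    guard = AntiFlood(interval_seconds)
    accepted = defaultdict(int)
    for t, email, ip in sorted(events if events is not None else build_events()):
        if guard.accept(email, ip, t):
            accepted[ip] += 1
    return dict(accepted)


if __name__ == "__main__":
    for interval in (5, 60):
        print(f"antiflood {interval}s:", simulate(interval))
```

With the 5 second default the bot still gets 12 of its 60 addresses accepted (and 12 confirmation emails sent), while the two colleagues both get through; at 60 seconds the bot is held to a single subscription, but the second colleague is rejected and has to try again later. That second case is the shared-IP false positive mentioned above, and it is the price of the stronger setting.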
Why an address can subscribe twice
Because you can have more than one form inviting people to subscribe for different reasons and collecting email addresses on different lists. Hence I can decide, for example, to subscribe today to your site to receive your newsletter, and tomorrow subscribe again to get your latest free ebook.
Repeated subscriptions can be controlled from the subscription configuration page.