In a follow-up to the recent post about fake email subscribers, Update to Fake Email Subscriber Post: after working with Mailchimp’s support, I believe we have found the culprit, and potentially a solution.
Mailchimp confirmed that my API key was being used to add these fake subscribers, but it was unclear whether the key had been discovered or whether they were, in fact, coming from my signup form. So I rotated to a new API key and disabled every integration except my signup form, which I reconfigured with the new key. The fake subscribers still came in. But we could see they were not being added from within Mailchimp; they were definitely hitting the API from my other site.
So I started digging into what was happening on the site. Again, there were no matching visits to the page, so it seemed odd to me that the signups could be legit, and it turns out they weren’t. Digging through some logs, I could see that the same bots that were submitting spam comments via POST without ever viewing the page were also POSTing subscribe requests directly. My addition of a captcha to the form had no effect on those submissions; the spammers had obviously found a way around that. To prove it, I enabled the same captcha on comments to see if the spam comments were still being posted. Akismet was marking them as spam, but with the captcha they shouldn’t post at all, right? Wrong.
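One way to confirm the pattern described above from the web server's access log is to pair each POST to a form handler with the most recent GET of a page that renders that form from the same client, and flag the POSTs that have no such GET. This is an added example, not the author's code or any plugin's code; the endpoint paths, the 30-minute window, and the log lines are constructed assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Handlers that should only be POSTed to after a human loaded the form.
# Paths are assumptions for this example, not the site's real endpoints.
PROTECTED_POSTS = {"/wp-comments-post.php", "/subscribe/"}
# Pages that render those forms (also assumptions).
FORM_PAGES = {"/subscribe/", "/2015/04/some-post/"}

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format access log line; return None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    d["path"] = d["path"].split("?", 1)[0]  # drop query string
    return d


def find_blind_posts(lines, window=timedelta(minutes=30)):
    """Return POSTs to protected handlers whose client did not GET a form
    page within `window` beforehand. Input lines may be in any order."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    last_get = defaultdict(lambda: None)  # ip -> time of last form-page GET
    flagged = []
    for e in events:
        if e["method"] == "GET" and e["path"] in FORM_PAGES:
            last_get[e["ip"]] = e["ts"]
        elif e["method"] == "POST" and e["path"] in PROTECTED_POSTS:
            seen = last_get[e["ip"]]
            if seen is None or e["ts"] - seen > window:
                flagged.append(e)
    return flagged


# Constructed sample log: one real visitor (203.0.113.7), one bot that never
# fetched a page (198.51.100.23), and one stale GET well outside the window.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2015:09:01:12 +0000] "GET /subscribe/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2015:09:02:40 +0000] "POST /subscribe/ HTTP/1.1" 302 0 "http://example.com/subscribe/" "Mozilla/5.0"
198.51.100.23 - - [10/Apr/2015:09:05:03 +0000] "POST /subscribe/ HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.23 - - [10/Apr/2015:09:05:04 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
192.0.2.9 - - [09/Apr/2015:20:00:00 +0000] "GET /subscribe/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Apr/2015:09:10:00 +0000] "POST /subscribe/ HTTP/1.1" 302 0 "http://example.com/subscribe/" "Mozilla/5.0"
""".splitlines()


if __name__ == "__main__":
    for e in find_blind_posts(SAMPLE_LOG):
        print(e["ts"].isoformat(), e["ip"], "POST", e["path"], "ua=" + e["ua"])
```

Treat the output as a triage signal rather than a blocking rule: a bot can trivially fetch the page first, and a legitimate visitor behind a shared NAT, or whose page view was served from a CDN cache and never reached the origin log, would show up as a blind POST too. The Referer header is also not a substitute check, since the spammer controls it.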
That particular WordPress captcha plugin was no match for the spammers. So off to Google we go. I found a recommendation for a plugin named Goodbye Captcha, which uses a captcha-style analysis to block spam attempts without the user actually seeing a captcha. I turned that on for comments and for the Mailchimp form.
In two days, it has blocked 11 subscribe attempts. (Yes, it has reporting; this is awesome!) I have had no fake subscribers added to my list.