Lots of spam signups on double opt-in list

edited January 2013 in Questions
For Issue. Please check the attached Image

Website Link:
Subscription Form appears at Home Page bottom and on
during the "Free Trial Download" box.


  • In my humble opinion, you should use some kind of captcha for the newsletter signup form or use double opt-in and send confirmation emails from your own domain so that Amazon won't get any bounces. Downside to the latter - you have to implement your own double opt-in mechanism and pass only checked emails to Sendy.

    Some bots can also be eliminated by adding a CSRF token to the form or checking the referer's address. But some kind of captcha is the only way to eliminate all of them.
  • edited October 2012
    There is one more way to deal with it. Also custom. Get the MX record of the email domain, connect to this SMTP server, try to send email without sending an email.

    Tool that explains it:

    Technique explained:

    But yet again, this is custom work. Something that could be integrated with Sendy at some point in my opinion. A very nice replacement for (or addition to) the double opt-in method. Checked a few emails from your screenshot - no valid ones found, so it would filter out a lot of them.

    Yet, again, this is not all rainbows and stuff. Your IP can be blocked by SMTP if you check a lot of emails.
  • Sorry for so many posts in a short span of time. I was simply in the middle of researching this issue in the past hours. This may not be as dire as it seems with Amazon SES.

    "Q: Will I be affected by any bounces or complaints that are caused by other Amazon SES users?
    Even if other Amazon SES users cause bounces or complaints, your ability to send email should remain unchanged.

    There is one exception. Whenever a recipient address generates a hard bounce for any Amazon SES user, Amazon SES considers that address to be temporarily unreachable, and blocks all users from sending to it for the next 14 days. For details, go to the Amazon SES Developer Guide."

    Chances are, these emails have already generated a hard bounce, therefore it won't increase your bounce rate. But if these emails are completely random. Well, some kind of client or server side protection should be added...

    Other services like MailChimp don't really have any protection here other than global hard bounce base like with SES. But they don't care that much about bounce rate of their users' emails.

    I wonder what the Sendy creators' thoughts are on this topic.
  • Thanks @Vith for your thoughts on this.

    @neeraga I see you have a very popular website, that explains the amount of spam you're getting.

    With a situation like this, you should use the API to subscribe users instead, so that you can check for spam bots on the client side before sending the name & email to Sendy.

    One of the best ways without using Captcha for client side validation is
  • Thanks Vith for giving the ideas to work. Really appreciate your comments.

    @Ben, the approach at nfriendly seems to be really great. Thanks for the link. I would try to edit the subscribe.php file, so that it doesn't accept the spam emails. I would ask you for help if required.

    Probably it would be really great for other Sendy users as well, if the nfriendly thing is implemented in Sendy itself.


  • Until Sendy supports it (although if it does, others would also want captcha support and in my opinion, it's more of a website frontend-backend functionality), I would recommend using the API. Basically - call subscribe yourself from your backend.

    But if you really want, you can of course modify subscribe.php to match your needs (it's just an issue with every new version - you have to update file and change it again).

    Just to get you going, starting from line: 79.

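    //check if email is valid; also reject when the hidden "url" field has been filled in
    $validator = new EmailAddressValidator;
    if (!$validator->check_email_address($email) || $_POST['url'] != '')
    {
        //same generic error for a bad address and for a filled-in hidden field
        echo 'Invalid email address.';
        $feedback = 'Email address is invalid.';
    }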
    Url is your magic field, one that is hidden in your frontend. Feel free to change it. This change makes this field a required one (it has to be empty but it has to be there as well). You can add an isset check if you don't want to make it this way.

    Spambots will get an "email address is invalid" error, which is of course incorrect but you don't want to feed them any relevant information. It's better if they mark your site as incomprehensible or that there are errors with it.
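The checks suggested in this thread (hidden honeypot field, CSRF token, referer check, one generic error message), combined into a screening step that runs on your own backend before anything is passed to Sendy. This is an added example, not code from the original posts or from Sendy; the `url` field name follows the post above, while `screen_signup`, the `csrf` and `csrf_token` names, and `example.com` are assumptions.

```php
<?php
// Added example: screen a signup on your own backend before forwarding it to Sendy.
// "url" is the hidden field from the thread; other names and hosts are assumptions.

function screen_signup(array $post, array $session, array $server, string $siteHost): array
{
    // Honeypot: the hidden field must be present AND empty (isset avoids a PHP notice).
    if (!isset($post['url']) || $post['url'] !== '') {
        return [false, 'honeypot'];
    }
    // CSRF token: must match the one stored in the session when the form was rendered.
    if (empty($session['csrf_token']) || !isset($post['csrf'])
        || !is_string($post['csrf']) || !hash_equals($session['csrf_token'], $post['csrf'])) {
        return [false, 'csrf'];
    }
    // Referer: a weak signal (can be absent or forged) but cheap against simple bots.
    $refHost = parse_url($server['HTTP_REFERER'] ?? '', PHP_URL_HOST);
    if ($refHost !== $siteHost) {
        return [false, 'referer'];
    }
    // Syntax check only; whether the mailbox exists is still settled by double opt-in.
    if (!isset($post['email']) || filter_var($post['email'], FILTER_VALIDATE_EMAIL) === false) {
        return [false, 'email'];
    }
    return [true, 'ok'];
}

// Constructed sample requests (not real traffic).
$token   = bin2hex(random_bytes(16));
$session = ['csrf_token' => $token];
$server  = ['HTTP_REFERER' => 'https://example.com/'];
$samples = [
    'human'         => ['email' => 'alice@example.org', 'url' => '', 'csrf' => $token],
    'bot fills all' => ['email' => 'x@example.org', 'url' => 'http://spam.invalid', 'csrf' => $token],
    'direct POST'   => ['email' => 'y@example.org', 'url' => ''],
];

foreach ($samples as $label => $post) {
    [$ok, $reason] = screen_signup($post, $session, $server, 'example.com');
    // Keep the real reason in the server log; the client always sees the same error.
    error_log("signup[$label]: $reason");
    echo $label, ': ', $ok ? 'forward to Sendy' : 'Invalid email address.', "\n";
}
```

Only requests that pass every check would then be submitted to Sendy from the backend, so the public form never posts to Sendy directly.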
  • Interesting. I've not seen this behaviour with Sendy or other email tools, but contact forms sometimes get this seemingly random stuff.

    One correction: MailChimp does care about the bounce rate. Their threshold is similar to the one at AWS.
  • edited October 2012
    @nettiapina, I was under a different impression as they don't provide any spambot protection and their form creator doesn't allow captcha insertion. You have to create custom forms instead. I would guess that they treat double opt-in bounces differently (as any email that signs up but doesn't confirm it is not even tracked) which is the case here and SES has no means to differentiate between these.
  • @Vith, are there any additional parts of the script you provided above to get it to work?
  • @derivativemedia, I don't believe so. subscribe.php is the script used for subscribe links and API calls. I haven't tested it though as I prefer to do it without modifying Sendy code by simply using my own forms and calling the API myself.
This discussion has been closed.