Are Fake Signups Hurting Your Deliverability?

If you’ve noticed your open rates decreasing or your complaint rates increasing, it’s possible that the issue lies within your own signup form. Unfortunately, I see this problem time and time again. You might have heard this issue referred to as listbombing, spambots, signup form attacks, or bot signups. Either way, here’s what’s happening:

Forms all over the Internet are being compromised by bot signups.

Why?

Understandably, this is the first question I’m asked when I let a sender know that this is happening to them. Why do these spammers care to compromise your email form? Well, it isn’t personal. These spammers are using scripts to push as many email addresses as they can through as many forms as they can. There are a few different reasons spammers do this, but the most common reason I’ve seen is to hide account takeovers.

Spammers obtain a list of login information (email address and password) for accounts they’d like to compromise. However, they don’t want the account owners to realize their account has been accessed. The spammers push the list of email addresses to as many forms as they can find, which floods the inboxes for the victims of the account takeover. This means, if the victims were to receive an email warning that their account has been compromised, they likely won’t see it because their inbox is now unusable.

Not only is this an awful situation for the victims of this attack, it turns email marketers into unintentional spammers.

How Listbombing Affects Deliverability

If your form is compromised by listbombing, it means you’re now emailing real people that never signed up to be on your list. You aren’t doing this intentionally, of course, but from the perspective of the recipient, you’re sending them email they never signed up for — spam.

Because the recipients didn’t actually opt-in to your list, they’ll likely mark your message as spam. In the email industry, this is called a complaint. Each complaint is a negative signal to mailbox providers and an elevated complaint rate will hurt your sender reputation. Once your sender reputation is damaged, messages will start going to the spam folder and open rates will decline. Once this damage is done, it can take quite a while to repair it.

Signs of Listbombing

Here are some common signs of listbombing I’ve seen:

  • A combination of letters and numbers in the “name” field(s)

    • ex: 3d8c64c197

  • The local part of the email address in the “name” field(s)

    • ex: jenny534 in the name field when the email is jenny534@example.com

  • A large number of international domains that don’t make sense for your email list

    • ex: If you run a small ice cream shop in Kentucky, having a lot of signups ending in .ru (Russian addresses) would be a sign of listbombing

  • Subscribers complaining about the first email they receive from you after signing up on your form

    • It wouldn’t make sense for a true subscriber to sign up for your email list and then immediately mark your message as spam. This is a clear sign of listbombing
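
The signs above can be checked automatically against a signup export. The following is an added example, not code from the original post; the record fields (`form`, `name`, `email`, `complained_on_first_email`), the expected-TLD set, and the sample records are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumption: TLDs that make sense for this sender's audience; tune per list.
EXPECTED_TLDS = {"com", "net", "org", "edu", "us"}
# One unbroken token mixing letters and digits, e.g. "3d8c64c197".
RANDOM_NAME = re.compile(r"^(?=.*[a-z])(?=.*\d)[a-z0-9]{8,}$", re.I)

def listbomb_signs(signup):
    """Return which of the listbombing signs one signup record shows."""
    signs = []
    name = signup.get("name", "").strip()
    email = signup.get("email", "").strip().lower()
    local, _, domain = email.rpartition("@")
    if name and name.lower() == local:
        signs.append("name_is_local_part")
    elif RANDOM_NAME.match(name):
        signs.append("random_name")
    if domain.rsplit(".", 1)[-1] not in EXPECTED_TLDS:
        signs.append("unexpected_tld")
    if signup.get("complained_on_first_email"):
        signs.append("first_email_complaint")
    return signs

def flagged_share_by_form(signups):
    """Fraction of signups per form that show at least one sign."""
    total, flagged = defaultdict(int), defaultdict(int)
    for s in signups:
        total[s["form"]] += 1
        flagged[s["form"]] += bool(listbomb_signs(s))
    return {form: flagged[form] / total[form] for form in total}

# Constructed sample records (not real subscribers).
SAMPLE = [
    {"form": "footer", "name": "3d8c64c197", "email": "a.reader@example.com"},
    {"form": "footer", "name": "jenny534", "email": "jenny534@example.com"},
    {"form": "footer", "name": "Ivan P", "email": "ivan@example.ru",
     "complained_on_first_email": True},
    {"form": "footer", "name": "Dana Lee", "email": "dana@example.org"},
    {"form": "checkout", "name": "Sam Ortiz", "email": "sam@example.net"},
]

if __name__ == "__main__":
    for form, share in flagged_share_by_form(SAMPLE).items():
        print(f"{form}: {share:.0%} of signups show a listbombing sign")
```

A single sign on one record proves little; a form whose flagged share jumps compared with your other forms is the one to secure first.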

How to Prevent Listbombing

Even if you haven’t seen any signs of listbombing yet, it’s best to be proactive about protecting your sender reputation. Prevent listbombing by protecting your form with Captcha. I know that not everyone loves Captcha, but it’s much better than having poor deliverability. These days, you can even use invisible reCAPTCHA on your forms, minimizing any barriers to your subscribers.

It’s important to note that not everyone has success with Captcha. Be sure to monitor your list and be ready to adapt if you still see signs of listbombing. Some Captchas disappear when JavaScript is disabled, allowing your form to continue being abused. Make sure your Captcha isn’t doing this.

Another way to keep your list bot free is by making your form confirmed opt-in. This means subscribers will need to confirm their opt-in via email before they are added to your list. While this is always a best practice, it still allows bot signups to receive at least one email from you (the confirmation), which makes Captcha a more ideal solution. The best protection is using both Captcha and confirmed opt-in.
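
Combining both protections on the server side looks like the sketch below, an added example that is not from the original post. `verify_captcha` is a hypothetical callable standing in for your Captcha provider's server-side verification, and the secret, token lifetime, and in-memory sets are assumptions.

```python
import hashlib
import hmac
import time

SECRET = b"replace-with-random-server-side-key"  # placeholder, not a real key
TOKEN_TTL = 48 * 3600  # assumption: confirmation links stay valid for 48 hours
pending, subscribers = set(), set()  # stand-ins for your list storage

def _sign(email, expires):
    return hmac.new(SECRET, f"{email}|{expires}".encode(), hashlib.sha256).hexdigest()

def handle_signup(email, captcha_token, verify_captcha, now=None):
    """Return a confirmation token, or None if the Captcha was not passed."""
    now = int(time.time() if now is None else now)
    # Fail closed: a missing token (widget never rendered, e.g. JavaScript
    # disabled) is treated the same as a failed challenge. No email is sent.
    if not captcha_token or not verify_captcha(captcha_token):
        return None
    email = email.strip().lower()
    pending.add(email)  # not on the list yet
    expires = now + TOKEN_TTL
    return f"{expires}.{_sign(email, expires)}"  # embed in the confirmation link

def handle_confirm(email, token, now=None):
    """Move a pending address onto the list only if its token is valid."""
    now = int(time.time() if now is None else now)
    email = email.strip().lower()
    try:
        expires_s, sig = token.split(".", 1)
        expires = int(expires_s)
    except ValueError:
        return False  # malformed token
    if expires < now or email not in pending:
        return False  # expired link, or address never passed the Captcha
    if not hmac.compare_digest(sig.encode(), _sign(email, expires).encode()):
        return False  # token was not issued for this address
    pending.discard(email)
    subscribers.add(email)
    return True
```

Because the check runs in the form handler rather than in the browser, a submission that arrives without a Captcha token never triggers even the confirmation email.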

If you’re struggling to get your form secured, reach out to your ESP for help!

How to Recover from Listbombing

If you’ve already been the victim of listbombing, you’ll need to secure your forms, clean the existing bots from your list, and repair your reputation. We’ve covered the steps to secure your forms, so let’s talk about cleaning the bots from your list.

Sometimes it can be impossible to distinguish a bot signup from a legitimate signup, so outright deleting subscribers isn’t a good option. Instead, you can send an opt-in confirmation email to everyone who:

  • Signed up through the impacted form(s)

  • Has not opened any emails

You’ll want to be sure to remove all subscribers who don’t confirm their opt-in, as they’re likely bots.

After sending this opt-in confirmation email, it’s time to repair your sender reputation. To do this, I’d recommend sending only to your most engaged subscribers for the next 2-3 weeks, then slowly adding in others. This will help boost your positive signals to mailbox providers and influence them to place your messages in the inbox. Reputation repair can take months, so continue cleaning your list of unengaged subscribers.

Have you had any experience with bot signups? I’d love to hear about it. Leave a comment or submit through the contact form if you’d like to chat more about listbombing.
