Got spammed with fake newsletter signups? Learn how to protect your forms using double opt-in, CAPTCHA, and Cloudflare.

Backstory

I woke up to 200 new subscribers on the newsletter of my site, videiro.com. Had it finally happened? Did my site finally go viral?

Sadly no. After checking the new subscribers, I noticed that none had verified their email addresses, not even one; that's definitely not a coincidence. After some quick research, I understood that I had indeed been spammed.

But all the emails look legit. Here are some examples:

- kathyolynn@yahoo.com
- lukeckins@gmail.com
- dispatch@gonealinc.com
- doug_fern@hotmail.com

After some initial research (entering the emails into haveibeenpwned), it looks like most of these email addresses have been in some kind of hack or breach.

So what was happening? How can I prevent it in the future?

Someone decided to use compromised email addresses to spam my form. Either to pollute my newsletter, to see how far they could go, or just because they can?

What I Learned

When making anything publicly available on the internet, there will be spammers, there will be bots, and there will be people trying to hack it. That is why you should always make it as secure as possible.

It turns out that this kind of spam attack is more common than you think (especially since my blog's newsletter also got spammed a couple of weeks later). Bots crawl the web and look for forms, usually newsletter or contact forms, and then start submitting "leaked" email addresses.

But why? Here are some reasons I came up with:

- To pollute your email list (if this is a personal attack, which I don't think it is in this case)
- To test the validity of the emails??
- To annoy the owners of the leaked email addresses by having them subscribed to thousands of newsletters
- To annoy the website owner (me)

How I Fixed It

I have a couple of solutions to this problem.
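Before the fixes, it helps to see what the backstory looks like as data and what the clean-up in Step 1 amounts to. The Python script below is an added example written for this article; it is not code from the original post or from Listmonk. It assumes a subscriber export shaped as a list of records with `email`, `created_at` (ISO 8601, UTC) and `status` (`confirmed` or `unconfirmed`), which is roughly what any double opt-in list tracks; the sample records and addresses are constructed, not real subscribers. It flags the kind of burst described in the backstory (many signups in a short window, none of them confirmed) and lists the unconfirmed addresses that are older than a grace period, which is exactly the set you would remove from a double opt-in list.

```python
"""Triage a newsletter subscriber export after a signup-spam incident.

Added example for this article; not from the original post or from Listmonk.
Assumed record shape (constructed): {"email", "created_at" ISO 8601 UTC, "status"}
where status is "confirmed" or "unconfirmed", as a double opt-in list tracks it.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample export: three organic readers plus a burst of 60
# unconfirmed signups inside ten minutes one night. Addresses are fictional.
SAMPLE_EXPORT = [
    {"email": "reader1@example.com", "created_at": "2024-02-20T10:15:00Z", "status": "confirmed"},
    {"email": "reader2@example.com", "created_at": "2024-02-25T18:40:00Z", "status": "confirmed"},
    # Signed up recently and simply has not clicked the confirmation link yet.
    {"email": "reader3@example.com", "created_at": "2024-03-09T12:00:00Z", "status": "unconfirmed"},
] + [
    {
        "email": f"victim{i}@example.net",
        "created_at": f"2024-03-01T03:{i // 6:02d}:{(i % 6) * 10:02d}Z",
        "status": "unconfirmed",
    }
    for i in range(60)
]


def parse_ts(value):
    """Parse an ISO 8601 timestamp; accepts the trailing 'Z' many exports use."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def signup_bursts(records, window=timedelta(minutes=30), threshold=20):
    """Find runs of at least `threshold` signups inside `window`.

    Returns one entry per non-overlapping burst with its start time, size and
    the share of signups still unconfirmed. Organic traffic is spread out and
    mostly confirmed; a bot hitting the form produces a dense, unconfirmed run.
    """
    times = sorted((parse_ts(r["created_at"]), r["status"]) for r in records)
    bursts = []
    i = j = 0
    while i < len(times):
        start = times[i][0]
        while j < len(times) and times[j][0] - start <= window:
            j += 1
        count = j - i
        if count >= threshold:
            unconfirmed = sum(1 for _, status in times[i:j] if status == "unconfirmed")
            bursts.append({"start": start, "count": count, "unconfirmed_ratio": unconfirmed / count})
            i = j  # skip past this burst so it is reported once
        else:
            i += 1
    return bursts


def stale_unconfirmed(records, now=None, grace=timedelta(days=7)):
    """Addresses that never confirmed within the grace period.

    On a double opt-in list these are the only ones that need removing; a
    recent unconfirmed signup is left alone because the owner may still confirm.
    """
    now = now or datetime.now(timezone.utc)
    return sorted(
        r["email"]
        for r in records
        if r["status"] == "unconfirmed" and now - parse_ts(r["created_at"]) > grace
    )


if __name__ == "__main__":
    for b in signup_bursts(SAMPLE_EXPORT):
        print(f"burst at {b['start']:%Y-%m-%d %H:%M}: {b['count']} signups, "
              f"{b['unconfirmed_ratio']:.0%} unconfirmed")
    stale = stale_unconfirmed(SAMPLE_EXPORT, now=parse_ts("2024-03-10T12:00:00Z"))
    print(f"{len(stale)} unconfirmed addresses past the grace period, e.g. {stale[:3]}")
```

Run it as-is to see the burst summary, then point it at whatever your newsletter software exports. The grace period is the "couple of days/weeks" from Step 1 made explicit; pick it long enough that a real reader who is slow to check their inbox is not purged along with the bot's submissions.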
Step 1: Enable Double Opt-in

The first and most important step is to make sure that all your newsletters are 'double opt-in', meaning that the user has to confirm their email address before getting subscribed. On Listmonk (the newsletter software I am using), make sure that the list to which you are subscribing your users is double opt-in. This means that even if your form gets spammed, you can just remove all the addresses that haven't verified their email (after a couple of days/weeks).

Want to learn how to set up your own self-hosted newsletter with Listmonk? Check out my guide: How to set up a self-hosted newsletter using Listmonk.

Step 2: Add Captcha or Cloudflare JS Challenge

The second step I took was to enable some sort of captcha. Initially, I set up hCaptcha via Listmonk. But I don't think that is the best solution, as it's kind of annoying. I am, however, using it for the videiro.com newsletter. If you're interested in how to do it, here's how:

1. Open the Listmonk web UI
2. Go to Settings
3. Under Security, enable captcha and enter a hCaptcha.com API key (you will first have to sign up at hcaptcha.com)

However, with this setup, if you are using custom forms (like the email subscription form below), the submission process will be kind of broken.

So instead, what I came up with and am currently using on the 4rkal.com newsletter is a Cloudflare JS Challenge on a specific subdomain. The way I have set up my email newsletter is that Listmonk runs on newsletter.4rkal.com, a separate subdomain. This means that I can set that specific subdomain as "under attack" on Cloudflare and prompt users to sometimes complete a captcha. To do this:

1. Head to cloudflare.com
2. Log in and head to the dashboard of your specific domain
3. Under Security select WAF
4. Then click on Create rule
5. Give it any name
6. Under Field select hostname and under Operator select wildcard; in Value enter the subdomain, in my case newsletter.4rkal.com. The expression should look like this: (http.host wildcard "newsletter.4rkal.com")
7. Under Choose action select JS Challenge
8. Click on Save

And that's about it.

Summary

Getting your website spammed is never fun, but I hope this article might have given clarity to people going through the same problem as me.

Subscribe

Join my newsletter here: https://newsletter.4rkal.com/subscription/form