A robot has won my iPad competition

megatron

(updated: 2019-04-24 with new domains)

If you run a competition and ask people to enter it by providing you with an email address, as well as other details, you run the risk of a having that form filled out by an Automated Competition Bot.

Basically there are services which trawl the web looking for competition entry forms so they can fill them out. Some of them are just trying to ruin a competition, some of them are one person trying to win as much free stuff as they can and some of them are offering a service where someone else can put their details into a tool and that tool will enter them into as many competitions as it can.

Either way, this means that some of the entrants to your competition have not seen your site or your brand and just want something for nothing.
Presumably this defeats the object of your competition which, in this and many cases, is to provide brand awareness, build a list of at least intrigued people and offer at least one of them a prize in reward.

You will always get some people who just want the prize, especially if it is a good prize; but if you offer too good a prize the bots will find you. If for instance you create a lovely landing page for your prize draw for a free iPad, the bots will find you!

If you’ve been got, you might see that you have a lot more entrants than you expected and when you see the list you might find a high volumes of a few domains which you don’t recognise as a commonly used consumer domain like the hotmails and gmails most of you would expect to see.

This is the list from back in 2013 of the ones I’d seen or had found during our research:


2rainmail.org.uk, barchor.org.uk, bestmailforyou.co.uk, cannotmail.org.uk, course-manager.co.uk, crymet.org.uk, darklin.info, drecom01.co.uk, easybusinessemail.info, freemailstore.com, freggnet.co.uk, hoodmail.co.uk, indigoable.net, kreahnet.org.uk, laurelbaker.net, lonynet.oeg.uk, mailbreaker.co.uk, meandmine.info, mobiledatamail.com, moussenetmail.co.uk, movenextweb.com, mywheelbox.org.uk, navyngrey.com, pluntermail.org.uk, prainnet.org.uk, purpleweb.info, rackernet.org.uk, railosnet.co.uk, rottmail.co.uk, runracemail.org.uk, runwaynet.org.uk, satinmaker.info, sherrymail.co.uk, shortsmail.co.uk, stickique.com, stonetimenet.co.uk, tangerineinternet.com, telph1line.org.uk, threemailnet.co.uk, tigerweb.org.uk, tyermail.org.uk, wonandron.co.uk, wormail.co.uk, yourmail4you.com

UPDATE:

An even more dedicated chap called Rob Record (cool name) ran into this more recently (early 2019), found my list and has made an updated version. Some of his observations are that the domain names are very similar but with slight changes. This suggests that the hosts realised they’d been twigged and blocked so altered them to sneak through.

Here’s Rob’s updated list which he kindly shared with me for you…

2rainmail.org.uk, barchor.org.uk, bestmailforyou.co.uk, cannotmail.org.uk, course-manager.co.uk, crymet.org.uk, darklin.info, drecom01.co.uk, easybusinessemail.info, freemailstore.com, freggnet.co.uk, hoodmail.co.uk, indigoable.net, kreahnet.org.uk, laurelbaker.net, lonynet.org.uk, mailbreaker.co.uk, meandmine.info, mijnpostcode.nl, mobiledatamail.com, moussenetmail.co.uk, movenextweb.com, mywheelbox.org.uk, mywheelboxmail.org.uk, navyngrey.com, pluntermail.org.uk, prainet.org.uk, prainnet.org.uk, purpleweb.info, rackernet.org.uk, railosnet.co.uk, rottmail.co.uk, rottmail.org.uk, runracemail.org.uk, runwaynet.org.uk, satinmaker.info, sherrymail.co.uk, shortsmail.co.uk, stickique.com, stonetimenet.co.uk, tangerineinternet.com, telph1line.org.uk, threemailnet.co.uk, tigerweb.org.uk, tyermail.org.uk, wonandron.co.uk, wormail.co.uk, yourmail4you.com

Rob said:

lonynet.oeg.uk became lonynet.org.uk
mywheelbox.org.uk became mywheelboxmail.org.uk
prainet.org.uk became prainnet.org.uk
rottmail.co.uk became rottmail.org.uk
mywheelbox.org.uk became mywheelboxmail.org.uk
mijnpostcode.nl was added

I haven’t replaced anything except for lonynet.oeg.uk

These were all based on spam submissions I saw coming in to a competition form I had a lot of traffic on. Hope it helps!

What a legend!

I suggest you add them all to a suppression.

If you do not want them entering, you will have to put some extra security into your competition form.

Common solutions include:

  • Invisible ReCaptcha: Google’s new angle on captcha, where it can tell a robot without a person having to tick a box, then it’ll kick in a captcha test on it’s own.
  • Captcha methods: A form widget which offers a picture of numbers and letters for the user to enter as they submit the form.
  • Hidden field entry: Have a hidden field which a human user cannot enter details for but the bot might as it blindly provides values for every field in pages HTML. You can then simply reject all entrants with a value in that hidden field.
  • Domain rejection: Hold a list of known bot domains and reject any entrants using email addresses in those domains.
  • Double Opt-in: Send an email directly back to the entrant containing a link for them to click in order to complete their entry; this confirms their interest and the fact they own the address.
  • Server side processing: (this is a bit techy) often the easiest way to perform this kind of validation client side using javascript. It is very easy for bots to bypass client-side javascript, so it helps if the validation can be done server-side.

Google and much of my research suggests that Loquax has a great resource for more information, whether that was deliberate or not?

 

2 thoughts on “A robot has won my iPad competition

  1. Good shout Bill!
    A solid solution to this problem is to do everything you can to fully validate each address at the point of collection. Validation services, of which FreshAddress are a market leader, offer an instant solution to potentially problematic data collection points. If you’ve ever had this problem, you should definitely explore this option.

    Like

Comments are closed.