Signup form subscription bombing is worth avoiding


Subscription Bombing

Everyone who sends email even close to properly has a sign-up form, so you should all have heard about subscription bombing by now, and signup form subscription bombing is worth avoiding.

Just in case you haven’t, it’s when a spider, bot, virus etc. finds a form on a page and submits it, a lot. Like a DDoS attack but with email addresses: thousands an hour, or even a minute, relentlessly.

I’ve recently been tracking hits on a form (which is protected) for about a month; they began in China before going to the Philippines, then Hong Kong and then back from the Philippines, mainly using numbers at qq and repeating combinations of a short list of names for the other fields.

Consequences of subscription bombing on your list

There are a few consequences for a list:

  • It fills up really quick and with rubbish.
  • You can’t send to it.
  • It’s a nightmare to clean.
  • If you have a welcome message and no double opt-in, you then send tens of thousands of messages that will never be opened.
  • If you have a double opt-in email, you’ll still send tens of thousands of them, but at least only the humans will confirm.

This all sounds inconvenient, expensive and very complicated to recover from…

It then gets worse when Spamhaus blocklists your IP for not sufficiently protecting your sign-up form. Apparently you should know about this and want to protect it. Also, your ISP probably has a Spamhaus listing in their Ts & Cs as a thing not to have, so now your entire hosting package is on the line.

How does Spamhaus manage to find out? Interesting question; however, it matters not. It’ll make you fix it quicker and you won’t do it again.


Spamhaus is the worst blocklist to be on, and most people who get on a list deserve to be there. It’s successful, popular and reliable for a reason. But sometimes you’re unlucky. Ignorance is not an excuse, although it may be a reason, and ignorance is cured by knowledge. Sometimes you get punished twice: while the guilt and the consequences of the first problem, what you thought was the big problem, are sinking in, you get called an idiot and kicked while you are down. Signup form subscription bombing is worth avoiding. Do your homework, otherwise you look lazy and contemptuous, and that never goes down well.

How to avoid subscription bombing

Double opt-in and reCaptcha.

How to avoid signup form subscription bombing


As I’m sure you know, subscription bombing is ugly and expensive. Having your form signed up to thousands of times in an hour by what is essentially a virus in a DDoS attack is the worst. So here’s how to avoid signup form subscription bombing.

1. Double Opt-in

Also known as Confirmed Opt-in (COI): someone signs up, and you send them an email with a link in it. If they click it they get in; if they don’t, they don’t. It’s as simple as that.

Well before subscription bombing was a thing, this was ‘best practice’: listed in every ISP’s bulk sender guidelines; cited by every spam blocklist as proof that email is solicited; and often named the list killer by B2B email marketers, the needless added barrier to that all-so-valuable foot in the door.

For the most part, only people who want to be on the list will click the link in the confirmation email they get after signing up. If you get unlucky, lazy or stupid and hit a trap, COI gets you notified before you get blocklisted. Senders who are scared they’ll lose those people aren’t confident in their own brand and the exclusivity of their list.

2. reCaptcha

Google’s completely free and far prettier version of the captcha, where you tick a box and Google decides whether you are a human or not. If it can’t decide, it’ll ask you to click some pictures: just the ones with road signs or house numbers in, etc.

Only a human would be able to pick out and match those images, like the original captcha, but Google does a little bit of checking first.

There is also now an invisible version, so you don’t even have to tick a box. It’s very new and its UX is yet to be accepted.

Just log in with a Google account, get the code and follow the instructions.


Lightboxes Improve Cart Recovery


Lightboxes increase abandoned-cart email capture…

One fragment of big data is using browser and cart behaviour for better profiling, accurate product recommendations and cart abandonment emails.

One of the most prominent best-of-breed software packages for this specific service is FreshRelevance (formerly called Triggered Messaging).
By installing a script on your site, much like the one you have for Google Analytics, the tool will watch your site and store product interactions for individuals who can be identified.

One of the very cool things it can do is look visitors up in your ESP when they click through from an email. This means that no personally identifying info is carried around, and each bit of software is used for its core job and complements the other.

However, as usual, one of the primary goals is to rescue and convert new visitors whose email address you do not have. If they don’t enter it, you get nothing.
When someone is shopping as a guest it has become popular to ask them for an email address to save the cart. This avoids the often over-complicated and tedious process of creating a whole new account at the point of checkout, but it still allows you to send an abandoned cart email.

If you use FreshRelevance, it turns out our trusted PadiAct is the lightbox of choice. Sign-ups through a PadiAct lightbox can be picked up by FreshRelevance and, of course, will be sent back to your choice of ESP, where you do your welcome email thing too.

Stay tuned for some specific ecommerce lightbox tips

The great big data fragmentation


Collections of focussed, specialised tools for each job instead of one big suite for all

It’s not a secret that the phrase “big data” didn’t actually bring anything new: single customer view, data mining etc. have been around for a long time. But the ability to obtain, store and use that data tended to require a custom in-house build or a very expensive all-encompassing suite.

Subsequently it got written off for all but the larger brands, who could use it and justify the cost of the big suite.

It felt like this knowledge had been lost over the generations of SME marketing managers, whose predecessors had ripped it from the archives to save future generations from such disappointment.

The catchphrase “Big Data” was enough to bring these wants and dreams back to the minds and hearts of all marketers, including those who couldn’t afford it.

This time, though, those people whose investigations would once have raised their hopes about a feature set, only to be dashed by the price, had a much better time of it, as will we all.

“Multitasking is the thief of quality”: today’s solutions are about specialist software, focussed and best of breed, not the full all-singing, all-dancing suites that may do everything but where not all of it will be what you want.

The best of Big Data is a fragmented solution where you buy a solution to your problem not one solution to all problems and use what you need.

Think of focussed solutions like abandoned forms and baskets from software like Triggered Messaging, or lightbox sign-up forms from software like PadiAct, where the solution is a very narrow element but you get so much control, so many options and so much data.

Added to that, the new demands from the marketer have caused existing software providers to make more of their data available with added features to use it.

ESPs are a great example. While an ESP will count each event that can happen to an email, the stats available are often basic. This new requirement has pushed ESPs to compete over data mining features, as they have over deliverability, visual editors and customer service in recent years.

Engagement, single customer view, automations, purchase & abandon purchase tracking and more are available from an ESP.

It may not surprise you to know that not all features are written by each ESP; some are white-labelled from specialist third parties. That is not a bad thing at all. No ESP has tried to write their own inbox preview software; most just use the Litmus API, and many even tell people about it.

The only concern is when brands get bought and solutions are bundled together as a single product when they are not one, and feature quality is diluted as the suite grows.

A few seasoned ESPs have been bought by seasoned database and enterprise solutions firms, or an ESP has bought other companies for features it wants. There is a lot of confusion over what they actually offer now, or what they were bought for, and this will serve to open the door to the more fragmented solutions where you pick and choose dedicated best-of-breed solutions and expect them to work together.

Nowadays people expect the ESP to integrate more because it is the end point for the data, but cloud-based single customer view solutions are arriving to sit between multiple databases and your ESP. Keep an eye out for them; they’re game changers.

A robot has won my iPad competition


(updated: 2019-04-24 with new domains)

If you run a competition and ask people to enter it by providing you with an email address, as well as other details, you run the risk of having that form filled out by an automated competition bot.

Basically there are services which trawl the web looking for competition entry forms so they can fill them out. Some of them are just trying to ruin a competition, some of them are one person trying to win as much free stuff as they can and some of them are offering a service where someone else can put their details into a tool and that tool will enter them into as many competitions as it can.

Either way, this means that some of the entrants to your competition have not seen your site or your brand and just want something for nothing.
Presumably this defeats the object of your competition, which in this and many cases is to provide brand awareness, build a list of at least intrigued people and offer at least one of them a prize as a reward.

You will always get some people who just want the prize, especially if it is a good prize; but if you offer too good a prize the bots will find you. If for instance you create a lovely landing page for your prize draw for a free iPad, the bots will find you!

If you’ve been got, you might see that you have a lot more entrants than you expected, and when you look at the list you might find high volumes of a few domains which you don’t recognise as commonly used consumer domains, like the Hotmails and Gmails most of you would expect to see.

This is the list from back in 2013 of the ones I’d seen or had found during our research:


An even more dedicated chap called Rob Record (cool name) ran into this more recently (early 2019), found my list and has made an updated version. Some of his observations are that the domain names are very similar but with slight changes. This suggests that the hosts realised they’d been twigged and blocked so altered them to sneak through.

Here’s Rob’s updated list which he kindly shared with me for you…

Rob said: became became became became became was added

I haven’t replaced anything except for

These were all based on spam submissions I saw coming in to a competition form I had a lot of traffic on. Hope it helps!

What a legend!

I suggest you add them all to a suppression list.

If you do not want them entering, you will have to put some extra security into your competition form.

Common solutions include:

  • Invisible reCaptcha: Google’s new angle on captcha, where it can tell a robot without a person having to tick a box, then kicks in a captcha test on its own.
  • Captcha methods: a form widget which offers a picture of numbers and letters for the user to enter as they submit the form.
  • Hidden field entry: have a hidden field which a human user cannot enter details into but a bot might, as it blindly provides values for every field in the page’s HTML. You can then simply reject all entrants with a value in that hidden field.
  • Domain rejection: hold a list of known bot domains and reject any entrants using email addresses in those domains.
  • Double opt-in: send an email directly back to the entrant containing a link for them to click in order to complete their entry; this confirms their interest and the fact that they own the address.
  • Server side processing: (this is a bit techy) often the easiest way to perform this kind of validation is client side using JavaScript. It is very easy for bots to bypass client-side JavaScript, so it helps if the validation is done server-side.
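The double opt-in process described in the subscription bombing post above and the hidden-field, domain-rejection and server-side checks in this list can be combined in one server-side screening step. This is an added example, not code from the original post; the field name `website` used as the hidden honeypot, the bot domains and the secret key are constructed placeholders, and the confirmation token is a plain HMAC over address, issue time and nonce.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample suppression list; real entries come from your own form logs.
BOT_DOMAINS = {"example-bot.test", "prizebot.invalid"}
# Constructed secret; in production load it from configuration, never hard-code it.
SECRET_KEY = b"replace-me-with-a-long-random-secret"
TOKEN_TTL = 48 * 3600  # confirmation links stay valid for 48 hours


def screen_entry(form):
    """Server-side screening of a submitted sign-up or competition form.
    Returns (accepted, reason) so the reason can be logged for later review."""
    # Honeypot: a field humans never see, so any value means a bot filled every input
    if form.get("website", "").strip():
        return False, "honeypot"
    email = form.get("email", "").strip().lower()
    if "@" not in email:
        return False, "invalid-email"
    domain = email.rsplit("@", 1)[1]
    if domain in BOT_DOMAINS:
        return False, "blocked-domain"
    # Passed the cheap checks; the entry stays pending until the COI link is clicked
    return True, "pending-confirmation"


def make_confirm_token(email, now=None):
    """Issue the double opt-in token to embed in the confirmation link."""
    issued = int(now if now is not None else time.time())
    nonce = secrets.token_hex(8)
    msg = f"{email.lower()}|{issued}|{nonce}".encode()
    sig = hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()
    return f"{issued}.{nonce}.{sig}"


def verify_confirm_token(email, token, now=None):
    """True only if the signature matches this address and the link is still fresh."""
    try:
        issued_s, nonce, sig = token.split(".")
        issued = int(issued_s)
    except ValueError:
        return False  # malformed or tampered link
    msg = f"{email.lower()}|{issued}|{nonce}".encode()
    expected = hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False
    current = now if now is not None else time.time()
    return 0 <= current - issued <= TOKEN_TTL
```

Only an address that passes `screen_entry` and later returns `True` from `verify_confirm_token` should be moved onto the live list; everything else stays out of the send.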

Google and much of my research suggest that Loquax has a great resource for more information, whether that was deliberate or not.


Best open times ruined by mobile

In the last … forever … email marketers have studied the best time of day to send an email to get the most people to open it.

On a B2B level you knew they’d be at work 9-5, probably using MS Outlook, with coffee and lunch breaks.
Consumers would tend to be better in the early evenings when they turned their computers on after dinner.

Now we’ve all got smartphones, not only can we check our emails on the move at any time, we can even be alerted to a new email by our phone, like we would an SMS.

This means more recipients will open the email within minutes of receiving it. So, to an extent, it does not matter when the emails are sent; a large percentage of the list will open it straight away, especially with iPhones loading the images automatically.

It does not, however, mean engagement!

This also means that most of the open-time studies are now wrong. It’s no longer about the time of the open; it’s about the time of engagement: opportunity, convenience, brand rapport, relevance.

Or has it always been this way and KPIs have simply distracted us?

(image: courtesy of Swagstein)