Why are obvious fake emails signing up for our institutional newsletter?
August 24, 2022 8:42 AM

Where I work, we run a fairly dry institutional newsletter of very little interest to the general public. Recently, I've seen a run of obviously fake email/name pairings coming into our "sign up for our newsletter" form. What's in it for a spammer/hacker/whoever to sign up for newsletters via a garbage account?

I'm cynical enough that when I see an email address and name with the name being an obvious fake like Kurt Cobain, or a wild mismatch like "d.dunning@gmail.com" and name "Jennifer Albertson", I assume it's some sort of bot- or scammer-powered ridiculousness. But I can't figure out what the scam or angle is to having bots/fake people just sign up for random newsletters... what's the motivation?
posted by Shepherd to Technology (9 answers total) 1 user marked this as a favorite
 
This is happening to me on the other end - my email is being used to sign up for a lot of newsletters and fill in a lot of "contact us" forms. I suspect it is automated. They sign up with a name like "CryptoB". I'm still not clear on the angle.
posted by quadrilaterals at 8:55 AM on August 24, 2022


Do you have any features or content that are gated behind a newsletter signup? That would encourage fake or garbage signups (assuming there was no email verification step, and some people might try their luck anyway).
posted by Ted Maul at 9:19 AM on August 24, 2022 [2 favorites]


Just as a guess, they may be signing up for random mailing lists in case there is data that can be scraped and used for sketchy purposes, such as contact email addresses, physical addresses, or phone numbers. It's probably very low effort for a system to look for that information automatically from many mailing lists once signed up so even if any given mailing list doesn't include that information, it'd be worth adding many for a chance of finding something.
posted by past unusual at 9:24 AM on August 24, 2022 [5 favorites]


I believe this is often called "low volume list bombing" in the email/spam industry. Usually you can find a lot of these requests coming from similar IP addresses. The purpose of this is multifold--it can be used to compromise sending reputation, flood mailboxes, harass, and test spam filters and techniques. I'd recommend shutting it down if you can.
posted by sleeping bear at 9:44 AM on August 24, 2022 [1 favorite]


This is what Captchas are for.
posted by beagle at 11:26 AM on August 24, 2022 [2 favorites]


I sign up for newsletters in industries in which I have no association. I find them fascinating and I learn a lot by reading them. I use a fake email address at one of my domains, usually the name of the industry @mydomain. I get the catch all emails at my address so I can confirm them.
posted by JohnnyGunn at 11:45 AM on August 24, 2022 [2 favorites]


Best answer: If this is a website form, sometimes the object is to figure out whether or not the form itself can be hijacked into sending out spam email on its own. You should ensure that any emails generated from the sign-up form can't go to arbitrary recipients with any text that is input into the form without some mechanism in place to prevent spammers from abusing this maliciously (a relatively hard problem).

You should likely also make sure that your email list is double-opt-in or otherwise verifies the validity of the email address; that is, your mailing list management software should send out an email confirming that the user wants to subscribe to the email address that signed up, not just trust the web sign-ups blindly.
posted by Aleyn at 1:10 PM on August 24, 2022 [4 favorites]
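
The double opt-in check and fixed-text confirmation described in the answer above, as an added example (not part of the original thread and not MailChimp's code). The secret, the 48-hour lifetime, the confirmation URL and all function names are assumptions made for illustration.

```python
import base64, hashlib, hmac
from email.message import EmailMessage

SECRET = b"constructed-demo-key"                    # assumption: per-deployment secret
TOKEN_TTL = 48 * 3600                               # assumption: link valid for 48 hours
CONFIRM_URL = "https://newsletter.example/confirm"  # hypothetical endpoint

def _sign(payload: bytes) -> str:
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest()

def make_token(email: str, now: float) -> str:
    """Bind the address and issue time together under an HMAC."""
    payload = f"{email.lower()}|{int(now)}".encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)

def verify_token(token: str, now: float):
    """Return the confirmed address, or None if malformed, forged or expired."""
    try:
        b64, sig = token.split(".")
        payload = base64.urlsafe_b64decode(b64.encode())
        email, issued = payload.decode().rsplit("|", 1)
        issued = int(issued)
    except (ValueError, UnicodeError):
        return None
    if not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
        return None
    if now - issued > TOKEN_TTL:
        return None
    return email

def build_confirmation(email: str, name: str, now: float) -> EmailMessage:
    """Fixed-text confirmation mail. The form's 'name' field is deliberately
    never copied into the message, so the form cannot relay arbitrary text."""
    if any(c in email for c in "\r\n") or email.count("@") != 1:
        raise ValueError("rejecting malformed address")
    msg = EmailMessage()
    msg["To"] = email
    msg["Subject"] = "Confirm your newsletter subscription"
    msg.set_content(
        "Someone asked to subscribe this address. If that was you, confirm:\n"
        f"{CONFIRM_URL}?t={make_token(email, now)}\n"
        "Otherwise ignore this message and you will not be subscribed.\n")
    return msg
```

An address is added to the list only when `verify_token` returns it; unconfirmed signups are simply never mailed again.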


"Do you have any features or content that are gated behind a newsletter signup?"

Or content that's not actually locked behind a signup, but might appear to be so? I.e., a "sign up for our newsletter" pop-up on top of a blog post. Even if there is a 'no thank you' or X button, people might input some junk information just to make it go away.
posted by Glier's Goetta at 1:43 AM on August 25, 2022


Response by poster: Thanks for the thoughts so far -- to answer some questions:
- No, there's no promise of additional content or anything you "get" by signing up
- The form itself is created by MailChimp, so I'm hoping/assuming that they are ahead of the curve on making sure the form isn't vulnerable to exploits
- I have added a recaptcha and double-opt-in to the process, which were great suggestions -- thank you!
posted by Shepherd at 2:55 AM on August 25, 2022

