This content originally appeared on HackerNoon and was authored by 4rkal
Got spammed with fake newsletter signups? Learn how to protect your forms using double opt-in, CAPTCHA, and Cloudflare.
Backstory
I woke up to 200 new subscribers on the newsletter of my site, videiro.com. Had it finally happened? Did my site finally go viral?
Sadly no. After checking the new subscribers, I noticed that none had verified their email addresses, not even one. That’s definitely not a coincidence.
After some quick research, I understood that I had indeed been spammed. But all the emails looked legit. Here are some examples:
- kathyolynn@yahoo.com
- lukeckins@gmail.com
- dispatch@gonealinc.com
- doug_fern@hotmail.com
After some initial research (entering the emails into haveibeenpwned), it looks like most of these email addresses have appeared in some kind of hack or breach.
So what was happening? How can I prevent it in the future?
Someone decided to use compromised email addresses to spam my form, either to pollute my newsletter, to see how far they could go, or just because they can.
What I Learned
When making anything publicly available on the internet, there will be spammers, there will be bots, and there will be people trying to hack it. That is why you should always be making it as secure as possible.
It turns out that this kind of spam attack is more common than you think (especially since my blog’s newsletter also got spammed a couple of weeks later). Bots crawl the web and look for forms, usually newsletter or contact forms, and then start submitting “leaked” email addresses.
But why? Here are some reasons I came up with:
- To pollute your email list (if this is a personal attack, which I don’t think it is in this case)
- To test the validity of the emails??
- To annoy the owners of the leaked email addresses by having them subscribed to thousands of newsletters
- To annoy the website owner (me)
How I Fixed It
I have a couple of solutions to this problem.
Step 1: Enable Double Opt-in
The first and most important step is to make sure that all your newsletters are ‘double opt-in,’ meaning that the user has to confirm their email address before getting subscribed.
On Listmonk (the newsletter software I am using), make sure that the list to which you subscribe your users is double opt-in.
This means that even if your form gets spammed, you can just remove all the addresses that haven’t verified their email (after a couple of days/weeks).
Want to learn how to set up your own self-hosted newsletter with Listmonk? Check out my guide: How to set up a self-hosted newsletter using Listmonk.
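The two things double opt-in buys you, spotting a bot burst (a dense cluster of signups with zero confirmations, the pattern described in the section above) and purging the addresses that never confirmed after a grace period, as an added Python example that is not code from the article or from Listmonk. The subscriber records are constructed; their field names only loosely imitate a Listmonk subscriber export, which is an assumption.

```python
from datetime import datetime, timedelta

# Constructed sample export (not real subscriber data). The field names
# loosely follow a Listmonk subscriber export; that shape is an assumption.
SAMPLE = [
    {"email": "reader@example.org", "created_at": "2024-04-20T10:00:00Z", "subscription_status": "confirmed"},
    {"email": "burst1@example.com", "created_at": "2024-05-01T03:00:00Z", "subscription_status": "unconfirmed"},
    {"email": "burst2@example.com", "created_at": "2024-05-01T03:01:00Z", "subscription_status": "unconfirmed"},
    {"email": "burst3@example.com", "created_at": "2024-05-01T03:02:00Z", "subscription_status": "unconfirmed"},
    {"email": "burst4@example.com", "created_at": "2024-05-01T03:03:00Z", "subscription_status": "unconfirmed"},
    {"email": "burst5@example.com", "created_at": "2024-05-01T03:05:00Z", "subscription_status": "unconfirmed"},
    {"email": "burst6@example.com", "created_at": "2024-05-01T03:08:00Z", "subscription_status": "unconfirmed"},
    {"email": "newcomer@example.net", "created_at": "2024-05-09T12:00:00Z", "subscription_status": "unconfirmed"},
]
NOW = datetime.fromisoformat("2024-05-10T00:00:00+00:00")  # "today" for the cleanup run

def parse_ts(ts):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def signup_bursts(records, window=timedelta(minutes=10), threshold=5):
    """Flag windows with >= threshold signups in which nobody confirmed."""
    # Real traffic almost always contains some confirmations; a dense cluster
    # with zero is the signature of a bot replaying leaked addresses.
    rows = sorted(((parse_ts(r["created_at"]), r) for r in records), key=lambda x: x[0])
    bursts, i = [], 0
    while i < len(rows):
        start = rows[i][0]
        j = i
        while j < len(rows) and rows[j][0] - start <= window:
            j += 1
        chunk = [r for _, r in rows[i:j]]
        confirmed = sum(r["subscription_status"] == "confirmed" for r in chunk)
        if len(chunk) >= threshold and confirmed == 0:
            bursts.append({"start": start.isoformat(), "count": len(chunk),
                           "emails": [r["email"] for r in chunk]})
            i = j  # skip past the burst so it is reported once
        else:
            i += 1
    return bursts

def stale_unconfirmed(records, now, grace=timedelta(days=7)):
    """Addresses that never completed double opt-in within the grace period."""
    return [r["email"] for r in records
            if r["subscription_status"] == "unconfirmed"
            and now - parse_ts(r["created_at"]) >= grace]
```

Run `signup_bursts(SAMPLE)` to see the six-address burst flagged and `stale_unconfirmed(SAMPLE, NOW)` for the addresses that are safe to remove; the newcomer from yesterday is still inside the grace period and is kept.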
Step 2: Add Captcha or Cloudflare JS Challenge
The second step I took was to enable some sort of captcha. Initially, I set up hCaptcha via Listmonk. But I don’t think that is the best solution, as it’s kind of annoying. I am, however, using it for the videiro.com newsletter. If you’re interested in how to do it, here’s how:
- Open the Listmonk web UI
- Go to Settings
- Under Security, enable captcha and enter an hCaptcha.com API key (you will first have to sign up at hcaptcha.com)
However, with this setup, if you are using custom forms (like the email subscription form below), the submission process will be kind of broken.
So instead, what I came up with and am currently using on the 4rkal.com newsletter is a Cloudflare JS Challenge on a specific subdomain.
The way that I have set up my email newsletter is that I have Listmonk running on newsletter.4rkal.com, a separate subdomain.
This means that I can set that specific subdomain as “under attack” on Cloudflare and prompt visitors to sometimes complete a challenge.
To do this:
- Head to cloudflare.com
- Log in and head to the dashboard of your specific domain
- Under Security, select WAF
- Then click on Create rule
- Give it any name
- Under Field select hostname, under Operator select wildcard, and in Value enter the subdomain (in my case, that’s newsletter.4rkal.com). The expression should look like this: (http.host wildcard "newsletter.4rkal.com")
- Under Choose action select JS Challenge
- Click on Save
And that’s about it.
Summary
Getting your website spammed is never fun, but I hope this article might have given clarity to people going through the same problem as me.
Subscribe
Join my newsletter here: https://newsletter.4rkal.com/subscription/form