Online forms everywhere are experiencing fraudulent sign-up attacks. When a website form lacks human verification, such as CAPTCHA, it becomes susceptible. This includes Constant Contact’s sign-up forms that are embedded on websites.
Fraudulent sign-ups are the work of automated computer programs finding unprotected sign-up forms on the web. Once a form is located, the program will start submitting fictitious email addresses into the form. The result is a flood of unsolicited mail arriving in the victim’s inbox. Fraudulent sign-ups can impact Constant Contact’s sending reputation since some of these “fictitious” email addresses belong to real people who didn't ask for mail.
We have a new process in place to help identify fraudulent sign-up behavior, and prevent fictitious names from getting added to your account. You should also take steps to protect your sign-up form from these attacks.
What Constant Contact is Doing to Stop Fraudulent Sign-ups
When email addresses are added to your account, we check to see if they’re suspicious. Any email suspected of being fictitious is placed directly into the Temporary Hold - Do Not Email status. Even though you may see your contact level grow because of this issue, these contacts are inactive and therefore not billable.
What to do with Fraudulent Sign-ups
If you have contacts in the Temporary Hold - Do Not Email status, please leave them there. During these kinds of attacks, the same email addresses are getting reused over and over again. Another attempt could be made to add them to your list. Leaving them in your account prevents them from getting added again. Remember, you won’t be charged for keeping these contacts in your account.
How to Prevent Fraudulent Sign-Ups
Prevention, of course, is the best medicine. Here are ways to prevent fraudulent sign-ups:
When using a Constant Contact URL or embedded form on your website
We automatically turn on rate limiting and CAPTCHA. These limit the number of signups per hour, and require each signup to verify that they’re human. Here is what else you can do if you’ve been a victim of an attack:
- Remove and Re-Add the Form – Removing your sign-up form from your site and re-adding it should clear out any automated programs that may have attached themselves. Continue to monitor your contacts to make sure fraudulent sign-ups don’t happen again.
- Confirmed Opt-In – Confirmed Opt-In, also called double opt-in, sends every person who tries to sign up a confirmation email to verify that they really want to receive email from you. Keep in mind that any contacts that don't confirm their interest will not be able to receive email from you until they do.
When using a 3rd party form
- Secure the Form – If you are using a third-party form to collect sign-ups, like our WordPress plugin, you need to add reCAPTCHA to your form. reCAPTCHA asks people signing up to prove that they’re human by checking a box, which computer programs cannot do.
- Confirmed Opt-In – Confirmed Opt-In, also called double opt-in, sends every person who tries to sign up a confirmation email to verify that they really want to receive email from you. Keep in mind that any contacts that don't confirm their interest will not be able to receive email from you until they do.
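The two controls described above for a self-hosted form, an hourly rate limit on submissions and confirmed (double) opt-in, look like this in a minimal form handler. This is an added illustration, not Constant Contact's code or the WordPress plugin's; the secret, the limit of 5 per hour, the in-memory stores and the example addresses are all constructed for the demo, and a CAPTCHA check would be an additional call to the CAPTCHA provider before `handle_signup`.

```python
import base64, hashlib, hmac, json
from collections import defaultdict, deque

SECRET = b"constructed-demo-secret"   # assumption: real deployments load this from a secret store
TOKEN_TTL = 24 * 3600                 # confirmation links expire after one day
SIGNUPS_PER_HOUR = 5                  # per-client cap, the page's "signups per hour" idea

class HourlyRateLimiter:
    """Sliding-window counter: at most `limit` submissions per key (e.g. client IP) per hour."""
    def __init__(self, limit):
        self.limit = limit
        self.events = defaultdict(deque)

    def allow(self, key, now):
        q = self.events[key]
        while q and now - q[0] >= 3600:   # forget submissions older than an hour
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

def make_confirm_token(email, now):
    """Signed, time-stamped token that goes into the confirmation link (double opt-in)."""
    payload = base64.urlsafe_b64encode(json.dumps({"email": email, "ts": int(now)}).encode()).decode()
    sig = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"

def verify_confirm_token(token, now):
    """Return the email a token vouches for, or None if it is forged, tampered with, or expired."""
    payload, _, sig = token.partition(".")
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not sig or not hmac.compare_digest(sig.encode(), expected.encode()):
        return None                       # signature checked before anything is decoded
    data = json.loads(base64.urlsafe_b64decode(payload))
    return data["email"] if now - data["ts"] <= TOKEN_TTL else None

limiter = HourlyRateLimiter(SIGNUPS_PER_HOUR)
pending, confirmed = {}, set()            # constructed in-memory stand-ins for the contact database

def handle_signup(email, client_ip, now):
    """Form submission: rate-limit first, then hold the address until its owner confirms."""
    if not limiter.allow(client_ip, now):
        return "rate_limited"
    pending[email] = make_confirm_token(email, now)   # real code would email this token as a link
    return "pending_confirmation"

def handle_confirm(token, now):
    """Confirmation link clicked: only a valid, unexpired token activates the contact."""
    email = verify_confirm_token(token, now)
    if email is None or pending.get(email) != token:
        return "rejected"
    del pending[email]
    confirmed.add(email)
    return "confirmed"
```

A bot that submits addresses it does not own never produces a click on the confirmation link, so those addresses stay in `pending` and are never mailed; the hourly cap bounds how many it can park per source.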
We are continuously adjusting our detection methods to prevent fictitious addresses from being added to your list, but some may slip through. Please remain vigilant and watch for unexpected behavior. If you need help identifying or removing fictitious emails from your contact list, please call support.