Lately, I have been bombarded with spam actors signing up for my list with account info that is gibberish, like what is below. Has anyone else had this happen to them, and what can be done about it?
_____________________________________
die.wupper@web.de has subscribed
Subscribe page: 1
First name = sCXtSnZeodTpjhRwHfQLGX
Last name = GWhtnsSZrZWyccNht
Phone Number = QUEIECKhmfTJZMqqLAFWyx
_________________________________________________
The confirmation link will be clicked; this will not prevent bogus accounts from polluting your database.
Adding a CAPTCHA seems necessary, but I don’t have experience with that… yet. I need to do that promptly, because one of my lists is now getting hit with the bogus signups. The last time it happened to another list, I was getting hundreds of signups (all “confirmed”), and I just yanked the embedded form offline (it was rarely useful anyway) - yet I continued to get signups, so I had to disable the Subscribe page within phpList.
I’ll need to make time for this in the next day or two - my pen-name subscription form is now getting a bunch, and at least one of them reported the subscription confirmation email as spam. Honestly, this just looks like automated vandalism; there’s no logic behind it that I can see - just making trouble for the sake of making trouble.
I just added the Cloudflare Turnstile via the Cloudflare Turnstile plugin from @duncanc so hopefully that will give me some relief. As a user I prefer the Turnstile experience over reCAPTCHA.
I think this screenshot from the last bogus account created before I installed that plugin is interesting. It shows the subscription was confirmed two seconds later from a different IP address. Thinking back to the spam complaint I got and the confirmations (which don’t happen for every subscription), I wonder if the bots are using real people’s email addresses and those real people are the ones reacting - confirming (but why?) or complaining about spam.
I don’t know why I’m trying to understand the motivation/intent behind this bad behavior, but maybe understanding the intent would help mitigate the problem. Maybe…
I was trying to understand it too. I always deleted the accounts - they were never confirmed.
There is obviously some mischief in mind. But now I am happy, no more spam accounts since activating reCAPTCHA v2. Thanks @duncanc!
Same for me - in less than a day, Cloudflare Turnstile has blocked 30 form submissions and not one bogus account has been created. Very much appreciate the plugin for making it easy to integrate this important service.
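
For auditing signups that got in before a CAPTCHA was in place, here is an added example (not from any poster in this thread, and not phpList or plugin code) that scores records on three signals described above: random mixed-case names, a phone field with no digits, and a confirmation within seconds from a different IP. The record layout, thresholds and sample rows are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

FAST_CONFIRM_SECONDS = 5   # assumed cut-off; the post above saw 2 seconds
SUSPECT_AT = 2             # assumed: two independent signals before flagging

@dataclass
class Signup:              # hypothetical record layout, not the phpList schema
    email: str
    first: str
    last: str
    phone: str
    subscribed: datetime
    subscribe_ip: str
    confirmed: Optional[datetime] = None
    confirm_ip: Optional[str] = None

def case_flips(word):
    """Count lower-to-upper transitions inside a word ("McDonald" has 1)."""
    return sum(a.islower() and b.isupper() for a, b in zip(word, word[1:]))

def signals(s):
    """Return the names of the bot indicators present on one signup."""
    found = []
    if any(case_flips(n) >= 2 for n in (s.first, s.last)):
        found.append("random-case name")
    if s.phone and not any(c.isdigit() for c in s.phone):
        found.append("phone without digits")
    if s.confirmed and s.confirm_ip != s.subscribe_ip:
        delta = (s.confirmed - s.subscribed).total_seconds()
        if 0 <= delta <= FAST_CONFIRM_SECONDS:
            found.append("fast confirm from other IP")
    return found

def is_suspect(s):
    return len(signals(s)) >= SUSPECT_AT

T0 = datetime(2024, 1, 1, 10, 0, 0)
# Constructed sample data; field values in the first row follow the post above.
SAMPLE = [
    Signup("bot@example.com", "sCXtSnZeodTpjhRwHfQLGX", "GWhtnsSZrZWyccNht",
           "QUEIECKhmfTJZMqqLAFWyx", T0, "192.0.2.10",
           T0.replace(second=2), "198.51.100.7"),
    Signup("fiona@example.com", "Fiona", "McDonald", "+44 20 7946 0018",
           T0, "203.0.113.5", T0.replace(minute=7), "203.0.113.5"),
    Signup("luis@example.com", "Luis", "DeSoto", "none",
           T0, "203.0.113.9", T0.replace(minute=3), "198.51.100.44"),
]

if __name__ == "__main__":
    for s in SAMPLE:
        print(s.email, "SUSPECT" if is_suspect(s) else "ok", signals(s))
```

Requiring two signals keeps a single oddity, such as a real subscriber typing "none" in the phone field or confirming from a phone on another network, from being flagged on its own.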