Forms are wonderful. Amirite? They are a direct connection to your customer so they can communicate with you. The purpose of this connection could be as simple as letting you know they are interested in your service. Or something more complex like collecting valuations on products and feedback on services.
When forms are done right and their purpose is to build your customer base, they don’t just grow your list, but they grow you an informed and consented list!
And if you’ve ever read a deliverability article or talked to someone in deliverability, you’ll know the number one thing needed for a successful email program is consent. Anyone who says differently is probably questionable and you should run away. Fast. In the other direction. Screaming is optional, but recommended.
Forms are also used to gain insight and collect information, adding a lot of flexibility and power to your program. And since it comes straight from your customers, you now have your very own ‘zero-party’ data set. This information gives you the data you need to customize communications, touchpoints, workflows, and build stronger and more meaningful relationships. Which boils down to: information is the key to unlocking deliverability.
BUT when forms aren’t implemented correctly, they can also be dangerous. This is especially true for signup forms tied to your mailing systems and customer databases. An abused form can lead to:
- Deliverability problems that can negatively impact your campaign performance and ROI
- List bombing which causes harm to your customers by flooding their inbox with unwanted mail
- Mailing customers without consent, which can violate a number of sending laws
- DDoS (Distributed Denial of Service) attacks that bring down your system (website, email, etc.) or someone else’s
These are not merely inconveniences, they are risks to your business, ROI, security, and brand, as well as your customers’ online safety. This is why protecting your websites and developing strong email security processes are so important.
There are 2 main types of sign-up form abuse: list bombing and subscription bombing.
List bombing is intended to flood an individual's inbox (most likely with mail from reputable companies) to either take it down or bombard it with so much mail that it hides a crucial security or account compromise email.
Subscription bombing attacks a single form to overwhelm the receiving system. Instead of focusing on an individual, it intends to degrade performance so further system compromises can take place. In some cases, attackers just want to harm a business because it’s fun for them. And sometimes it’s much more nefarious.
The majority of the time these attacks are run by bots (and not the good ones) programmed to collect emails and search for vulnerable forms. They wait while they build up their collection of emails and forms. And when they have enough to bring down a mailbox, DNS, or other system, the bots are then sent to submit the collected emails to the identified forms.
Which brings us to how to protect your forms.
Protecting your online forms
There are four options you can deploy to protect your lists and your forms from abuse. They have varying levels of protection, so it’s best to mix and match.
- Email Verification (An important starting point)
- Honeypot Fields (Good)
- Confirmed Opt-in (Better)
- CAPTCHA (Best)
Wanna make your deliverability consultant (or security team for that matter) cry tears of joy? Implement all of the above.
Email verification is a helpful and useful addition to your email capture process. It helps to reduce the number of emails coming into your system that are invalid, contain typos, are riskier due to the nature of their purpose (disposable domains), unknown, and more. It can be used to prompt subscribers to correct mistakes. And, it can help you, as the sender, greatly improve the chances that addresses you’re sending are valid.
A good place to start to address form abuse is email verification. The key words here are “start to address.” Verification can’t prevent form abuse nor can it identify all forms of abuse. But it can provide a small level of protection. Let’s look at one use case we saw here at Kickbox.
Degradation in performance due to spikes in bad email addresses
A client of ours came to us asking why our verification service wasn’t flagging a flood of bad email addresses coming into their system, which was about 35K in one shot. It was causing them significant degradation in email performance due to high bounce rates. And this wasn’t the first time. According to our client, this was the third identified attack.
After reviewing and working closely with our client, it was uncovered that there was a gap in between the email submission and our verification API. This allowed the attackers to submit thousands and thousands of emails directly into our client’s system, bypassing our API to verify the quality of those records.
Had they come through the proper workflow, email verification would have flagged the poor email addresses. Verification wouldn’t have stopped the attackers from submitting the emails, but it would have kept the bad emails from poisoning their database and prevented the high bounce rates.
This is a good example of email verification doing its job: keeping unknown, poorly formatted, and invalid emails from entering your system and depleting your deliverability through bounces.
However, verification isn’t designed to confirm that consent was collected. When attacks are launched using real addresses (stolen or purchased), forms require additional protections to identify and prevent attacks as well as to weed out emails submitted without consent.
Honeypot fields are additional form fields included within a form that are invisible to a typical user. But to a basic bot viewing the code, it looks like just another field to fill out and submit.
Honeypot fields are a great way to distinguish between human-generated and bot-generated submissions. So for the submissions that include a value for the honeypot field, you can be fairly certain it came from a bot.
Honeypot fields do not prevent or stop the abuse, but they are good at flagging activity that should be viewed more closely.
Confirmed Opt-In (Double Opt-In)
Opt-in methodologies are up next for form protection. Of the opt-in methods, Confirmed Opt-In (COI) is best suited for form protection.
Because COI requires a follow-up action, once the initial pile of emails goes out to customers, COI will prevent further messaging from going out. Unless, of course, the email recipient confirms their opt-in status via a click or another affirmative action (better protecting your program from complaints). And once you get that confirmed opt-in, you can be much more confident that the customer is real, interested, and has value.
However, COI, like the other 2 options, has its limitations. It doesn’t prevent emails from getting injected. And it doesn’t help a user experiencing a list bombing attack where their one email is subscribed to thousands of forms.
Recognizing that COI is a hard sell for a number of marketers, it can be challenging to justify its implementation. Concerns around COI are rarely tied to its security benefits, but, instead, the perception that recipients won’t click on the opt-in link, confirmation emails get lost, ignored or blocked, and the extra confirmation step is a barrier to list growth.
But, if your newly signed up customer really wants your email, they will not fall into the drop-off you may fear. Consider what happens if you instead are dealing with thousands and thousands of non-opted-in customers injected into your database. The damage it can do to your deliverability alone from the resulting complaints may make you rethink the ‘benefit’ of bypassing COI.
Want another benefit of making sure your list is truly opted-in? Jeanne Jennings published a case study comparing conversion rates for opt-in versus not opt-in emails. The results speak for themselves and why marketers shouldn’t fear the misperceptions around opt-ins.
Ensuring the list you’re mailing is truly opted-in is a win for your program in addition to the benefit of reducing the risk associated with form abuse.
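Here is how the honeypot check and the confirmed opt-in step described above fit together in one signup handler. This is an added illustration, not Kickbox’s code: the hidden field name `website`, the `SignupStore` class, the HMAC-signed confirmation token and the 24-hour token lifetime are all assumptions made for the example.

```python
import hmac
import hashlib

# Constructed secret for this example only; load a real one from a secrets store.
COI_SECRET = b"example-secret-do-not-use"
HONEYPOT_FIELD = "website"   # hidden field (assumed name); real users never see it
TOKEN_TTL = 24 * 3600        # confirmation links stop working after a day (assumed)

def confirmation_token(email: str, issued_at: int) -> str:
    """HMAC-sign the address and issue time so the link cannot be forged or reused for another address."""
    msg = f"{email.lower()}|{issued_at}".encode()
    sig = hmac.new(COI_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{issued_at}.{sig}"

def verify_token(email: str, token: str, now: int) -> bool:
    """Reject malformed, expired, or tampered tokens using a constant-time comparison."""
    try:
        issued_str, sig = token.split(".", 1)
        issued_at = int(issued_str)
    except ValueError:
        return False
    if now - issued_at > TOKEN_TTL:
        return False
    expected = confirmation_token(email, issued_at).split(".", 1)[1]
    return hmac.compare_digest(sig, expected)

class SignupStore:
    """In-memory stand-in for the subscriber database."""
    def __init__(self):
        self.records = {}  # email -> {"status", "flags", "token"}

    def handle_submission(self, form: dict, now: int) -> str:
        email = form.get("email", "").strip().lower()
        if form.get(HONEYPOT_FIELD):
            # A filled honeypot means a bot: flag for review, send nothing.
            self.records[email] = {"status": "flagged", "flags": ["honeypot"], "token": None}
            return "flagged"
        # Humans land in "pending"; only the confirmation email is sent at this point.
        token = confirmation_token(email, now)
        self.records[email] = {"status": "pending", "flags": [], "token": token}
        return "pending"

    def confirm(self, email: str, token: str, now: int) -> bool:
        rec = self.records.get(email.lower())
        if rec is None or rec["status"] != "pending":
            return False
        if not verify_token(email, token, now):
            return False
        rec["status"] = "confirmed"
        return True

    def mailable(self) -> list:
        """Only confirmed addresses ever receive campaign mail."""
        return sorted(e for e, r in self.records.items() if r["status"] == "confirmed")
```

An injected address that never clicks stays "pending" and is never mailed, which is the COI property the article describes; a honeypot hit is flagged rather than silently dropped so it can be reviewed.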
CAPTCHA, or some form of this (Google offers reCAPTCHA to make the process less disruptive) is a tool that helps to differentiate whether the submitter of information is a bot or a human. It does this by using matching, recognition, or other forms of identification testing.
CAPTCHA is one of the most used defenses to protect signup forms from bad actors trying to abuse your forms. Before a form is accessed or allowed to submit information, it requires a passing test. And if a failure occurs, the follow-up test served will change, which helps to keep CAPTCHA from being predictable.
In most cases, sign-up attacks are run by bots. Before these bots begin signing up emails, they scour the web for vulnerable forms. Then they begin either list bombing (signing up individual emails to thousands of streams) or subscription bombing an individual form. In either case, the sheer volume of machines working on these submissions floods the receiving inbox of an individual or the organization hosting the form.
Having CAPTCHA in place halts the submissions as most bots (at least as of today) aren’t savvy enough to pass the different CAPTCHA quizzes. Of the four ways to protect your forms, this is the only one that has any chance at preventing bots from submitting unwanted junk into your forms.
For these reasons, CAPTCHA is classified as “best” in our list of ways to protect your forms from abuse. Plus it’s one of the recommended form protection practices by M3AAWG.
One out of four is just not enough
Three Dog Night got it right with their song title, “One.” When it comes to fighting abuse, one protection is never enough, even if you are using the “best” one. Utilize as many protections as possible.
In the case of form abuse, opting for the quad-fecta of protections will provide you the most protection so you can rest easier that your database, list, and email program are protected. If you can’t implement all four, pick at least 2.