Immutable Brick

Reputation: 820

I think the Mailchimp double opt-in process is broken or some bot is circumventing it - how to fix it

I am not sure if this is a programming related question.

I cannot say for sure the MailChimp double opt-in process has been hacked but I believe I have strong evidence.

If this question does not belong here I am more than happy to move it to the relevant Q&A website (please tell me which if that is the case).

I hope to be able to fix this through JavaScript (if I can use JS to restrict posting to the page), but I will describe the problem before jumping to conclusions. I am open to any suggestion except changing provider.

In the last 2 weeks we started receiving "spam users" on our Mailchimp mailing list (it is a veterinary list); those users all follow the same format:

Name: S
Surname: CLARK
Practice/Organisation: .
Address Line 1: .
City: .
Postcode: .
Country: .
Email Address: [email protected]
Address Line 2: .
Address Line 3: .

Please note [email protected] is just a placeholder for an example domain.

They basically repeat the same answer: they say the double opt-in process (a link is sent to the e-mail address and the user needs to click it to verify the authenticity of the email) is robust and all users are valid.

But we do not use their hosted signup form at all to register new users; we instead use their API, so a "spam user" would have to register in our DB before being signed up to the MailChimp mailing list, but it is not in our DB.

Some facts that suggest it's not a bot:

  1. IP addresses are all different
  2. email domains seem to be legit
  3. double opt-in process is active
  4. Users are not subscribing in bulk but at what seem to be random times

Some facts that suggest this to be some really clever bot hacking mailchimp (or only my list which is very unlikely):

  1. All these users follow the same rule (caps on the surname, 1 letter for the name and dots for all the rest)
  2. They all come from the "hosted sign up form" (a form hosted on the Mailchimp site); this form is not linked anywhere on our website and has a text saying "unavailable at the moment", therefore it is impossible for real users to submit any information through it

Now you can say I'm paranoid but I think someone wrote a bot that does the following:

  1. Uses a botnet (justifies the different IPs)
  2. Scans the subject list and checks against its DB to pick an email that is relevant to the list
  3. Posts directly to the page the predetermined fields that are required to process the registration

What I cannot explain though is how this bot broke the double opt-in process.

And more importantly how can I stop this? (I can edit the signup form on the mailchimp website so I assume I could write some clever JS)

Upvotes: 2

Views: 1663

Answers (2)

Anthony Bird

Reputation: 225

I am having similar issues with Mailchimp. We are using a custom API integration for Mailchimp lists; however, there are multiple signups daily with random emails and random IP addresses.

I believe that bots are injecting email signup spam directly at Mailchimp's hosted signup forms.

I have been in communication multiple times with Mailchimp; however, they only suggest using double opt-in (which was in place), a honeypot field (which is in place and not relevant, since the bots are injecting directly on Mailchimp's site, which does not have a posted honeypot field) or a 3rd-party hosted form (which is not relevant because the signups are on their hosted forms and not from my custom API).

None of their solutions are helpful. I cannot help but think that Mailchimp is encouraging the bot spam for monetary gain.

Its fee based model is based on the number of user accounts therefore they profit from our inconvenience. To me this reeks of negligence and borderline fraud.

Upvotes: 2

user1019653

Reputation: 31

We're having a very similar problem. We have a double opt-in mailing list which we sign people up to via the API.

All the traffic comes from a variety of IP addresses. I've done a little research into one of the user agents that's being used, and it seems to be associated with botnet traffic, which supports the above suggestion of a botnet.

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts; .NET CLR 1.1.4322; PeoplePal 6.2

How they're getting past the MailChimp double opt-in process is a bit of a mystery. It's not impossible, I know, but why they're even doing this is another good question. But if this is a wider attempt to add spam to MailChimp, then maybe it's nothing to do with us.

However it's certainly reducing the quality of our list so we need to stop this happening.

Upvotes: 1
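As an added example (not code from the question, the answers or Mailchimp), here is a defender-side triage check a list owner could run over exported member records, combining the two signals this thread describes: the question's placeholder profile shape (one-letter name, all-caps surname, dots in every other field, hosted-form source, absent from the site's own DB) and the legacy user-agent string quoted in the last answer. The records, the local-DB stand-in and the field names are constructed assumptions for illustration, not the Mailchimp API or export schema.

```python
import re

# Constructed sample signup records for illustration only; the field names are
# assumptions of this example and not the Mailchimp API or export schema.
SIGNUPS = [
    {   # mirrors the placeholder profile shape described in the question
        "email": "s.clark@example.com",
        "first_name": "S",
        "last_name": "CLARK",
        "organisation": ".", "address1": ".", "city": ".",
        "postcode": ".", "country": ".",
        "source": "hosted_form",
        "user_agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; "
                      "FunWebProducts; .NET CLR 1.1.4322; PeoplePal 6.2)",
    },
    {   # a genuine subscriber created through the site's own API path
        "email": "reception@examplevets.example",
        "first_name": "Jane",
        "last_name": "Smith",
        "organisation": "Example Veterinary Practice", "address1": "1 High Street",
        "city": "Exampleton", "postcode": "EX1 1AA", "country": "United Kingdom",
        "source": "api",
        "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/120.0",
    },
]

# Constructed stand-in for the site's own user database: the question's point is
# that legitimate subscribers must exist here before they ever reach Mailchimp.
LOCAL_DB_EMAILS = {"reception@examplevets.example"}

PLACEHOLDER_FIELDS = ("organisation", "address1", "city", "postcode", "country")
SINGLE_LETTER = re.compile(r"^[A-Za-z]$")
ALL_CAPS = re.compile(r"^[A-Z]{2,}$")
# Tokens from the user-agent string quoted in the thread; an IE6/WinXP UA with
# toolbar tokens is a legacy fingerprint worth routing to manual review.
LEGACY_UA_TOKENS = ("MSIE 6.0", "FunWebProducts", "PeoplePal")


def is_placeholder_profile(rec):
    """Single-letter first name, all-caps surname, every other field a lone dot."""
    return (
        bool(SINGLE_LETTER.match(rec.get("first_name", "")))
        and bool(ALL_CAPS.match(rec.get("last_name", "")))
        and all(rec.get(f, "").strip() == "." for f in PLACEHOLDER_FIELDS)
    )


def is_legacy_user_agent(ua):
    """True when the UA carries any of the legacy toolbar/IE6 tokens."""
    return any(tok in ua for tok in LEGACY_UA_TOKENS)


def classify(rec, local_emails):
    """Return the reasons a record looks like injected spam (empty list = clean)."""
    reasons = []
    email = rec.get("email", "").strip().lower()
    if email not in local_emails:
        reasons.append("not_in_local_db")
    if rec.get("source") == "hosted_form":
        reasons.append("hosted_form_source")
    if is_placeholder_profile(rec):
        reasons.append("placeholder_profile")
    if is_legacy_user_agent(rec.get("user_agent", "")):
        reasons.append("legacy_user_agent")
    return reasons


def triage(records, local_emails):
    """Map each flagged email to its reasons so it can be reviewed or unsubscribed."""
    flagged = {}
    for rec in records:
        reasons = classify(rec, local_emails)
        if reasons:
            flagged[rec["email"].strip().lower()] = reasons
    return flagged


if __name__ == "__main__":
    for email, reasons in triage(SIGNUPS, LOCAL_DB_EMAILS).items():
        print(f"{email}: {', '.join(reasons)}")
```

The strongest signal here is the first one: if every legitimate subscriber is created through the site's own API after a local registration, any list member with no matching local record did not come through the intended path, regardless of whether double opt-in was completed. The profile-shape and user-agent checks only add confidence and help prioritise review.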
