Email essentials

How to Protect My Website from Spam Bots and Fake Signups

Reading Time: 8 minutes

Most marketers believe that a spike in email subscriptions is a good thing. After all, the sooner your email list grows, the wider your marketing reach will be.

This may not be true all the time.

There’s a possibility that malignant programs, known as spambots, might be attacking your website. When they do, they push fake signups onto your contact list.

Naturally, this should be a cause for concern because the fake signups are not interested in your products and will not interact with your content. They may also place fake spam complaints which could get your domain blacklisted by email clients.

Is there a way to stop spambots on your website and stop fake signups?

Yes, this guide has all the answers for you.

In this post, we’ll cover:

What is a spam bot?

A spam bot is a malicious program designed to seek out and sign up for emailing lists with fake and real email addresses. Spam bot attacks can damage the sender reputation , decrease email deliverability rates , and cause other problems.

Signs of a spam bot attack include a sharp increase in unsubscribes and spam complaints, dips in delivery and open rates, and a sudden, unexpected spike in subscribers.”

What are fake signups?

Fake signups happen due to spambots that scour the internet looking for signup forms to fill in.

They fill out these forms—either with fake email addresses or real email addresses. The former might belong to people who don’t want emails from your store. This is especially detrimental, as soon you’ll find your emails being a target for referrals for spam.

But the question remains—why do spammers register on your site?

There are various reasons these malicious spambots want to spam your signups. One is that they’re looking for weaknesses in your site to exploit them for further gain. It could also be to gather all of your email addresses and send you spam.

Another important reason is that the spammers want to damage your email campaigns and your all-important deliverability—especially when they use real email addresses.

For example, if someone receives an unwanted newsletter from you, they might hit the ‘Spam’ button. If this happens often enough, Gmail and other sites could put you on their spam blacklist .

This means that none of your subscribers will see your emails in the future.

How do fake signups hurt my email campaigns?

Having a well-stocked email list might seem like a great thing. However, this is only true if they are real people who are interested and engaged with your brand.

Keeping a lot of fake signups on your subscriber list can hurt your email campaigns in many ways.

1. Your emails go to spam

This is the most damaging for your sender’s reputation and is the inevitable result of fake signups using real addresses.

Receivers get emails from you that they never asked for and send them straight to the spam folder . If this is happening regularly, your subscribers’ email service providers will start to mark all your email as spam.

This way, your email marketing strategy is as good as dead.

2. Your metrics are misleading

Another important thing to consider is that your metrics will be way off when you have large amounts of fake signups.

Spam contacts don’t engage with your emails. This means you’ll likely see low figures with the likes of CTR. This might cause you to interpret this as a problem on your end. In turn, you might start making unnecessary changes, such as to your content, prices, or products.

However, real subscribers might still engage with your emails because of these elements. These changes to accommodate lower metrics might start to harm you, rather than help you.

Without accurate ecommerce analysis, you won’t be able to make informed decisions to drive your business forward.

3. You don’t have an accurate image of your customers

Lastly, you probably won’t have a good picture of who your real audience is. With fake signups, it’s difficult to know what they like or dislike.

For example, imagine you sell products mostly geared to a specific location, like the US or UK. If you notice that a significant portion of your contacts is coming in from a different region, you could alter your email campaigns.

You might adapt your marketing to appeal to your new audience, even though that audience isn’t real.

Those spam contacts never have and never will interact with your brand. You risk mistakenly adapting your business for them because you don’t know they’re fake.

How to stop fake signups on your website

The dangers of fake signups are clear. Next comes the question of how to stop spam bots on your website.

1. Use reCAPTCHA

Consider using reCAPTCHA to verify your sign-ups. It is free of charge and isn’t too inconvenient for the user. reCAPTCHA is a fraud detection tool from Google that recognizes bots automatically. It is free and convenient to use. Best yet, spambots cannot get past it. This makes it an easy way of protecting your contact list, and thus, keeping your website from fake signups.

A typical reCAPTCHA form looks like this:

Get started with reCAPTCHA

2. Add a double opt-in form

The double opt-in sends a follow-up email after signups that only asks recipients to click a link. This acts as a confirmation of whether the email actually belongs to the subscriber or not.

Naturally, spam bots cannot answer the email, so you’ll guarantee that only real people are signing up. This reduces the chances of a hard bounce , which are undeliverable emails. This is because the double-opt-in makes sure that the visitor enters the correct email the first time, eliminating misspelled or invalid emails.

A typical confirmation email looks like this:

Learn more:

3. Use the “Honeypot Captcha” technique

The “Honeypot Captcha” technique works by including a small, hidden (using CSS) text field or checkbox in your sign-up forms that customers cannot see or access, meaning that only the spambots will fill it in.

This allows you to easily uncover the intruders and quickly move in to block them. Paul Boag , a UX expert, gives a simple explanation of what a honeypot captcha is in this video.

4. Block traffic from specific countries

This is a bit more drastic option, but is used by many top websites to avoid spam traffic. You can simply block traffic from certain countries to avoid spam signups if they meet the following conditions:

  1. You are moderately or highly certain that spam traffic is coming from these countries
  2. You are moderately or highly confident that this traffic won’t convert to paying customers

There are a few ways to get this done. First, on a view level, you can filter out spam traffic from specific countries in Google Analytics. Simply go to your Admin tab, click Filters > New Filter and you’ll be able to block countries.

You can also block countries in various ways, such as using .htaccess, with information from the country IP blocks list .

5. Use a third-party app

Sometimes, it’s better to delegate other responsibilities so that you can focus on the main activity of your business—getting more customers, more sales, and keeping those customers happy.

There are various apps or plugins you can add to your online store that will help block spam signups, and won’t require you to do any manual work (and potentially break something on your website).

If you’re on Shopify, for example, you can use apps like Shop Protector to stop spam signups and fake accounts.

If you’re using WordPress/WooCommerce, then you can use something like Wordfence , which is a larger security suite that can also block spam traffic.

6. Check subscription dates

Another smart way to find out whether your website has been attacked by spambots is to check if you have received too many signups in a short time.

Examine how many people signed up for your email list in the last 24 hours or a short period of time. If that number is unusually high, most of those signups could be fake.

The best website spam protection you can deploy in this case is to get an email marketing software that tracks your signups to help you pick out any unusual behavior.

Omnisend, for example, shows you exactly when a user subscribed to your newsletter. This feature is called the “opt-in date” and is shown with the date and time an email address subscribed to your email list like in the image below.

You can go through the email list to see if there was a spike in the subscriptions at any given time. Analyzing this data can help you spot the fake email newsletter subscribers that might have likely come from spambots.

7. Use multi-step signup forms

Multi-step signup forms break down the signup process into several steps. Rather than the signup form bearing the fields and subscription button on the same page, multi-step forms introduce additional steps and actions to get the users to spend more time on the form.

Not only can multi-step signup forms help you to collect more data, but by introducing additional steps, they can also stop bots from submitting forms, thereby preventing fake signups from getting to your email list. Moreover, such signup forms will discourage manual spammers who would rather fill in fake contact details at once than go through a multi-step signup process.

The example below shows a popup with a multi-step signup form. The popup only bears the subscribe button that you have to click to reveal the signup field.

Set up your popup forms this way to stop spambots on your website from subscribing to your newsletter.


How to use smart popups for better conversions

How to remove spam signups

Keeping your email list clean should be an ongoing process. It can be a challenge if you have thousands of subscribers, but deleting fake signups is critical to the success of your email marketing.

To remove spam signups:

  • Find passive subscribers with segmentation. Segment users that remain inactive for six months and remove them. You can do that in Omnisend—watch the second part of the video below for step-by-step instructions.
  • Use your ESP’s email list cleaning service . Omnisend’s email List Cleaning service applies artificial intelligence for constant email validation and includes custom grammar and inactive email checks to keep your bounce rates down.
  • Manually look through email addresses . Sometimes, you’ll notice that some of them look strange. You can check them out with CleanTalk . This tool has a blacklist of almost six million spam emails and emails that have been abused by bots.
  • Double-check the addresses of cart abandoners . Spam bots can add products to carts and then leave without finishing the purchase. See if the emails of those visitors look strange or repeat many times.
  • Get your list validated by Mailgun . It’s an email verification service that runs numerous checks for every email address. Watch the video below for step-by-step instructions on how to use it.

As promised, we have a video with steps to remove fake signups.

In this one below, you’ll find out how to a) use Mailgun for verification and b) remove passive emails by segmenting users in Omnisend.

But the bottom line here is:

The sooner you start protecting your signup forms, the better. It’s one of the strongest ways to protect your website from spam bots and fake signups.

Wrap up

Unfortunately, spambots have become an everyday issue for ecommerce marketers. However, you shouldn’t panic if you realize that you are hosting several fake signups.

Again, to protect your website from spambots:

  • Use reCAPTCHA
  • Add a double opt-in form
  • Use the “Honeypot Captcha” technique
  • Block traffic from specific countries
  • Use a third-party app
  • Check subscription dates
  • Use multi-step signup forms

Also, make sure that you have an ESP that is well equipped with tools to deal with spambots and other malicious actors. Start using Omnisend and do your email marketing with confidence.

Scroll to Top