jeudi 3 novembre 2016

Designing a mailing list signup form

I'm designing a mailing list system which, as you can guess, collects email addresses from website visitors and sends out a newsletter every X days. Due to the site's privacy policy I can't use a third party mailing list service, CAPTCHA, etc.

The challenging component seems to be protecting the subscription database from malicious bots submitting random email addresses.

Here is what I've tried so far...


Recently I added a simple homebrew CAPTCHA. It was successful against most bots but the basic CAPTCHA wouldn't stand up to a targetted/more intelligent bot. Also I think it dissuades legitimate users from signing up, any additional fields make the form twice as daunting to use.

Surprisingly when I forced visitors to HTTPS spam submissions were reduced by around 60%.

Website visitors are likely to be using NoScript or have Javascript disabled in some way. They are the target audience so a non-JS solution is important.

I have access to the subscriber's IP address (temporarily) although chances are high that they use an anonymizer (VPN, proxy, etc). I know of IP address verification APIs which can return a risk score - often used for ecommerce sites - which could filter out a lot of bad bots plus has an agreeable privacy policy. With dynamic IPs and anonymized shared IPs it will return many false positives.


The only other route I can think of is to send a verification email with confirmation link to complete the subscription. It does open a possible attack vector, so the system would need to throttle outgoing mail. If this is the right approach, how could it prevent malicious bots from flooding the mail queue?

Aucun commentaire:

Enregistrer un commentaire