Hello, I have an unused Sucuri account that I’m going to discontinue within 5 days… so we have around 4 days left to test whether Sucuri is able to block this bot… anyone interested, please PM me… we should test it right away… the protection from Sucuri only costs $10/mo…
I checked the link that you shared and realised that this is the upgraded version of a blackhole system that Perishable Press published a few years ago. I used it extensively for protecting my site’s integrity before I started using Sucuri (I like that they can easily block access to my site based on country or specific URL) and switching platforms.
Having said that, it’s worth giving it a try. Implementation is simple (if you are able to edit .htaccess) and adds no weight to your site.
I’d be inclined to add this in to my arsenal of weapons to combat the bots. My experience says that the solution has to be a multi-pronged approach…
I just wanted to follow up here and let everyone know we recently put out a simple article that explains this topic in more detail, attempting to answer some common questions you may have. Feel free to send us an email at help@activecampaign.com if you have more specific questions and we’ll be happy to explain!
By the way, as an idea/suggestion/question – I’m wondering if running fail2ban on the website server will help against such an attack. I think it should.
@nick To be honest, if there was a quick technical fix I’m sure that most sites would have implemented this automatically. It’s possible that fail2ban might help, but advanced subscription bombing attacks would not likely be thwarted by this if they use dynamic IP ranges.
I’ll defer to the authority on this matter (Spamhaus):
The single best thing that can be done to secure a form and avoid becoming an attack vector is to put a CAPTCHA on it… Even using COI [confirmed opt in] in this situation is not sufficient, as the sheer volume of confirmation emails can be completely overwhelming. Use CAPTCHA plus COI to protect your mailing list subscription form!
-Subscription Bombing: COI, CAPTCHA, and the Next Generation of Mail Bombs
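Added example, not part of any post in this thread: a small Python sketch of the point made above about fail2ban, comparing a per-IP threshold (in the spirit of fail2ban's `findtime`/`maxretry`) with a form-wide rate signal. The log events, addresses and thresholds are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # assumed value, plays the role of findtime
MAX_HITS = 5                     # assumed value, plays the role of maxretry

def build_sample():
    """Constructed signup-form POSTs as (timestamp, client IP) pairs."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    # One noisy address: 8 submissions, 5 seconds apart.
    noisy = [(t0 + timedelta(seconds=5 * i), "198.51.100.7") for i in range(8)]
    # Distributed burst: 30 submissions, each from a different address.
    spread = [(t0 + timedelta(seconds=2 * i), f"203.0.113.{i + 1}") for i in range(30)]
    return sorted(noisy + spread)

def per_ip_offenders(events, window=WINDOW, max_hits=MAX_HITS):
    """Per-IP rule: flag any address with more than max_hits inside window."""
    recent, flagged = defaultdict(deque), set()
    for ts, ip in events:
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) > max_hits:
            flagged.add(ip)
    return flagged

def form_peak(events, window=WINDOW):
    """Busiest window for the form as a whole: (submissions, distinct IPs)."""
    q, peak = deque(), (0, 0)
    for ts, ip in events:
        q.append((ts, ip))
        while ts - q[0][0] > window:
            q.popleft()
        if len(q) > peak[0]:
            peak = (len(q), len({addr for _, addr in q}))
    return peak

def blocked_share(events, flagged):
    """Submissions a per-IP ban would cover: (covered, total)."""
    return sum(1 for _, ip in events if ip in flagged), len(events)

if __name__ == "__main__":
    sample = build_sample()
    flagged = per_ip_offenders(sample)
    print("per-IP rule flags:", sorted(flagged))
    print("covered/total submissions:", blocked_share(sample, flagged))
    print("form-wide peak (submissions, distinct IPs):", form_peak(sample))
```

On this sample the per-IP rule catches only the single noisy address, while the form-wide count shows the burst itself, which is the signal to alert on or to use as a trigger for turning CAPTCHA on.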
We’re experiencing the same issue. Adding captcha would create poor user experience, as would double optin in my opinion (not to mention skewed analytics data).
Never had this problem with CampaignMonitor, Aweber or Getresponse but we have had spam issues with contact forms that contain input name=“email”. Because this is what AC is using, I believe it’s one of the reasons for spam.
Could you investigate switching to a randomized email input name? It’s a simple fix that could potentially help a lot of users.
I’m experiencing the same issue. I added Captcha to the only form I used and we are still receiving dozens of bots per hour from this form. Looking forward to a resolution.
My mastermind partners and I would like to move from Aweber to AC but have been hesitating due to this issue.
Thank you @aburch for posting the article explaining the issue. Your article states: “Am I charged for these contacts? If you are using single opt-in, yes. These contacts will be considered valid until you delete them or they bounce.” So if I move my list and opt-in forms from AWeber (where I’m not experiencing form spam problems) to AC, then with AC I will experience form spam and also be charged for the additional fake contacts? Please explain so that I can have confidence and sign up for AC. Your system seems stellar but this one issue has me (and my mastermind partners) on the fence. Keeping fingers crossed this issue will become a non-issue!
HTML forms will always be abused by bots. Unfortunately there is no way to positively stop this, so there is no way for us to completely resolve this issue for our users that have an HTML form collecting signups.
We do have some basic sanity checks in place that prevent forms from being submitted too many times per minute/second, but even these checks can be circumvented by a bot fairly easily.
The only way to truly resolve this issue is by adding captcha, which we have chosen to leave optional for ActiveCampaign users — we don’t force captcha on forms. Therefore, it’s really up to you to add captcha to your forms to protect them from bots. This isn’t a requirement, so you can choose not to use captcha, but if you do so then the risk of bots will always be there.
If you are still receiving bot signups after adding captcha it’s most likely from an old form that is cached somewhere without captcha or because those contacts are coming from another source like a 3rd party API integration you may have set up. If you are still getting bot signups with captcha, please file a support ticket and we can help identify where those bots are coming from and how you can lock down those forms (often by deleting the old form that may be cached and creating it anew with captcha).
@mkgr If you are using the Simple Embed you won’t need to update your page - captcha will automatically appear there once you make the change in ActiveCampaign.
However, if you are using the Full Embed, you will need to manually update the code on your end with the new code we generate for you in ActiveCampaign.
I think if you have it for yourselves we could also benefit.
If not, a very reliable service is cleantalk.org. I have used it in my PrestaShop default newsletter and it is almost 100% effective, but I cannot use it with your forms as they are not located on my own server. Please consider. It is a very good solution for a very big problem.