Hello guys. I have noticed that for the past couple of weeks, lots of spam bots have been registering with AC forms in different websites I have. After talking to a few friends and colleagues who also have an AC account, I found out they’re having the same problem. The bot always registers with pretty much the same name, “59194f609a518” or a similar variation.
This problem only happens with AC, and not other email providers, and it happens on multiple websites, and multiple separate AC accounts. The only thing linking the attacks is that it only affects AC.
The bots are quite a nuisance but there are things you can do to combat them. I do want to point out that we aren’t the only provider being targeted by them. It’s not clear why some providers are being targeted and others aren’t, but it’s not a problem specific to ActiveCampaign. We’re working on ways to deal with this.
Yep, I’m aware AC isn’t the only one being targeted by spambots. There’s really nothing you can do to combat them unfortunately. This one seemed strange though, because it’s the same bot that’s attacking only AC forms in a variety of different businesses and accounts. So I was wondering if there was someone attacking specifically AC to your knowledge.
The name being entered is a long number generally starting with a 58 or 59 and so on and the email addresses seem to be real as I got blocked due to a high level of spam reports - by people who hadn’t opted in themselves, but their email was used…
I am relatively new to this technology, but was wondering if I set up an If/Else action where if the first name contains 0123456789 then the automation would end, or they get unsubscribed? Would that work to stop people receiving the email they didn’t subscribe to?
Hi there, Amy from ActiveCampaign’s Customer Experience Team. We’re just refreshing our forum page and I wanted to add some help here for anyone who comes across this page/question/post.
There are 3 concrete actions you can take to ensure that spam contacts do not enter your account as active contacts:
Recommended.Add captcha to all forms. This instantly solves the problem. Very few bots can complete a captcha test, so this prevents many bots from entering your list. Captcha is free and easy to add to all ActiveCampaign forms.
Add confirmed/double opt-in to your forms. If you do this, bots are still able to sign up to your list, but they will only receive one confirmation email, which they will never click. Confirmed opt-in limits the damage, but doesn’t fix the problem entirely. This works especially well in combination with a CAPTCHA to drastically limit the number of bot signups.
Add a hidden field to your form. If a bot fills out this field you will know it’s a bot. You can even create an automation that automatically unsubscribes any contacts that fill out this hidden field. This is not a definitive solution, though, because smart bots will not fill out a hidden field.
Thought this doesn’t stop these spam contacts from entering your ActiveCampaign account (because let’s face it - you will inevitably encounter this issue no matter which platform you use), this does ensure that the contacts in your account, subscribed to your lists are legitimate contacts.
Any questions or additional ideas, thread them below!
Hi. I had submitted a support ticket related to this issue a few months back and it was suggested I comment in the forum. So I’m doing that now.
We already had reCAPTCHA on the form but it was still being spammed.
Issue:
We are attempting to tackle spam issues by implementing a form with a Captcha and honeypot. While testing a new form on a password protected staging website, we have received spam submissions. These may be humans submitting the forms and not bots. So it appears that the direct form link is being picked up by a crawler monitoring ActiveCampaign forms.
Questions: what is preventing crawlers or unwanted traffic from finding and submitting the direct form link? Can the direct form link be disabled?
The form url is not even encrypted so all someone has to do is change the number at the end of any ActiveCampaign form to find all of the forms in an account.
My question that was not answered:
Is there a way to prevent a direct form link from being detected or used?
The form link I provided as an example has not been published on a website page but has obviously been found by crawling the direct form url.
This seems like a major issue when forms that are not even published on webpages are being spammed by crawlers.