Removing Fake Signups for MailChimp

Removing Fake Signups for MailChimp

Something you will realise when your blog gets older is that you’ve installed several iron gates between your blog and this endless march of spammers, botters and shady types. I provide one method in which I tackled an attack on my list and go into some ideas on why this attack might have come about.

This article was inspired recently by an inundation of fake email subscribers to my list. At the high point I was receiving 11 new subscribers a day to my list but there was something unusual about each new subscriber.

Disclaimer: As a policy, I won’t display any information directly from my MailChimp account as it would breach the confidentiality of those legitimate subscribers on my list. I take privacy seriously. Needless to say that from the 11th August to 24th August I had received 84 subscribers. In real life I’d love to see a campaign go that well but I knew it was too good to be true.


First Indication: An Unusual Amount of Un-subscribers

I admit to have not been checking my total levels for some time. A little remiss of me but I’ve been working hard on non-blog related activities up until a few months ago so my focus had been elsewhere.

A good idea is to perform a check of your numbers on a set period. It doesn’t have to be too frequent but something like once a month for subscriber numbers if you have a small list should keep you in check.


Second Indication: First Name and Last Name

Having a look through my older subscribers revealed sensible entries in the First name and last name. Following the 11th August I had discovered that randomised data was coming through the pipe. It seemed very odd. An example:

First name: cklldvsajdf

Last name: adfakjfnsdf

Ideally you should see a first name and last name. Not everybody wants to share that kind of information so you might get a first name or no names. Validation on your form can help with this.


Third Indication: Less Views on the Site than Signups per Day

As much as it pains me to admit it, doesn’t always attract a lot of attention. Since I’ve scrubbed away some non-relating posts my viewings have dropped as a result but at least now I can see the truly engaged. If there are fewer people viewing than subscribing this would indicate there is something fishy going on.

The rationale is that the user has to signup to your email via your website through the signup form. If you have attracted the attention of a spam-bot, these bots can circumvent the form. Some bots can even simulate false “opens” to emails sent through your mailing list giving your email list the appearance of activity.

MailChimp ranks users on your list by a star rating. I have two 5 star members of my mailing list who frequently open content and have been following my site for a long time.

  • New Subscribers start out on 2 stars.
  • If the next group of campaigns bounce or go unread the subscriber will go down to 1 star. Eventually these low quality subscribers will be cleaned off the list if they bounce consistently or fail to read.
  • If the Subscriber interacts they will slowly climb up the star rating over time. Those who open and click on content will rank higher quicker.


Actions Taken

Obviously just burying your head in the sand is not a viable option and I’ll explain why later. For now these actions are those I undertook to quarantine and rectify the issue.


1st Action: Go to MailChimp and Setup a Segment from the Date that the Attack Started

Creating a segment is very easy in MailChimp. What it performs is a smaller group of your list that meet certain requirements.

You need to head to your main list so that you can create a segment from it. Once a segment is created you can create a new campaign using that segment as the source.

You need to head to your main list so that you can create a segment from it. Once a segment is created you can create a new campaign using that segment as the source.

You will also want to categorise the segment by those who signed up through the contact form. However, in my case I had a non-official plugin running my signups with a better looking signup form. I’ve now had to compromise for security and peace of mind.

All active sources of signup will be displayed in the furthest right dropdown box. To catch all you may want to run without this part of the filter.

All active sources of signup will be displayed in the furthest right dropdown box. To catch all you may want to run without this part of the filter.

Important note: Obviously if you are getting legitimate interested parties you don’t want to throw them out with the bath water so you have to be careful on the next part.


2nd Action: Send a Target Campaign Requiring Action

If the subscriber is real they will have to take action. Providing a deadline is also a way to move the subscriber along. In my case I set a 48 hour deadline. I changed from an HTML campaign to a TEXT campaign on this rare occasion which should further indicate this is a non-standard request.


3rd Action: Analyse the Result of the Targeted Campaign

If there are those who respond, you can isolate them further through a segment in your targeted campaign and quarantine those who fail.


4th Action: Delete the Offenders

You don’t need to unsubscribe fake subscribers. If you did and had many, this would send out emails to all of these individuals. If you already have suspected them to be fake you don’t want the same spam-bot signing up the same dodgy emails again. MailChimp in this case will quarantine the emails for you.

Important note: Once deleted you wont’ be able to add these people back to your list. Be sure you want to delete!


5th Action: Use MailChimp’s Embedded Form

MailChimp’s form is designed to incorporate a Google reCaptcha. In the next two images you can see how this functions.



Whilst the Captcha does introduce some extra clicks, on balance it is better than to have to manage spam-bot subscribers on a regular basis. Potentially you could accidentally delete legitimate audience which would be painful.

Captchas are Both Good and Bad

Ideally you want to get people moving as soon as possible. The more steps you involve in getting your interested party to a place, the more questions they may ask and the more distracted they may become.

Email Comments are notoriously difficult to attract for new blogs. They are made even more difficult if you involve systems like Disqus, LiveFyre or Facebook comments. Captcha is another barrier that slows down the process. Vanilla WordPress comments are accessible. Comment systems add another password barrier. With each hoop you lengthen the time needed to acquire satisfaction for your audience interaction.

  • Captchas are good because if deployed correctly they act as a near foolproof deterrent to automated spam. You may never have to worry again.
  • Captchas are bad because they slow down the flow and take the wind out of the sails of a would be interested party. As a blog owner you have to work on the basis that your interested party would jump those hoops (but they aren’t always).

6th Action: Rectify the Source of the Problem

I attacked this from two angles.

Angle 1: Sidebar Widget

I replaced my MailChimp Plugin widget with a text widget using MailChimp’s embed code. The Captcha box was ticked when generating the embed code. The MailChimp plugin was then removed.

Angle 2: Bot Security

I introduced WPBruiser to my plugin arsenal. This plugin significantly reduces bot activity without Captcha.


7th Action: Test and Monitor

I tested my new signup form with an email I haven’t used with the subscription before to ensure the Captcha was working.

It makes sense to further monitor what comes through. Ideally only subscribers who have passed through the Captcha process should succeed. As you can see in the images above Captchas of this type are difficult to overcome if you are not a human.


Why are Fake Subscribers a Bad Thing? Why Should You Take Action?

The easy answer is that your individual campaigns have a limit.

If you are a small audience blogger it would take a while to come near the minimum limit where MailChimp starts charging you. The subscriber max limit is 2,000 and the max emails per month is 12,000. Mathematically you can send 6 emails to all 2,000 subscribers per month.

If you start reaching the limit of emails (through more than one campaign) you are into problems. If you leave fake subscriber numbers to go unchecked for months you could soon be into that limit. MailChimp will physically (in the logical sense) prevent you from sending out any more emails until you’ve paid up.

Aweber, as an alternative example, already comes at cost. The increments between payment steps compared to subscribers are relatively short. If you go from 500 to 501 subscribers, your cost per month will rise from $19 to $29. If you let your fake subscriber numbers go unchecked that can be costing you an extra $10 a month needlessly. The next increment is even fiercer with a change of $20 between 2500 to 2501. Once again, you could be paying this needlessly.


Why do People Generate Spam-Bots?

There are only theories as to why but here are a list of potential motivations.

Anti-Capitalist Agenda

Capitalism in any form is not welcomed by all. In the Western and more developed parts of the Eastern world a large majority of individuals go along with Capitalism and embrace it. For a growing movement there is the realisation that materialism is destroying the world piece by  piece. In my view Capitalism sucks but at least is fairer than Communism.

Closet Dweebazoid Disorder

It comes under the “Because I can” excuse. These are your garden variety dweebazoid with nothing better to do than create a spam-bot to “burn the world”. People do this for fun apparently. They also go by the name of jerk.

These dweebs may have one of three motivations:

  1. Indirectly Malicious – It is not personal but that doesn’t stop it being annoying. Being shot in the face is no less acceptable if you were a random target.
  2. Malicious – The spam-bot generator doesn’t like the subject you are connected with or you have displayed behaviours through trigger content that have caught their eye.
  3. Personal – This person knows you and has been directly affected by an action or direction you’ve taken in the past. It is quite rare to personally annoy someone but watch out if you do.

Indirect Marketing

You’ve seen email comments that look suspect. Akismet normally has its work cut out on a daily basis filtering out shameful plugging. These bots identify blogs that have lax security or use a plugin like “commentluv” in order to fire out their low-rent marketing activity. This kind of spamming appears on Facebook comments as well.

Akismet is one of those plugins you can take for granted.

On Orders from the “Man”

One of my favourite conspiracy theories is that companies who provide free services perform their own forms of skullduggery in the background. These companies employ black hat coders to create these spam-bots so that they can provide services to combat them. You could see how on Aweber it would be of benefit for some errant spam-bots to generate more business by relying on those organisations who don’t check but simply hand over their cash every month. I doubt sincerely there are people stupid enough not to check but you never know, especially if someone is managing the account for them, but are stretched over dozens of sites.

More thoughts

I’ve always thought it is not a big leap to consider that Anti-Virus software was proliferated by large anti virus software companies employing homegrown, Indonesian or Chinese black hat coders. There is nothing to suggest that this activity doesn’t still continue. Having recently had to remove an insane amount of malware from my girlfriend’s laptop, I can attest to such activity being there.

Being an observer, from a generation pre-internet, I can remember the simpler times of computer operation where only Microsoft’s poor coding would lead to problems. Now when you get online you have to make sure you are protected from the off.

New build laptops often have a copy of Norton, Kaspersky or McAfee pre-installed so that you have some rudimentary protection. It stands to reason that an Anti-Virus company would not be in business if there were no more viruses so they would only ever do the bare minimum.


Having read an alternative article, the upkeep in having a farm of virus and malware makers on hand is ludicrous for big business. The likelihood of disgruntled employees becoming whistle blowers would have seen the industry implode a long time ago.

I don’t completely buy into the idea that AV companies simply do a good job because I’ve seen a trend whereby the established AV companies turn their software into ‘bloatware’. Some individuals have referred to AVG and AVAST as Nagware and I wouldn’t disagree.

It seems that organised crime is more likely to be the ultimate culprit.

Competitor ‘Skullduggery’

I’d like to believe that I operate in a community where boundaries are respected and where all activities are performed fairly but I know this isn’t always true in the real world. Competition has the added bonus of hiding behind the anonymity of the Internet. Your competition can hire unscrupulous individuals to play ‘merry hell’ with your site. Common attacks include denial of service (DDos) which brings your system to a grinding halt. Bots to spam your subscription list is child’s play.

Organised Crime

There are some notable vices and professions that go a long way back. Forgery is a very old criminal profession. Spam-Bots can quite easily be employed by organised crime.

Unknown Purposes

For me, Akismet has blocked over 11,000 attempts to break in through my front door into the WP-ADMIN element of this very site. If you look at your own Akismet stats you’ll see a similar picture. If you compare that to your own front door at home where you’ve received 11,000 knocks, would there be any paint left on that door? Would you be concerned if 30 people turned your handle to see if the door was open when you were at work each day? I’ve added several virtual padlocks to my front door because vanilla WordPress security isn’t enough. The drawbacks with this are it takes longer to get in.

Akismet, if you are unaware, is the default anti-spam plugin that WordPress recommend to be installed.


The General Problem With Spam

It is ultimately time-wasting. A time waste to target and remove. Time can be better spent elsewhere. Blogs require upkeep and if you only have a limited time you can see a lot of your valuable resource swallowed up. You have to place trust that your automated safety nets keep everything ship-shape. Unfortunately spam evolves like natural viruses and your safeguards lose effectiveness over time. 80% of Microsoft updates address security concerns so think about that next time you are forced to update and restart.


Spam is a Problem We All Have to Tackle Together

At some point you’ll get a nasty hit of spam so I would always encourage that if you find methods to keep it out, you share them. Don’t rest idle.

Being proactive about protection allows reduction in the negative activity but nothing is ever 100% infallible. You may not be able to shake the problem on your first try but don’t let the spammers win.


In Closing

I hope you found this article interesting and helpful. I found there was a lack of overall guidance in this particular area because bloggers deploy their signups in different ways. As a point of note, MailChimp offer a popup signup box which also uses the Captcha method.

Please Care and Share

I’d appreciate if you shared this article. In addition I’m trialling SumoMe and have activated Highlight so if you find a good quote in this article you can share it on Twitter.

You can follow on Twitter by clicking this link.

Contact me directly at headboy [at] blogprefect [dot] com

Leave a comment, start a revolution!


Image Credits

Featured image by PublicDomainPictures from Pixabay


5 Comments Removing Fake Signups for MailChimp

  1. Ahmad Imran

    Jackson, just a quick-y, do you use simple signup or double signup (two-step)? Because adding an extra layer of signup procedure also reduces spam and Mailchimp provides this option.

    1. Jackson Noel Davies

      Hi Ahmad, Mine is two-step but I’ve added a Captcha in this process. Since I’ve been running WPBruiser and the Captcha I’ve noticed no new fake subscribers.




Leave a Reply

Your email address will not be published. Required fields are marked *

Captcha * Time limit is exhausted. Please reload CAPTCHA.

CommentLuv badge