As an ESP, we host mailing list signup forms for many customers. Of late,
it appears they have been getting pounded on with fraudulent signups for
real addresses. Sometimes the people confirm by clicking the confirmation
link in the message and we are left scratching our heads as to why they
would do that. Mostly they get ignored and sometimes they come back as spam
complaints.

One opinion I got regarding this was that people were using bots to sign up
other bot-driven email addresses at gmail, yahoo, etc., to newsletter lists,
to make those mailboxes look more real before they became "weaponized" for
use in sending junk. That does not seem to be entirely what is happening
here...

Today we got a set of complaints for what appears to be a personal email
address at a reasonably sized ISP. The complaint clearly identified the
messages as a signup confirmation message and chastised us for not having
the form protected by a CAPTCHA. Of course, they blocked some of our IPs
for good measure :( They characterized it as a DDoS.

What are the folks on this fine list doing about this kind of abuse? We do
have the ability to turn on CAPTCHA for our customers, but often they have
nicely integrated the signup forms into their own web sites, and making it
work for those is pretty complicated. If I enabled CAPTCHA naively, the
subscribers would have to click the submit form twice and then click the
confirm link in the email. The UX for that sucks, but such is the cost of
allowing jerks on the internet...

Rate limiting doesn't seem to be useful since the forms are being submitted
at low rates and from a wide number of IP addresses.

I look forward to hearing what others here are doing.
_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
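The post notes that per-IP rate limiting does not help because the submissions arrive slowly from many addresses. The one thing a subscription-bombing campaign cannot rotate is its target: the recipient address is constant across every form it hits. The following added example (written for this page, not code from the poster or their ESP) keys a sliding-window limit on the recipient rather than the source IP and defers the confirmation mail once one address has been signed up to more than a few distinct lists in a short window. The log format, the list IDs, the addresses and the thresholds (10 minutes, 3 lists) are all constructed assumptions for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample form submissions (not real data): timestamp, source IP,
# list ID, recipient address. The first five mimic a low-rate, many-IP
# subscription bombing of a single address; the rest are ordinary signups.
SAMPLE_SIGNUPS = """\
2019-05-01T10:00:00 203.0.113.10 list-a victim@example.net
2019-05-01T10:00:07 198.51.100.22 list-b victim@example.net
2019-05-01T10:00:15 192.0.2.45 list-c victim@example.net
2019-05-01T10:00:31 203.0.113.77 list-d victim@example.net
2019-05-01T10:01:02 198.51.100.9 list-e victim@example.net
2019-05-01T10:03:00 192.0.2.8 list-a alice@example.org
2019-05-01T10:04:00 192.0.2.8 list-b alice@example.org
2019-05-01T11:30:00 203.0.113.5 list-a bob@example.com
"""


def parse_signups(text):
    """Yield (timestamp, source_ip, list_id, recipient) tuples from the log."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, list_id, recipient = line.split()
        yield datetime.fromisoformat(ts), ip, list_id, recipient


class RecipientRateLimiter:
    """Sliding-window limit keyed on the recipient address, not the source IP.

    A subscription-bombing run rotates source IPs and spreads submissions out
    in time, but the target address stays the same, so that is the stable
    key to count on. Counting distinct lists (not raw submissions) avoids
    penalising a genuine user who double-submits one form.
    """

    def __init__(self, window, max_lists):
        self.window = window          # how far back to look
        self.max_lists = max_lists    # distinct lists allowed per recipient in the window
        self.events = defaultdict(deque)  # recipient -> deque of (timestamp, list_id)

    def allow(self, ts, list_id, recipient):
        # Case-fold the address; stripping plus-tags or dots would be a possible extension.
        key = recipient.strip().lower()
        dq = self.events[key]
        while dq and ts - dq[0][0] > self.window:
            dq.popleft()                      # expire events outside the window
        dq.append((ts, list_id))              # record even if deferred, so a run stays limited
        distinct_lists = {lid for _, lid in dq}
        return len(distinct_lists) <= self.max_lists


def evaluate(text, window=timedelta(minutes=10), max_lists=3):
    """Replay the log and defer confirmations for over-limit recipients.

    Returns the flagged recipients, the number of deferred submissions, and
    the busiest source IP's submission count, which shows why a per-IP limit
    never fires on this traffic.
    """
    limiter = RecipientRateLimiter(window, max_lists)
    per_ip = defaultdict(int)
    flagged, deferred = set(), 0
    for ts, ip, list_id, recipient in parse_signups(text):
        per_ip[ip] += 1
        if not limiter.allow(ts, list_id, recipient):
            # Defer (hold for review) rather than silently drop, so a real
            # subscriber caught by the limit can still be confirmed later.
            flagged.add(recipient.lower())
            deferred += 1
    return {
        "flagged": flagged,
        "deferred": deferred,
        "max_per_ip": max(per_ip.values(), default=0),
    }


if __name__ == "__main__":
    print(evaluate(SAMPLE_SIGNUPS))
```

On the constructed log the busiest single IP submits only twice, so any sane per-IP threshold stays silent, while the recipient-keyed limiter defers the fourth and fifth confirmation mails to the bombed address. In a hosted-forms deployment the counter has to be shared across all customers' forms (for instance in a central store), because the whole point of the attack is to spread the signups across unrelated lists.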