Form Abuse Mitigation

Background: We provide CCtoMany customers with simple HTML which they can embed on their website to create a signup form for their newsletter. Whenever someone submits their email address to subscribe, a Confirmation Message email is sent to that address. They must respond to that in order to actually be subscribed.

The problem: We began to see that this form was being abused. Someone / something was submitting multiple email addresses per day. Our guess is that somewhere there exists an "abuse script" which accepts a target email address, then submits that address to hundreds of online forms at once. Each of those then responds by sending an email to that target address. The target address owner finds their inbox flooded with messages they never requested, sometimes even pushing them over quota and disabling the address.

These unwanted messages are typically reported as spam by the recipients, which can lead to our CCtoMany server being blacklisted even though we never send actual spam.

The solution: We have modified our signup script so that when an email is submitted, we display a page which requires the user to complete a simple verification. This seems to effectively mitigate automated form submissions. You (list owners) don't have to do anything to existing forms except be aware that the signup process now requires real humans to complete one additional simple step.