Attack of the bots 🤖!

Has your email list been taken over by bots?

I know mine have…

And there’s a good chance yours has too.

If they haven’t, I can assure you they will be infiltrated soon.

So the big question is, “What do we do?”

Start by preventing bots from joining your list in the first place!

For a bot to get on your list, you must have let them in to begin with. Below is a set of strategies you can implement to establish a strong defense against bot offensives.

Google reCAPTCHA

If you're not using Google reCAPTCHA on your website, especially on any signup or subscribe-now pages, you should implement it immediately.

You can easily check whether your landing pages are using it by verifying that the reCAPTCHA seal is showing on the page, as seen below.

Get more info about Google reCAPTCHA by clicking here.

Email Validation

I’ve stated this over and over again as a recurring theme. Please validate all the emails that register for your newsletter.

As soon as a person subscribes to your newsletter, you should immediately send that email address to an email validation service to verify it’s a valid email address.

Not only do these services verify it’s a deliverable email address, they also check if the email is on their identified bot list.

In the example above, from Email Oversight, we only allow emails that are marked Verified onto our email lists. All other responses are blocked.

Now, these validation services don’t know every email bot out there, but whichever bots they have identified should be blocked before they get into your email list.

Focus on TLD and Cable Email Domains

Through years of analysis, a majority of email bots have been known to be tied to GI (General Internet) email accounts.

GI accounts are all email addresses not associated with major mailbox providers like Gmail, AOL, Yahoo, or cable domains like Comcast, Cox, etc.

Examples of GI email addresses are:

Examples of TLD and cables are:

An email address must be part of our known TLD and cable domains or we do not add them to our email lists.

You can access a full list of the domains we consider safe to send by clicking here.

Set Up Cloudflare for Performance and Security

All of our websites utilize Cloudflare to improve performance and enhance the security of our sites against bots and other cyber attacks.

Cloudflare is more advanced, so this may be the last strategy for you to implement in preventing bots from getting into your email list.

Cloudflare Bot Management

By implementing Cloudflare Bot Management you can add another layer of protection stopping bots from reaching your signup forms.

For more details visit Cloudflare Bot Management.

NOTE: There are rules and events you can set up to manage the bots, along with Super Bot Fight Mode, which you should have an expert implement for you.

Block traffic from specific countries

Another technique available with Cloudflare is to block traffic from countries flagged for creating high volumes of spam or bot activity like Russia or China.

Or, you can set it up to only allow traffic from the specific countries you want.

In the example below I am setting it up to block all traffic that does not originate in the U.S.A., U.K., Canada or the United States Minor Outlying Islands. Traffic from any other country is blocked.

If you follow all the techniques above you will eliminate a large portion of bots from getting into your email list.

Now, it’s not foolproof, so you’ll also have to keep an eye on what’s happening within your email list and identify bots that have made it through your shield.

Once identified you will be able to act and isolate these bots from your list.

Identifying bots that have made their way onto your email list!

Set up “Skynet” on all your email lists

What in the world is Skynet you might ask? Just a term we came up with to label our hidden bot links inside of our email templates.

In every one of our email templates, we include a link that goes to a page like this https://healthyhappynews.com/stop-right-there/.

<div class="hidden_link"><a href="https://healthyhappynews.com/stop-right-there/" style="color:#fff;font-size:2px;">hidden</a></div>

The idea is to make the font color the same color as the background color of the email and make the font size very small so it doesn’t affect the layout of your email template.

You can now create a segment in your ESP to identify all of the subscribers who are clicking on this hidden link.

Now that you have these people bucketed you can take a deeper look to see if they are email addresses you want to remove or not.

Who to remove?

If an email address is not part of the TLD and cable domains list I provided earlier in this newsletter, I will remove it immediately from my list and add it to a global blacklist that we keep in-house.

Who to keep?

All emails that are part of the TLD and cable domains I will revalidate through an email validation service to see if the email has been compromised.

If it comes back Valid, I will keep the email on my list and take a deeper look into their activity.

For any that fail validation, I will remove them from my email list and add them to our global blacklist as well.

Now you may wonder… why am I keeping the other emails on the list?

For starters, maybe the click activity can help your deliverability for specific ISPs like Yahoo or AOL.

Maybe it was just a security bot checking the links to make sure they were valid.

In any case, it’s probably time that we analyze these valid “Skynet” subscribers a little deeper.
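The signup rules from earlier on this page (allow-listed domain plus a passing validation result) and the hidden-link triage above can share one exact-match domain check. The sketch below is an added example, not code from the author: the allow-list is a constructed sample, and `is_valid`, `admit_signup`, `triage_clicker` and `fake_validator` are hypothetical names, with `is_valid` standing in for whatever validation service you call.

```python
from typing import Callable, Optional, Set

# Constructed sample built from providers the page names; the page's full
# "safe to send" domain list is not reproduced here.
ALLOWED_DOMAINS = {"gmail.com", "aol.com", "yahoo.com", "comcast.net", "cox.net"}


def domain_of(email: str) -> Optional[str]:
    """Return the lower-cased domain, or None when the address is malformed."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or "@" in local or "." not in domain:
        return None
    return domain.lower().rstrip(".")


def admit_signup(email: str, is_valid: Callable[[str], bool]) -> bool:
    """Signup gate: allow-listed domain first, then the validation service."""
    if domain_of(email) not in ALLOWED_DOMAINS:
        return False  # GI domain or malformed address: never reaches the list
    return is_valid(email)


def triage_clicker(email: str, is_valid: Callable[[str], bool],
                   blacklist: Set[str]) -> str:
    """Decide what to do with a subscriber who clicked the hidden link."""
    if domain_of(email) in ALLOWED_DOMAINS and is_valid(email):
        return "keep_and_review"  # passed revalidation: analyze activity next
    blacklist.add(email.strip().lower())  # off-list domain or failed revalidation
    return "remove"


def fake_validator(email: str) -> bool:
    """Constructed stand-in for a validation service; fails one sample address."""
    return email.lower() != "stale@yahoo.com"
```

Matching the whole domain, rather than searching for "gmail.com" inside the address, is what keeps look-alike domains such as `gmail.com.evil.example` off the list.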

Analyze subscriber activity

Now that you have a list of prospects you believe may be bots we can take a deeper look into their activity to decide if they are really a malicious bot or not.

Here are a couple things to look for:

All links in the email clicked at the same time

Multiple Links Clicked within 45 seconds of email send

There are a variety of other things you can look at depending on your ESP, like user agents and source IPs if that’s available.

Those are a bit more advanced so looking at the actual amount and timing of the clicks would be the first thing to investigate.
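The two timing checks listed above, together with the hidden-link click, can be run over a click export from your ESP. This is an added example, not the author's tooling: the click log, the visible links and the one-second tolerance for "at the same time" are assumptions, while the 45-second window and the hidden URL come from the page.

```python
from collections import defaultdict
from datetime import datetime, timedelta

HIDDEN_LINK = "https://healthyhappynews.com/stop-right-there/"  # from the page
EARLY_WINDOW = timedelta(seconds=45)  # the page's "within 45 seconds of email send"
BURST_WINDOW = timedelta(seconds=1)   # assumption: tolerance for "at the same time"

# Constructed visible links and click log: (subscriber, sent, clicked, url)
VISIBLE_LINKS = {"https://news.example/story-1", "https://news.example/story-2"}
SENT = "2024-01-10T09:00:00"
SAMPLE_CLICKS = [
    ("a@unknown.example", SENT, "2024-01-10T09:00:05", "https://news.example/story-1"),
    ("a@unknown.example", SENT, "2024-01-10T09:00:05", "https://news.example/story-2"),
    ("a@unknown.example", SENT, "2024-01-10T09:00:05", HIDDEN_LINK),
    ("b@gmail.com", SENT, "2024-01-10T09:00:10", "https://news.example/story-1"),
    ("b@gmail.com", SENT, "2024-01-10T09:00:30", "https://news.example/story-2"),
    ("c@yahoo.com", SENT, "2024-01-10T09:12:00", "https://news.example/story-1"),
    ("c@yahoo.com", SENT, "2024-01-10T09:30:00", "https://news.example/story-2"),
]


def bot_signals(clicks, visible_links=VISIBLE_LINKS):
    """Map each subscriber to the set of bot indicators their clicks show."""
    per_subscriber = defaultdict(list)
    for email, sent, clicked, url in clicks:
        delay = datetime.fromisoformat(clicked) - datetime.fromisoformat(sent)
        per_subscriber[email.lower()].append((delay, url))

    report = {}
    for email, events in per_subscriber.items():
        delays = [d for d, _ in events]
        urls = {u for _, u in events}
        signals = set()
        if HIDDEN_LINK in urls:
            signals.add("hidden_link")
        # Every visible link clicked, all inside one short burst.
        if urls >= visible_links and max(delays) - min(delays) <= BURST_WINDOW:
            signals.add("all_links_at_once")
        # Two or more distinct links clicked inside the early window after send.
        early = {u for d, u in events if timedelta(0) <= d <= EARLY_WINDOW}
        if len(early) >= 2:
            signals.add("multi_click_within_45s")
        if signals:
            report[email] = signals
    return report
```

A subscriber who clicks every link over half an hour, like the third sample address, produces no signal; only the burst and early-window patterns are flagged.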

This technique I recently learned from Matt Paulson.

I am not going to take you step by step on how to set up the rules in Cloudflare, I will just explain the premise behind the concept.

If it’s something you want to implement, find a professional who can implement it for you… and that person is not me 😄.

How it works!

You set up your click tracking via Cloudflare so that you can set up WAF rules for suspicious ASNs to trigger a captcha.

If it’s a real user, they will click the captcha to continue to the page they requested.

Once the user confirms the captcha, the click is tracked in your ESP; otherwise the traffic is blocked from reaching the requested page, in essence stopping the bot.

HUGE DISCLAIMER: It’s a very advanced technique that takes a high level of technological know-how as well as the implementation of Cloudflare.

The bot war has been raging for many years and it’s gaining steam. Make sure you protect your lists from the massive invasion.

Feel free to reply with any questions you may have about my experience.

Bee Boop,
Chris Miquel

Follow me on Twitter: @miqchris

Follow me on Linkedin: chrismiquel
