Have you got a messenger with fake newsletter records? Learn how to protect your models using double subscription, CAPTCHA, and Cloudflare.
background
I woke up up to 200 new subscribers in the newsletter of my website, videoo.com. Did it finally happen? Has my site eventually become viral?
Unfortunately, no. After checking the new subscribers, I noticed that no one had verified their email addresses, not even one, and this is definitely not confidence.
After some quick research, I understood that I had already been subjected to an unwanted message. But all emails look legitimate. Here are some examples:
[email protected]
[email protected]
[email protected]
[email protected]
After some initial research (inserting emails in HapeENPWNED), most of these email addresses appear to have been in a kind of penetration or breach.
So what was happening? How can I prevent him in the future?
Someone decided to use email addresses at risk to showcase my model. Either to pollute my news messages, to know what extent can they go, or just because they can?
What I learned
When anything available to the audience on the Internet, there will be unwanted messengers, there will be robots, and there will be people trying to penetrate it. For this reason you should always make it as safe as possible.
It turns out that this type of random post offensive is more common than you think (especially since the newsletter of Maditi has been subjected to the unwanted message after two weeks). Robots crawl on the web and search for models, usually the newsletter or communication models, then start sending the “leaked email addresses”.
But why? Below are some of the reasons it reached:
- To pollute your email menu (if this is a personal attack, I don’t think it is in this case)
- To test the health of emails ??
- To annoy the owners of the leaked mail by making them subscribers in thousands of newsletters
- To annoy the site owner (I)
How to fix it
I have some solutions to this problem.
Step 1: Enabling double subscription
The first and most important step is to ensure that all your news releases are “double subscription”, and this means that the user must confirm his email address before subscription.
On ListMonk (the newsletter program I use), make sure the list is subscribes to users double opt in.
This means that even if unwanted messages are canceled, you can only remove all addresses that have not been verified from their email (after a few days/weeks).
Do you want to learn how to prepare the autonomous newsletter with ListMonk? Check out my guide: How to prepare a self -hosted news message using ListMonk.
Step 2: Add Captcha Challenge or Cloudflare Js Challenge
It was the second step I took to enable a kind of captha. Initially, I prepared HCAPTCHA via ListMonk. But I don’t think this is the best solution, because it is a kind of inconvenience. However, I am using it in the newsletter for Video.com. If you are interested in how to do this, here is how:
- Open the ListMonk web menu
- Go to the settings
- under
SecurityEnabling CAPTCHA and enter the API HCAPTCHA.com (you will first have to register for HCAPTCA.com)
However, with this setting, if you use custom models (such as the email subscription form below), the application will be somewhat idle.
Instead, I am currently using it on Newsletter 4rkal.com is the use of the Cloudflare JS challenge on a specific sub -scale.
The way I prepared to send the newsletter to the email is that I have ListMonk working on newsletter.4rkal.comSeparate sub -range.
This means that I can adjust this specific sub -field as “under attack” on Cloudflare and users to complete Captcha sometimes.
To do this:
- Go to Cloudflare.com
- Log in and go to your specific dashboard
- under
SecurityHe choosesWAF - Then click
Create rule - Give him any name
- under
FieldHe chooseshostnameAnd underOperatorHe chooseswildcardinValueEnter the sub -range, in my case, thisnewsletter.4rkal.com. The expression should look like this(http.host wildcard "newsletter.4rkal.com") - under
Choose actionHe choosesJS Challenge - Click
Save
This is about that.
summary
Getting your web site is never desirable, but I hope this article has given clear to people who pass the same problem like me.
Subscribe
Join the newsletter here:
