Hi @mrosique
Spam profiles are so annoying!! In my experience they are usually gmail addresses with a ‘+’ in the address which helps identify them. I add a filter to my flows + segments to weed those out which is possibly what you’ve done.
The ‘door’ could be a) your ecomm platform - during checkout the email is added but not opted-in or an embed form, and/or b) via the API, maybe a 3rd party app that collects email data. In both cases a profile is created in Klaviyo but the status is ‘never subscribed’ and they’re not added to any list.
Here’s a useful reference on $source codes that can help you identify where they are originating from: https://help.klaviyo.com/hc/en-us/articles/1260804673530 and then look at your options for reducing them at the source. For example, if you’re on Shopify you should check you have hcaptcha enabled (under online store » preferences).
Hope that helps
Andy
Hi everyone,
I am sorry if I am adding to the problem and not to the solution but I’d like to understand it and hopefully, the thread can help more people.
I’m experiencing the same issue as you @mrosique. We’re talking 100+ new profiles a day that do not belong to any lists but just keep growing the amount of my client’s profiles AND segments. (previously set up. And I am going to redefine them so they do not include the fake profiles)
They all come from the US, while my client is Australian based. They ‘never subscribed’ but the property ‘can accept marketing’ is true. There is no other indication other than their location (USA), time and date they entered the database and that’s all. No source, no details, no activity log. The only thing I noticed that may be the start of an answer is that my client has a private API key set up and I don’t know why it’s there and neither does she. It seems that it was set up by a previous freelancer. So perhaps, these emails are entering our database from there...not sure...
So here are my questions:
- While I can make sure I do not include these profiles in our campaigns, how do I delete them forever AND make sure we stop the flow for good. I’d like to really fix the issue for good and not just find a solution to get by.
- Is there a way to know and understand what this private API does? I would not like to delete something that turned out to be essential.
@bluesnapper , I will check the hcaptcha as well. Thanks for that.
@mrosique , sorry for piggybacking on your thread, I just figured I should write here instead of starting another one.
Thank you:-)
Thanks @Gaelle for expanding this thread, I think it can help other people too.
My case is exactly yours: hundreds of new profiles every day that only have "Accept marketing" as a property.
As in my case they all come from the United Kingdom, I put them in a segment called "Unwanted bots", but I want to eliminate them forever and stop this flow as well. We should understand which "door" they enter through.
- I have disabled the newsletter subscription and they keep coming in.
- The other two doors I have left are: mark as a subscriber on the checkout screen or sign up for an alert when re-stock (Shopify app)
- rcaptcha is enabled
- The fake emails are not too much fakes, because sometimes I receive replies as “I’m out of the office until...”, so this means the bot or whoever is using real emails. Maybe this is dropping the reputation of my account because my store is sending hundreds of emails to people who didn’t want to subscribe to my newsletter.
@bluesnapper thanks for the answer, the article you put is truly valuable, but in "Custom properties" the value "$source" is not displayed and "How they found you recently" the value of "Source" is empty.
Any ideas please? Thanks!
Hi @Gaelle and @mrosique
To hopefully answer your questions:
- To see if a private API key is in use go to: https://www.klaviyo.com/settings/account/api-keys and look at the last used date stamp. If its last use was a long time ago it may give you the confidence to delete it. You can also look here: https://www.klaviyo.com/developer-tools/dashboard and under ‘Logs’. To filter for profile created events use ‘profile’ in the search endpoints and select those to see underlying API calls. You may find something useful in there (though I’ve not spent any time doing that!)
- "How they found you recently" will only capture details if you have utm tracking enabled globally or on specific campaigns/flows, or on external url sources e.g. digital ads. If not enabled, or if a person/bot visits the site without a utm tracker, there is no “how they found you” info though it may include ‘direct’.
- When I identify spam profiles I suppress them but I don’t delete the profiles. That is just to ensure that if the spammer hits again using the same set of emails, they stay suppressed (unless they re opt-in!).
- Double opt-in should stop spammers getting added to your lists and will certainly stop them when they use others’ real emails.
- Re sender reputation, you can mitigate that risk by adding a sunset flow so you identify profiles that are not engaging with your emails (opens and clicks over time) and then automatically suppress them with a webhook.
Hope that helps (a bit!)
Andy
@bluesnapper thanks for pure value. Can you share ss for filter using ‘+’ factor in your flows.
Thank you
Thanks @ali786
I just add a segment or flow condition for the email that it ‘does not contain’ a +. It may pick up a few false positives but in my experience genuine subscribers don’t use a + and spammers nearly always do!
Regards
Andy
Thank you all so much for all the details. That’s very helpful. Really appreciate it.
No problem @Gaelle Pleased to have been of help!
Regards
Andy
Hi @mrosique ,
What definition did you use to create your unwanted bot segment? While I do have a few email addresses with a + in them, most of my spams are office emails or regular emails. I have used the conditions:
- person can receive email marketing filtered with because ‘person never subscribed’ ( I realise it sounds weird )
I feel like I’m missing something…
Hi again, sorry to come back to the forum so late but I wanted to test the behavior for a week after making some changes.
The fake profiles have stopped, I have indeed activated hcaptcha, but I don't quite understand the meaning of hcaptcha because when I do a simulation of subscribing it doesn't ask for a confirmation.
In addition, my fake profiles didn't have "+", I created a segment based on $country (they were always from United Kingdom).
I'll keep watching.
Thank you so much to everyone!
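
The signals mentioned across this thread (a ‘+’ in the address, ‘never subscribed’ with ‘can accept marketing’ true, an empty source, a country outside the store's market), combined in one triage pass over an exported profile list. This is an added example, not part of any post and not Klaviyo's own code; the CSV column names, the threshold and the sample rows are constructed assumptions.

```python
import csv
import io
from collections import Counter

# Constructed sample export; the column names are assumptions, not Klaviyo's schema.
SAMPLE_CSV = """email,consent_status,accepts_marketing,source,country,created
jane.doe+x91@gmail.com,never subscribed,true,,United States,2024-03-01T02:14:00
m.brown@example-office.co.uk,never subscribed,true,,United Kingdom,2024-03-01T02:14:30
real.customer@example.com.au,subscribed,true,Checkout,Australia,2024-03-01T09:00:00
sam+shop@example.com.au,subscribed,true,Signup Form,Australia,2024-03-02T11:20:00
k.lee@example.org,never subscribed,true,,United States,2024-03-01T02:15:10
"""

def signals(row, home_countries):
    """Return the spam indicators from the thread that this profile matches."""
    hits = []
    local_part = row["email"].rsplit("@", 1)[0]
    if "+" in local_part:
        hits.append("plus_address")
    if (row["consent_status"].strip().lower() == "never subscribed"
            and row["accepts_marketing"].strip().lower() == "true"):
        hits.append("marketing_without_subscription")
    if not row["source"].strip():
        hits.append("no_source")
    if row["country"].strip() not in home_countries:
        hits.append("foreign_country")
    return hits

def triage(csv_text, home_countries, threshold=2):
    """Split profiles into suppression candidates and the rest, with a per-hour burst count."""
    suspects, clean, bursts = [], [], Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        hits = signals(row, home_countries)
        if len(hits) >= threshold:
            suspects.append((row["email"], hits))
            bursts[row["created"][:13]] += 1  # bucket by YYYY-MM-DDTHH
        else:
            clean.append(row["email"])
    return suspects, clean, bursts

if __name__ == "__main__":
    suspects, clean, bursts = triage(SAMPLE_CSV, {"Australia"})
    for email, hits in suspects:
        print(email, hits)
    print("kept:", clean)
    print("suspect signups per hour:", dict(bursts))
```

Requiring two or more signals keeps a genuine subscriber who uses a ‘+’ address out of the suppression list, and the per-hour count shows whether the suspects arrived in a burst.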