Spam email addersses being add to my audience

  • 18 January 2024
  • 4 replies




I’m hoping someone can help me resolve a worrying problem.

Over the last few weeks we have been hit by spam activity which is adding a large number fake email addresses to our audience. It looks like they are using our Newsletter sign up facility as access. The format of the spam record’s name is always 0ykAAKrjU2 9Bygq83ijO. A 10 character ‘first name’ and a 10 character ‘last name’. Email domains are very varied with no clear pattern.

I’ve managed to remove lots of the spam records but approx 200 are being added per day. How do I block them?


Best answer by kaila.lawrence 18 January 2024, 19:50

View original

4 replies

Userlevel 5
Badge +25

Hey, @Stephen Mc! Totally understand the panic here. Bots are the worst! But don’t worry, it’s totally solvable. 


I did actually just give some advice to another member about this issue yesterday. In short:

  1. Make sure you have double opt-in enabled.
  2. If you’re still having issues, there are 3rd party mitigation tools you can try.


Let me know if that post is helpful!


Userlevel 1
Badge +3

Hiya, this fits the same spam activity we have on our Shopify store (so I assume you’re using Shopify).

In my research I’ve found that it is possible to send an HTTP POST request to to easily create a customer account, which bypasses Google reCAPTCHA (if you have it enabled on your store).

In addition, our store is configured to sync customer accounts with Klaviyo, which means that even if the spam customer is not signed up to a list, they get added to our number of active profiles. With 200-600 spam accounts added each day, it adds up to a lot of junk in our Shopify and Klaviyo that we struggle to clean with a small team.

This Shopify spam customer registration behaviour has been affecting us for over a year now (maybe even two?), and I’ve built some measures to evaluate new customers for potential spam which helps to limit it somewhat, but it is a reactive measure, one I have to constantly revise every few months as the spammers tweak their tactics.

The proactive measure would be Shopify enforcing better protection on the POST /account endpoint, maybe even putting in nonces. I’ve already submitted a request to Shopify about this, but frustrated that after 1-2 years nothing has been done about it.

Badge +3

Hi @mscheurichpatou ,

I’m currently dealing with something similar. Were you able to resolve? You mentioned you built some measures to evaluate new customers for potential spam - what measures did you put in place?


Userlevel 1
Badge +3

Hi @ALopes,

I created a custom Mechanic task that could evaluate new customers based on certain spam behaviour that I had seen.

In the end the better fix was enabling reCAPTCHA on our store. For some reason, in the lifetime our store had been established someone requested Shopify to disable reCAPTCHA. So even when I tried to enable via the Shopify Admin, reCAPTCHA was not actually enabled. Anyway, we got that internal flag removed and reCAPTCHA started to work properly and hurrah, no spam accounts ever since!

Talk to your Shopify support people to see if your store might have the same issue.