Skip to main content

Hello,

Recently, I've been getting these computer-generated sign-ups like:

XXXX+sdf8yf@gmail.com and their locations are like weird international places.

Screenshot from a segment I built (with some deletions for privacy)

My question is are they spammers or is this the new privacy feature that apple users. Or VPN features?

I know that the + sign is a way of redirecting your emails within Gmail, not sure if it works in other systems.

Because I have been getting a few and wither way it sucks for working out legit customers.

PS: I know I can activate double opt-in to prevent spam.

 

Hi @Nico01 

Are you seeing any checkout activity on any of these profiles? I ask because Google does have a ‘mystery’ shopping crawler that adds products to the basket and initiates a checkout. However it usually declares itself as John Smith somewhere in the gmail.

Regards

Andy


Hi @Nico01 

Are you seeing any checkout activity on any of these profiles? I ask because Google does have a ‘mystery’ shopping crawler that adds products to the basket and initiates a checkout. However it usually declares itself as John Smith somewhere in the gmail.

Regards

Andy

Hi @bluesnapper,

No anormal checkout activity. It’s only on the sign-up side thru the pop-up.


Any updates to this?, as I’ve been getting spammed in a very similar fashion, via a signup form. 
However, I hid the form on my shopify site and am still getting spammed from that form. The emails primarily are random bot generated gmail addresses & the rest of the info is random locations around the world, with a random first name, just like the OP. How can it keep doing this when the form is no longer accessible?


Hiya @Nico01 @The ZOOM guy

 

This is unfortunately not an uncommon problem we talk a lot about in the community here. When bots target your Shopify site or forms, many of those events trigger a profile creation in Klaviyo. However, this doesn’t necessarily mean they become active profiles because they aren’t subscribed. 

 

Here are few threads with different cases and solutions that may help guide you to figure it out:

 


Kaila - Here’s the issue- These bots are breaking thru via Klaviyo. That means that they are breaching your system and then using the email and contact forms to pollute my system. 
I’ve had to disable my contact form, to hopefully stop the attacks and I may have to completely remove it altogether. 
This needs to be fixed by your tech/devel team.


Any updates to this? We just caught on that this is happening to us too, getting spammed via our newsletter signup form. There’s always only a random first name, an email address with combo of letters and numbers then the + and more letters and numbers @gmail.com @hotmail.com @icloud.com and @msn.com and the locations are mostly international but seen some US. I just manually deleted close to 200 from our “new subscribers” segment. Looks like this started first week of April and we get about 10 to 20 bogus ones daily and seems this week has really increased in frequency.

What can be done about this? We have recaptcha enabled on our shopify store. I tried hiding the newsletter sign up form from our website and every few hours bogus sign ups are still coming in….
 


Hey there @The ZOOM guy @realnoni @Nico01 

 

I know it’s super frustrating to be attacked by bots. Unfortunately, it’s an industry-wide problem that doesn’t just affect Klaviyo. Our Product team is definitely aware and is actively working on solutions to combat bot activity. In the meantime, our Support team can take a closer look at each of your accounts and tease out exactly where the profiles are coming from if you’re really curious!

 

Regardless of what the case may be, it’s important to remember that with double opt-in enabled on your forms these bot profiles will never become confirmed subscribers and therefore do not count towards your active profile count and will not be sent campaigns. You can absolutely bulk suppress or delete them if they’re really bugging you.

 

Alternatively, you can also try beefing up the security of your website to block bot traffic at the source. A popular tool the community references a lot is SpamAssasin, but there are lots of options out there.

Hope that helps :)


I’m just wondering how they’re able to bypass the ReCaptcha and the mandatory fields…..Also, I have the page in question shut down and the email profile turned off, yet a couple are still slipping thru here and there.


Hi @kaila.lawrence 

Just curious what the benefit is to the bots or whoever is managing the bots to spamming our newsletter sign up even is? What do they have to gain? Besides being 100% annoying to us :)

Were do I turn on double opt-in for our newsletter sign up form? Do I do this in Klaviyo? Or in Shopify?

As far as bulk surpressing or deleting, I had a read through the link you shared and seems like I’ll need to upload a csv list to do this? Is there any easy way to export a list of these bogus profiles? Right now I just keep checking our “new subscriber” segment daily and deleting the bogus sign ups. All the email addresses always have a + sign so can I create a segment that pulls any email with a “+” and then easily get a list that way? 


Thanks so much for any extra insight.


@realnoni There are lots of reasons bad actors create bots, but they’re typically deployed looking for security vulnerabilities or for data scraping. You’ll really never know for sure. 

 

Were do I turn on double opt-in for our newsletter sign up form? Do I do this in Klaviyo? Or in Shopify?

You should do this in Klaviyo since this is where the list lives. 

  1. Click into the list you want to edit.
  2. Select Settings.
  3. Select Consent.
  4. Select Double opt-in.

 

 

 

 

 

 

 

 

 

As far as bulk surpressing or deleting, I had a read through the link you shared and seems like I’ll need to upload a csv list to do this? Is there any easy way to export a list of these bogus profiles? Right now I just keep checking our “new subscriber” segment daily and deleting the bogus sign ups. All the email addresses always have a + sign so can I create a segment that pulls any email with a “+” and then easily get a list that way? 

Yes, use any patterns you notice to filter them out. Unfortunately Klaviyo won’t automatically know a real address from a bogus one, so this will take a little deduction on your part. 


Hope that helps! :)


I am new to Klaviyo and opened an account less than a month ago. I am still creating my forms, and I've published one on a hidden page in Shopify. I don’t get how spammy subscribers can bypass mandatory fields. My form asks for name, email, and phone number; all fields are mandatory. However, I am getting a bunch of spammy subscribers with email only. How is that possible?


@DianaSantos They aren’t being bypassed. Bots can fill out those fields automatically. Do you have double opt-in enabled in your list?


Bots can fill out those field, but the field is empty in their profile. I don’t have double opt in, and I will not add to this specific form because of a marketing strategy I am using.


@DianaSantos It is possible for bots to enter blank spaces as data. This is a known issue the team is working on in my answer above! Unfortunately though, using single opt-in makes it harder to manage bot activity. At least with double opt-in you can be sure the only profiles subscribed to your list are real people. 

 

If you want to maintain single opt-in, you can create a segment with conditions you notice for patterns of these bot profiles and periodically suppress them. 


Having the same issue - here’s what I did.

Created a new segment called ‘+’ (used the AI feature) - segment defined by ‘email addresses that include the + symbol’

That then trawls and adds all these unwanted addresses to the ‘+’ segment.

Then daily I look at the segment to see if they are all rubbish and when confirmed I go to:

Settings (bottom left) / Other / Profile Maintenance / Remove Profiles / Select a List to delete / + / delete people

Purged!


I am getting these emails subscribe also.. And then they receive the email flows and even open them.. how can that be if they are BOTS, and then some are marked by them as SPAM? 


@bythehorns Typically a malicious bot will target forms or checkout pages and flood them with real emails they are looking to attack. Since these are real emails, they might respond in different ways: open, click, mark as spam or even reach out. What we would recommend is enabling double opt-in and turn on ReCaptcha if you can on your checkout page.


Reply