Solved

Spam bots on a form that DOESN'T even have an email entry box!

  • 22 May 2024
  • 8 replies
  • 203 views

I have a Klaviyo “form” that’s really not a form… it just catches people when they leave a blog post to click a link button.

And yet for the past few months, I’m getting multiple spambot email signups a day FROM THIS FORM that doesn’t even have a place for an email entry box or a submit button.

I don’t even see these bots on LuckyOrange, so I’m assuming they’re calling this Klaviyo form without even going to my website.

Why is this, and what can I do?

What the “form” looks like that is nonetheless getting spam signups...

I know it’s this form because the profiles say this:

And I’ve been able to create a segment based on the form ID… but then I have to manually suppress/delete the profiles here AND in Shopify.

Why are the bots doing this, and HOW are they doing it?

8 replies

Userlevel 3
Badge +7

@Wear Skinnys 

This scenario suggests that bots are exploiting your form's endpoint directly, bypassing the user interface. What that means is that bots are likely targeting the form's backend link directly. They don't need to see the form on your site; they just send data straight to the link that processes the form.

Have you looked at your server logs to see where these submissions are coming from?

You could try using a reCAPTCHA (tool that can help tell humans and bots apart) or Hidden Fields (Honeypots) which adds fields that users can’t see but bots will have to fill out. If these fields are filled out you know it’s a bot.

Klaviyo has discussed reCAPTCHA as an approach in their community, mentioning that while Klaviyo itself does not provide reCAPTCHA integration, it can be implemented on your website to work with Klaviyo forms. You can find more details in the Klaviyo Community.


Hidden fields might be difficult to set up, as it requires a bit of custom code in the HTML.

I would also consider contacting Klaviyo support, if the issue persists.

Hope this helps:)

Badge +3


> This scenario suggests that bots are exploiting your form's endpoint directly, bypassing the user interface. What that means is that bots are likely targeting the form's backend link directly. They don't need to see the form on your site; they just send data straight to the link that processes the form.
>
> Have you looked at your server logs to see where these submissions are coming from?

All over the world, back to back.

> You could try using a reCAPTCHA (tool that can help tell humans and bots apart) or Hidden Fields (Honeypots) which adds fields that users can’t see but bots will have to fill out. If these fields are filled out you know it’s a bot.

I can tell which are bots simply because they’re using a form that doesn’t actually capture user data. I can isolate them so they don’t go into an email flow, but they still litter my profile list and get pulled into Shopify.

It’s wild that Klaviyo is allowing this to happen. There’s no reason they should be accepting form submissions from a form that doesn’t capture data.

I wish I could just set up a filter that automatically deletes any profile (or stops a profile from being created) under some condition (such as this particular form being the source).
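
The filter wished for in the post above, sketched as an added example (not part of the thread and not Klaviyo's own code). It works on a constructed CSV export; the column names, form IDs and thresholds are all assumptions. It flags every profile attributed to a form that has no email input and picks out the back-to-back, multi-country bursts described above.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export; column names and form IDs are assumptions.
EXPORT = """email,source_form_id,created,country
a1@example.com,FORM_EXIT_POPUP,2024-05-20T10:00:01,BR
b2@example.com,FORM_EXIT_POPUP,2024-05-20T10:00:03,VN
real@example.com,FORM_NEWSLETTER,2024-05-20T10:00:04,US
c3@example.com,FORM_EXIT_POPUP,2024-05-20T10:00:06,RU
d4@example.com,FORM_EXIT_POPUP,2024-05-21T18:30:00,US
"""

DISPLAY_ONLY_FORMS = {"FORM_EXIT_POPUP"}  # forms that have no email input

def load(text):
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["created"] = datetime.fromisoformat(r["created"])
    return sorted(rows, key=lambda r: r["created"])

def impossible_signups(rows, display_only=DISPLAY_ONLY_FORMS):
    """Profiles attributed to a form the real UI cannot submit an email from."""
    return [r for r in rows if r["source_form_id"] in display_only]

def bursts(rows, window=timedelta(seconds=10), min_hits=3, min_countries=3):
    """Sliding window over time-sorted rows: many signups, many countries."""
    found, start = [], 0
    for end in range(len(rows)):
        while rows[end]["created"] - rows[start]["created"] > window:
            start += 1
        hits = rows[start:end + 1]
        countries = {r["country"] for r in hits}
        if len(hits) >= min_hits and len(countries) >= min_countries:
            found.append((hits[0]["created"], hits[-1]["created"], sorted(countries)))
    return found

def suppression_csv(rows):
    """One-column CSV of addresses to feed a bulk suppress/delete step."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["email"])
    writer.writerows([r["email"]] for r in rows)
    return out.getvalue()

if __name__ == "__main__":
    flagged = impossible_signups(load(EXPORT))
    print(suppression_csv(flagged), bursts(flagged))
```

Run on a schedule, the same list can drive suppression in both the email platform and the store, replacing the manual clean-up in each.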

Userlevel 3
Badge +7

@Wear Skinnys 

Thanks for the explanation on the thread.

Are you using a single opt in on the form? You could try using a double opt in. This should help in preventing bots from signing up. It’s a process through which a new subscriber must confirm their subscription before being subscribed to a given list. 

Here is a helpful Klaviyo article that could assist you:
https://help.klaviyo.com/hc/en-us/articles/115005251108

I would also contact Klaviyo support, if the issue persists.

Hope this helps :)

Userlevel 7
Badge +60

Hi there @Wear Skinnys

So sorry to hear about the frustration you’re facing due to these bots! We have seen an uptick in bots and are working on a more native solution to combat this.

@eCom2Win_Marketing is right that all forms have an endpoint that these bots are accessing, regardless of whether there is an email button or not.

Please let me know if you’re still facing rampant bot signups after implementing these recaptcha or honey pot features! Here’s a helpful thread relating to it!!

-Taylor

Badge +3

> Hi there @Wear Skinnys
>
> Please let me know if you’re still facing rampant bot signups after implementing these recaptcha or honey pot features! Here’s a helpful thread relating to it!!

I don’t need to implement those, and they’re not even relevant to me.

I don’t need a recaptcha on a form that doesn’t collect information because it doesn’t really act as a form. And I don’t need the honeypot technique because the bots are only targeting one form that I can easily separate out.

But nonetheless it’s filling up junk data that then makes its way into Shopify and requires a manual removal.

It’s wild that Klaviyo is leaving these endpoints susceptible to submission where inputs and submit buttons haven’t even been used.

I’m tempted just to duplicate the “form” (which is really just a pop-up not a form) and disable the old one.

But then the bots might try targeting some other form of mine.

Badge +3

> Are you using a single opt in on the form? You could try using a double opt in. This should help in preventing bots from signing up. It’s a process through which a new subscriber must confirm their subscription before being subscribed to a given list.

Lol. It’s not even really a form!

I don’t want to implement double opt-in sitewide for all the obvious reasons no one wants to do it, so I hate that recommendation in general.

But are you saying there’s a way to implement a double opt-in on JUST this form-that’s-not-a-form?

Badge +3

> @Wear Skinnys
>
> This scenario suggests that bots are exploiting your form's endpoint directly, bypassing the user interface. What that means is that bots are likely targeting the form's backend link directly. They don't need to see the form on your site; they just send data straight to the link that processes the form

Why does Klaviyo allow this to happen?

Badge +2

Agreed this is an infinite loop. It does mean more subscribers. (Sorry being cynical) Wasn’t a Klaviyo hosted form considered best practice? The cost appears to be more spam signups. I don’t think this should be a trade off you have to make. Why can’t we have re-captcha support? At least on the roadmap?

Klaviyo Sign Up-Form vs Shopify Sign-Up Form | Klaviyo Community

Here are some other threads that would be insightful for Klaviyo form best practices

Derek Giles
