No results were found...


8 ways to prevent bot attacks and avoid spam sign-ups

· 13 min read · Websites and forms,Email marketing · Feb 14, 2023
Cesar, Customer Support.

Spambots are the Terminators of the internet. They’re machines that relentlessly pursue their target–your email signup forms–causing harm and disruption to your business.

Just like Sarah Connor and her allies fought to protect the future in the Terminator movies, it's crucial for email marketers to take proactive steps to prevent bot attacks and avoid spam sign-ups.

Strap in as we walk you through the essential strategies for keeping your email signup forms protected from these unwanted cyber intruders.

A bot attack is a type of cyber attack where automated bots are used to flood email signup forms with fake or spam sign-ups. The goal is usually to jeopardize the validity of the email list or spread malware to the recipients. 

These attacks can have a significant impact on your business, including decreased email deliverability, wasted resources storing or managing fake sign-ups in your email service provider (ESP), and damage to your sender reputation.

Terminators can sweat, bleed and smell just like a human, making them pretty hard to distinguish from real people. Spambots try their best to avoid detection too. Luckily, they aren’t high-tech cyborg assassins from the future, so they’re usually pretty easy to spot. (If you know what to look for).

Classic signs of a spambot attack
  • High volume of sign-ups in a short period of time - For example, if you suddenly get hundreds of signups in the space of 5 minutes or even 5 seconds

  • Sign-ups with similar or identical information, such as names, email addresses, and IP addresses - If a bunch of sign-ups come in from the same domain or IP address it’s likely that they’re fake email addresses

  • Sign-ups using disposable email addresses - A disposable email address is a temporary email address that is used for a specific purpose and is discarded when no longer needed

  • Odd geographical distribution of sign-ups - If you get a sudden influx of subscribers from one specific country that’s out of the ordinary for your audience

  • Sign-ups with misleading or fake information - For example, if text fields such as name, last name, etc, are filled with gibberish

  • High bounce rate or low open rates - If you don’t catch spam sign-ups in time, your newsletters will see a decrease in open rates and an increase in bounce rates

If you notice any of these signs, it's important to take action quickly to prevent further harm to your business and email list.

Spam newsletter sign-ups can lead to decreased email deliverability, clog your email list with worthless subscribers, and harm your brand's reputation. Preventing them is essential to maintain the integrity and reputation of your email list.

You don’t need any special weapons to eliminate these bots, but you do need to be proactive. Here are 8 ways to stop a spambot from ever saying “I’ll be back”.

Turning on double opt-in for your signup forms is the easiest way to stop spambots from infiltrating your email list. It means subscribers have to open and click a confirmation email before being added to your subscriber list.

Since spambots aren’t real people, they aren’t checking their emails. If double opt-in is enabled on all of your forms, only real, engaged subscribers will be added to your list.

To turn on double opt-in in MailerLite, just open your form settings and toggle it on.

Hack: Double opt-in doesn’t have to disturb the subscriber experience. If you’re using forms to promote downloadable lead magnets, just go to the Confirmation thank you page tab and enter a custom URL as the thank you page. You can enter your direct download link there, so subscribers who confirm their subscription automatically download their freebie.

A CAPTCHA or reCAPTCHA is a simple test to determine if a website visitor is human or not.  The difference between the two is that a CAPTCHA  presents users with a distorted image of letters or numbers that they must correctly transcribe in order to prove they are a human user.

A reCAPTCHA, on the other hand, presents users with a checkbox that they must click to confirm they are human–slightly more user-friendly.

It’s easy to add reCAPTCHA to any form in MailerLite. All you have to do is select your form, click the Settings tab, and check the box labeled “reCAPTCHA”.

A GIF displaying reCAPTCHA being added to a MailerLite form

The algorithm uses various signals to determine the user's likelihood of being a human. If it determines that the user is likely to be a human, the user is allowed to proceed, while if the user is determined to be a bot, their form won’t be submitted.

Email list verification is the process of verifying the validity and accuracy of email addresses on your email list. It aims to improve email campaigns' deliverability by removing invalid, non-existent, or incorrect email addresses.

The process typically involves running the email addresses through a series of checks, such as syntax validation, domain name verification, and checking against a list of email domains or addresses that are known to be invalid–making it easy to spot and remove spam email addresses. Perfect for annihilating spambots. 👊

You can use an email verification tool (like MailerCheck) to automatically analyze your entire email list, remove invalid email addresses and import the clean list back to your ESP in just a few clicks.

A MailerCheck report showing the number of valid, invalid and catch all email addresses in an email list.
Image credit: MailerCheck

A honeypot is a trap set to detect and deflect spam email sign-ups. It's an invisible form field that only spambots can see. If the invisible field is filled in, you automatically know it’s a spambot and you can add those addresses to a blocklist.

Adding a honeypot field to your MailerLite forms is as simple as adding a little bit of extra code to your form's HTML code.

First, create a new text type custom field and name it something obvious like “honeypot”. Then, add the honeypot field to your MailerLite form and give it a label like “Leave this field blank”. Make sure that the field is not required in order to submit the form.

Then before embedding the form on your website, make these 2 small edits to the HTML code.

1. Change the field Class to “hidden” - Use CTRL+F to search for your honeypot field by name, then change class=”form-control” to class=”hidden”


<input aria-label="honeypot" type="text" class="hidden" data-inputmask="" name="fields[honeypot]" placeholder="Leave this field blank" autocomplete="">

2. Set the style rule so that “hidden” means no display - Use CTRL+F to search for <style type="text/css"> Then add .hidden { display: none } right after the LOADER element


<style type="text/css">

    /* LOADER */

    .ml-form-embedSubmitLoad {

      display: inline-block;

      width: 20px;

      height: 20px;


   .hidden { display: none }

    .g-recaptcha {

    transform: scale(1);

    -webkit-transform: scale(1);

    transform-origin: 0 0;

    -webkit-transform-origin: 0 0;

    height: ;


This will ensure that the field is invisible to humans, but still functional. That way, bots will mistake it for a legitimate field and fill it in. Then you can create a segment for subscribers with any value in that field and remove them.

If you track and record spam domains, you can create a blocklist of spam email signups in your MailerLite dashboard. When you get attacked by a specific domain, use the subscriber filters to create a segment based on the email field. Then create a segment using those filters.

Subscriber filters in MailerLite

Subscribers with that domain address will automatically be added to the blocklist segment. Then you can periodically unsubscribe the fake email addresses from your blocklist.

Block specific IPs from visiting your website

If you want to stop spambots at the source and block known spam IPS, here are a few ways to do that:

  • Use a web server firewall - Many web servers, such as Nginx or Caddy, have built-in firewalls that allow you to block specific IP addresses. The exact method of blocking IP addresses will vary depending on the web server you are using

  • Use a Content Delivery Network (CDN) - Services like Cloudflare or Akamai can be used as a CDN to block specific IP addresses at the edge of their network. This is a convenient option if you don’t have direct access to your web server

  • Use server-side code - If your website is built using server-side code, such as PHP or Ruby on Rails, you can block specific IP addresses in the code. You can use the server's IP address blocking features or write custom code to block specific IP addresses

Two-factor authentication (2FA) is a security process that requires a user to provide two forms of identification when logging in to a website or accessing a secure system. For example, a password and an SMS code. It’s like having two locks on your front door, making it harder for someone to break in.

Requiring a secondary form of authentication, such as a code sent via text message, is a great option to prevent bot attacks if you have forms where users sign in or sign up for a service.

There are several 2FA libraries available for different programming languages, such as Google Authenticator for PHP, or the Django Two-Factor Authentication library for Python. Choose the library that best suits your needs and the language you use to build your website.

Make sure all software, including the content management system (CMS) and any plugins, are updated to the most recent version to minimize exposure to bot attacks.

Updates are frequently released by software developers to address known vulnerabilities and enhance the software's overall security. This usually involves fixing flaws that bots might use to access your website without authorization, steal sensitive data, or any other malicious activities.

Even if you implement all of the precautions mentioned in this article, it’s still important to regularly monitor sign-up activity. 

Keeping an eye on sign-ups is made 100x easier with the MailerLite Manager app for iOS. The latest version includes a feature that allows you to add your live subscriber count to a widget on your lock screen.

Lock screen widget displaying the number of subscribers and emails sent in a MailerLite account.
Image Credit: MailerLite Manager

Instead of logging into the dashboard and reviewing your subscriber count, all you need to do is glance down at your phone! If you see a sudden spike in sign-ups, you’ll know it’s time to start investigating.

If some sneaky spam email addresses have wormed their way onto your list, don’t fret! It’s super easy to get rid of them. You can use the subscriber filters to find subscribers based on their domain or signup date, then select and unsubscribe the fake email addresses.

Subscriber filters in MailerLite

Then implement one (or more) of these prevention strategies and practice regular email list cleaning to ensure a high-quality email list.

Spambots may not be as life-threatening as Arnold Schwarzenegger in a leather jacket, but they are just as relentless (and annoying). Luckily it doesn’t take time travel to save your future from spambots. If you take a few proactive measures, you can avoid spam sign-ups for good. 👍

Erin Ford
Erin Ford
I’m Erin, I write content here at MailerLite. When I’m not typing away at my laptop, geeking out over email automation and targeting, you can find me at the nearest beach with my furry little rescue pooch, Alfie.